cve-check-tool: Use CA cert bundle in correct sysroot

Native libcurl looks for CA certs in the wrong place by default. * Add patch that allows overriding the default CA certificate location. Patch is originally from meta-security-isafw. * Use the new --cacert to set the correct CA bundle path (From OE-Core rev: 73bd11d5190a072064128cc13b4537154d07b129) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jussi Kukkonen <jussi.kukkonen@intel.com> 2017-02-09 21:38:33 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-02-15 09:29:56 -0800
commit: d887c24d5af0f570a259985fa99af5c56158fcfa (patch)
tree: ae5d59972c956d573f5795615d29ba22b3b0e204 /meta/recipes-devtools/cve-check-tool
parent: ea616d122676e7d5bbf606b7dbfa8f62c63d4a27 (diff)
download: poky-d887c24d5af0f570a259985fa99af5c56158fcfa.tar.gz
2 files changed, 218 insertions, 1 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index c78af6728c..fcd3182931 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
 SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
           file://check-for-malloc_trim-before-using-it.patch \
           file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
+           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
          "
 SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
@@ -39,7 +40,8 @@ do_populate_cve_db() {
    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
-    if cve-check-update -d "$cve_dir" ; then
+    # --cacert works around curl-native not finding the CA bundle
+    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
    else
        bbwarn "Error in executing cve-check-update"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
new file mode 100644
index 0000000000..3d8ebd1bd2
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
@@ -0,0 +1,215 @@
+From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
+From: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date: Thu, 9 Feb 2017 14:51:28 +0200
+Subject: [PATCH] curl: allow overriding default CA certificate file
+Similar to curl, --cacert can now be used in cve-check-tool and
+cve-check-update to override the default CA certificate file. Useful
+in cases where the system default is unsuitable (for example,
+out-dated) or broken (as in OE's current native libcurl, which embeds
+a path string from one build host and then uses it on another although
+the right path may have become something different).
+Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Took Patrick Ohlys original patch from meta-security-isafw, rebased
+on top of other patches.
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+---
+ src/library/cve-check-tool.h |  1 +
+ src/library/fetch.c          | 10 +++++++++-
+ src/library/fetch.h          |  3 ++-
+ src/main.c                   |  5 ++++-
+ src/update-main.c            |  4 +++-
+ src/update.c                 | 12 +++++++-----
+ src/update.h                 |  2 +-
+ 7 files changed, 27 insertions(+), 10 deletions(-)
+diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
+index e4bb5b1..f89eade 100644
+--- a/src/library/cve-check-tool.h
+++ b/src/library/cve-check-tool.h
+@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
+     bool bugs;                          /**<Whether bug tracking is enabled */
+     GHashTable *mapping;                /**<CVE Mapping */
+     const char *output_file;            /**<Output file, if any */
+    const char *cacert_file;            /**<Non-default SSL certificate file, if any */
+ } CveCheckTool;
+ 
+ /**
+diff --git a/src/library/fetch.c b/src/library/fetch.c
+index 0fe6d76..8f998c3 100644
+--- a/src/library/fetch.c
+++ b/src/library/fetch.c
+@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
+ }
+ 
+ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
+-                      unsigned int start_percent, unsigned int end_percent)
+                      unsigned int start_percent, unsigned int end_percent,
+                      const char *cacert_file)
+ {
+         FetchStatus ret = FETCH_STATUS_FAIL;
+         CURLcode res;
+@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
+                 return ret;
+         }
+ 
+        if (cacert_file) {
+                res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
+                if (res != CURLE_OK) {
+                        goto bail;
+                }
+        }
+
+         if (stat(target, &st) == 0) {
+                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
+                 if (res != CURLE_OK) {
+diff --git a/src/library/fetch.h b/src/library/fetch.h
+index 4cce5d1..836c7d7 100644
+--- a/src/library/fetch.h
+++ b/src/library/fetch.h
+@@ -29,7 +29,8 @@ typedef enum {
+  * @return A FetchStatus, indicating the operation taken
+  */
+ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
+-                      unsigned int this_percent, unsigned int next_percent);
+                      unsigned int this_percent, unsigned int next_percent,
+                      const char *cacert_file);
+ 
+ /**
+  * Attempt to extract the given gzipped file
+diff --git a/src/main.c b/src/main.c
+index 8e6f158..ae69d47 100644
+--- a/src/main.c
+++ b/src/main.c
+@@ -280,6 +280,7 @@ static bool csv_mode = false;
+ static char *modified_stamp = NULL;
+ static gchar *mapping_file = NULL;
+ static gchar *output_file = NULL;
+static gchar *cacert_file = NULL;
+ 
+ static GOptionEntry _entries[] = {
+         { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
+@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
+         { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
+         { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
+         { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
+         { .short_name = 0 }
+ };
+ 
+@@ -492,6 +494,7 @@ int main(int argc, char **argv)
+ 
+         quiet = csv_mode || !no_html;
+         self->output_file = output_file;
+        self->cacert_file = cacert_file;
+ 
+         if (!csv_mode && self->output_file) {
+                 quiet = false;
+@@ -530,7 +533,7 @@ int main(int argc, char **argv)
+                 if (status) {
+                         fprintf(stderr, "Update of db forced\n");
+                         cve_db_unlock();
+-                        if (!update_db(quiet, db_path->str)) {
+                        if (!update_db(quiet, db_path->str, self->cacert_file)) {
+                                 fprintf(stderr, "DB update failure\n");
+                                 goto cleanup;
+                         }
+diff --git a/src/update-main.c b/src/update-main.c
+index 2379cfa..c52d9d0 100644
+--- a/src/update-main.c
+++ b/src/update-main.c
+@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
+ static gchar *nvds = NULL;
+ static bool _show_version = false;
+ static bool _quiet = false;
+static const char *_cacert_file = NULL;
+ 
+ static GOptionEntry _entries[] = {
+         { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
+         { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
+         { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
+         { .short_name = 0 }
+ };
+ 
+@@ -88,7 +90,7 @@ int main(int argc, char **argv)
+                 goto end;
+         }
+ 
+-        if (update_db(_quiet, db_path->str)) {
+        if (update_db(_quiet, db_path->str, _cacert_file)) {
+                 ret = EXIT_SUCCESS;
+         } else {
+                 fprintf(stderr, "Failed to update database\n");
+diff --git a/src/update.c b/src/update.c
+index 070560a..8cb4a39 100644
+--- a/src/update.c
+++ b/src/update.c
+@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
+ 
+ static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
+                            bool db_exist, bool verbose,
+-                           unsigned int this_percent, unsigned int next_percent)
+                           unsigned int this_percent, unsigned int next_percent,
+                           const char *cacert_file)
+ {
+         const char nvd_uri[] = URI_PREFIX;
+         autofree(cve_string) *uri_meta = NULL;
+@@ -331,14 +332,14 @@ refetch:
+         }
+ 
+         /* Fetch NVD META file */
+-        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
+         if (st == FETCH_STATUS_FAIL) {
+                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
+                 return -1;
+         }
+ 
+         /* Fetch NVD XML file */
+-        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
+         switch (st) {
+         case FETCH_STATUS_FAIL:
+                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
+@@ -391,7 +392,7 @@ refetch:
+         return 0;
+ }
+ 
+-bool update_db(bool quiet, const char *db_file)
+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
+ {
+         autofree(char) *db_dir = NULL;
+         autofree(CveDB) *cve_db = NULL;
+@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
+                 if (!quiet)
+                         fprintf(stderr, "completed: %u%%\r", start_percent);
+                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
+-                                     start_percent, end_percent);
+                                     start_percent, end_percent,
+                                     cacert_file);
+                 switch (rc) {
+                 case 0:
+                         if (!quiet)
+diff --git a/src/update.h b/src/update.h
+index b8e9911..ceea0c3 100644
+--- a/src/update.h
+++ b/src/update.h
+@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
+ 
+ int update_required(const char *db_file);
+ 
+-bool update_db(bool quiet, const char *db_file);
+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
+ 
+ 
+ /*
+-- 
+2.1.4
author	Jussi Kukkonen <jussi.kukkonen@intel.com>	2017-02-09 21:38:33 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-02-15 09:29:56 -0800
commit	d887c24d5af0f570a259985fa99af5c56158fcfa (patch)
tree	ae5d59972c956d573f5795615d29ba22b3b0e204 /meta/recipes-devtools/cve-check-tool
parent	ea616d122676e7d5bbf606b7dbfa8f62c63d4a27 (diff)
download	poky-d887c24d5af0f570a259985fa99af5c56158fcfa.tar.gz

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index c78af6728c..fcd3182931 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
9	SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \	9	SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
10	file://check-for-malloc_trim-before-using-it.patch \	10	file://check-for-malloc_trim-before-using-it.patch \
11	file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \	11	file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
		12	file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
12	"	13	"
13		14
14	SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"	15	SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
@@ -39,7 +40,8 @@ do_populate_cve_db() {
39	[ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"	40	[ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
40		41
41	bbdebug 2 "Updating cve-check-tool database located in $cve_dir"	42	bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
42	if cve-check-update -d "$cve_dir" ; then	43	# --cacert works around curl-native not finding the CA bundle
		44	if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
43	printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"	45	printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
44	else	46	else
45	bbwarn "Error in executing cve-check-update"	47	bbwarn "Error in executing cve-check-update"


diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch new file mode 100644 index 0000000000..3d8ebd1bd2 --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
@@ -0,0 +1,215 @@
		1	From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
		2	From: Jussi Kukkonen <jussi.kukkonen@intel.com>
		3	Date: Thu, 9 Feb 2017 14:51:28 +0200
		4	Subject: [PATCH] curl: allow overriding default CA certificate file
		5
		6	Similar to curl, --cacert can now be used in cve-check-tool and
		7	cve-check-update to override the default CA certificate file. Useful
		8	in cases where the system default is unsuitable (for example,
		9	out-dated) or broken (as in OE's current native libcurl, which embeds
		10	a path string from one build host and then uses it on another although
		11	the right path may have become something different).
		12
		13	Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
		14
		15	Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
		16
		17
		18	Took Patrick Ohlys original patch from meta-security-isafw, rebased
		19	on top of other patches.
		20
		21	Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
		22	---
		23	src/library/cve-check-tool.h \| 1 +
		24	src/library/fetch.c \| 10 +++++++++-
		25	src/library/fetch.h \| 3 ++-
		26	src/main.c \| 5 ++++-
		27	src/update-main.c \| 4 +++-
		28	src/update.c \| 12 +++++++-----
		29	src/update.h \| 2 +-
		30	7 files changed, 27 insertions(+), 10 deletions(-)
		31
		32	diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
		33	index e4bb5b1..f89eade 100644
		34	--- a/src/library/cve-check-tool.h
		35	+++ b/src/library/cve-check-tool.h
		36	@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
		37	bool bugs; /*<Whether bug tracking is enabled /
		38	GHashTable mapping; /<CVE Mapping /
		39	const char output_file; /<Output file, if any /
		40	+ const char cacert_file; /<Non-default SSL certificate file, if any /
		41	} CveCheckTool;
		42
		43	/**
		44	diff --git a/src/library/fetch.c b/src/library/fetch.c
		45	index 0fe6d76..8f998c3 100644
		46	--- a/src/library/fetch.c
		47	+++ b/src/library/fetch.c
		48	@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
		49	}
		50
		51	FetchStatus fetch_uri(const char uri, const char target, bool verbose,
		52	- unsigned int start_percent, unsigned int end_percent)
		53	+ unsigned int start_percent, unsigned int end_percent,
		54	+ const char *cacert_file)
		55	{
		56	FetchStatus ret = FETCH_STATUS_FAIL;
		57	CURLcode res;
		58	@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char uri, const char target, bool verbose,
		59	return ret;
		60	}
		61
		62	+ if (cacert_file) {
		63	+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
		64	+ if (res != CURLE_OK) {
		65	+ goto bail;
		66	+ }
		67	+ }
		68	+
		69	if (stat(target, &st) == 0) {
		70	res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
		71	if (res != CURLE_OK) {
		72	diff --git a/src/library/fetch.h b/src/library/fetch.h
		73	index 4cce5d1..836c7d7 100644
		74	--- a/src/library/fetch.h
		75	+++ b/src/library/fetch.h
		76	@@ -29,7 +29,8 @@ typedef enum {
		77	* @return A FetchStatus, indicating the operation taken
		78	*/
		79	FetchStatus fetch_uri(const char uri, const char target, bool verbose,
		80	- unsigned int this_percent, unsigned int next_percent);
		81	+ unsigned int this_percent, unsigned int next_percent,
		82	+ const char *cacert_file);
		83
		84	/**
		85	* Attempt to extract the given gzipped file
		86	diff --git a/src/main.c b/src/main.c
		87	index 8e6f158..ae69d47 100644
		88	--- a/src/main.c
		89	+++ b/src/main.c
		90	@@ -280,6 +280,7 @@ static bool csv_mode = false;
		91	static char *modified_stamp = NULL;
		92	static gchar *mapping_file = NULL;
		93	static gchar *output_file = NULL;
		94	+static gchar *cacert_file = NULL;
		95
		96	static GOptionEntry _entries[] = {
		97	{ "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
		98	@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
		99	{ "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
		100	{ "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
		101	{ "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
		102	+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
		103	{ .short_name = 0 }
		104	};
		105
		106	@@ -492,6 +494,7 @@ int main(int argc, char **argv)
		107
		108	quiet = csv_mode \|\| !no_html;
		109	self->output_file = output_file;
		110	+ self->cacert_file = cacert_file;
		111
		112	if (!csv_mode && self->output_file) {
		113	quiet = false;
		114	@@ -530,7 +533,7 @@ int main(int argc, char **argv)
		115	if (status) {
		116	fprintf(stderr, "Update of db forced\n");
		117	cve_db_unlock();
		118	- if (!update_db(quiet, db_path->str)) {
		119	+ if (!update_db(quiet, db_path->str, self->cacert_file)) {
		120	fprintf(stderr, "DB update failure\n");
		121	goto cleanup;
		122	}
		123	diff --git a/src/update-main.c b/src/update-main.c
		124	index 2379cfa..c52d9d0 100644
		125	--- a/src/update-main.c
		126	+++ b/src/update-main.c
		127	@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
		128	static gchar *nvds = NULL;
		129	static bool _show_version = false;
		130	static bool _quiet = false;
		131	+static const char *_cacert_file = NULL;
		132
		133	static GOptionEntry _entries[] = {
		134	{ "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
		135	{ "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
		136	{ "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
		137	+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
		138	{ .short_name = 0 }
		139	};
		140
		141	@@ -88,7 +90,7 @@ int main(int argc, char **argv)
		142	goto end;
		143	}
		144
		145	- if (update_db(_quiet, db_path->str)) {
		146	+ if (update_db(_quiet, db_path->str, _cacert_file)) {
		147	ret = EXIT_SUCCESS;
		148	} else {
		149	fprintf(stderr, "Failed to update database\n");
		150	diff --git a/src/update.c b/src/update.c
		151	index 070560a..8cb4a39 100644
		152	--- a/src/update.c
		153	+++ b/src/update.c
		154	@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
		155
		156	static int do_fetch_update(int year, const char db_dir, CveDB cve_db,
		157	bool db_exist, bool verbose,
		158	- unsigned int this_percent, unsigned int next_percent)
		159	+ unsigned int this_percent, unsigned int next_percent,
		160	+ const char *cacert_file)
		161	{
		162	const char nvd_uri[] = URI_PREFIX;
		163	autofree(cve_string) *uri_meta = NULL;
		164	@@ -331,14 +332,14 @@ refetch:
		165	}
		166
		167	/* Fetch NVD META file */
		168	- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
		169	+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
		170	if (st == FETCH_STATUS_FAIL) {
		171	fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
		172	return -1;
		173	}
		174
		175	/* Fetch NVD XML file */
		176	- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
		177	+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
		178	switch (st) {
		179	case FETCH_STATUS_FAIL:
		180	fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
		181	@@ -391,7 +392,7 @@ refetch:
		182	return 0;
		183	}
		184
		185	-bool update_db(bool quiet, const char *db_file)
		186	+bool update_db(bool quiet, const char db_file, const char cacert_file)
		187	{
		188	autofree(char) *db_dir = NULL;
		189	autofree(CveDB) *cve_db = NULL;
		190	@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
		191	if (!quiet)
		192	fprintf(stderr, "completed: %u%%\r", start_percent);
		193	rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
		194	- start_percent, end_percent);
		195	+ start_percent, end_percent,
		196	+ cacert_file);
		197	switch (rc) {
		198	case 0:
		199	if (!quiet)
		200	diff --git a/src/update.h b/src/update.h
		201	index b8e9911..ceea0c3 100644
		202	--- a/src/update.h
		203	+++ b/src/update.h
		204	@@ -15,7 +15,7 @@ cve_string get_db_path(const char path);
		205
		206	int update_required(const char *db_file);
		207
		208	-bool update_db(bool quiet, const char *db_file);
		209	+bool update_db(bool quiet, const char db_file, const char cacert_file);
		210
		211
		212	/*
		213	--
		214	2.1.4
		215