author | Peter Marko <peter.marko@siemens.com> | 2023-06-29 23:12:52 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-10 11:36:34 +0100 |
commit | abe98b03430e06f786e4c60a74cd3324ba5d2d43 (patch) | |
tree | 239a11b187afbe5d4e18325e199645ffd0bf3b6d /meta/recipes-core/meta | |
parent | 773594fd74279f54844cc16949567f70c81176fc (diff) | |
download | poky-abe98b03430e06f786e4c60a74cd3324ba5d2d43.tar.gz |
cve-update-nvd2-native: fix cvssV3 metrics
After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got broken.
Anything which has only cvssV3 does not resolve properly.
Fix the API fields used to extract it.
The count of 0.0 scores is now at the level of NVD DB 1.1.
None of the CVEs that still have an UNKNOWN vector are present in NVD DB 1.1.
NVD API 1.1:
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4776
LOCAL|32146
NETWORK|167746
PHYSICAL|185
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73331
1.8|7
1.9|3
...
NVD API 2.0 (broken):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4587
LOCAL|26273
NETWORK|150421
UNKNOWN|24644
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|205925
NVD API 2.0 (fixed):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|5090
LOCAL|32322
NETWORK|168004
PHYSICAL|213
UNKNOWN|511
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73841
1.8|7
1.9|3
...
(From OE-Core rev: 61a5857efdcc0f49c69c0deb24fce99007aeef19)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/meta')
-rw-r--r-- | meta/recipes-core/meta/cve-update-nvd2-native.bb | 15 |
1 files changed, 11 insertions, 4 deletions
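--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -312,12 +312,19 @@ def update_db(conn, elt):
 cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
 except KeyError:
 cvssv2 = 0.0
+cvssv3 = None
 try:
-accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
-cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
 except KeyError:
-accessVector = accessVector or "UNKNOWN"
-cvssv3 = 0.0
+pass
+try:
+accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+except KeyError:
+pass
+accessVector = accessVector or "UNKNOWN"
+cvssv3 = cvssv3 or 0.0
 
 conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()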
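Review bot: Both new `try` blocks index `[0]` into the metric list but catch only `KeyError`, so a record whose `cvssMetricV30` or `cvssMetricV31` key is present with an empty list would raise `IndexError` out of `update_db` instead of falling back to the defaults. I cannot tell from this hunk whether NVD ever returns such a list, but `except (KeyError, IndexError):` on both handlers would keep one odd record from interrupting the CVE database update. The fallback order also keeps the 3.0 score when a CVE carries both 3.0 and 3.1 metrics, and `[0]` takes whichever entry is listed first regardless of its `type`; if that is intended, a comment such as `# prefer cvssMetricV30, then cvssMetricV31; first entry only` would record it. The `cvssMetricV2` context lines follow the same pattern, and `update_db` starts above the hunk, so how its caller handles an exception is not visible here.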