authorPeter Marko <peter.marko@siemens.com>2023-06-29 23:12:52 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2023-07-10 11:36:34 +0100
commitabe98b03430e06f786e4c60a74cd3324ba5d2d43 (patch)
tree239a11b187afbe5d4e18325e199645ffd0bf3b6d /meta/recipes-core/meta
parent773594fd74279f54844cc16949567f70c81176fc (diff)
cve-update-nvd2-native: fix cvssV3 metrics
After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got broken. Anything which has only cvssV3 does not resolve properly. Fix the API fields used to extract it. 0.0 score is now at level of NVD DB 1.1. All CVEs with UNKNOWN vector are not present in NVD DB 1.1. NVD API 1.1: sqlite> select vector, count(vector) from nvd group by vector; ADJACENT_NETWORK|4776 LOCAL|32146 NETWORK|167746 PHYSICAL|185 sqlite> select scorev3, count(scorev3) from nvd group by scorev3; 0.0|73331 1.8|7 1.9|3 ... NVD API 2.0 (broken): sqlite> select vector, count(vector) from nvd group by vector; ADJACENT_NETWORK|4587 LOCAL|26273 NETWORK|150421 UNKNOWN|24644 sqlite> select scorev3, count(scorev3) from nvd group by scorev3; 0.0|205925 NVD API 2.0 (fixed): sqlite> select vector, count(vector) from nvd group by vector; ADJACENT_NETWORK|5090 LOCAL|32322 NETWORK|168004 PHYSICAL|213 UNKNOWN|511 sqlite> select scorev3, count(scorev3) from nvd group by scorev3; 0.0|73841 1.8|7 1.9|3 ... (From OE-Core rev: 61a5857efdcc0f49c69c0deb24fce99007aeef19) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/meta')
-rw-r--r--meta/recipes-core/meta/cve-update-nvd2-native.bb15
1 files changed, 11 insertions, 4 deletions
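diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 61f4d47f96..c85df23f59 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -312,12 +312,19 @@ def update_db(conn, elt):
 cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
 except KeyError:
 cvssv2 = 0.0
+cvssv3 = None
 try:
-accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
-cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
 except KeyError:
-accessVector = accessVector or "UNKNOWN"
-cvssv3 = 0.0
+pass
+try:
+accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+except KeyError:
+pass
+accessVector = accessVector or "UNKNOWN"
+cvssv3 = cvssv3 or 0.0
 
 conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()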
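Review bot: Both new lookups index `[0]` into the metric list but catch only `KeyError`, so a record whose `cvssMetricV30` or `cvssMetricV31` key is present with an empty list would raise `IndexError` and abort the database update instead of falling through to the `"UNKNOWN"` / `0.0` defaults; `except (KeyError, IndexError):` on both handlers would keep the fallback path. The `cvssMetricV30` block also runs first and `cvssv3 = cvssv3 or ...` only consults `cvssMetricV31` when no 3.0 score was found, so if a record carries both, the older 3.0 score is the one stored; trying `cvssMetricV31` first would prefer the newer scoring. A short comment above the two blocks stating which version wins, and that `[0]` takes the first entry whatever its source, would help whoever later triages CVE severity from this table. The body of `update_db` starts before this hunk, so how `accessVector` is initialised from the v2 metrics is not visible here.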