From 122c106794b3bfe2fede6d3de8e0a8ec8b856c41 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Fri, 23 Jun 2023 13:32:49 +0100 Subject: cve-update-nvd2-native: handle all configuration nodes, not just first Some CVEs, such as CVE-2013-6629, list multiple configurations which are vulnerable. The current JSON parser only considers the first configuration. Instead, consider every configuration. We don't yet handle the AND/OR logical operators, but this is a step in the right direction. (From OE-Core rev: e521d6ce48d3b04eb2d53c710bba18593a908fe3) Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit e1bf4f6dd686055fe9a8bdcc3f739eac2807bae0) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'meta/recipes-core') diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2b585983ac..0c627ef262 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -323,11 +323,12 @@ def update_db(conn, elt): [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() try: - configurations = elt['cve']['configurations'][0]['nodes'] - for config in configurations: - parse_node_and_insert(conn, config, cveId) + for config in elt['cve']['configurations']: + # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing + for node in config["nodes"]: + parse_node_and_insert(conn, node, cveId) except KeyError: - bb.debug(2, "Entry without a configuration") + bb.debug(2, "CVE %s has no configurations" % cveId) do_fetch[nostamp] = "1" -- cgit v1.2.3-54-g00ecf