authorPeter Marko <peter.marko@siemens.com>2024-10-23 11:45:22 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2024-10-25 15:25:33 +0100
commit3b551fc466b992ac09ab04d54ddcb3c36e1dd670 (patch)
tree936a552df0d2db48fd85b3e62c39754791c4771e
parent96a6df7b14c51be156995b79767b9fadd15f9b6e (diff)
downloadpoky-3b551fc466b992ac09ab04d54ddcb3c36e1dd670.tar.gz
cve-check: add support for cvss v4.0
https://nvd.nist.gov/general/news/cvss-v4-0-official-support — CVSS v4.0 was released in November 2023; NVD announced support for it in June 2024. Current stats are: * CVSS v4 provided, but also v3, so cve-check showed a value: sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0; 2069 * only CVSS v4 provided, so cve-check did not show any score: sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0; 260 (From OE-Core rev: 358dbfcd80ae1fa414d294c865dd293670c287f0) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass10
-rw-r--r--meta/classes/vex.bbclass1
-rw-r--r--meta/recipes-core/meta/cve-update-nvd2-native.bb14
-rwxr-xr-xscripts/cve-json-to-text.py2
4 files changed, 19 insertions, 8 deletions
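--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -31,7 +31,7 @@
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
-CVE_CHECK_DB_FILENAME ?= "nvdcve_2-1.db"
+CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db"
 CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
@@ -445,9 +445,10 @@ def get_cve_info(d, cve_data):
  cve_data[row[0]]["NVD-summary"] = row[1]
  cve_data[row[0]]["NVD-scorev2"] = row[2]
  cve_data[row[0]]["NVD-scorev3"] = row[3]
- cve_data[row[0]]["NVD-modified"] = row[4]
- cve_data[row[0]]["NVD-vector"] = row[5]
- cve_data[row[0]]["NVD-vectorString"] = row[6]
+ cve_data[row[0]]["NVD-scorev4"] = row[4]
+ cve_data[row[0]]["NVD-modified"] = row[5]
+ cve_data[row[0]]["NVD-vector"] = row[6]
+ cve_data[row[0]]["NVD-vectorString"] = row[7]
  cursor.close()
  conn.close()
 
@@ -534,6 +535,7 @@ def cve_write_data_json(d, cve_data, cve_status):
  cve_item["summary"] = cve_data[cve]["NVD-summary"]
  cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
  cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+ cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
  cve_item["modified"] = cve_data[cve]["NVD-modified"]
  cve_item["vector"] = cve_data[cve]["NVD-vector"]
  cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]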
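Review bot: The `row[4]` .. `row[7]` indices in get_cve_info are now silently coupled to the column order of the NVD table created in cve-update-nvd2-native.bb, where SCOREV4 was inserted between SCOREV3 and MODIFIED, and nothing in this hunk records that coupling, so the next inserted column would again shift every field behind it without any error. A comment above the first assignment would make the contract explicit: `# Positional fields must match the NVD table column order in cve-update-nvd2-native.bb; bump CVE_CHECK_DB_FILENAME whenever that order changes.` If the cursor comes from a `SELECT *` (the query is outside the hunk), naming the columns in the SELECT would remove the fragility entirely. get_cve_info starts and ends outside the hunk.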
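--- a/meta/classes/vex.bbclass
+++ b/meta/classes/vex.bbclass
@@ -282,6 +282,7 @@ def cve_write_data_json(d, cve_data, cve_status):
  cve_item["summary"] = cve_data[cve]["NVD-summary"]
  cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
  cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+ cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
  cve_item["vector"] = cve_data[cve]["NVD-vector"]
  cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]
  if 'status' in cve_data[cve]: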
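--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -255,7 +255,7 @@ def initialize_db(conn):
  c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
 
  c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
- SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
+ SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
 
  c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
  VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -361,12 +361,18 @@ def update_db(conn, elt):
  cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
  except KeyError:
  pass
+ cvssv3 = cvssv3 or 0.0
+ try:
+ accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector']
+ vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
+ cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']
+ except KeyError:
+ cvssv4 = 0.0
  accessVector = accessVector or "UNKNOWN"
  vectorString = vectorString or "UNKNOWN"
- cvssv3 = cvssv3 or 0.0
 
- conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?)",
- [cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close()
+ conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
 
  try:
  # Remove any pre-existing CVE configuration. Even for partial database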
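Review bot: The new `except KeyError:` around the cvssMetricV40 lookup does not cover an IndexError from `[0]` on an empty `cvssMetricV40` list, which would abort update_db for that entry instead of falling back to 0.0; `except (KeyError, IndexError):` makes the fallback cover both (the same pattern on the cvssMetricV31 line above is pre-existing). Because baseScore is read last inside the try, a missing `attackVector` or `vectorString` key would also zero cvssv4 even when a v4 base score is present — reading `cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']` first, or in its own try, keeps the score independent of the vector fields. Note also that the `accessVector or ...` / `vectorString or ...` chaining means VECTOR and VECTORSTRING keep whatever the v2/v3 handling above the hunk presumably set and only receive a `CVSS:4.0/...` string for v4-only entries, while no column records which CVSS version they belong to; a comment such as `# vector/vectorString keep the v2/v3 values when present; v4 only fills the gap` would make that precedence explicit for consumers of vectorString. update_db starts outside the hunk.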
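--- a/scripts/cve-json-to-text.py
+++ b/scripts/cve-json-to-text.py
@@ -125,6 +125,8 @@ def process_data(filename, data):
  lines += "CVSS v2 BASE SCORE: %s\n" % issue["scorev2"]
  if "scorev3" in issue:
  lines += "CVSS v3 BASE SCORE: %s\n" % issue["scorev3"]
+ if "scorev4" in issue:
+ lines += "CVSS v4 BASE SCORE: %s\n" % issue["scorev4"]
  if "vector" in issue:
  lines += "VECTOR: %s\n" % issue["vector"]
  if "vectorString" in issue: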