summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@arm.com>2023-07-11 12:54:47 +0100
committerSteve Sakoman <steve@sakoman.com>2023-07-13 06:42:46 -1000
commit471318ae2f6b3c142822001f4a18e2fed8c78f1a (patch)
treeacfece47c27ee3bc5f2f8d3014416f9c4c05301a
parent8a140722956c0f17845bfa02ed9dd220fd87a72c (diff)
downloadpoky-471318ae2f6b3c142822001f4a18e2fed8c78f1a.tar.gz
cve-update-nvd2-native: actually use API keys
There were vestigal remains of API key support which could be removed, but as using an API key - in theory - gives the user larger rate limits it's probably wise to expose it. If the user has an API key, then set NVDCVE_API_KEY. (From OE-Core rev: 200c2783b3f8546f561382fff6bd5268680d403a) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a542de684282bfec79f24ae2f1a2027ffde319d8) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat
-rw-r--r--meta/recipes-core/meta/cve-update-nvd2-native.bb23
1 files changed, 12 insertions, 11 deletions
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 8a48e3ddc3..2f7dad7e82 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -17,6 +17,10 @@ deltask do_populate_sysroot
17 17
18NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0" 18NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0"
19 19
20# If you have a NVD API key (https://nvd.nist.gov/developers/request-an-api-key)
21# then setting this to get higher rate limits.
22NVDCVE_API_KEY ?= ""
23
20# CVE database update interval, in seconds. By default: once a day (24*60*60). 24# CVE database update interval, in seconds. By default: once a day (24*60*60).
21# Use 0 to force the update 25# Use 0 to force the update
22# Use a negative value to skip the update 26# Use a negative value to skip the update
@@ -121,19 +125,14 @@ def nvd_request_next(url, api_key, args):
121 import http 125 import http
122 import time 126 import time
123 127
124 headers = {} 128 request = urllib.request.Request(url + "?" + urllib.parse.urlencode(args))
125 if api_key: 129 if api_key:
126 headers['apiKey'] = api_key 130 request.add_header("apiKey", api_key)
127 131 bb.note("Requesting %s" % request.full_url)
128 bb.note("Requesting %s" % str(args))
129
130 data = urllib.parse.urlencode(args)
131
132 full_request = url + '?' + data
133 132
134 for attempt in range(5): 133 for attempt in range(5):
135 try: 134 try:
136 r = urllib.request.urlopen(full_request) 135 r = urllib.request.urlopen(request)
137 136
138 if (r.headers['content-encoding'] == 'gzip'): 137 if (r.headers['content-encoding'] == 'gzip'):
139 buf = r.read() 138 buf = r.read()
@@ -144,7 +143,7 @@ def nvd_request_next(url, api_key, args):
144 r.close() 143 r.close()
145 144
146 except Exception as e: 145 except Exception as e:
147 bb.note("CVE database: received error (%s), retrying (request: %s)" % (e, full_request)) 146 bb.note("CVE database: received error (%s), retrying" % (e))
148 time.sleep(6) 147 time.sleep(6)
149 pass 148 pass
150 else: 149 else:
@@ -186,9 +185,11 @@ def update_db_file(db_tmp_file, d, database_time):
186 bb.note("Updating entries") 185 bb.note("Updating entries")
187 index = 0 186 index = 0
188 url = d.getVar("NVDCVE_URL") 187 url = d.getVar("NVDCVE_URL")
188 api_key = d.getVar("NVDCVE_API_KEY") or None
189
189 while True: 190 while True:
190 req_args['startIndex'] = index 191 req_args['startIndex'] = index
191 raw_data = nvd_request_next(url, None, req_args) 192 raw_data = nvd_request_next(url, api_key, req_args)
192 if raw_data is None: 193 if raw_data is None:
193 # We haven't managed to download data 194 # We haven't managed to download data
194 return False 195 return False
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-01-22 07:52:45 +0000