diff options
| author | Peter Marko <peter.marko@siemens.com> | 2024-10-25 22:21:01 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-11-02 06:32:36 -0700 |
| commit | b87290f76d5d4a9813d57c52c1252d4e2c39a9e9 (patch) | |
| tree | 27012e4b04a4e1146c5d841c7d2e36da77d05b21 | |
| parent | 24effee3d5b4d1a45c442fab689a8189c8eb2b0a (diff) | |
| download | poky-b87290f76d5d4a9813d57c52c1252d4e2c39a9e9.tar.gz | |
cve-check: add support for cvss v4.0
https://nvd.nist.gov/general/news/cvss-v4-0-official-support
CVSS v4.0 was released in November 2023
NVD announced support for it in June 2024
Current stats are:
* cvss v4 provided, but also v3, so cve-check showed a value
sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0;
2069
* only cvss v4 provided, so cve-check did not show any
sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0;
260
(From OE-Core rev: 358dbfcd80ae1fa414d294c865dd293670c287f0)
(From OE-Core rev: 8c20a7badb6e5d6c6c90176e45e90f776df25298)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 11 | ||||
| -rw-r--r-- | meta/recipes-core/meta/cve-update-nvd2-native.bb | 14 |
2 files changed, 17 insertions, 8 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index b47c61da63..dd9847f366 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}" | |||
| 26 | CVE_VERSION ??= "${PV}" | 26 | CVE_VERSION ??= "${PV}" |
| 27 | 27 | ||
| 28 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" | 28 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" |
| 29 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db" | 29 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-2.db" |
| 30 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" | 30 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" |
| 31 | 31 | ||
| 32 | CVE_CHECK_LOG ?= "${T}/cve.log" | 32 | CVE_CHECK_LOG ?= "${T}/cve.log" |
| @@ -397,9 +397,10 @@ def get_cve_info(d, cves): | |||
| 397 | cve_data[row[0]]["summary"] = row[1] | 397 | cve_data[row[0]]["summary"] = row[1] |
| 398 | cve_data[row[0]]["scorev2"] = row[2] | 398 | cve_data[row[0]]["scorev2"] = row[2] |
| 399 | cve_data[row[0]]["scorev3"] = row[3] | 399 | cve_data[row[0]]["scorev3"] = row[3] |
| 400 | cve_data[row[0]]["modified"] = row[4] | 400 | cve_data[row[0]]["scorev4"] = row[4] |
| 401 | cve_data[row[0]]["vector"] = row[5] | 401 | cve_data[row[0]]["modified"] = row[5] |
| 402 | cve_data[row[0]]["vectorString"] = row[6] | 402 | cve_data[row[0]]["vector"] = row[6] |
| 403 | cve_data[row[0]]["vectorString"] = row[7] | ||
| 403 | cursor.close() | 404 | cursor.close() |
| 404 | conn.close() | 405 | conn.close() |
| 405 | return cve_data | 406 | return cve_data |
| @@ -455,6 +456,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): | |||
| 455 | write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] | 456 | write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] |
| 456 | write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] | 457 | write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] |
| 457 | write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] | 458 | write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] |
| 459 | write_string += "CVSS v4 BASE SCORE: %s\n" % cve_data[cve]["scorev4"] | ||
| 458 | write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] | 460 | write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] |
| 459 | write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] | 461 | write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] |
| 460 | write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) | 462 | write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) |
| @@ -570,6 +572,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): | |||
| 570 | "summary" : cve_data[cve]["summary"], | 572 | "summary" : cve_data[cve]["summary"], |
| 571 | "scorev2" : cve_data[cve]["scorev2"], | 573 | "scorev2" : cve_data[cve]["scorev2"], |
| 572 | "scorev3" : cve_data[cve]["scorev3"], | 574 | "scorev3" : cve_data[cve]["scorev3"], |
| 575 | "scorev4" : cve_data[cve]["scorev4"], | ||
| 573 | "vector" : cve_data[cve]["vector"], | 576 | "vector" : cve_data[cve]["vector"], |
| 574 | "vectorString" : cve_data[cve]["vectorString"], | 577 | "vectorString" : cve_data[cve]["vectorString"], |
| 575 | "status" : status, | 578 | "status" : status, |
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 060545b1e3..b4c46ef756 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb | |||
| @@ -247,7 +247,7 @@ def initialize_db(conn): | |||
| 247 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") | 247 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") |
| 248 | 248 | ||
| 249 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ | 249 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ |
| 250 | SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)") | 250 | SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)") |
| 251 | 251 | ||
| 252 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ | 252 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ |
| 253 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ | 253 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ |
| @@ -353,12 +353,18 @@ def update_db(conn, elt): | |||
| 353 | cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] | 353 | cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] |
| 354 | except KeyError: | 354 | except KeyError: |
| 355 | pass | 355 | pass |
| 356 | cvssv3 = cvssv3 or 0.0 | ||
| 357 | try: | ||
| 358 | accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] | ||
| 359 | vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] | ||
| 360 | cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] | ||
| 361 | except KeyError: | ||
| 362 | cvssv4 = 0.0 | ||
| 356 | accessVector = accessVector or "UNKNOWN" | 363 | accessVector = accessVector or "UNKNOWN" |
| 357 | vectorString = vectorString or "UNKNOWN" | 364 | vectorString = vectorString or "UNKNOWN" |
| 358 | cvssv3 = cvssv3 or 0.0 | ||
| 359 | 365 | ||
| 360 | conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?)", | 366 | conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)", |
| 361 | [cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close() | 367 | [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close() |
| 362 | 368 | ||
| 363 | try: | 369 | try: |
| 364 | # Remove any pre-existing CVE configuration. Even for partial database | 370 | # Remove any pre-existing CVE configuration. Even for partial database |