Message ID | 20230623123250.726731-3-ross.burton@arm.com |
---|---|
State | Accepted, archived |
Commit | e1bf4f6dd686055fe9a8bdcc3f739eac2807bae0 |
Series | [1/4] cve-update-db-native: remove |
On Fri, 23 Jun 2023, 08:32 , <ross.burton@arm.com> wrote: > From: Ross Burton <ross.burton@arm.com> > > Some CVEs, such as CVE-2013-6629, list multiple configurations which are > vulnerable. The current JSON parser only considers the first > configuration. > > Instead, consider every configuration. We don't yet handle the AND/OR > logical operators, but this is a step in the right direction. > > Signed-off-by: Ross Burton <ross.burton@arm.com> > --- > meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb > b/meta/recipes-core/meta/cve-update-nvd2-native.bb > index 2b585983ac7..0c627ef2623 100644 > --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb > +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb > @@ -323,11 +323,12 @@ def update_db(conn, elt): > [cveId, cveDesc, cvssv2, cvssv3, date, > accessVector]).close() > > try: > - configurations = elt['cve']['configurations'][0]['nodes'] > - for config in configurations: > - parse_node_and_insert(conn, config, cveId) > + for config in elt['cve']['configurations']: > + # This is suboptimal as it doesn't handle AND/OR and negate, > but is better than nothing > + for node in config["nodes"]: > + parse_node_and_insert(conn, node, cveId) > except KeyError: > - bb.debug(2, "Entry without a configuration") > + bb.debug(2, "CVE %s has no configurations" % cveId) > > do_fetch[nostamp] = "1" > Looks good to me, thank you Ross. Regards, Marta >
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2b585983ac7..0c627ef2623 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -323,11 +323,12 @@ def update_db(conn, elt): [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() try: - configurations = elt['cve']['configurations'][0]['nodes'] - for config in configurations: - parse_node_and_insert(conn, config, cveId) + for config in elt['cve']['configurations']: + # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing + for node in config["nodes"]: + parse_node_and_insert(conn, node, cveId) except KeyError: - bb.debug(2, "Entry without a configuration") + bb.debug(2, "CVE %s has no configurations" % cveId) do_fetch[nostamp] = "1"
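Review bot: In the new nested loop inside `try:` in update_db, the single `except KeyError` now covers every iteration, so a configuration entry that lacks a "nodes" key aborts the outer loop, skips all remaining configurations for that CVE, and is logged as "CVE %s has no configurations" even though nodes from earlier configurations may already have been passed to parse_node_and_insert. A KeyError raised from within parse_node_and_insert would be reported with the same message. Consider iterating over `elt['cve'].get('configurations', [])` and handling a missing "nodes" key per config with its own debug message, so that one malformed entry does not silently drop the rest and the log message stays accurate. The in-code comment could also say what ignoring AND/OR and negate means for the database contents, since every node of every configuration is now inserted regardless of the operator that joins them.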