@@ -31,7 +31,7 @@
CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
-CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db"
+CVE_CHECK_DB_FILENAME ?= "nvdcve_2-3.db"
CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
@@ -449,12 +449,14 @@ def get_cve_info(d, cve_data):
continue
#cve_data[row[0]] = {}
cve_data[row[0]]["NVD-summary"] = row[1]
- cve_data[row[0]]["NVD-scorev2"] = row[2]
- cve_data[row[0]]["NVD-scorev3"] = row[3]
- cve_data[row[0]]["NVD-scorev4"] = row[4]
- cve_data[row[0]]["NVD-modified"] = row[5]
- cve_data[row[0]]["NVD-vector"] = row[6]
- cve_data[row[0]]["NVD-vectorString"] = row[7]
+ cve_data[row[0]]["NVD-vectorStringV2"] = row[2]
+ cve_data[row[0]]["NVD-scorev2"] = row[3]
+ cve_data[row[0]]["NVD-vectorStringV3"] = row[4]
+ cve_data[row[0]]["NVD-scorev3"] = row[5]
+ cve_data[row[0]]["NVD-vectorStringV4"] = row[6]
+ cve_data[row[0]]["NVD-scorev4"] = row[7]
+ cve_data[row[0]]["NVD-modified"] = row[8]
+ cve_data[row[0]]["NVD-vector"] = row[9]
cursor.close()
conn.close()
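Review bot: The re-numbered `row[2]`…`row[9]` reads in this hunk bind the NVD-* keys purely to the column order declared in initialize_db's CREATE TABLE; if the query above the hunk is still `SELECT * FROM NVD ...` (not visible here), a future column reorder, or a stale database kept by `CREATE TABLE IF NOT EXISTS` under a user-overridden `CVE_CHECK_DB_FILENAME`, mislabels fields (a score landing in `NVD-vectorStringV2`) before the `row[8]` read finally fails. Naming the columns, `SELECT ID, SUMMARY, VECTORSTRINGV2, SCOREV2, VECTORSTRINGV3, SCOREV3, VECTORSTRINGV4, SCOREV4, MODIFIED, VECTOR FROM NVD WHERE ID IS ?`, pins the mapping to the schema and turns a mismatch into a loud missing-column error. A one-line comment above the `row[1]` assignment stating the expected column order would help the next person who touches either file. get_cve_info begins outside the hunk.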
@@ -539,12 +541,14 @@ def cve_write_data_json(d, cve_data, cve_status):
}
if 'NVD-summary' in cve_data[cve]:
cve_item["summary"] = cve_data[cve]["NVD-summary"]
+ cve_item["vectorStringV2"] = cve_data[cve]["NVD-vectorStringV2"]
cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
+ cve_item["vectorStringV3"] = cve_data[cve]["NVD-vectorStringV3"]
cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+ cve_item["vectorStringV4"] = cve_data[cve]["NVD-vectorStringV4"]
cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
cve_item["modified"] = cve_data[cve]["NVD-modified"]
cve_item["vector"] = cve_data[cve]["NVD-vector"]
- cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]
if 'status' in cve_data[cve]:
cve_item["detail"] = cve_data[cve]["status"]
if 'justification' in cve_data[cve]:
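Review bot: Removing `vectorString` at the deleted line is a consumer-visible change to the JSON report, and nothing in the hunk signals it: any out-of-tree tool parsing cve-check output loses the field with no version cue. Consider keeping `cve_item["vectorString"]` emitted for a deprecation period alongside the new keys (the old value was the first of the v2/v3.0/v3.1/v4 vectors present, per the removed `vectorString = vectorString or ...` chain in update_db), or bumping whatever format-version marker the report header carries, if one exists outside the hunk. The three new lookups are unconditional inside the `NVD-summary` branch and so rely on get_cve_info always populating all three keys; a comment such as `# get_cve_info sets every NVD-* key together, so no per-key guard is needed` would make that coupling explicit. cve_write_data_json starts before the hunk.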
@@ -280,11 +280,13 @@ def cve_write_data_json(d, cve_data, cve_status):
}
if 'NVD-summary' in cve_data[cve]:
cve_item["summary"] = cve_data[cve]["NVD-summary"]
+ cve_item["vectorStringV2"] = cve_data[cve]["NVD-vectorStringV2"]
cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
+ cve_item["vectorStringV3"] = cve_data[cve]["NVD-vectorStringV3"]
cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+ cve_item["vectorStringV4"] = cve_data[cve]["NVD-vectorStringV4"]
cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
cve_item["vector"] = cve_data[cve]["NVD-vector"]
- cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]
if 'status' in cve_data[cve]:
cve_item["detail"] = cve_data[cve]["status"]
if 'justification' in cve_data[cve]:
@@ -259,8 +259,11 @@ def initialize_db(conn):
c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
- c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
- SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
+ c.execute(
+ "CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+ VECTORSTRINGV2 TEXT, SCOREV2 TEXT, VECTORSTRINGV3 TEXT, SCOREV3 TEXT, \
+ VECTORSTRINGV4 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT)"
+ )
c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -334,7 +337,9 @@ def update_db(conn, elt):
"""
accessVector = None
- vectorString = None
+ vectorStringV2 = None
+ vectorStringV3 = None
+ vectorStringV4 = None
cveId = elt['cve']['id']
if elt['cve']['vulnStatus'] == "Rejected":
c = conn.cursor()
@@ -349,35 +354,50 @@ def update_db(conn, elt):
date = elt['cve']['lastModified']
try:
accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
- vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
+ vectorStringV2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
except KeyError:
cvssv2 = 0.0
cvssv3 = None
try:
accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
+ vectorStringV3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
except KeyError:
pass
try:
accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
+ vectorStringV3 = elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
except KeyError:
pass
cvssv3 = cvssv3 or 0.0
try:
accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
+ vectorStringV4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']
except KeyError:
cvssv4 = 0.0
accessVector = accessVector or "UNKNOWN"
- vectorString = vectorString or "UNKNOWN"
-
- conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
- [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
+ vectorStringV2 = vectorStringV2 or "UNKNOWN"
+ vectorStringV3 = vectorStringV3 or "UNKNOWN"
+ vectorStringV4 = vectorStringV4 or "UNKNOWN"
+
+ conn.execute(
+ "insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+ [
+ cveId,
+ cveDesc,
+ vectorStringV2,
+ cvssv2,
+ vectorStringV3,
+ cvssv3,
+ vectorStringV4,
+ cvssv4,
+ date,
+ accessVector,
+ ],
+ ).close()
try:
# Remove any pre-existing CVE configuration. Even for partial database
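Review bot: The v3 vector string and v3 score can now describe different metric sets: the added line in the cvssMetricV31 block unconditionally overwrites `vectorStringV3` with the 3.1 vector, while the unchanged `cvssv3 = cvssv3 or ...` keeps the 3.0 baseScore whenever a 3.0 entry was found first, so a CVE carrying both stores a 3.1 vector next to a 3.0 score. Make the score follow the same preference as the vector, `cvssv3 = elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']` in that block, with a comment `# v3.1 is preferred over v3.0 for both the vector string and the score`. The surrounding `except KeyError` clauses also do not cover an empty `cvssMetricV*` list, should the feed ever return one, because the `[0]` index raises IndexError; `except (KeyError, IndexError)` would let such entries fall through to the defaults instead of aborting the whole update. update_db continues past the hunk.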
@@ -121,16 +121,20 @@ def process_data(filename, data):
lines += "CVE DESCRIPTION: %s\n" % issue["description"]
if "summary" in issue:
lines += "CVE SUMMARY: %s\n" % issue["summary"]
+ if "vectorStringV2" in issue:
+ lines += "VECTORSTRING v2: %s\n" % issue["vectorStringV2"]
if "scorev2" in issue:
lines += "CVSS v2 BASE SCORE: %s\n" % issue["scorev2"]
+ if "vectorStringV3" in issue:
+ lines += "VECTORSTRING v3: %s\n" % issue["vectorStringV3"]
if "scorev3" in issue:
lines += "CVSS v3 BASE SCORE: %s\n" % issue["scorev3"]
+ if "vectorStringV4" in issue:
+ lines += "VECTORSTRING v4: %s\n" % issue["vectorStringV4"]
if "scorev4" in issue:
lines += "CVSS v4 BASE SCORE: %s\n" % issue["scorev4"]
if "vector" in issue:
lines += "VECTOR: %s\n" % issue["vector"]
- if "vectorString" in issue:
- lines += "VECTORSTRING: %s\n" % issue["vectorString"]
lines += "MORE INFORMATION: https://nvd.nist.gov/vuln/detail/%s\n" % issue["id"]
lines += "\n"
Currently, cve-check includes a vector string for each CVE included in the issue list for each package. This vector string is the lowest CVSS version that's available. For example, if a CVE has both a v2 and v3.1 vector string, only the v2 vector string is included. This patch adds each supported vector string (v2, v3, and v4). For v3, v3.1 is preferred over v3. If a vector string is not available for a given version, the string will default to "UNKNOWN". Signed-off-by: Colin McAllister <colinmca242@gmail.com> --- This is an alternative patch to "cve-update-nvd2-native: Update vector logic" where each versioned vector string is attempted to be included. This does introduce a breaking API change, where vectorString has been removed and replaced with the versioned vectorString variables. I tried to update all references to the current use of vector strings, but I was a little confused looking at meta/lib/oe/spdx30.py. I'm not sure if this change will affect that file. I did turn on SPDX generation and ran another build. I looked at the outputs, but didn't see any vector string output. meta/classes/cve-check.bbclass | 20 +++++---- meta/classes/vex.bbclass | 4 +- .../meta/cve-update-nvd2-native.bb | 42 ++++++++++++++----- scripts/cve-json-to-text.py | 8 +++- 4 files changed, 52 insertions(+), 22 deletions(-)