| Message ID | 20260121092250.3847197-1-hetpat@cisco.com |
|---|---|
| State | New |
| Headers | show |
| Series | [master] cve-update-nvd2-native: Use maximum CVSS score from all sources | expand |
Hello,

On Wed, Jan 21, 2026 at 10:22, Het Patel via lists.openembedded.org <hetpat=cisco.com@lists.openembedded.org> wrote:
> From: Het Patel <hetpat@cisco.com>
>
> The CVE check system was incorrectly reporting lower CVSS scores when
> multiple scoring sources were available in the NVD database. This
> occurred because the code only extracted the first element from the
> CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
> source with a lower score instead of the Primary source with the
> actual severity score.
>
> This fix takes maximum CVSS score.
>
> Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15931

The proper way to reference a bug is "Fixes [YOCTO #bug-id]" (see https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html#implement-and-commit-changes ).

You don't need to specify [master] in the subject as it is the default.

When you send a new patch following reviews, please increment its version: [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...
For example, now, you could send a "[PATCH v2] cve-update-nvd2-native: Use maximum CVSS score from all sources".

Thanks!

> Signed-off-by: Het Patel <hetpat@cisco.com>
> ---
>  .../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
>  1 file changed, 39 insertions(+), 16 deletions(-)
>
> diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> index 8c8148dd92..41c34ba0d0 100644
> --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
> +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> @@ -350,32 +350,55 @@ def update_db(conn, elt): > if desc['lang'] == 'en': > cveDesc = desc['value'] > date = elt['cve']['lastModified'] > + > + # Extract maximum CVSS scores from all sources (Primary and Secondary) > + cvssv2 = 0.0 > try: > - accessVector = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] > - vectorString = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] > - cvssv2 = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV2 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV2']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv2: > + cvssv2 = score > + accessVector = metric['cvssData']['accessVector'] > + vectorString = metric['cvssData']['vectorString'] > except KeyError: > - cvssv2 = 0.0 > - cvssv3 = None > + pass > + > + cvssv3 = 0.0 > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] > - cvssv3 = > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV30 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV30']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv3: > + cvssv3 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > pass > + > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] > - cvssv3 = cvssv3 or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV31 entries and find the maximum > 
score > + for metric in elt['cve']['metrics']['cvssMetricV31']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv3: > + cvssv3 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > pass > - cvssv3 = cvssv3 or 0.0 > + > + cvssv4 = 0.0 > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] > - cvssv4 = > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV40 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV40']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv4: > + cvssv4 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > - cvssv4 = 0.0 > + pass > + > accessVector = accessVector or "UNKNOWN" > vectorString = vectorString or "UNKNOWN" > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#229800): > https://lists.openembedded.org/g/openembedded-core/message/229800 > Mute This Topic: https://lists.openembedded.org/mt/117378826/4316185 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > yoann.congal@smile.fr] > -=-=-=-=-=-=-=-=-=-=-=- > >
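Review bot: the selection policy in the update_db hunk does not match the rationale given in the commit message. The message says the first array element "could be a Secondary source with a lower score instead of the Primary source with the actual severity score", but the four loops keep whichever entry has the highest baseScore, so a Secondary entry that scores above the Primary now wins; either say in the message that the maximum is the intended policy, or select the entry of the Primary source and fall back to the maximum only when there is none. Two smaller points on the same hunk: in the V30, V31 and V40 loops the vector fields are set with `accessVector = accessVector or metric['cvssData']['attackVector']`, so they keep the value from the first array that had one (normally the V2 entry) rather than from the entry whose score was stored in cvssv3 or cvssv4, and all four loops rely on accessVector and vectorString being initialised before the hunk, which the shown context does not include; and the four near-identical try/for blocks could be one helper taking the metrics key and the vector field name ('accessVector' for V2, 'attackVector' otherwise), which would also make the except KeyError: pass fallback a single place to audit.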
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 8c8148dd92..41c34ba0d0 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb 
@@ -350,32 +350,55 @@ def update_db(conn, elt): if desc['lang'] == 'en': cveDesc = desc['value'] date = elt['cve']['lastModified'] + + # Extract maximum CVSS scores from all sources (Primary and Secondary) + cvssv2 = 0.0 try: - accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] - vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] - cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV2 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV2']: + score = metric['cvssData']['baseScore'] + if score > cvssv2: + cvssv2 = score + accessVector = metric['cvssData']['accessVector'] + vectorString = metric['cvssData']['vectorString'] except KeyError: - cvssv2 = 0.0 - cvssv3 = None + pass + + cvssv3 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] - cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV30 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV30']: + score = metric['cvssData']['baseScore'] + if score > cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass + try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] - cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV31 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV31']: + score = metric['cvssData']['baseScore'] + if score > 
cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass - cvssv3 = cvssv3 or 0.0 + + cvssv4 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] - cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV40 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV40']: + score = metric['cvssData']['baseScore'] + if score > cvssv4: + cvssv4 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: - cvssv4 = 0.0 + pass + accessVector = accessVector or "UNKNOWN" vectorString = vectorString or "UNKNOWN"
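The commit message above describes the pre-patch policy (first element of each NVD metrics array) and the patch's policy (highest baseScore). The following is an added example for this thread, not code from cve-update-nvd2-native.bb or from the patch: it builds NVD API 2.0-shaped `cve` elements with constructed values and runs both policies, plus a third that prefers the entry marked Primary, so the three can be compared on the same input. The `type` field with values "Primary"/"Secondary" is an assumption taken from the NVD 2.0 schema; the patch itself does not read it. The arrays, field names and the `accessVector or ...` chaining mirror what the hunk shows.

```python
"""Choosing a CVSS score when NVD returns several metric entries.

Added example, not the recipe's or the patch's code. The 'type' field
("Primary"/"Secondary") is assumed from the NVD 2.0 schema; all values
below are constructed.
"""

# Metrics arrays in the order the recipe consults them, the vector field each
# CVSS version uses (v2: accessVector, v3/v4: attackVector) and the output slot.
METRIC_KEYS = (
    ("cvssMetricV2", "accessVector", "cvssv2"),
    ("cvssMetricV30", "attackVector", "cvssv3"),
    ("cvssMetricV31", "attackVector", "cvssv3"),
    ("cvssMetricV40", "attackVector", "cvssv4"),
)


def _v31(type_, score, attack_vector, vector):
    """One cvssMetricV31 entry in the NVD 2.0 shape (constructed data)."""
    return {"type": type_,
            "cvssData": {"version": "3.1", "baseScore": score,
                         "attackVector": attack_vector, "vectorString": vector}}


# Constructed sample 1, the bug report's case: a Secondary entry is listed first
# with a low score and the Primary entry with the real severity comes second.
SECONDARY_FIRST = {"cve": {"metrics": {"cvssMetricV31": [
    _v31("Secondary", 2.2, "LOCAL", "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"),
    _v31("Primary", 9.8, "NETWORK", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]}}}

# Constructed sample 2: the Secondary entry scores higher than the Primary one.
# Here "take the maximum" and "take the Primary" give different answers.
SECONDARY_HIGHER = {"cve": {"metrics": {"cvssMetricV31": [
    _v31("Primary", 5.3, "NETWORK", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    _v31("Secondary", 7.5, "NETWORK", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
]}}}

# Constructed sample 3: no metrics at all (an entry still awaiting analysis).
NO_METRICS = {"cve": {"metrics": {}}}


def first_entry(elt, key):
    """Pre-patch policy: element [0] of the array, whatever its type."""
    entries = elt["cve"]["metrics"].get(key, [])
    return entries[0] if entries else None


def max_entry(elt, key):
    """Patch policy: the entry with the highest baseScore; ties keep the first."""
    best = None
    for metric in elt["cve"]["metrics"].get(key, []):
        if best is None or metric["cvssData"]["baseScore"] > best["cvssData"]["baseScore"]:
            best = metric
    return best


def primary_entry(elt, key):
    """Alternative policy: the entry typed Primary, else fall back to the maximum."""
    for metric in elt["cve"]["metrics"].get(key, []):
        if metric.get("type") == "Primary":
            return metric
    return max_entry(elt, key)


def select_metrics(elt, choose):
    """Produce the fields the recipe stores (cvssv2, cvssv3, cvssv4,
    accessVector, vectorString) using choose(elt, key) to pick one entry per
    metrics array. V30 and V31 share the cvssv3 slot and the higher one wins;
    the vector fields come from the first array that yielded an entry, which
    is what the recipe's 'accessVector or ...' chain does."""
    out = {"cvssv2": 0.0, "cvssv3": 0.0, "cvssv4": 0.0,
           "accessVector": None, "vectorString": None}
    for key, vector_field, slot in METRIC_KEYS:
        entry = choose(elt, key)
        if entry is None:
            continue
        data = entry["cvssData"]
        out[slot] = max(out[slot], data["baseScore"])
        out["accessVector"] = out["accessVector"] or data[vector_field]
        out["vectorString"] = out["vectorString"] or data["vectorString"]
    out["accessVector"] = out["accessVector"] or "UNKNOWN"
    out["vectorString"] = out["vectorString"] or "UNKNOWN"
    return out


if __name__ == "__main__":
    for name, elt in (("secondary first", SECONDARY_FIRST),
                      ("secondary higher", SECONDARY_HIGHER),
                      ("no metrics", NO_METRICS)):
        for policy in (first_entry, max_entry, primary_entry):
            r = select_metrics(elt, policy)
            print(f"{name:17} {policy.__name__:14} cvssv3={r['cvssv3']:<4} "
                  f"{r['accessVector']:8} {r['vectorString']}")
```

On sample 1 the first-element policy reports 2.2 with a LOCAL vector while both other policies report 9.8 with the NETWORK vector, which is the bug the thread is about. Sample 2 is the case the patch does not discuss: the maximum policy stores 7.5 from the Secondary entry, the Primary policy stores 5.3, so which one a build should trust is a choice to make explicitly rather than a side effect of array order.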