Hi,

since last night it affects all branches I tested.
But it doesn't seem to be a format change, rather baseMetricV2 is optional for some entries

e.g.

{
    "cve": {
        "data_type": "CVE",
        "data_format": "MITRE",
        "data_version": "4.0",
        "CVE_data_meta": {
            "ID": "CVE-2020-14725",
            "ASSIGNER": "[email protected]"
        },
        "problemtype": {
            "problemtype_data": [
                {
                    "description": []
                }
            ]
        },
        "references": {
            "reference_data": [
                {
                    "url": "https://www.oracle.com/security-alerts/cpujul2020.html",
                    "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
                    "refsource": "MISC",
                    "tags": []
                }
            ]
        },
        "description": {
            "description_data": [
                {
                    "lang": "en",
                    "value": "..."
                }
            ]
        }
    },
    "configurations": {
        "CVE_data_version": "4.0",
        "nodes": []
    },
    "impact": {
        "baseMetricV3": {
            "cvssV3": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "HIGH",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM"
            },
            "exploitabilityScore": 1.2,
            "impactScore": 3.6
        }
    },
    "publishedDate": "2020-07-24T20:15Z",
    "lastModifiedDate": "2020-07-25T02:01Z"
}

I guess it should be treated like baseMetricV3 - let's see if I can craft a patch for that

BR
Konrad

On 25.07.20 16:52, akuster808 wrote:


On 7/25/20 4:13 AM, Konrad Weihmann wrote:
Hi all,

I'm just too lazy to check if that has been fixed in master already, but since yesterday cve-check breaks on zeus for me with the following

I think I just saw this on master. We need to check if NVD changed their format again.

-armin


File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 91, function: do_populate_cve_db
     0087:            # Update db with current year json file
     0088:            try:
     0089:                response = urllib.request.urlopen(json_url)
     0090:                if response:
 *** 0091:                    update_db(c, gzip.decompress(response.read()).decode('utf-8'))
     0092:                c.execute("insert or replace into META values (?, ?)", [year, last_modified])
     0093:            except urllib.error.URLError as e:
     0094:                cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
     0095:                bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 173, function: update_db
     0169:
     0170:        cveId = elt['cve']['CVE_data_meta']['ID']
     0171:        cveDesc = elt['cve']['description']['description_data'][0]['value']
     0172:        date = elt['lastModifiedDate']
 *** 0173:        accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
     0174:        cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
     0175:
     0176:        try:
     0177:            cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
Exception: KeyError: 'baseMetricV2'

Cheers
Konrad
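
An added example, not part of the thread and not the cve-update-db-native code: one way to read NVD feed items so that both baseMetricV2 and baseMetricV3 are optional, as the entry quoted above requires. The function names, the "UNKNOWN"/0.0 fallbacks and the CVE-0000-* sample items are assumptions made for the example.

```python
import json

def item(cve_id, impact):
    """Build a minimal constructed feed item (not real NVD data)."""
    return {"cve": {"CVE_data_meta": {"ID": cve_id}}, "impact": impact,
            "lastModifiedDate": "2020-07-25T02:01Z"}

# Constructed sample feed. The first item mirrors the V3-only entry quoted in
# the thread; the placeholder IDs CVE-0000-* are made up for the example.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    item("CVE-2020-14725", {"baseMetricV3": {"cvssV3": {
        "attackVector": "NETWORK", "baseScore": 4.9}}}),
    item("CVE-0000-0001", {"baseMetricV2": {"cvssV2": {
        "accessVector": "NETWORK", "baseScore": 5.0}}}),
    item("CVE-0000-0002", {}),                      # not scored yet
    {"impact": {}},                                 # malformed: no "cve" block
]})

def extract_metrics(elt):
    """Return (id, accessVector, cvssv2, cvssv3) with both metric blocks optional.

    The fallbacks ("UNKNOWN", 0.0) are assumptions of this example.
    """
    impact = elt.get("impact") or {}
    v2 = (impact.get("baseMetricV2") or {}).get("cvssV2") or {}
    v3 = (impact.get("baseMetricV3") or {}).get("cvssV3") or {}
    return (elt["cve"]["CVE_data_meta"]["ID"],      # the ID stays mandatory
            v2.get("accessVector", "UNKNOWN"),
            v2.get("baseScore", 0.0),
            v3.get("baseScore", 0.0))

def parse_feed(text):
    """Parse a whole feed; one bad item is counted, not fatal for the update."""
    rows, skipped = [], 0
    for elt in json.loads(text)["CVE_Items"]:
        try:
            rows.append(extract_metrics(elt))
        except (KeyError, TypeError):
            skipped += 1
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = parse_feed(SAMPLE_FEED)
    for row in rows:
        print(row)
    print("skipped:", skipped)
```

A 0.0 stored by this fallback means that no score was published for that CVSS version, so a report built on the database should not read it as low severity.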


