From: Ross Burton <ross.bur...@arm.com>

Some CVEs, such as CVE-2013-6629, list multiple configurations which are
vulnerable. The current JSON parser only considers the first
configuration.

Instead, consider every configuration. We don't yet handle the AND/OR
logical operators, but this is a step in the right direction.

Signed-off-by: Ross Burton <ross.bur...@arm.com>
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb 
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 2b585983ac7..0c627ef2623 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -323,11 +323,12 @@ def update_db(conn, elt):
                 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
 
     try:
-        configurations = elt['cve']['configurations'][0]['nodes']
-        for config in configurations:
-            parse_node_and_insert(conn, config, cveId)
+        for config in elt['cve']['configurations']:
+            # This is suboptimal as it doesn't handle AND/OR and negate, but 
is better than nothing
+            for node in config["nodes"]:
+                parse_node_and_insert(conn, node, cveId)
     except KeyError:
-        bb.debug(2, "Entry without a configuration")
+        bb.debug(2, "CVE %s has no configurations" % cveId)
 
 do_fetch[nostamp] = "1"
 
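Review bot: the `except KeyError` around the new nested loop now covers more than the missing-configurations case. A configuration entry without a `nodes` key in `config["nodes"]`, or a KeyError raised inside `parse_node_and_insert`, lands in the same handler, so a CVE whose second or later configuration is malformed stops part-way through, after earlier nodes were already passed to `parse_node_and_insert`, and is logged as "has no configurations". Consider narrowing the try to the `elt['cve']['configurations']` lookup, or iterating `config.get("nodes", [])`, so the debug message stays accurate and one bad entry does not hide the remaining ones. The in-code comment could also state the practical effect of ignoring the operators: every node of every configuration is passed to `parse_node_and_insert` regardless of AND/OR or negate. As a style point, `config["nodes"]` uses double quotes where the neighbouring lookups use single quotes.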
-- 
2.34.1
