From: Ross Burton <ross.bur...@arm.com> Some CVEs, such as CVE-2013-6629, list multiple configurations which are vulnerable. The current JSON parser only considers the first configuration.
Instead, consider every configuration. We don't yet handle the AND/OR logical operators, but this is a step in the right direction. Signed-off-by: Ross Burton <ross.bur...@arm.com> --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2b585983ac7..0c627ef2623 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -323,11 +323,12 @@ def update_db(conn, elt): [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() try: - configurations = elt['cve']['configurations'][0]['nodes'] - for config in configurations: - parse_node_and_insert(conn, config, cveId) + for config in elt['cve']['configurations']: + # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing + for node in config["nodes"]: + parse_node_and_insert(conn, node, cveId) except KeyError: - bb.debug(2, "Entry without a configuration") + bb.debug(2, "CVE %s has no configurations" % cveId) do_fetch[nostamp] = "1" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#183328): https://lists.openembedded.org/g/openembedded-core/message/183328 Mute This Topic: https://lists.openembedded.org/mt/99717256/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-