On Fri, 23 Jun 2023, 08:32 , <ross.bur...@arm.com> wrote: > From: Ross Burton <ross.bur...@arm.com> > > Some CVEs, such as CVE-2013-6629, list multiple configurations which are > vulnerable. The current JSON parser only considers the first > configuration. > > Instead, consider every configuration. We don't yet handle the AND/OR > logical operators, but this is a step in the right direction. > > Signed-off-by: Ross Burton <ross.bur...@arm.com> > --- > meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb > b/meta/recipes-core/meta/cve-update-nvd2-native.bb > index 2b585983ac7..0c627ef2623 100644 > --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb > +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb > @@ -323,11 +323,12 @@ def update_db(conn, elt): > [cveId, cveDesc, cvssv2, cvssv3, date, > accessVector]).close() > > try: > - configurations = elt['cve']['configurations'][0]['nodes'] > - for config in configurations: > - parse_node_and_insert(conn, config, cveId) > + for config in elt['cve']['configurations']: > + # This is suboptimal as it doesn't handle AND/OR and negate, > but is better than nothing > + for node in config["nodes"]: > + parse_node_and_insert(conn, node, cveId) > except KeyError: > - bb.debug(2, "Entry without a configuration") > + bb.debug(2, "CVE %s has no configurations" % cveId) > > do_fetch[nostamp] = "1" >
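Review bot: The `except KeyError` that closes the `try` block in `update_db` now covers three different failures: a CVE with no `configurations` key, a single configuration with no `nodes` key, and any KeyError raised inside `parse_node_and_insert`. All three are logged as "CVE %s has no configurations", and the last two abort the outer loop after earlier configurations may already have been inserted, so the database can hold a partial set of rows for that CVE behind a misleading debug message. Consider reading the list before the loop, for example `elt['cve'].get('configurations', [])`, logging the no-configurations case only when that list is empty, and handling a missing `nodes` per configuration so the remaining configurations are still processed. Since the added comment notes that AND/OR and negate are not handled, it would also help to say in the commit message that every node of every configuration is inserted unconditionally, so consumers of the database know the match is broader than the NVD logic.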
Looks good to me, thank you Ross. Regards, Marta