On Wed, Nov 27, 2024 at 1:59 PM Colin McAllister via lists.openembedded.org <[email protected]> wrote:
> The database used by cve-check currently stores the access vector and > vector string for the oldest CVSS version for each CVE. This should be > reversed, where the newest possible CVSS version is included instead. > > Signed-off-by: Colin McAllister <[email protected]> > --- > meta/classes/cve-check.bbclass | 2 +- > meta/recipes-core/meta/cve-update-nvd2-native.bb | 12 ++++++------ > 2 files changed, 7 insertions(+), 7 deletions(-) > > diff --git a/meta/classes/cve-check.bbclass > b/meta/classes/cve-check.bbclass > index 0c92b87f52..c4cbcdf8e3 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -31,7 +31,7 @@ > CVE_PRODUCT ??= "${BPN}" > CVE_VERSION ??= "${PV}" > > -CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" > +CVE_CHECK_DB_FILENAME ?= "nvdcve_2-3.db" > CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" > CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" > CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" > diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb > b/meta/recipes-core/meta/cve-update-nvd2-native.bb > index a68a8bb89f..e111709b22 100644 > --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb > +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb 
> @@ -355,21 +355,21 @@ def update_db(conn, elt): > cvssv2 = 0.0 > cvssv3 = None > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] > + accessVector = > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] > + vectorString = > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] > cvssv3 = > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] > except KeyError: > pass > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] > + accessVector = > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] > + vectorString = > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] > cvssv3 = cvssv3 or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] > except KeyError: > pass > cvssv3 = cvssv3 or 0.0 > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] > + accessVector = > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] > + vectorString = > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] > cvssv4 = > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] > except KeyError: > cvssv4 = 0.0 > -- > When we're at this patch... I'm wondering if anyone is actually using the vectorString from our database for any processing? In other terms, is someone extracting parts of the vector (like network vulnerabilities)? Or we can just remove it and people who want it, will have a look in other places? 
test_image_json is not checking for the vector string, most likely time outs when downloading the database.

Kind regards,
Marta
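
Review bot: the CVE_CHECK_DB_FILENAME change in meta/classes/cve-check.bbclass (nvdcve_2-2.db to nvdcve_2-3.db) is not explained in the commit message, which only describes the switch from the oldest to the newest CVSS version. If the rename is there so that databases already populated with the oldest-version vectors are not reused, please say so in the message, so the reason for the bump is on record alongside the behaviour change.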
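
Review bot: in update_db, the unchanged context line `cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']` still keeps the 3.0 base score when both cvssMetricV30 and cvssMetricV31 are present, while accessVector and vectorString are now overwritten with the 3.1 values, so a row can pair a 3.0 score with a 3.1 vector. If the newest version is meant to win throughout, assign the V31 score unconditionally as well and leave the V30 value as the fallback when the V31 lookup raises KeyError. Separately, each try block now assigns accessVector before vectorString, so a record that has attackVector but no vectorString for the newer version ends up with the two fields taken from different CVSS versions; reading both values into temporaries and assigning them together after both lookups succeed would avoid that.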
View/Reply Online (#207994): https://lists.openembedded.org/g/openembedded-core/message/207994
