From: Het Patel <[email protected]> The CVE check system was incorrectly reporting lower CVSS scores when multiple scoring sources were available in the NVD database. This occurred because the code only extracted the first element from the CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary source with a lower score instead of the Primary source with the actual severity score.
This fix takes maximum CVSS score. Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15931 Signed-off-by: Het Patel <[email protected]> --- .../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------ 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 8c8148dd92..41c34ba0d0 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -350,32 +350,55 @@ def update_db(conn, elt): if desc['lang'] == 'en': cveDesc = desc['value'] date = elt['cve']['lastModified'] + + # Extract maximum CVSS scores from all sources (Primary and Secondary) + cvssv2 = 0.0 try: - accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] - vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] - cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV2 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV2']: + score = metric['cvssData']['baseScore'] + if score > cvssv2: + cvssv2 = score + accessVector = metric['cvssData']['accessVector'] + vectorString = metric['cvssData']['vectorString'] except KeyError: - cvssv2 = 0.0 - cvssv3 = None + pass + + cvssv3 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] - cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV30 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV30']: + score = metric['cvssData']['baseScore'] + if score > cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass + try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] - cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV31 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV31']: + score = metric['cvssData']['baseScore'] + if score > cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass - cvssv3 = cvssv3 or 0.0 + + cvssv4 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] - cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV40 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV40']: + score = metric['cvssData']['baseScore'] + if score > cvssv4: + cvssv4 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: - cvssv4 = 0.0 + pass + accessVector = accessVector or "UNKNOWN" vectorString = vectorString or "UNKNOWN"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#229795): https://lists.openembedded.org/g/openembedded-core/message/229795 Mute This Topic: https://lists.openembedded.org/mt/117378342/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
