Hello,

On Wed, 21 Jan 2026 at 10:22, Het Patel via lists.openembedded.org <hetpat= [email protected]> wrote:
> From: Het Patel <[email protected]>
>
> The CVE check system was incorrectly reporting lower CVSS scores when
> multiple scoring sources were available in the NVD database. This
> occurred because the code only extracted the first element from the
> CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
> source with a lower score instead of the Primary source with the
> actual severity score.
>
> This fix takes the maximum CVSS score.
>
> Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15931

The proper way to reference a bug is "Fixes [YOCTO #bug-id]" (see https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html#implement-and-commit-changes )

You don't need to specify [master] in the subject as it is the default.

When you send a new patch following reviews, please increment its version: [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...
For example, now, you could send a "[PATCH v2] cve-update-nvd2-native: Use maximum CVSS score from all sources"

Thanks!

> Signed-off-by: Het Patel <[email protected]>
> ---
>  .../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
>  1 file changed, 39 insertions(+), 16 deletions(-)
>
> diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> index 8c8148dd92..41c34ba0d0 100644
> --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
> +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> @@ -350,32 +350,55 @@ def update_db(conn, elt): > if desc['lang'] == 'en': > cveDesc = desc['value'] > date = elt['cve']['lastModified'] > + > + # Extract maximum CVSS scores from all sources (Primary and Secondary) > + cvssv2 = 0.0 > try: > - accessVector = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] > - vectorString = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] > - cvssv2 = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV2 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV2']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv2: > + cvssv2 = score > + accessVector = metric['cvssData']['accessVector'] > + vectorString = metric['cvssData']['vectorString'] > except KeyError: > - cvssv2 = 0.0 > - cvssv3 = None > + pass > + > + cvssv3 = 0.0 > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] > - cvssv3 = > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV30 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV30']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv3: > + cvssv3 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > pass > + > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] > - cvssv3 = cvssv3 or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV31 entries and find the maximum > 
score > + for metric in elt['cve']['metrics']['cvssMetricV31']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv3: > + cvssv3 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > pass > - cvssv3 = cvssv3 or 0.0 > + > + cvssv4 = 0.0 > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] > - cvssv4 = > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV40 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV40']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv4: > + cvssv4 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > - cvssv4 = 0.0 > + pass > + > accessVector = accessVector or "UNKNOWN" > vectorString = vectorString or "UNKNOWN" > > > > > -- Yoann Congal Smile ECS
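Review bot: the loops in this hunk keep the highest baseScore across every entry of cvssMetricV2, cvssMetricV30, cvssMetricV31 and cvssMetricV40, but the commit message describes the defect as picking a Secondary source instead of the Primary one, and nothing in the hunk distinguishes the two (the "Primary and Secondary" comment only says that all entries are visited). When a Secondary source reports a higher score than the Primary, the new code will store that higher value, which is not "the Primary source with the actual severity score"; either select on the entry's Primary/Secondary designation, or reword the commit message and the comment so they state that the maximum over all sources is the intended behaviour. A smaller consistency point in the v3 and v4 loops: `accessVector = accessVector or metric['cvssData']['attackVector']` and the matching vectorString line keep whatever vector was set first, possibly from the cvssMetricV2 entry, so the stored vectorString does not necessarily belong to the metric whose score was kept; the cvssMetricV2 loop updates both fields together with the score, and the other loops could do the same.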
