On Wed, 2026-01-21 at 02:08 -0800, Het Patel via lists.openembedded.org wrote:
> From: Het Patel <[email protected]>
>
> The CVE check system was incorrectly reporting lower CVSS scores when
> multiple scoring sources were available in the NVD database. This
> occurred because the code only extracted the first element from the
> CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
> source with a lower score instead of the Primary source with the
> actual severity score.
>
> This fix iterates through all available sources and takes the maximum
> CVSS score to ensure the highest severity is reported.
>
> Fixes [YOCTO #15931]
>
> Signed-off-by: Het Patel <[email protected]>
Het,

Thanks for the patch!

Why is the highest CVSS score the correct one to take? I think the commit message needs updating to answer this or point us to a relevant reference.

Best regards,

--
Paul Barker
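To make the behaviour described in the quoted commit message concrete, here is an added illustration (not code from the cve-check patch or from OE-core) of first-element versus maximum selection over NVD-style metric arrays. It assumes the NVD API 2.0 JSON layout (`cvssMetricV2`/`cvssMetricV30`/`cvssMetricV31`/`cvssMetricV40` lists of entries with `type` and `cvssData.baseScore`); the sample record and source addresses are constructed.

```python
"""Compare two ways of picking a CVSS base score from NVD-style metric lists.

The commit message quoted above says metrics[0] may be a Secondary source
with a lower score than the Primary source.  Layout assumed to follow the
NVD API 2.0 JSON shape; the record below is a constructed sample.
"""

# Constructed sample: in the v3.1 list a Secondary source comes first.
SAMPLE_METRICS = {
    "cvssMetricV2": [
        {"source": "primary@example.org", "type": "Primary",
         "cvssData": {"baseScore": 6.8}},
    ],
    "cvssMetricV31": [
        {"source": "vendor@example.com", "type": "Secondary",
         "cvssData": {"baseScore": 5.3}},
        {"source": "primary@example.org", "type": "Primary",
         "cvssData": {"baseScore": 9.8}},
    ],
}

# CVSSv3 data may sit under either the 3.0 or the 3.1 key.
V3_KEYS = ("cvssMetricV30", "cvssMetricV31")


def first_element_score(metrics, keys):
    """Old behaviour: first entry of the first key present, whatever its type."""
    for key in keys:
        entries = metrics.get(key) or []
        if entries:
            return entries[0]["cvssData"]["baseScore"]
    return None


def max_score(metrics, keys):
    """Fixed behaviour: scan every entry under every key and keep the maximum."""
    scores = [
        entry["cvssData"]["baseScore"]
        for key in keys
        for entry in (metrics.get(key) or [])
    ]
    return max(scores) if scores else None


def score_report(metrics):
    """Old and new selection side by side for the v2 and v3 families."""
    return {
        "v3_first": first_element_score(metrics, V3_KEYS),
        "v3_max": max_score(metrics, V3_KEYS),
        "v2_first": first_element_score(metrics, ("cvssMetricV2",)),
        "v2_max": max_score(metrics, ("cvssMetricV2",)),
    }
```

On the sample, the first-element path reports 5.3 for CVSSv3 while the maximum path reports 9.8; the two agree for CVSSv2 because that list has a single entry.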