Re: [OE-core] [PATCH 3/4] cve-update-nvd2-native: handle all configuration nodes, not just first
On Fri, 23 Jun 2023, 08:32 , wrote: > From: Ross Burton > > Some CVEs, such as CVE-2013-6629, list multiple configurations which are > vulnerable. The current JSON parser only considers the first > configuration. > > Instead, consider every configuration. We don't yet handle the AND/OR > logical operators, but this is a step in the right direction. > > Signed-off-by: Ross Burton > --- > meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 + > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb > b/meta/recipes-core/meta/cve-update-nvd2-native.bb > index 2b585983ac7..0c627ef2623 100644 > --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb > +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb > @@ -323,11 +323,12 @@ def update_db(conn, elt): > [cveId, cveDesc, cvssv2, cvssv3, date, > accessVector]).close() > > try: > -configurations = elt['cve']['configurations'][0]['nodes'] > -for config in configurations: > -parse_node_and_insert(conn, config, cveId) > +for config in elt['cve']['configurations']: > +# This is suboptimal as it doesn't handle AND/OR and negate, > but is better than nothing > +for node in config["nodes"]: > +parse_node_and_insert(conn, node, cveId) > except KeyError: > -bb.debug(2, "Entry without a configuration") > +bb.debug(2, "CVE %s has no configurations" % cveId) > > do_fetch[nostamp] = "1" > Looks good to me, thank you Ross. Regards, Marta > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#183336): https://lists.openembedded.org/g/openembedded-core/message/183336 Mute This Topic: https://lists.openembedded.org/mt/99717256/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 3/4] cve-update-nvd2-native: handle all configuration nodes, not just first
From: Ross Burton Some CVEs, such as CVE-2013-6629, list multiple configurations which are vulnerable. The current JSON parser only considers the first configuration. Instead, consider every configuration. We don't yet handle the AND/OR logical operators, but this is a step in the right direction. Signed-off-by: Ross Burton --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2b585983ac7..0c627ef2623 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -323,11 +323,12 @@ def update_db(conn, elt): [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() try: -configurations = elt['cve']['configurations'][0]['nodes'] -for config in configurations: -parse_node_and_insert(conn, config, cveId) +for config in elt['cve']['configurations']: +# This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing +for node in config["nodes"]: +parse_node_and_insert(conn, node, cveId) except KeyError: -bb.debug(2, "Entry without a configuration") +bb.debug(2, "CVE %s has no configurations" % cveId) do_fetch[nostamp] = "1" -- 2.34.1
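Review bot: the `except KeyError` in update_db() still wraps the whole nested loop, so a KeyError from a later configuration that lacks "nodes", or one raised inside parse_node_and_insert(), ends the iteration part-way and is logged as "CVE %s has no configurations" even though nodes from earlier configurations were already inserted. Now that more than one configuration is walked, it would be safer to narrow the try to the `elt['cve']['configurations']` lookup (or use `.get('configurations', [])`) and handle a missing "nodes" key per configuration, so one malformed entry does not silently drop the remaining ones and the debug message stays accurate. Minor style point: `config["nodes"]` uses double quotes while the other lookups in the hunk use single quotes.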