[OE-core][master][mickledore][kirkstone][dunfell][PATCH v2] cve-update-nvd2-native: fix cvssV3 metrics

[Peter Marko via lists.openembedded.org]

From: Peter Marko <peter.ma...@siemens.com>

After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got 
broken.
Anything which has only cvssV3 does not resolve properly.
Fix the API fields used to extract it.

i0.0 score is now at level of NVD DB 1.1.
All CVEs with UNKNOWN vector are not present in NVD DB 1.1.

NVD API 1.1:
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4776
LOCAL|32146
NETWORK|167746
PHYSICAL|185
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73331
1.8|7
1.9|3
...

NVD API 2.0 (broken):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4587
LOCAL|26273
NETWORK|150421
UNKNOWN|24644
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|205925

NVD API 2.0 (fixed):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|5090
LOCAL|32322
NETWORK|168004
PHYSICAL|213
UNKNOWN|511
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73841
1.8|7
1.9|3
...

Signed-off-by: Peter Marko <peter.ma...@siemens.com>
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb 
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 2b585983ac..4585126f73 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -312,12 +312,19 @@ def update_db(conn, elt):
         cvssv2 = 
elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
     except KeyError:
         cvssv2 = 0.0
+    cvssv3 = None
     try:
-        accessVector = accessVector or 
elt['impact']['baseMetricV3']['cvssV3']['attackVector']
-        cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+        accessVector = accessVector or 
elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+        cvssv3 = 
elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
     except KeyError:
-        accessVector = accessVector or "UNKNOWN"
-        cvssv3 = 0.0
+        pass
+    try:
+        accessVector = accessVector or 
elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+        cvssv3 = cvssv3 or 
elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+    except KeyError:
+        pass
+    accessVector = accessVector or "UNKNOWN"
+    cvssv3 = cvssv3 or 0.0
 
     conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
                 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183639): 
https://lists.openembedded.org/g/openembedded-core/message/183639
Mute This Topic: https://lists.openembedded.org/mt/99859653/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-