diff mbox series

[master,mickledore,kirkstone,dunfell] cve-update-nvd2-native: fix cvssV3 metrics

Message ID 20230629134312.732919-1-peter.marko@siemens.com
State New, archived

Commit Message

Peter Marko June 29, 2023, 1:43 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

After upgrade to soon-to-be-released kirkstone 4.0.11
CVE annotations got broken.
Anything which has only cvssV3 did not resolve properly.
Fix the API fields used to extract it.
Number of CVEs with score 0.0 is still not at 1.1 API level,
but that is probably NVD API difference issue.

NVD API 1.1:
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4776
LOCAL|32146
NETWORK|167746
PHYSICAL|185
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73331
1.8|7
1.9|3
...

NVD API 2.0 (broken):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4587
LOCAL|26273
NETWORK|150421
UNKNOWN|24644
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|205925

NVD API 2.0 (fixed):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4998
LOCAL|32226
NETWORK|167877
PHYSICAL|185
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|115460
1.8|4
1.9|1
...

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 2b585983ac..cb03fe730c 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -313,8 +313,8 @@  def update_db(conn, elt):
     except KeyError:
         cvssv2 = 0.0
     try:
-        accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
-        cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+        cvssv3 = elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
     except KeyError:
         accessVector = accessVector or "UNKNOWN"
         cvssv3 = 0.0
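
Review bot: The two added lookups read only `cvssMetricV31` and always take element `[0]`, so a record whose CVSS v3 data sits under `cvssMetricV30` (the NVD API 2.0 key for CVSS 3.0) still falls through to "UNKNOWN" and 0.0. That may account for part of the remaining 0.0 gap the commit message mentions. Consider trying `cvssMetricV31` first and `cvssMetricV30` second before giving up. Separately, the handler on the next line catches only `KeyError`; if a metrics list is ever present but empty, `[0]` raises `IndexError` and the update aborts instead of defaulting, so `except (KeyError, IndexError):` would be safer. A short comment that `[0]` picks the first listed metric, whatever its source, would also help later readers.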