
[3/4] cve-update-nvd2-native: handle all configuration nodes, not just first

Message ID 20230623123250.726731-3-ross.burton@arm.com
State Accepted, archived
Commit e1bf4f6dd686055fe9a8bdcc3f739eac2807bae0
Series [1/4] cve-update-db-native: remove

Commit Message

Ross Burton June 23, 2023, 12:32 p.m. UTC
From: Ross Burton <ross.burton@arm.com>

Some CVEs, such as CVE-2013-6629, list multiple configurations which are
vulnerable. The current JSON parser only considers the first
configuration.

Instead, consider every configuration. We don't yet handle the AND/OR
logical operators, but this is a step in the right direction.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
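The configuration structure the commit message describes, as an added example that is not part of this patch or of the OpenEmbedded code: a constructed NVD 2.0-style entry with two configurations, the pre-patch first-only extraction, the flattening the patch performs (operators dropped), and, going beyond the patch, an operator-aware evaluation that shows why ignoring AND over-reports rather than under-reports. CPE matching is simplified to exact string equality; version ranges are left out by assumption.

```python
# Constructed NVD 2.0-style "configurations" (not real NVD data). Matching is
# simplified to exact CPE-string equality; real cpeMatch entries also carry
# version ranges, which this example ignores.
BAR = "cpe:2.3:a:example:bar:2.0:*:*:*:*:*:*:*"
BAROS = "cpe:2.3:o:example:baros:-:*:*:*:*:*:*:*"
LIBFOO = "cpe:2.3:a:example:libfoo:1.0:*:*:*:*:*:*:*"

CONFIGS = [
    # Configuration 1: one OR node, vulnerable on its own.
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": LIBFOO}]}]},
    # Configuration 2: AND of an application node and a platform node; the
    # platform entry is flagged vulnerable=False (it must be present, but the
    # flaw is attributed to the application).
    {"operator": "AND", "nodes": [
        {"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True, "criteria": BAR}]},
        {"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": False, "criteria": BAROS}]}]},
]

def first_config_criteria(configs):
    """Pre-patch behaviour: only configurations[0] is examined, so BAR is missed."""
    return {m["criteria"] for n in configs[0]["nodes"] for m in n["cpeMatch"]}

def flatten_criteria(configs):
    """What the patch stores: every cpeMatch of every node, operators dropped."""
    return {m["criteria"] for c in configs for n in c["nodes"] for m in n["cpeMatch"]}

def flat_verdict(configs, installed):
    """Verdict implied by the flattened records: any single criterion hit."""
    return bool(flatten_criteria(configs) & set(installed))

def node_matches(node, installed):
    hits = [m["criteria"] in installed for m in node["cpeMatch"]]
    result = all(hits) if node.get("operator") == "AND" else any(hits)
    return result != node.get("negate", False)

def config_matches(config, installed):
    hits = [node_matches(n, installed) for n in config["nodes"]]
    result = all(hits) if config.get("operator") == "AND" else any(hits)
    return result != config.get("negate", False)

def operator_aware_verdict(configs, installed):
    """Verdict honouring AND/OR and negate: some configuration fully matches."""
    return any(config_matches(c, installed) for c in configs)

if __name__ == "__main__":
    only_bar = {BAR}  # application present, required platform absent
    print("flattened:", flat_verdict(CONFIGS, only_bar))                 # True
    print("operator-aware:", operator_aware_verdict(CONFIGS, only_bar))  # False
```

With only BAR installed the flattened records still produce a hit, which is the over-reporting direction the inline comment in the patch accepts; the operator-aware check declines because the AND configuration is only half satisfied.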

Comments

Marta Rybczynska June 23, 2023, 4 p.m. UTC | #1
On Fri, 23 Jun 2023, 08:32, <ross.burton@arm.com> wrote:

> From: Ross Burton <ross.burton@arm.com>
>
> Some CVEs, such as CVE-2013-6629, list multiple configurations which are
> vulnerable. The current JSON parser only considers the first
> configuration.
>
> Instead, consider every configuration. We don't yet handle the AND/OR
> logical operators, but this is a step in the right direction.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
> b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> index 2b585983ac7..0c627ef2623 100644
> --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
> +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> @@ -323,11 +323,12 @@ def update_db(conn, elt):
>                  [cveId, cveDesc, cvssv2, cvssv3, date,
> accessVector]).close()
>
>      try:
> -        configurations = elt['cve']['configurations'][0]['nodes']
> -        for config in configurations:
> -            parse_node_and_insert(conn, config, cveId)
> +        for config in elt['cve']['configurations']:
> +            # This is suboptimal as it doesn't handle AND/OR and negate,
> but is better than nothing
> +            for node in config["nodes"]:
> +                parse_node_and_insert(conn, node, cveId)
>      except KeyError:
> -        bb.debug(2, "Entry without a configuration")
> +        bb.debug(2, "CVE %s has no configurations" % cveId)
>
>  do_fetch[nostamp] = "1"
>
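Review bot: the new loop hands every node of every configuration to parse_node_and_insert without consulting the configuration's operator, so for a configuration whose nodes are combined with AND (the case the inline comment concedes is unhandled) each node's CPE matches are recorded as if sufficient on their own; the effect for downstream users of the database is extra reports rather than missed ones, which is the safer direction, but it is worth saying so in the commit message, and the message should also mention "negate", which the inline comment lists but the description does not.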

Looks good to me, thank you Ross.

Regards,
Marta


Patch

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 2b585983ac7..0c627ef2623 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -323,11 +323,12 @@  def update_db(conn, elt):
                 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
 
     try:
-        configurations = elt['cve']['configurations'][0]['nodes']
-        for config in configurations:
-            parse_node_and_insert(conn, config, cveId)
+        for config in elt['cve']['configurations']:
+            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
+            for node in config["nodes"]:
+                parse_node_and_insert(conn, node, cveId)
     except KeyError:
-        bb.debug(2, "Entry without a configuration")
+        bb.debug(2, "CVE %s has no configurations" % cveId)
 
 do_fetch[nostamp] = "1"
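Review bot: the `except KeyError` now spans the whole nested loop, so a KeyError raised for one configuration (a later configuration without a "nodes" key, or one escaping from parse_node_and_insert) aborts processing of the remaining configurations and logs "CVE %s has no configurations" even though some nodes were already inserted. Suggest keeping the try narrow, e.g. `configurations = elt['cve'].get('configurations', [])` before the loop and `config.get("nodes", [])` inside it, so the debug message fires only when there really are none. Minor: the hunk mixes `elt['cve']` with `config["nodes"]`; pick one quote style to match the surrounding code.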