* [meta-oe][PATCH v2] cve-update-db-native: skip on empty cpe23Uri
@ 2021-04-22 16:48 Konrad Weihmann
  2021-04-22 17:12 ` [OE-core] " Ralph Siemsen
  0 siblings, 1 reply; 3+ messages in thread
From: Konrad Weihmann @ 2021-04-22 16:48 UTC (permalink / raw)
  To: openembedded-core; +Cc: Konrad Weihmann

Recently an entry in the NVD DB appeared that looks like that
{'vulnerable': True, 'cpe_name': []}.
As besides all the vulnerable flag no data is present we would get
a KeyError exception on access.
Use get method on dictionary and return if no meta data is present
Also quit if the length of the array after splitting is less than 6

Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
---
v2: handle the case where key is set but value is none and
    if resulting array is shorter than expected

 meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 25ec6bac71..e5822cee58 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -139,7 +139,12 @@ def parse_node_and_insert(c, node, cveId):
         for cpe in node.get('cpe_match', ()):
             if not cpe['vulnerable']:
                 return
-            cpe23 = cpe['cpe23Uri'].split(':')
+            cpe23 = cpe.get('cpe23Uri')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
             vendor = cpe23[3]
             product = cpe23[4]
             version = cpe23[5]
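Review bot: The two new "return" statements, after "if not cpe23:" and after "if len(cpe23) < 6:", sit inside the "for cpe in node.get('cpe_match', ())" loop, so a single malformed entry ends processing for the whole node and any well-formed cpe_match entries that follow it are never inserted. This matches the existing return on "not cpe['vulnerable']", but for a record that is only missing data, "continue" would skip just the bad entry and keep the rest of the node's matches in the database.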
-- 
2.25.1



* Re: [OE-core] [meta-oe][PATCH v2] cve-update-db-native: skip on empty cpe23Uri
  2021-04-22 16:48 [meta-oe][PATCH v2] cve-update-db-native: skip on empty cpe23Uri Konrad Weihmann
@ 2021-04-22 17:12 ` Ralph Siemsen
  2021-04-22 19:34   ` Alejandro Hernandez Samaniego
  0 siblings, 1 reply; 3+ messages in thread
From: Ralph Siemsen @ 2021-04-22 17:12 UTC (permalink / raw)
  To: Konrad Weihmann; +Cc: openembedded-core

On Thu, Apr 22, 2021 at 06:48:27PM +0200, Konrad Weihmann wrote:
>Recently an entry in the NVD DB appeared that looks like that
>{'vulnerable': True, 'cpe_name': []}.
>As besides all the vulnerable flag no data is present we would get
>a KeyError exception on access.
>Use get method on dictionary and return if no meta data is present
>Also quit if the length of the array after splitting is less than 6

Seems to work fine here. Thanks for the quick action.

Tested-by: Ralph Siemsen <ralph.siemsen@linaro.org>

>Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
>---
>v2: handle the case where key is set but value is none and
>    if resulting array is shorter than expected
>
> meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
>index 25ec6bac71..e5822cee58 100644
>--- a/meta/recipes-core/meta/cve-update-db-native.bb
>+++ b/meta/recipes-core/meta/cve-update-db-native.bb
>@@ -139,7 +139,12 @@ def parse_node_and_insert(c, node, cveId):
>         for cpe in node.get('cpe_match', ()):
>             if not cpe['vulnerable']:
>                 return
>-            cpe23 = cpe['cpe23Uri'].split(':')
>+            cpe23 = cpe.get('cpe23Uri')
>+            if not cpe23:
>+                return
>+            cpe23 = cpe23.split(':')
>+            if len(cpe23) < 6:
>+                return
>             vendor = cpe23[3]
>             product = cpe23[4]
>             version = cpe23[5]
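Review bot: Both new early exits drop the entry without any message, so a malformed NVD record silently shrinks what ends up in the CVE database and nothing in the task log shows that it happened. Consider a bb.warn() or bb.note() that includes cveId before each of the two returns, so skipped entries are visible to whoever runs the update.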
>-- 
>2.25.1
>


* Re: [OE-core] [meta-oe][PATCH v2] cve-update-db-native: skip on empty cpe23Uri
  2021-04-22 17:12 ` [OE-core] " Ralph Siemsen
@ 2021-04-22 19:34   ` Alejandro Hernandez Samaniego
  0 siblings, 0 replies; 3+ messages in thread
From: Alejandro Hernandez Samaniego @ 2021-04-22 19:34 UTC (permalink / raw)
  To: Ralph Siemsen, Konrad Weihmann; +Cc: openembedded-core


Hey Konrad,

Seems to work on my side as well, it applies cleanly for dunfell as
well, I will send it again so it gets backported since that is also broken.

Cheers,

Alejandro

Tested-by: Alejandro Hernandez <alhe@linux.microsoft.com>

On 4/22/21 11:12 AM, Ralph Siemsen wrote:
> On Thu, Apr 22, 2021 at 06:48:27PM +0200, Konrad Weihmann wrote:
>> Recently an entry in the NVD DB appeared that looks like that
>> {'vulnerable': True, 'cpe_name': []}.
>> As besides all the vulnerable flag no data is present we would get
>> a KeyError exception on access.
>> Use get method on dictionary and return if no meta data is present
>> Also quit if the length of the array after splitting is less than 6
>
> Seems to work fine here. Thanks for the quick action.
>
> Tested-by: Ralph Siemsen <ralph.siemsen@linaro.org>
>
>> Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
>> ---
>> v2: handle the case where key is set but value is none and
>>    if resulting array is shorter than expected
>>
>> meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
>> b/meta/recipes-core/meta/cve-update-db-native.bb
>> index 25ec6bac71..e5822cee58 100644
>> --- a/meta/recipes-core/meta/cve-update-db-native.bb
>> +++ b/meta/recipes-core/meta/cve-update-db-native.bb
>> @@ -139,7 +139,12 @@ def parse_node_and_insert(c, node, cveId):
>>         for cpe in node.get('cpe_match', ()):
>>             if not cpe['vulnerable']:
>>                 return
>> -            cpe23 = cpe['cpe23Uri'].split(':')
>> +            cpe23 = cpe.get('cpe23Uri')
>> +            if not cpe23:
>> +                return
>> +            cpe23 = cpe23.split(':')
>> +            if len(cpe23) < 6:
>> +                return
>>             vendor = cpe23[3]
>>             product = cpe23[4]
>>             version = cpe23[5]
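Review bot: The context line "if not cpe['vulnerable']:" still indexes the dictionary directly, so an entry that lacks the 'vulnerable' key would raise the same KeyError this change removes for 'cpe23Uri'. Using cpe.get('vulnerable') there would make the two lookups consistent.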
>> -- 
>> 2.25.1
>>
>
> 
>

