* [meta-oe][PATCH v2] cve-update-db-native: skip on empty cpe23Uri
From: Konrad Weihmann @ 2021-04-22 16:48 UTC (permalink / raw)
To: openembedded-core; +Cc: Konrad Weihmann
Recently an entry in the NVD DB appeared that looks like that
{'vulnerable': True, 'cpe_name': []}.
As besides all the vulnerable flag no data is present we would get
a KeyError exception on access.
Use get method on dictionary and return if no meta data is present
Also quit if the length of the array after splitting is less than 6
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
---
v2: handle the case where key is set but value is none and
if resulting array is shorter than expected
meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 25ec6bac71..e5822cee58 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -139,7 +139,12 @@ def parse_node_and_insert(c, node, cveId):
for cpe in node.get('cpe_match', ()):
if not cpe['vulnerable']:
return
- cpe23 = cpe['cpe23Uri'].split(':')
+ cpe23 = cpe.get('cpe23Uri')
+ if not cpe23:
+ return
+ cpe23 = cpe23.split(':')
+ if len(cpe23) < 6:
+ return
vendor = cpe23[3]
product = cpe23[4]
version = cpe23[5]
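Review bot: The two new guards use "return" inside the "for cpe in node.get('cpe_match', ())" loop, so a single entry with a missing or short cpe23Uri ends processing for the whole node and any well-formed entries after it are never reached. If the intent is to skip only the bad entry, "continue" fits better for both "if not cpe23:" and "if len(cpe23) < 6:". The existing "if not cpe['vulnerable']: return" above has the same shape, so it is worth deciding for all three whether the node or just the entry should be dropped.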
--
2.25.1
* Re: [OE-core] [meta-oe][PATCH v2] cve-update-db-native: skip on empty cpe23Uri
From: Ralph Siemsen @ 2021-04-22 17:12 UTC (permalink / raw)
To: Konrad Weihmann; +Cc: openembedded-core
On Thu, Apr 22, 2021 at 06:48:27PM +0200, Konrad Weihmann wrote:
>Recently an entry in the NVD DB appeared that looks like that
>{'vulnerable': True, 'cpe_name': []}.
>As besides all the vulnerable flag no data is present we would get
>a KeyError exception on access.
>Use get method on dictionary and return if no meta data is present
>Also quit if the length of the array after splitting is less than 6
Seems to work fine here. Thanks for the quick action.
Tested-by: Ralph Siemsen <ralph.siemsen@linaro.org>
>Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
>---
>v2: handle the case where key is set but value is none and
> if resulting array is shorter than expected
>
> meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
>index 25ec6bac71..e5822cee58 100644
>--- a/meta/recipes-core/meta/cve-update-db-native.bb
>+++ b/meta/recipes-core/meta/cve-update-db-native.bb
>@@ -139,7 +139,12 @@ def parse_node_and_insert(c, node, cveId):
> for cpe in node.get('cpe_match', ()):
> if not cpe['vulnerable']:
> return
>- cpe23 = cpe['cpe23Uri'].split(':')
>+ cpe23 = cpe.get('cpe23Uri')
>+ if not cpe23:
>+ return
>+ cpe23 = cpe23.split(':')
>+ if len(cpe23) < 6:
>+ return
> vendor = cpe23[3]
> product = cpe23[4]
> version = cpe23[5]
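Review bot: The context line "if not cpe['vulnerable']:" still indexes the dict directly, so an entry that lacks the "vulnerable" key would raise the same KeyError this patch removes for "cpe23Uri". Switching that test to cpe.get('vulnerable') would make the loop tolerant of both missing keys.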
>--
>2.25.1
>
* Re: [OE-core] [meta-oe][PATCH v2] cve-update-db-native: skip on empty cpe23Uri
From: Alejandro Hernandez Samaniego @ 2021-04-22 19:34 UTC (permalink / raw)
To: Ralph Siemsen, Konrad Weihmann; +Cc: openembedded-core
Hey Konrad,
Seems to work on my side as well, it applies cleanly for dunfell as
well, I will send it again so it gets backported since that is also broken.
Cheers,
Alejandro
Tested-by: Alejandro Hernandez <alhe@linux.microsoft.com>
On 4/22/21 11:12 AM, Ralph Siemsen wrote:
> On Thu, Apr 22, 2021 at 06:48:27PM +0200, Konrad Weihmann wrote:
>> Recently an entry in the NVD DB appeared that looks like that
>> {'vulnerable': True, 'cpe_name': []}.
>> As besides all the vulnerable flag no data is present we would get
>> a KeyError exception on access.
>> Use get method on dictionary and return if no meta data is present
>> Also quit if the length of the array after splitting is less than 6
>
> Seems to work fine here. Thanks for the quick action.
>
> Tested-by: Ralph Siemsen <ralph.siemsen@linaro.org>
>
>> Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
>> ---
>> v2: handle the case where key is set but value is none and
>> if resulting array is shorter than expected
>>
>> meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
>> b/meta/recipes-core/meta/cve-update-db-native.bb
>> index 25ec6bac71..e5822cee58 100644
>> --- a/meta/recipes-core/meta/cve-update-db-native.bb
>> +++ b/meta/recipes-core/meta/cve-update-db-native.bb
>> @@ -139,7 +139,12 @@ def parse_node_and_insert(c, node, cveId):
>> for cpe in node.get('cpe_match', ()):
>> if not cpe['vulnerable']:
>> return
>> - cpe23 = cpe['cpe23Uri'].split(':')
>> + cpe23 = cpe.get('cpe23Uri')
>> + if not cpe23:
>> + return
>> + cpe23 = cpe23.split(':')
>> + if len(cpe23) < 6:
>> + return
>> vendor = cpe23[3]
>> product = cpe23[4]
>> version = cpe23[5]
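Review bot: Both new early exits after "cpe.get('cpe23Uri')" are silent, so when a malformed feed entry is dropped nothing records which CVE was affected. Consider a bb.warn or bb.debug that names cveId before returning, so that gaps in the resulting database can be traced back to the feed entry that caused them.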
>> --
>> 2.25.1
>>