* cve-check breaks on zeus
From: Konrad Weihmann @ 2020-07-25 11:13 UTC
To: OE-core
Hi all,
I'm just too lazy to check if that has been fixed in master already, but
since yesterday cve-check breaks on zeus for me with the following
File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 91, function: do_populate_cve_db
    0087:    # Update db with current year json file
    0088:    try:
    0089:        response = urllib.request.urlopen(json_url)
    0090:        if response:
*** 0091:            update_db(c, gzip.decompress(response.read()).decode('utf-8'))
    0092:            c.execute("insert or replace into META values (?, ?)", [year, last_modified])
    0093:    except urllib.error.URLError as e:
    0094:        cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
    0095:        bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 173, function: update_db
    0169:
    0170:    cveId = elt['cve']['CVE_data_meta']['ID']
    0171:    cveDesc = elt['cve']['description']['description_data'][0]['value']
    0172:    date = elt['lastModifiedDate']
*** 0173:    accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
    0174:    cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
    0175:
    0176:    try:
    0177:        cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
Exception: KeyError: 'baseMetricV2'
Cheers
Konrad
* Re: [OE-core] cve-check breaks on zeus
From: akuster @ 2020-07-25 14:52 UTC
To: Konrad Weihmann, OE-core
On 7/25/20 4:13 AM, Konrad Weihmann wrote:
> Hi all,
>
> I'm just too lazy to check if that has been fixed in master already,
> but since yesterday cve-check breaks on zeus for me with the following
I think I just saw this on master. We need to check if NVD changed their
format again.
-armin
>
> File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 91, function: do_populate_cve_db
>     0087:    # Update db with current year json file
>     0088:    try:
>     0089:        response = urllib.request.urlopen(json_url)
>     0090:        if response:
> *** 0091:            update_db(c, gzip.decompress(response.read()).decode('utf-8'))
>     0092:            c.execute("insert or replace into META values (?, ?)", [year, last_modified])
>     0093:    except urllib.error.URLError as e:
>     0094:        cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
>     0095:        bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
> File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 173, function: update_db
>     0169:
>     0170:    cveId = elt['cve']['CVE_data_meta']['ID']
>     0171:    cveDesc = elt['cve']['description']['description_data'][0]['value']
>     0172:    date = elt['lastModifiedDate']
> *** 0173:    accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
>     0174:    cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
>     0175:
>     0176:    try:
>     0177:        cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
> Exception: KeyError: 'baseMetricV2'
>
> Cheers
> Konrad
>
>
* Re: [OE-core] cve-check breaks on zeus
From: Konrad Weihmann @ 2020-07-26 9:15 UTC
To: akuster808, OE-core
Hi,
Since last night it affects all branches I tested.
But it doesn't seem to be a format change; rather, baseMetricV2 is
optional for some entries, e.g.:
{
  "cve": {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
      "ID": "CVE-2020-14725",
      "ASSIGNER": "cve@mitre.org"
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": []
        }
      ]
    },
    "references": {
      "reference_data": [
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html",
          "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
          "refsource": "MISC",
          "tags": []
        }
      ]
    },
    "description": {
      "description_data": [
        {
          "lang": "en",
          "value": "..."
        }
      ]
    }
  },
  "configurations": {
    "CVE_data_version": "4.0",
    "nodes": []
  },
  "impact": {
    "baseMetricV3": {
      "cvssV3": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "privilegesRequired": "HIGH",
        "userInteraction": "NONE",
        "scope": "UNCHANGED",
        "confidentialityImpact": "NONE",
        "integrityImpact": "NONE",
        "availabilityImpact": "HIGH",
        "baseScore": 4.9,
        "baseSeverity": "MEDIUM"
      },
      "exploitabilityScore": 1.2,
      "impactScore": 3.6
    }
  },
  "publishedDate": "2020-07-24T20:15Z",
  "lastModifiedDate": "2020-07-25T02:01Z"
}
I guess it should be treated like baseMetricV3 - let's see if I can craft
a patch for that
BR
Konrad
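An added example, not part of the thread and not the OE-core code: a tolerant reader for NVD JSON feed items that treats both baseMetricV2 and baseMetricV3 as optional and keeps going when a single record is malformed, so one unscored CVE cannot leave the whole database stale. The helper names (dig, parse_item, parse_feed), the use of None for an absent score, and the sample feed are assumptions made for this illustration.

```python
import json

# Constructed sample in the NVD JSON feed layout ("CVE_Items" list). The first
# item mirrors the V3-only entry quoted in the thread; the rest are made up.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2020-14725"},
             "description": {"description_data": [{"lang": "en", "value": "..."}]}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 4.9}}},
     "lastModifiedDate": "2020-07-25T02:01Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},  # placeholder ID
             "description": {"description_data": [{"lang": "en", "value": "made up"}]}},
     "impact": {"baseMetricV2": {"cvssV2": {"accessVector": "LOCAL", "baseScore": 2.1}}},
     "lastModifiedDate": "2020-01-01T00:00Z"},
    {"cve": {}, "impact": {}},  # malformed: no CVE ID at all
]})


def dig(obj, *keys):
    """Walk nested dicts/lists; return None instead of raising on a missing step."""
    for key in keys:
        try:
            obj = obj[key]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def parse_item(elt):
    """Extract the fields update_db reads; only the CVE ID is mandatory."""
    return {
        "id": elt["cve"]["CVE_data_meta"]["ID"],
        "desc": dig(elt, "cve", "description", "description_data", 0, "value"),
        "date": elt.get("lastModifiedDate"),
        # Absent metrics stay None so "not scored" is never stored as 0.0.
        "accessVector": dig(elt, "impact", "baseMetricV2", "cvssV2", "accessVector"),
        "cvssv2": dig(elt, "impact", "baseMetricV2", "cvssV2", "baseScore"),
        "cvssv3": dig(elt, "impact", "baseMetricV3", "cvssV3", "baseScore"),
    }


def parse_feed(text):
    """Return (rows, skipped): one bad record must not abort the whole update."""
    rows, skipped = [], 0
    for elt in json.loads(text).get("CVE_Items", []):
        try:
            rows.append(parse_item(elt))
        except (KeyError, TypeError):
            skipped += 1
    return rows, skipped
```

A non-zero skipped count is worth surfacing as a build warning, since silently dropped records would hide CVEs from the report.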