authorPeter Marko <peter.marko@siemens.com>2024-10-23 11:45:22 +0200
committerSteve Sakoman <steve@sakoman.com>2024-11-26 05:37:09 -0800
commita99c033f4c22b2270acebb45e16487eade2b77c5 (patch)
tree72df7f62f7e20916eb75f45fe36b9a9436c9e4de
parent6a44d7c07807fc1f84b412a2fced054f71818d70 (diff)
cve-check: add support for cvss v4.0
https://nvd.nist.gov/general/news/cvss-v4-0-official-support CVSS v4.0 was released in November 2023. NVD announced support for it in June 2024. Current stats are: * cvss v4 provided, but also v3, so cve-check showed a value sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0; 2069 * only cvss v4 provided, so cve-check did not show any sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0; 260 (From OE-Core rev: 7ce34ce58f83bc02fa2c04bec54e358e8614157e) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 358dbfcd80ae1fa414d294c865dd293670c287f0) Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/classes/cve-check.bbclass10
-rw-r--r--meta/classes/vex.bbclass1
-rw-r--r--meta/recipes-core/meta/cve-update-nvd2-native.bb14
-rwxr-xr-xscripts/cve-json-to-text.py2
4 files changed, 19 insertions, 8 deletions
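--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -31,7 +31,7 @@
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
-CVE_CHECK_DB_FILENAME ?= "nvdcve_2-1.db"
+CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db"
 CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
@@ -445,9 +445,10 @@ def get_cve_info(d, cve_data):
 cve_data[row[0]]["NVD-summary"] = row[1]
 cve_data[row[0]]["NVD-scorev2"] = row[2]
 cve_data[row[0]]["NVD-scorev3"] = row[3]
-cve_data[row[0]]["NVD-modified"] = row[4]
-cve_data[row[0]]["NVD-vector"] = row[5]
-cve_data[row[0]]["NVD-vectorString"] = row[6]
+cve_data[row[0]]["NVD-scorev4"] = row[4]
+cve_data[row[0]]["NVD-modified"] = row[5]
+cve_data[row[0]]["NVD-vector"] = row[6]
+cve_data[row[0]]["NVD-vectorString"] = row[7]
 cursor.close()
 conn.close()
 
@@ -534,6 +535,7 @@ def cve_write_data_json(d, cve_data, cve_status):
 cve_item["summary"] = cve_data[cve]["NVD-summary"]
 cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
 cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
 cve_item["modified"] = cve_data[cve]["NVD-modified"]
 cve_item["vector"] = cve_data[cve]["NVD-vector"]
 cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]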
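Review bot: The renumbering of `row[4]`..`row[7]` in get_cve_info ties this block to the column order of the SELECT that produces `row`, which is outside the hunk (presumably it lists columns in table order), and nothing near the reads says so; a one-line comment would make the coupling visible, e.g. `# positional: must match the NVD table layout in cve-update-nvd2-native.bb (ID, SUMMARY, SCOREV2, SCOREV3, SCOREV4, MODIFIED, VECTOR, VECTORSTRING)`. The same applies to the filename bump in the first hunk: it is the only thing preventing an already-fetched 7-column database from being reused, because initialize_db only runs `CREATE TABLE IF NOT EXISTS`, so `CVE_CHECK_DB_FILENAME` deserves `# bump the suffix whenever the NVD table schema changes; an existing database is never migrated`. get_cve_info and cve_write_data_json both start and end outside their hunks.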
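--- a/meta/classes/vex.bbclass
+++ b/meta/classes/vex.bbclass
@@ -282,6 +282,7 @@ def cve_write_data_json(d, cve_data, cve_status):
 cve_item["summary"] = cve_data[cve]["NVD-summary"]
 cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
 cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
 cve_item["vector"] = cve_data[cve]["NVD-vector"]
 cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]
 if 'status' in cve_data[cve]: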
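--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -255,7 +255,7 @@ def initialize_db(conn):
 c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
 
 c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
-SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
+SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
 
 c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
 VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -361,12 +361,18 @@ def update_db(conn, elt):
 cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
 except KeyError:
 pass
+cvssv3 = cvssv3 or 0.0
+try:
+accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector']
+vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
+cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']
+except KeyError:
+cvssv4 = 0.0
 accessVector = accessVector or "UNKNOWN"
 vectorString = vectorString or "UNKNOWN"
-cvssv3 = cvssv3 or 0.0
 
-conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?)",
-[cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close()
+conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+[cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
 
 try:
 # Remove any pre-existing CVE configuration. Even for partial database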
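Review bot: In the new `cvssMetricV40` block of update_db the `baseScore` read comes last, so a v4 entry whose `cvssData` lacks `attackVector` or `vectorString` raises KeyError before the score is taken and the record is stored with `cvssv4 = 0.0`, which downstream (and the queries in the commit message) treat as "no v4 score"; reading the score first and tolerating missing vector fields avoids losing it. Note also that because `accessVector`/`vectorString` are `or`-chained, a CVE that carries both v3 and v4 metrics keeps the v3 vector next to the v4 score, which is consistent with the existing v2/v3 handling but worth a comment at the new `try:`, e.g. `# VECTOR/VECTORSTRING keep the first version found (v2 < v3 < v4); only the score is per-version`. As with the v3 block above, an empty `cvssMetricV40` list would surface as IndexError rather than KeyError, which I mention only because the new code copies that pattern. update_db starts and ends outside the hunk.
```python
cvssv3 = cvssv3 or 0.0
# VECTOR/VECTORSTRING keep the first version found (v2 < v3 < v4); only the score is per-version.
cvssv4 = 0.0
try:
    cvssData = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']
    cvssv4 = cvssData['baseScore']
    accessVector = accessVector or cvssData['attackVector']
    vectorString = vectorString or cvssData['vectorString']
except KeyError:
    pass
# … unchanged: UNKNOWN defaults and the insert or replace …
```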
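--- a/scripts/cve-json-to-text.py
+++ b/scripts/cve-json-to-text.py
@@ -125,6 +125,8 @@ def process_data(filename, data):
 lines += "CVSS v2 BASE SCORE: %s\n" % issue["scorev2"]
 if "scorev3" in issue:
 lines += "CVSS v3 BASE SCORE: %s\n" % issue["scorev3"]
+if "scorev4" in issue:
+lines += "CVSS v4 BASE SCORE: %s\n" % issue["scorev4"]
 if "vector" in issue:
 lines += "VECTOR: %s\n" % issue["vector"]
 if "vectorString" in issue: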
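Review bot: The new `if "scorev4" in issue:` guard in process_data never filters anything, because cve_write_data_json in both cve-check.bbclass and vex.bbclass emits `scorev4` unconditionally and cve-update-nvd2-native.bb stores `0.0` when NVD has no v4 metric, so the text report now prints a "CVSS v4 BASE SCORE" line for every CVE, most of them zero. If the zero sentinel is meant to read as "not provided", skip it here: `if "scorev4" in issue and float(issue["scorev4"]) != 0.0:` (the JSON may carry the score as a string, since the column is declared TEXT, hence the `float()`). The v2/v3 lines above likely have the same property, so this is an existing inconsistency the new line inherits rather than a regression. process_data starts and ends outside the hunk.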