From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" <hetpat@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com
Subject: [OE-core] [scarthgap] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources
Date: Mon, 12 Jan 2026 23:08:40 -0800 [thread overview]
Message-ID: <20260113070840.115911-1-hetpat@cisco.com> (raw)
From: Het Patel <hetpat@cisco.com>
The CVE check system was incorrectly reporting lower CVSS scores when
multiple scoring sources were available in the NVD database. This
occurred because the code only extracted the first element from the
CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
source with a lower score instead of the Primary source with the
actual severity score.
This fix takes maximum CVSS score.
Signed-off-by: Het Patel <hetpat@cisco.com>
---
.../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
1 file changed, 39 insertions(+), 16 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 945bd1d927..28d5810d5d 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -352,32 +352,55 @@ def update_db(conn, elt):
if desc['lang'] == 'en':
cveDesc = desc['value']
date = elt['cve']['lastModified']
+
+ # Extract maximum CVSS scores from all sources (Primary and Secondary)
+ cvssv2 = 0.0
try:
- accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
- vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
- cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV2 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV2']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv2:
+ cvssv2 = score
+ accessVector = metric['cvssData']['accessVector']
+ vectorString = metric['cvssData']['vectorString']
except KeyError:
- cvssv2 = 0.0
- cvssv3 = None
+ pass
+
+ cvssv3 = 0.0
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
- cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV30 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV30']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv3:
+ cvssv3 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
pass
+
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
- cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV31 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV31']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv3:
+ cvssv3 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
pass
- cvssv3 = cvssv3 or 0.0
+
+ cvssv4 = 0.0
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
- cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV40 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV40']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv4:
+ cvssv4 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
- cvssv4 = 0.0
+ pass
+
accessVector = accessVector or "UNKNOWN"
vectorString = vectorString or "UNKNOWN"
next reply other threads:[~2026-01-13 7:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-13 7:08 Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-01-16 10:31 ` [OE-core] [scarthgap] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources Yoann Congal
2026-01-21 7:30 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260113070840.115911-1-hetpat@cisco.com \
--to=hetpat@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox