* [OE-core] [scarthgap] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources
From: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-01-13 7:08 UTC
To: openembedded-core; +Cc: xe-linux-external

From: Het Patel <hetpat@cisco.com>

The CVE check system was incorrectly reporting lower CVSS scores when
multiple scoring sources were available in the NVD database. This
occurred because the code only extracted the first element from the
CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
source with a lower score instead of the Primary source with the
actual severity score.

This fix takes the maximum CVSS score.

Signed-off-by: Het Patel <hetpat@cisco.com>
---
 .../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
 1 file changed, 39 insertions(+), 16 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 945bd1d927..28d5810d5d 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -352,32 +352,55 @@ def update_db(conn, elt): if desc['lang'] == 'en': cveDesc = desc['value'] date = elt['cve']['lastModified'] + + # Extract maximum CVSS scores from all sources (Primary and Secondary) + cvssv2 = 0.0 try: - accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] - vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] - cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV2 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV2']: + score = metric['cvssData']['baseScore'] + if score > cvssv2: + cvssv2 = score + accessVector = metric['cvssData']['accessVector'] + vectorString = metric['cvssData']['vectorString'] except KeyError: - cvssv2 = 0.0 - cvssv3 = None + pass + + cvssv3 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] - cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV30 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV30']: + score = metric['cvssData']['baseScore'] + if score > cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass + try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] - cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV31 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV31']: + score = metric['cvssData']['baseScore'] + if score > 
cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass - cvssv3 = cvssv3 or 0.0 + + cvssv4 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] - cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV40 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV40']: + score = metric['cvssData']['baseScore'] + if score > cvssv4: + cvssv4 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: - cvssv4 = 0.0 + pass + accessVector = accessVector or "UNKNOWN" vectorString = vectorString or "UNKNOWN" ^ permalink raw reply related [flat|nested] 3+ messages in thread
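Review bot: the vector fields do not follow the entry that produced the maximum score. In the cvssMetricV30, cvssMetricV31 and cvssMetricV40 loops, `accessVector = accessVector or metric['cvssData']['attackVector']` and the matching `vectorString` line keep whatever was set first, either by the cvssMetricV2 loop or by a lower-scoring entry that appears earlier in the same array, so with a Secondary 5.3 listed before a Primary 9.8 the row ends up with `cvssv3 = 9.8` but the 5.3 entry's vector string. Track the winning metric instead, e.g. `if score > cvssv3: cvssv3 = score; best = metric['cvssData']`, and assign `vectorString`/`accessVector` from `best` once after the loops, newest CVSS version first. Two related points: the commit message argues that the Primary source carries the real severity, but the loops take the maximum regardless of `metric['type']`, so a higher Secondary score now wins over the Primary one; either filter on `type == 'Primary'` with a fallback to Secondary, or state in the commit message that the maximum across all sources is the intended policy (the shared `cvssv3` also drops the old v3.0-before-v3.1 precedence, which is welcome but worth stating). Lastly, the loops depend on `accessVector` and `vectorString` being initialised before line 352, which this diff does not show; if they are not, a CVE with no cvssMetricV2 array raises NameError on the first `accessVector or ...`.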
* Re: [OE-core] [scarthgap] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources
From: Yoann Congal @ 2026-01-16 10:31 UTC
To: hetpat; +Cc: openembedded-core, xe-linux-external

On Tue, 13 Jan 2026 at 08:08, Het Patel via lists.openembedded.org <hetpat=cisco.com@lists.openembedded.org> wrote:
> From: Het Patel <hetpat@cisco.com>
>
> The CVE check system was incorrectly reporting lower CVSS scores when
> multiple scoring sources were available in the NVD database. This
> occurred because the code only extracted the first element from the
> CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
> source with a lower score instead of the Primary source with the
> actual severity score.
>
> This fix takes maximum CVSS score.
>

Hello,

Does this patch interact with the open bug 15931 – CVE Reporting wrong CVSSv3 score (https://bugzilla.yoctoproject.org/show_bug.cgi?id=15931)?

Also, does this need to be fixed on master and/or whinlatter? If yes, you should first send this patch (adapted most likely) to master. Then, once merged, send a backport request to the stable branches.

Thanks!

> Signed-off-by: Het Patel <hetpat@cisco.com>
> ---
>  .../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
>  1 file changed, 39 insertions(+), 16 deletions(-)
>
> diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
> b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> index 945bd1d927..28d5810d5d 100644
> --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
> +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
> @@ -352,32 +352,55 @@ def update_db(conn, elt): > if desc['lang'] == 'en': > cveDesc = desc['value'] > date = elt['cve']['lastModified'] > + > + # Extract maximum CVSS scores from all sources (Primary and Secondary) > + cvssv2 = 0.0 > try: > - accessVector = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] > - vectorString = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] > - cvssv2 = > elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV2 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV2']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv2: > + cvssv2 = score > + accessVector = metric['cvssData']['accessVector'] > + vectorString = metric['cvssData']['vectorString'] > except KeyError: > - cvssv2 = 0.0 > - cvssv3 = None > + pass > + > + cvssv3 = 0.0 > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] > - cvssv3 = > elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV30 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV30']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv3: > + cvssv3 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > pass > + > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] > - cvssv3 = cvssv3 or > elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV31 entries and find the maximum > 
score > + for metric in elt['cve']['metrics']['cvssMetricV31']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv3: > + cvssv3 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > pass > - cvssv3 = cvssv3 or 0.0 > + > + cvssv4 = 0.0 > try: > - accessVector = accessVector or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] > - vectorString = vectorString or > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] > - cvssv4 = > elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] > + # Iterate through all cvssMetricV40 entries and find the maximum > score > + for metric in elt['cve']['metrics']['cvssMetricV40']: > + score = metric['cvssData']['baseScore'] > + if score > cvssv4: > + cvssv4 = score > + accessVector = accessVector or > metric['cvssData']['attackVector'] > + vectorString = vectorString or > metric['cvssData']['vectorString'] > except KeyError: > - cvssv4 = 0.0 > + pass > + > accessVector = accessVector or "UNKNOWN" > vectorString = vectorString or "UNKNOWN" > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#229229): > https://lists.openembedded.org/g/openembedded-core/message/229229 > Mute This Topic: https://lists.openembedded.org/mt/117239924/4316185 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > yoann.congal@smile.fr] > -=-=-=-=-=-=-=-=-=-=-=- > > -- Yoann Congal Smile ECS [-- Attachment #2: Type: text/html, Size: 8914 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [scarthgap] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources
From: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-01-21 7:30 UTC
To: yoann.congal@smile.fr
Cc: openembedded-core@lists.openembedded.org, xe-linux-external(mailer list)

Hi,

Yes, this patch directly addresses Bug 15931 (CVE Reporting wrong CVSSv3 score). The bug reports two issues:

1. The code only extracted the first element [0] from the CVSS metrics arrays, which could be a Secondary source with a lower score instead of the Primary source
2. The cvssv3 = cvssv3 or ... logic meant v3.0 scores took precedence over v3.1 scores

This patch fixes both by iterating through all metric entries and selecting the maximum score.

I will send this patch to the master first. Once merged, I'll submit a backport request to the stable branches.

Thanks,
Het

________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Yoann Congal via lists.openembedded.org <yoann.congal=smile.fr@lists.openembedded.org>
Sent: Friday, January 16, 2026 4:01 PM
To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) <hetpat@cisco.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; xe-linux-external(mailer list) <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [scarthgap] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources

On Tue, 13 Jan 2026 at 08:08, Het Patel via lists.openembedded.org <hetpat=cisco.com@lists.openembedded.org> wrote:
From: Het Patel <hetpat@cisco.com>

The CVE check system was incorrectly reporting lower CVSS scores when
multiple scoring sources were available in the NVD database. This
occurred because the code only extracted the first element from the
CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
source with a lower score instead of the Primary source with the
actual severity score.

This fix takes maximum CVSS score.

Hello,

Does this patch interact with the open bug 15931 – CVE Reporting wrong CVSSv3 score (https://bugzilla.yoctoproject.org/show_bug.cgi?id=15931)?

Also, does this need to be fixed on master and/or whinlatter? If yes, you should first send this patch (adapted most likely) to master. Then, once merged, send a backport request to the stable branches.

Thanks!

Signed-off-by: Het Patel <hetpat@cisco.com>
---
 .../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
 1 file changed, 39 insertions(+), 16 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 945bd1d927..28d5810d5d 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -352,32 +352,55 @@ def update_db(conn, elt): if desc['lang'] == 'en': cveDesc = desc['value'] date = elt['cve']['lastModified'] + + # Extract maximum CVSS scores from all sources (Primary and Secondary) + cvssv2 = 0.0 try: - accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] - vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] - cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV2 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV2']: + score = metric['cvssData']['baseScore'] + if score > cvssv2: + cvssv2 = score + accessVector = metric['cvssData']['accessVector'] + vectorString = metric['cvssData']['vectorString'] except KeyError: - cvssv2 = 0.0 - cvssv3 = None + pass + + cvssv3 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] - cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV30 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV30']: + score = metric['cvssData']['baseScore'] + if score > cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass + try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] - cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV31 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV31']: + score = metric['cvssData']['baseScore'] + if score > 
cvssv3: + cvssv3 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: pass - cvssv3 = cvssv3 or 0.0 + + cvssv4 = 0.0 try: - accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector'] - vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString'] - cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore'] + # Iterate through all cvssMetricV40 entries and find the maximum score + for metric in elt['cve']['metrics']['cvssMetricV40']: + score = metric['cvssData']['baseScore'] + if score > cvssv4: + cvssv4 = score + accessVector = accessVector or metric['cvssData']['attackVector'] + vectorString = vectorString or metric['cvssData']['vectorString'] except KeyError: - cvssv4 = 0.0 + pass + accessVector = accessVector or "UNKNOWN" vectorString = vectorString or "UNKNOWN" -- Yoann Congal Smile ECS [-- Attachment #2: Type: text/html, Size: 12847 bytes --] ^ permalink raw reply related [flat|nested] 3+ messages in thread
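The two bug 15931 issues discussed in this thread (element [0] of each metrics array, and v3.0 taking precedence over v3.1) can be reproduced and checked on a constructed NVD-style record. The following is an added example written for this page; it is not code from cve-update-nvd2-native.bb, from the patch, or from anyone in the thread. It assumes the NVD API 2.0 metrics layout (`cvssMetricV31` and friends as arrays of objects with `type`, `source` and `cvssData`), the sample record and its placeholder CVE id are constructed, and the optional `prefer_primary` policy goes beyond the patch, which takes the maximum regardless of source type. Unlike the patch, it also keeps the vector string of the entry that actually produced the chosen score.

```python
"""Added example: max-score CVSS selection over an NVD API 2.0 style record.
Illustration code written for this thread, not code from
cve-update-nvd2-native.bb or from the patch above. The record below is
constructed; its CVE id is a placeholder."""
import copy

# Constructed sample mirroring the NVD 2.0 'metrics' object: the v3.1 array
# lists a lower-scoring Secondary entry before the Primary one, and a v3.0
# Primary entry is present as well, so both issues from bug 15931 show up.
SAMPLE_ELT = {
    "cve": {
        "id": "CVE-0000-0000",  # placeholder, not a real CVE id
        "metrics": {
            "cvssMetricV31": [
                {"source": "secondary@example.invalid", "type": "Secondary",
                 "cvssData": {"baseScore": 5.3, "attackVector": "NETWORK",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}},
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "attackVector": "NETWORK",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
            ],
            "cvssMetricV30": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 7.5, "attackVector": "NETWORK",
                              "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
            ],
            "cvssMetricV2": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 4.3, "accessVector": "NETWORK",
                              "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}},
            ],
        },
    }
}

# Metric arrays feeding each score column. CVSS v2 names its vector field
# 'accessVector'; v3.x and v4.0 call it 'attackVector'.
FAMILIES = {
    "cvssv2": (("cvssMetricV2", "accessVector"),),
    "cvssv3": (("cvssMetricV30", "attackVector"), ("cvssMetricV31", "attackVector")),
    "cvssv4": (("cvssMetricV40", "attackVector"),),
}


def best_entry(elt, keys, prefer_primary=True):
    """Return (score, vectorString, vector) of the highest-scoring entry across
    the given metric arrays. With prefer_primary, any 'Primary' entry outranks
    every 'Secondary' one, so a higher Secondary score cannot displace it."""
    metrics = elt.get("cve", {}).get("metrics", {})
    best, best_rank = (0.0, None, None), -1
    for key, vector_field in keys:
        for metric in metrics.get(key, []):
            data = metric.get("cvssData", {})
            score = float(data.get("baseScore", 0.0))
            rank = 1 if prefer_primary and metric.get("type") == "Primary" else 0
            # Rank first, then score; ties keep the entry seen first.
            if (rank, score) > (best_rank, best[0]):
                best_rank = rank
                best = (score, data.get("vectorString"), data.get(vector_field))
    return best


def extract_scores(elt, prefer_primary=True):
    """Build the row the recipe stores: one score per family, plus the vector
    string and vector of the entry that won in the newest family that has
    data (v4.0, then v3.x, then v2), so they always describe the same entry."""
    result, chosen = {}, None
    for name in ("cvssv4", "cvssv3", "cvssv2"):
        score, vector_string, vector = best_entry(elt, FAMILIES[name], prefer_primary)
        result[name] = score
        if chosen is None and vector_string is not None:
            chosen = (vector_string, vector)
    result["vectorString"], result["accessVector"] = chosen or ("UNKNOWN", "UNKNOWN")
    return result


def first_entry_cvssv3(elt):
    """Pre-patch selection, for comparison: only element [0] of each array is
    read, and a v3.0 score found there is never replaced by the v3.1 one."""
    metrics = elt["cve"]["metrics"]
    score = None
    if "cvssMetricV30" in metrics:
        score = metrics["cvssMetricV30"][0]["cvssData"]["baseScore"]
    if not score and "cvssMetricV31" in metrics:
        score = metrics["cvssMetricV31"][0]["cvssData"]["baseScore"]
    return score or 0.0


def drop_family(elt, key):
    """Copy of elt without one metric array, used to build variants."""
    out = copy.deepcopy(elt)
    out["cve"]["metrics"].pop(key, None)
    return out


def with_v31_score(elt, index, score):
    """Copy of elt with one cvssMetricV31 entry's baseScore replaced."""
    out = copy.deepcopy(elt)
    out["cve"]["metrics"]["cvssMetricV31"][index]["cvssData"]["baseScore"] = score
    return out


if __name__ == "__main__":
    print("old:", first_entry_cvssv3(SAMPLE_ELT), "new:", extract_scores(SAMPLE_ELT))
```

On the sample record the pre-patch selection reports 7.5 (the v3.0 entry at index 0), and 5.3 once the v3.0 array is removed, while the max-score selection reports 9.8 with the matching v3.1 Primary vector string. Raising the Secondary entry above the Primary one shows the policy difference: with `prefer_primary=True` the row still reports 9.8, with `prefer_primary=False` it reports the Secondary 10.0, which is the behaviour the patch implements.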