[OE-core] [master] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources
From: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-01-21 7:35 UTC
To: openembedded-core; +Cc: xe-linux-external
From: Het Patel <hetpat@cisco.com>
The CVE check system was incorrectly reporting lower CVSS scores when
multiple scoring sources were available in the NVD database. This
occurred because the code only extracted the first element from the
CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
source with a lower score instead of the Primary source with the
actual severity score.
This fix takes the maximum CVSS score.
Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15931
Signed-off-by: Het Patel <hetpat@cisco.com>
---
.../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
1 file changed, 39 insertions(+), 16 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 8c8148dd92..41c34ba0d0 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -350,32 +350,55 @@ def update_db(conn, elt):
if desc['lang'] == 'en':
cveDesc = desc['value']
date = elt['cve']['lastModified']
+
+ # Extract maximum CVSS scores from all sources (Primary and Secondary)
+ cvssv2 = 0.0
try:
- accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
- vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
- cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV2 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV2']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv2:
+ cvssv2 = score
+ accessVector = metric['cvssData']['accessVector']
+ vectorString = metric['cvssData']['vectorString']
except KeyError:
- cvssv2 = 0.0
- cvssv3 = None
+ pass
+
+ cvssv3 = 0.0
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
- cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV30 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV30']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv3:
+ cvssv3 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
pass
+
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
- cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV31 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV31']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv3:
+ cvssv3 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
pass
- cvssv3 = cvssv3 or 0.0
+
+ cvssv4 = 0.0
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
- cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV40 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV40']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv4:
+ cvssv4 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
- cvssv4 = 0.0
+ pass
+
accessVector = accessVector or "UNKNOWN"
vectorString = vectorString or "UNKNOWN"
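Review bot: the vector bookkeeping is inconsistent across the four loops in this hunk. The cvssMetricV2 loop rebinds `accessVector` and `vectorString` to whichever entry holds the running maximum, whereas the cvssMetricV30, cvssMetricV31 and cvssMetricV40 loops use `accessVector = accessVector or metric['cvssData']['attackVector']` and the matching `vectorString = vectorString or ...`, which keep the first vector seen even when a later entry in the same array (or a cvssMetricV31 entry after the cvssMetricV30 scan) supplies the higher `baseScore`; the stored score and the stored vector can then describe different sources. Suggest one pattern in all four loops: move the vector assignment into the `if score > cvssv3:` branch (guarded so an earlier version's vector still wins, as the old `or` chain intended), or remember the winning metric and read its vector once after the loop. Second, because `except KeyError: pass` now wraps a whole `for metric in ...` loop, a single entry missing `baseScore` or `attackVector` aborts the scan of that array and silently drops any higher-scoring entries after it; catching KeyError per entry with `continue`, and keeping the outer try only for the missing `elt['cve']['metrics'][...]` key, would preserve the maximum the commit message promises. Finally, the three lines `score = metric['cvssData']['baseScore']` / `if score > cvssv2:` / `cvssv2 = score` are repeated four times with only the variable name changed; a small helper taking the array key and the vector field name would keep the four versions from drifting apart again.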
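The selection change described in the commit message above (the first array element versus the maximum across all entries, Primary or Secondary), as an added example that is not part of the patch or of OE-core's cve-update-nvd2-native.bb. The record below is a constructed stand-in for an NVD 2.0 API vulnerability element with the array shape the recipe reads (`cve.metrics.cvssMetricV31[].cvssData.baseScore`); the `type` field is the NVD API's Primary/Secondary marker, the `primary_score` variant and all helper names are my additions, and the CVSSv3.0 entry is deliberately missing `baseScore` to show the malformed-entry path.

```python
"""CVSS score selection from an NVD 2.0 API vulnerability element.

Added example; not code from OE-core's cve-update-nvd2-native.bb.
Helper names and the SAMPLE_ELT record are constructed for illustration.
"""
from typing import Any, Dict, Iterable, Optional, Tuple

# The recipe folds CVSSv3.0 and CVSSv3.1 into one "cvssv3" value.
V3_KEYS = ("cvssMetricV30", "cvssMetricV31")

# Constructed sample record. The Secondary (lower) CVSSv3.1 entry is listed
# first, the ordering that made the pre-fix [0] lookup under-report. The
# CVSSv3.0 entry has no baseScore, to exercise the malformed-entry path.
SAMPLE_ELT: Dict[str, Any] = {
    "cve": {
        "metrics": {
            "cvssMetricV2": [
                {"type": "Primary", "cvssData": {
                    "baseScore": 7.5, "accessVector": "NETWORK",
                    "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}},
            ],
            "cvssMetricV30": [
                {"type": "Secondary", "cvssData": {
                    "attackVector": "NETWORK",
                    "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}},
            ],
            "cvssMetricV31": [
                {"type": "Secondary", "cvssData": {
                    "baseScore": 5.3, "attackVector": "NETWORK",
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}},
                {"type": "Primary", "cvssData": {
                    "baseScore": 9.8, "attackVector": "NETWORK",
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
            ],
        }
    }
}


def first_entry_score(elt: Dict[str, Any], key: str) -> float:
    """Pre-fix behaviour: element [0] of the array, whatever its source."""
    try:
        return float(elt["cve"]["metrics"][key][0]["cvssData"]["baseScore"])
    except (KeyError, IndexError, TypeError, ValueError):
        return 0.0


def max_score(elt: Dict[str, Any], keys: Iterable[str]) -> Tuple[float, Optional[str]]:
    """Post-fix behaviour, with the vector tied to the winning entry.

    Scans every entry of every listed array, keeps the highest baseScore and
    the vectorString of the entry that supplied it. An entry without a usable
    baseScore is skipped rather than aborting the scan, so a malformed
    Secondary entry cannot hide a later, higher Primary one.
    """
    best, vector = 0.0, None
    metrics = elt.get("cve", {}).get("metrics", {})
    for key in keys:
        for metric in metrics.get(key, []):
            data = metric.get("cvssData", {})
            try:
                score = float(data["baseScore"])
            except (KeyError, TypeError, ValueError):
                continue
            if score > best:
                best, vector = score, data.get("vectorString")
    return best, vector


def primary_score(elt: Dict[str, Any], keys: Iterable[str]) -> Tuple[float, Optional[str]]:
    """Variant: prefer the entry NVD marks type == "Primary"; else fall back to max_score."""
    metrics = elt.get("cve", {}).get("metrics", {})
    for key in keys:
        for metric in metrics.get(key, []):
            if metric.get("type") != "Primary":
                continue
            data = metric.get("cvssData", {})
            try:
                return float(data["baseScore"]), data.get("vectorString")
            except (KeyError, TypeError, ValueError):
                continue
    return max_score(elt, keys)


def summarize(elt: Dict[str, Any]) -> Dict[str, Tuple[float, Optional[str]]]:
    """Per-version results the way the recipe stores them (v3 merges 3.0 and 3.1)."""
    return {
        "cvssv2": max_score(elt, ("cvssMetricV2",)),
        "cvssv3": max_score(elt, V3_KEYS),
        "cvssv4": max_score(elt, ("cvssMetricV40",)),
    }


if __name__ == "__main__":
    print("pre-fix  v3.1:", first_entry_score(SAMPLE_ELT, "cvssMetricV31"))
    print("post-fix v3  :", max_score(SAMPLE_ELT, V3_KEYS))
    print("primary  v3  :", primary_score(SAMPLE_ELT, V3_KEYS))
    print(summarize(SAMPLE_ELT))
```

On the sample record the pre-fix lookup reports 5.3 for CVSSv3.1 while both the maximum and the Primary-preferring variant report 9.8 with the matching vector; the missing CVSSv3.0 score is skipped instead of ending the scan, and an absent CVSSv4 array yields 0.0 with no vector, the same default the recipe uses.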
Patchtest results for [OE-core] [master] [PATCH] Fix CVE CVSS scoring to use maximum score from all sources
From: patchtest @ 2026-01-21 7:45 UTC
To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
Cc: openembedded-core
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch /home/patchtest/share/mboxes/master-Fix-CVE-CVSS-scoring-to-use-maximum-score-from-all-sources.patch
FAIL: test shortlog format: Commit shortlog (first line of commit message) should follow the format "<target>: <summary>" (test_mbox.TestMbox.test_shortlog_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)
SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
---
Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!