* [OE-core] [PATCH v3] cve-update-nvd2-native: Use maximum CVSS score from all sources
@ 2026-01-22 14:59 Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
From: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-01-22 14:59 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external
From: Het Patel <hetpat@cisco.com>
The CVE check system was incorrectly reporting lower CVSS scores when
multiple scoring sources were available in the NVD database. This
occurred because the code only extracted the first element from the
metrics arrays, which could be a "Secondary" source with a lower score
rather than the "Primary" source or the highest available vendor score.
According to the CVSS v4.0 User Guide, "In situations where multiple
CVSS-B scores are applicable but only one is provided, the highest
CVSS-B score must be utilized." This follows the "reasonable worst-case"
principle established by the CVSS SIG.
This fix iterates through all available sources (v2, v3.0, v3.1, and
v4.0) and selects the maximum CVSS score to ensure the highest severity
is reported.
Fixes [YOCTO #15931]
References:
- https://www.first.org/cvss/v4.0/user-guide
- https://www.first.org/cvss/v3.1/user-guide
- https://www.first.org/cvss/v2/minutes/cvss-meeting-minutes-06202006.pdf
Signed-off-by: Het Patel <hetpat@cisco.com>
---
.../meta/cve-update-nvd2-native.bb | 55 +++++++++++++------
1 file changed, 39 insertions(+), 16 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 8c8148dd92..41c34ba0d0 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -350,32 +350,55 @@ def update_db(conn, elt):
if desc['lang'] == 'en':
cveDesc = desc['value']
date = elt['cve']['lastModified']
+
+ # Extract maximum CVSS scores from all sources (Primary and Secondary)
+ cvssv2 = 0.0
try:
- accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
- vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
- cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV2 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV2']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv2:
+ cvssv2 = score
+ accessVector = metric['cvssData']['accessVector']
+ vectorString = metric['cvssData']['vectorString']
except KeyError:
- cvssv2 = 0.0
- cvssv3 = None
+ pass
+
+ cvssv3 = 0.0
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
- cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV30 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV30']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv3:
+ cvssv3 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
pass
+
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
- cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV31 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV31']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv3:
+ cvssv3 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
pass
- cvssv3 = cvssv3 or 0.0
+
+ cvssv4 = 0.0
try:
- accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector']
- vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
- cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']
+ # Iterate through all cvssMetricV40 entries and find the maximum score
+ for metric in elt['cve']['metrics']['cvssMetricV40']:
+ score = metric['cvssData']['baseScore']
+ if score > cvssv4:
+ cvssv4 = score
+ accessVector = accessVector or metric['cvssData']['attackVector']
+ vectorString = vectorString or metric['cvssData']['vectorString']
except KeyError:
- cvssv4 = 0.0
+ pass
+
accessVector = accessVector or "UNKNOWN"
vectorString = vectorString or "UNKNOWN"
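Review bot: the vector no longer tracks the score the loop selects in the cvssMetricV30, cvssMetricV31 and cvssMetricV40 loops. They keep `accessVector = accessVector or metric['cvssData']['attackVector']`, so the first entry seen (or the vector already set by the v2 loop) wins even when a later entry raises `cvssv3`/`cvssv4` to its maximum, whereas the v2 loop overwrites `accessVector` and `vectorString` on every new maximum; the stored row can therefore pair the highest score with the vector of a lower-scoring source. Suggest assigning the vector only inside the `if score > ...:` branch in all four loops (dropping the `or`), and, since the four bodies differ only in the array name and the accessVector/attackVector key, factoring them into one helper that returns the score, vector and vectorString of the highest-scoring entry. Minor: `except KeyError: pass` now also hides an entry that lacks `baseScore` mid-loop, which silently discards the remaining entries; a per-entry `.get()` would keep iterating.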
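A worked version of the commit message's reasoning, added here as an example and not code from the patch or from oe-core: a constructed NVD-shaped record in which the Secondary source is listed first, the old first-element lookup beside a max-score lookup that generalises the patch by keeping the vector of the highest-scoring entry for every CVSS version. `SAMPLE_CVE`, `VECTOR_KEY` and the three functions are assumed names.

```python
# Constructed NVD API 2.0-style record (not a real CVE): the Secondary (CNA)
# v3.1 metric is listed first and scores lower than the Primary (NVD) one.
SAMPLE_CVE = {"cve": {"id": "CVE-0000-00000", "metrics": {
    "cvssMetricV31": [
        {"source": "cna@example.invalid", "type": "Secondary",
         "cvssData": {"baseScore": 5.3, "attackVector": "NETWORK",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}},
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"baseScore": 9.8, "attackVector": "NETWORK",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
    "cvssMetricV2": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"baseScore": 7.5, "accessVector": "NETWORK",
                      "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}}}

# Metrics array name -> key that holds the vector (v2 names it accessVector).
VECTOR_KEY = {"cvssMetricV2": "accessVector", "cvssMetricV30": "attackVector",
              "cvssMetricV31": "attackVector", "cvssMetricV40": "attackVector"}

def first_entry_scores(elt):
    """Pre-fix behaviour: read only element [0] of each metrics array."""
    out = {}
    for name in VECTOR_KEY:
        try:
            out[name] = elt['cve']['metrics'][name][0]['cvssData']['baseScore']
        except (KeyError, IndexError):
            out[name] = 0.0
    return out

def max_scores(elt):
    """Fixed behaviour, generalised: take the highest baseScore of every
    metrics array and keep the vector and source of that same entry, so the
    reported vector always belongs to the score that was reported."""
    out = {}
    for name, vkey in VECTOR_KEY.items():
        best = (0.0, "UNKNOWN", "UNKNOWN", None)   # score, vector, string, source
        for metric in elt['cve']['metrics'].get(name, []):
            data = metric.get('cvssData', {})
            score = data.get('baseScore', 0.0)
            if score > best[0]:
                best = (score, data.get(vkey, "UNKNOWN"),
                        data.get('vectorString', "UNKNOWN"), metric.get('source'))
        out[name] = best
    return out

def db_row_scores(elt):
    """Collapse to the (cvssv2, cvssv3, cvssv4) triple the recipe stores;
    v3.0 and v3.1 are merged into one maximum, as the patch does."""
    m = max_scores(elt)
    return (m['cvssMetricV2'][0],
            max(m['cvssMetricV30'][0], m['cvssMetricV31'][0]),
            m['cvssMetricV40'][0])
```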
* Re: [OE-core] [PATCH v3] cve-update-nvd2-native: Use maximum CVSS score from all sources
@ 2026-01-28 6:03 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
From: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-01-28 6:03 UTC (permalink / raw)
To: openembedded-core@lists.openembedded.org, Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
Cc: xe-linux-external(mailer list)
Gentle reminder.
* Re: [OE-core] [PATCH v3] cve-update-nvd2-native: Use maximum CVSS score from all sources
@ 2026-01-28 6:48 ` Yoann Congal
From: Yoann Congal @ 2026-01-28 6:48 UTC (permalink / raw)
To: hetpat
Cc: openembedded-core@lists.openembedded.org,
xe-linux-external(mailer list)
On Wed, 28 Jan 2026 at 07:03, Het Patel via lists.openembedded.org <hetpat=cisco.com@lists.openembedded.org> wrote:
> Gentle reminder.
>
Hello,
Your patch was not forgotten: it is in master-next:
https://git.openembedded.org/openembedded-core/log/?h=master-next
That means that it has passed testing and now needs to be reviewed by the
review team.
Please note that there are higher priority subjects right now, as stated in
the weekly report: https://wiki.yoctoproject.org/wiki/Weekly_Status.
You can ping again if your patch has not been reviewed or merged in two
weeks.
Regards,
--
Yoann Congal
Smile ECS