* cve-check breaks on zeus
@ 2020-07-25 11:13 Konrad Weihmann
2020-07-25 14:52 ` [OE-core] " akuster
0 siblings, 1 reply; 3+ messages in thread
From: Konrad Weihmann @ 2020-07-25 11:13 UTC (permalink / raw)
To: OE-core
Hi all,
I'm just too lazy to check if that has been fixed in master already, but
since yesterday cve-check breaks on zeus for me with the following
File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 91, function: do_populate_cve_db
0087: # Update db with current year json file
0088: try:
0089: response = urllib.request.urlopen(json_url)
0090: if response:
*** 0091: update_db(c, gzip.decompress(response.read()).decode('utf-8'))
0092: c.execute("insert or replace into META values (?, ?)", [year, last_modified])
0093: except urllib.error.URLError as e:
0094: cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
0095: bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 173, function: update_db
0169:
0170: cveId = elt['cve']['CVE_data_meta']['ID']
0171: cveDesc = elt['cve']['description']['description_data'][0]['value']
0172: date = elt['lastModifiedDate']
*** 0173: accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
0174: cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
0175:
0176: try:
0177: cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
Exception: KeyError: 'baseMetricV2'
Cheers
Konrad

* Re: [OE-core] cve-check breaks on zeus
2020-07-25 11:13 cve-check breaks on zeus Konrad Weihmann
@ 2020-07-25 14:52 ` akuster
2020-07-26 9:15 ` Konrad Weihmann
0 siblings, 1 reply; 3+ messages in thread
From: akuster @ 2020-07-25 14:52 UTC (permalink / raw)
To: Konrad Weihmann, OE-core

On 7/25/20 4:13 AM, Konrad Weihmann wrote:
> Hi all,
>
> I'm just too lazy to check if that has been fixed in master already,
> but since yesterday cve-check breaks on zeus for me with the following

I think I just saw this on master. We need to check if NVD changed their
format again.

-armin

>
> File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 91, function: do_populate_cve_db
> 0087: # Update db with current year json file
> 0088: try:
> 0089: response = urllib.request.urlopen(json_url)
> 0090: if response:
> *** 0091: update_db(c, gzip.decompress(response.read()).decode('utf-8'))
> 0092: c.execute("insert or replace into META values (?, ?)", [year, last_modified])
> 0093: except urllib.error.URLError as e:
> 0094: cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
> 0095: bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
> File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 173, function: update_db
> 0169:
> 0170: cveId = elt['cve']['CVE_data_meta']['ID']
> 0171: cveDesc = elt['cve']['description']['description_data'][0]['value']
> 0172: date = elt['lastModifiedDate']
> *** 0173: accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
> 0174: cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
> 0175:
> 0176: try:
> 0177: cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
> Exception: KeyError: 'baseMetricV2'
>
> Cheers
> Konrad
>
>

* Re: [OE-core] cve-check breaks on zeus
2020-07-25 14:52 ` [OE-core] " akuster
@ 2020-07-26 9:15 ` Konrad Weihmann
0 siblings, 0 replies; 3+ messages in thread
From: Konrad Weihmann @ 2020-07-26 9:15 UTC (permalink / raw)
To: akuster808, OE-core

Hi,

since last night it affects all branches I tested.
But it doesn't seem to be a format change, rather baseMetricV2 is optional for some entries

e.g.

{
  "cve": {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
      "ID": "CVE-2020-14725",
      "ASSIGNER": "cve@mitre.org"
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": []
        }
      ]
    },
    "references": {
      "reference_data": [
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html",
          "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
          "refsource": "MISC",
          "tags": []
        }
      ]
    },
    "description": {
      "description_data": [
        {
          "lang": "en",
          "value": "..."
        }
      ]
    }
  },
  "configurations": {
    "CVE_data_version": "4.0",
    "nodes": []
  },
  "impact": {
    "baseMetricV3": {
      "cvssV3": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "privilegesRequired": "HIGH",
        "userInteraction": "NONE",
        "scope": "UNCHANGED",
        "confidentialityImpact": "NONE",
        "integrityImpact": "NONE",
        "availabilityImpact": "HIGH",
        "baseScore": 4.9,
        "baseSeverity": "MEDIUM"
      },
      "exploitabilityScore": 1.2,
      "impactScore": 3.6
    }
  },
  "publishedDate": "2020-07-24T20:15Z",
  "lastModifiedDate": "2020-07-25T02:01Z"
}

I guess it should be treated like baseMetricV3 - let's see if I can craft a patch for that

BR
Konrad

On 25.07.20 16:52, akuster808 wrote:
>
>
> On 7/25/20 4:13 AM, Konrad Weihmann wrote:
>> Hi all,
>>
>> I'm just too lazy to check if that has been fixed in master already,
>> but since yesterday cve-check breaks on zeus for me with the following
>
> I think I just saw this on master. We need to check if NVD changed their
> format again.
>
> -armin
>
>>
>> File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 91, function: do_populate_cve_db
>> 0087: # Update db with current year json file
>> 0088: try:
>> 0089: response = urllib.request.urlopen(json_url)
>> 0090: if response:
>> *** 0091: update_db(c, gzip.decompress(response.read()).decode('utf-8'))
>> 0092: c.execute("insert or replace into META values (?, ?)", [year, last_modified])
>> 0093: except urllib.error.URLError as e:
>> 0094: cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
>> 0095: bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
>> File: '/opt/build/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 173, function: update_db
>> 0169:
>> 0170: cveId = elt['cve']['CVE_data_meta']['ID']
>> 0171: cveDesc = elt['cve']['description']['description_data'][0]['value']
>> 0172: date = elt['lastModifiedDate']
>> *** 0173: accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
>> 0174: cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
>> 0175:
>> 0176: try:
>> 0177: cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
>> Exception: KeyError: 'baseMetricV2'
>>
>> Cheers
>> Konrad
>>
>>
>
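
Added example, not part of the thread and not the OE-core recipe's code: one way to read the metric blocks so that an entry without baseMetricV2 is still stored instead of aborting the whole database update. The function names, the simplified NVD table layout, the 0.0/"UNKNOWN" placeholders and the second sample entry are assumptions made for illustration; the feed's top-level `CVE_Items` list is assumed from the NVD JSON feed layout.

```python
import json
import sqlite3

# Constructed sample feed. Entry 1 has the shape quoted in the thread (CVSS v3
# only, no baseMetricV2); entry 2 is a made-up placeholder carrying both blocks.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2020-14725"},
             "description": {"description_data": [{"lang": "en", "value": "..."}]}},
     "impact": {"baseMetricV3": {"cvssV3": {"attackVector": "NETWORK",
                                            "baseScore": 4.9}}},
     "lastModifiedDate": "2020-07-25T02:01Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
             "description": {"description_data": [{"lang": "en", "value": "constructed"}]}},
     "impact": {"baseMetricV2": {"cvssV2": {"accessVector": "LOCAL", "baseScore": 2.1}},
                "baseMetricV3": {"cvssV3": {"attackVector": "LOCAL", "baseScore": 3.3}}},
     "lastModifiedDate": "2020-01-01T00:00Z"},
]})


def extract_metrics(elt):
    """Return (vector, cvssv2, cvssv3); an absent metric block scores 0.0."""
    impact = elt.get("impact", {})
    v2 = impact.get("baseMetricV2", {}).get("cvssV2", {})
    v3 = impact.get("baseMetricV3", {}).get("cvssV3", {})
    # Prefer the v2 vector, fall back to the v3 one, never raise KeyError.
    vector = v2.get("accessVector") or v3.get("attackVector") or "UNKNOWN"
    return vector, v2.get("baseScore", 0.0), v3.get("baseScore", 0.0)


def update_db(conn, jsondata):
    """Store every entry, scored or not; return IDs that lacked baseMetricV2."""
    conn.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, "
                 "SCOREV2 REAL, SCOREV3 REAL, MODIFIED TEXT, VECTOR TEXT)")
    missing_v2 = []
    for elt in json.loads(jsondata)["CVE_Items"]:
        cve_id = elt["cve"]["CVE_data_meta"]["ID"]
        desc = elt["cve"]["description"]["description_data"][0]["value"]
        vector, v2, v3 = extract_metrics(elt)
        if "baseMetricV2" not in elt.get("impact", {}):
            missing_v2.append(cve_id)
        conn.execute("INSERT OR REPLACE INTO NVD VALUES (?, ?, ?, ?, ?, ?)",
                     [cve_id, desc, v2, v3, elt["lastModifiedDate"], vector])
    conn.commit()
    return missing_v2


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print("entries without baseMetricV2:", update_db(db, SAMPLE_FEED))
    print(db.execute("SELECT ID, SCOREV2, SCOREV3, VECTOR FROM NVD").fetchall())
```

Returning the list of entries that lacked a v2 block keeps the gap visible to whoever reviews the scan, since a 0.0 placeholder score is not the same as "low severity".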