cve-update-nvd2-native: handle all configuration nodes, not just first

Some CVEs, such as CVE-2013-6629, list multiple configurations which are vulnerable. The current JSON parser only considers the first configuration. Instead, consider every configuration. We don't yet handle the AND/OR logical operators, but this is a step in the right direction. (From OE-Core rev: e521d6ce48d3b04eb2d53c710bba18593a908fe3) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e1bf4f6dd686055fe9a8bdcc3f739eac2807bae0) Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-03-06 15:29:40 +01:00 · 2023-06-23 13:32:49 +01:00
parent 65c2f76dca
commit 122c106794
1 changed files with 5 additions and 4 deletions
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -323,11 +323,12 @@ def update_db(conn, elt):
                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()

    try:
-        configurations = elt['cve']['configurations'][0]['nodes']
-        for config in configurations:
-            parse_node_and_insert(conn, config, cveId)
+        for config in elt['cve']['configurations']:
+            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
+            for node in config["nodes"]:
+                parse_node_and_insert(conn, node, cveId)
    except KeyError:
-        bb.debug(2, "Entry without a configuration")
+        bb.debug(2, "CVE %s has no configurations" % cveId)

 do_fetch[nostamp] = "1"