cve-update-nvd2-native: actually use API keys

There were vestigal remains of API key support which could be removed, but as using an API key - in theory - gives the user larger rate limits it's probably wise to expose it. If the user has an API key, then set NVDCVE_API_KEY. (From OE-Core rev: b3fc8ef9aba822b3d485242c8ebd0e0bff0ebfc8) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a542de684282bfec79f24ae2f1a2027ffde319d8) Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-05 08:02:25 +02:00 · 2023-07-11 12:54:47 +01:00
parent 579797adab
commit 87f16e1f3b
1 changed files with 12 additions and 11 deletions
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -17,6 +17,10 @@ deltask do_populate_sysroot

 NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0"

+# If you have a NVD API key (https://nvd.nist.gov/developers/request-an-api-key)
+# then setting this to get higher rate limits.
+NVDCVE_API_KEY ?= ""
+
 # CVE database update interval, in seconds. By default: once a day (24*60*60).
 # Use 0 to force the update
 # Use a negative value to skip the update
@@ -121,19 +125,14 @@ def nvd_request_next(url, api_key, args):
    import http
    import time

-    headers = {}
+    request = urllib.request.Request(url + "?" + urllib.parse.urlencode(args))
    if api_key:
-        headers['apiKey'] = api_key
-
-    bb.note("Requesting %s" % str(args))
-
-    data = urllib.parse.urlencode(args)
-
-    full_request = url + '?' + data
+        request.add_header("apiKey", api_key)
+    bb.note("Requesting %s" % request.full_url)

    for attempt in range(5):
        try:
-            r = urllib.request.urlopen(full_request)
+            r = urllib.request.urlopen(request)

            if (r.headers['content-encoding'] == 'gzip'):
                buf = r.read()
@@ -144,7 +143,7 @@ def nvd_request_next(url, api_key, args):
            r.close()

        except Exception as e:
-            bb.note("CVE database: received error (%s), retrying (request: %s)" % (e, full_request))
+            bb.note("CVE database: received error (%s), retrying" % (e))
            time.sleep(6)
            pass
        else:
@@ -186,9 +185,11 @@ def update_db_file(db_tmp_file, d, database_time):
        bb.note("Updating entries")
        index = 0
        url = d.getVar("NVDCVE_URL")
+        api_key = d.getVar("NVDCVE_API_KEY") or None
+
        while True:
            req_args['startIndex'] = index
-            raw_data = nvd_request_next(url, None, req_args)
+            raw_data = nvd_request_next(url, api_key, req_args)
            if raw_data is None:
                # We haven't managed to download data
                return False