cve-update-nvd2-native: fix cvssV3 metrics

After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got broken.
Anything which has only cvssV3 does not resolve properly.
Fix the API fields used to extract it.

i0.0 score is now at level of NVD DB 1.1.
All CVEs with UNKNOWN vector are not present in NVD DB 1.1.

NVD API 1.1:
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4776
LOCAL|32146
NETWORK|167746
PHYSICAL|185
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73331
1.8|7
1.9|3
...

NVD API 2.0 (broken):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4587
LOCAL|26273
NETWORK|150421
UNKNOWN|24644
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|205925

NVD API 2.0 (fixed):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|5090
LOCAL|32322
NETWORK|168004
PHYSICAL|213
UNKNOWN|511
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73841
1.8|7
1.9|3
...

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 61f4d47f961e3466cd8c950f6654f901c2d0edde..c85df23f5988e5de16c9abd20e2368b4372c1bd5 100644 (file)
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -312,12 +312,19 @@ def update_db(conn, elt):
         cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
     except KeyError:
         cvssv2 = 0.0
+    cvssv3 = None
     try:
-        accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
-        cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+        cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
     except KeyError:
-        accessVector = accessVector or "UNKNOWN"
-        cvssv3 = 0.0
+        pass
+    try:
+        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+        cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+    except KeyError:
+        pass
+    accessVector = accessVector or "UNKNOWN"
+    cvssv3 = cvssv3 or 0.0
 
     conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
                 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()