cve-update-nvd2-native: Use maximum CVSS score from all sources
The CVE check system was incorrectly reporting lower CVSS scores when
multiple scoring sources were available in the NVD database. This
occurred because the code only extracted the first element from the
metrics arrays, which could be a "Secondary" source with a lower score
rather than the "Primary" source or the highest available vendor score.
According to the CVSS v4.0 User Guide, "In situations where multiple
CVSS-B scores are applicable but only one is provided, the highest
CVSS-B score must be utilized." This follows the "reasonable worst-case"
principle established by the CVSS SIG.
This fix iterates through all available sources (v2, v3.0, v3.1, and
v4.0) and selects the maximum CVSS score to ensure the highest severity
is reported.
Fixes [YOCTO #15931]
References:
- https://www.first.org/cvss/v4.0/user-guide
- https://www.first.org/cvss/v3.1/user-guide
- https://www.first.org/cvss/v2/minutes/cvss-meeting-minutes-
06202006.pdf
Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
projects / thirdparty / openembedded / openembedded-core-contrib.git / commit
