tools/cve_support
Zhixiong Chi 87b94e70d0 cve_policy_filter: Upstream vulsscan json data format changed
Since the vulsscan upstream commit [https://github.com/future-architect/
vuls/commit/96c3592db1c4b3d658e8e8169fdc17c670e48379] was merged,
the list type for nvd and jvn items has been added to the vulsscan result data.

For example the part of json result changed
from
    "scannedCves": {
        "CVE-2015-8035": {
            "cveContents": {
                "nvd": {
                    "type": "nvd",
                    "cveID": "CVE-2015-8035",
                    "title": "",
                    "summary": "The xz_decomp function in xzlib.c in libxml2 \
                     2.9.1 does not properly detect compression errors, which \
                     allows context-dependent attackers to cause a denial of \
                     service (process hang) via crafted XML data.",
                    "cvss2Score": 2.6,
                    "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                    "cvss2Severity": "LOW",
                    "cvss3Score": 0,
                    "cvss3Vector": "",
                    ...
                },
            },
        },
    }

to
    "scannedCves": {
        "CVE-2015-8035": {
            "cveContents": {
                "nvd": [
                    {
                        "type": "nvd",
                        "cveID": "CVE-2015-8035",
                        "title": "",
                        "summary": "The xz_decomp function in xzlib.c in libxml2 \
                         2.9.1 does not properly detect compression errors, which \
                         allows context-dependent attackers to cause a denial of \
                         service (process hang) via crafted XML data.",
                        "cvss2Score": 2.6,
                        "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                        "cvss2Severity": "LOW",
                        "cvss3Score": 0,
                        "cvss3Vector": "",
                        ...
                    },
                ],
            },
        },
   }

There is only one item within the NVD area according to the latest vulsscan result data set.
Meanwhile, we can see two items within the JVN area for CVE-2018-5407, as follows:

"cveContents": {
    "jvn": [
        {
            "type": "jvn",
            "cveID": "CVE-2018-5407",
            "cvss2Score": 1.9,
            "title": "HPE Integrated Lights-Out 5、HPE Integrated Lights-Out 4",
            "cvss2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
        },
        {
            "type": "jvn",
            "cveID": "CVE-2018-5407",
            "title": "Simultaneous Multi-threading における情報漏えいに関する脆弱性",
            "cvss2Score": 9,
            "cvss2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
        }
    ],

As Michel and Mark suggested, we don't see anything obvious in the log and descriptions
in the way of plans to indicate whether we should expect more than one item in the NVD area.
Now we update the NVD parser in cve_policy_filter.py, and add an exception raised
in case it ever happens, which will allow us to react to the occurrence when the NVD length
is more than 1.

Therefore, when getting the CVE report, we can avoid the following error:

 Traceback (most recent call last):
   File "cve_support/cve_policy_filter.py", line 345, in <module>
     main()
   File "cve_support/cve_policy_filter.py", line 338, in main
     cvssv2_parse_n_report(cves,title,data)
   File "cve_support/cve_policy_filter.py", line 269, in cvssv2_parse_n_report
     nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"]
 TypeError: list indices must be integers or slices, not str

Change-Id: I847938fde14d6240637537e964578758289b56f5
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2021-10-24 23:31:38 -04:00
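The parser below is an added example and is not the cve_policy_filter.py code from this commit. It handles both the old dict layout and the new list layout for "nvd", raises when NVD ever carries more than one item (the policy the commit message settles on, so the anomaly is noticed rather than silently scored from the first element), and takes the highest CVSSv2 score across the JVN items, which legitimately come in pairs as the CVE-2018-5407 sample shows. The sample JSON is constructed here from the values quoted above; the function and exception names (nvd_entry, nvd_cvss2_score, jvn_max_cvss2_score, UnexpectedNvdEntries) are assumptions, not names from the project.

```python
import json

# Constructed sample input, trimmed to the fields the parser reads.  The
# values are the ones quoted in the commit message; the JSON itself is
# assembled here and is not a real vuls report.
NEW_LAYOUT = json.loads("""
{
  "scannedCves": {
    "CVE-2015-8035": {
      "cveContents": {
        "nvd": [
          {"type": "nvd", "cveID": "CVE-2015-8035", "cvss2Score": 2.6,
           "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "cvss2Severity": "LOW",
           "cvss3Score": 0, "cvss3Vector": ""}
        ]
      }
    },
    "CVE-2018-5407": {
      "cveContents": {
        "jvn": [
          {"type": "jvn", "cveID": "CVE-2018-5407", "cvss2Score": 1.9,
           "cvss2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"},
          {"type": "jvn", "cveID": "CVE-2018-5407", "cvss2Score": 9,
           "cvss2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}
        ]
      }
    }
  }
}
""")

# The same NVD record in the pre-96c3592 layout: a single object, not a list.
OLD_LAYOUT = {"scannedCves": {"CVE-2015-8035": {"cveContents": {
    "nvd": NEW_LAYOUT["scannedCves"]["CVE-2015-8035"]["cveContents"]["nvd"][0]
}}}}


def naive_nvd_cvss2_score(data, cve_id):
    """The expression from the traceback above: assumes "nvd" is a dict."""
    return data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"]


class UnexpectedNvdEntries(RuntimeError):
    """Raised when vuls reports more than one NVD item for one CVE (assumed name)."""


def nvd_entry(data, cve_id):
    """Return the single NVD object for cve_id, accepting both layouts.

    Old layout: "nvd" is a dict.  New layout: "nvd" is a list that, as far
    as the data seen so far shows, holds exactly one object; more than one
    is surfaced as an exception instead of being scored from element 0.
    """
    nvd = data["scannedCves"][cve_id]["cveContents"].get("nvd")
    if nvd is None:
        return None
    if isinstance(nvd, dict):
        return nvd
    if isinstance(nvd, list):
        if not nvd:
            return None
        if len(nvd) > 1:
            raise UnexpectedNvdEntries(
                f"{cve_id}: expected 1 NVD item, got {len(nvd)}")
        return nvd[0]
    raise TypeError(f"{cve_id}: unexpected nvd type {type(nvd).__name__}")


def nvd_cvss2_score(data, cve_id):
    """CVSSv2 score from NVD, or None when NVD has no entry for the CVE."""
    entry = nvd_entry(data, cve_id)
    return None if entry is None else entry.get("cvss2Score")


def jvn_entries(data, cve_id):
    """JVN may legitimately list several items (see CVE-2018-5407 above)."""
    jvn = data["scannedCves"][cve_id]["cveContents"].get("jvn", [])
    return [jvn] if isinstance(jvn, dict) else list(jvn)


def jvn_max_cvss2_score(data, cve_id):
    """Worst-case (highest) CVSSv2 score across the JVN items, or None."""
    scores = [e.get("cvss2Score") for e in jvn_entries(data, cve_id)]
    scores = [s for s in scores if s is not None]
    return max(scores) if scores else None


def raises(exc_type, fn, *args):
    """Helper so a caller can check a failure mode without try/except."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    print("old layout, naive:", naive_nvd_cvss2_score(OLD_LAYOUT, "CVE-2015-8035"))
    print("new layout, naive raises TypeError:",
          raises(TypeError, naive_nvd_cvss2_score, NEW_LAYOUT, "CVE-2015-8035"))
    print("new layout, fixed:", nvd_cvss2_score(NEW_LAYOUT, "CVE-2015-8035"))
    print("JVN worst score:", jvn_max_cvss2_score(NEW_LAYOUT, "CVE-2018-5407"))
```

Running the file prints 2.6 for the old layout through the naive expression, confirms the naive expression raises the TypeError from the traceback on the new layout, and prints 2.6 and 9 from the layout-aware functions. Raising on a multi-item NVD list rather than picking the first element is deliberate: a report that silently used the wrong score would be harder to notice than one that fails loudly.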
cve_policy_filter.py cve_policy_filter: Upstream vulsscan json data format changed 2021-10-24 23:31:38 -04:00
lp.py Update filter to track won't fix or invalid bugs 2020-04-20 06:43:56 -07:00
template_v3.txt cve_policy_filter.py supports CVSSV2 and CVSSV3 vulnerability report generation 2021-02-09 14:30:20 +05:30
template.txt Update filter to track won't fix or invalid bugs 2020-04-20 06:43:56 -07:00