cve_policy_filter: Upstream vulsscan json data format changed

Since vulsscan upstream commit [https://github.com/future-architect/
vuls/commit/96c3592db1c4b3d658e8e8169fdc17c670e48379] had been merged,
So the list type for nvd and jvn items was added in vulsscan data result.

For example the part of json result changed
from
    "scannedCves": {
        "CVE-2015-8035": {
            "cveContents": {
                "nvd": {
                    "type": "nvd",
                    "cveID": "CVE-2015-8035",
                    "title": "",
                    "summary": "The xz_decomp function in xzlib.c in libxml2 \
                     2.9.1 does not properly detect compression errors, which \
                     allows context-dependent attackers to cause a denial of \
                     service (process hang) via crafted XML data.",
                    "cvss2Score": 2.6,
                    "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                    "cvss2Severity": "LOW",
                    "cvss3Score": 0,
                    "cvss3Vector": "",
                    ...
                },
            },
        },
    }

to
    "scannedCves": {
        "CVE-2015-8035": {
            "cveContents": {
                "nvd": [
                    {
                        "type": "nvd",
                        "cveID": "CVE-2015-8035",
                        "title": "",
                        "summary": "The xz_decomp function in xzlib.c in libxml2 \
                         2.9.1 does not properly detect compression errors, which \
                         allows context-dependent attackers to cause a denial of \
                         service (process hang) via crafted XML data.",
                        "cvss2Score": 2.6,
                        "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                        "cvss2Severity": "LOW",
                        "cvss3Score": 0,
                        "cvss3Vector": "",
                        ...
                    },
                ],
            },
        },
   }

There is only one item within NVD area according to the latest vulsscan result data set.
Meanwhile we can only see two items within JVN area for the CVE-2018-5407 as follows:

"cveContents": {
    "jvn": [
        {
            "type": "jvn",
            "cveID": "CVE-2018-5407",
            "cvss2Score": 1.9,
            "title": "HPE Integrated Lights-Out 5、HPE Integrated Lights-Out 4
            "cvss2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
        },
        {
            "type": "jvn",
            "cveID": "CVE-2018-5407",
            "title": "Simultaneous Multi-threading における情報漏えいに関する脆弱性",
            "cvss2Score": 9,
            "cvss2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
        }
    ],

As Michel and Mark suggested, we don't see anything obvious in the log and descriptions,
or in the way of plans, to indicate whether we should expect more than one item in the NVD area.
Now we update the NVD parser in cve_policy_filter.py accordingly, and add an exception
that is raised when the NVD length is more than 1, so that if it ever happens we can
react to the occurrence.

Therefore when getting the cve report we can avoid the following error:

 Traceback (most recent call last):
   File "cve_support/cve_policy_filter.py", line 345, in <module>
     main()
   File "cve_support/cve_policy_filter.py", line 338, in main
     cvssv2_parse_n_report(cves,title,data)
   File "cve_support/cve_policy_filter.py", line 269, in cvssv2_parse_n_report
     nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"]
 TypeError: list indices must be integers or slices, not str

Change-Id: I847938fde14d6240637537e964578758289b56f5
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Zhixiong Chi 2021-10-20 05:26:22 -04:00
parent caf686d9e2
commit 87b94e70d0
1 changed files with 27 additions and 7 deletions


@ -24,6 +24,18 @@ cves_to_omit = []
cves_report = {}
class NVDLengthException(Exception):
"""
Throw the exception when the length of NVD list != 1
"""
def __init__(self, length):
self.length = length
def __str__(self):
print("Warning: NVD length: %d, not 1, Please check again!" \
% self.length)
def print_html_report(cves_report, title):
"""
Print the html report
@ -123,7 +135,7 @@ def get_summary(data, cve_id):
return: nvd summary
"""
try:
summary = data["scannedCves"][cve_id]["cveContents"]["nvd"]["summary"]
summary = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["summary"]
except KeyError:
summary = None
return summary
@ -133,7 +145,7 @@ def get_source_link(data, cve_id):
return: web link to the nvd report
"""
try:
source_link = data["scannedCves"][cve_id]["cveContents"]["nvd"]["sourceLink"]
source_link = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["sourceLink"]
except KeyError:
source_link = None
return source_link
@ -227,12 +239,16 @@ def cvssv3_parse_n_report(cves,title,data):
affectedpackages_list = []
allfixed = "fixed"
try:
nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss3Score"]
cvss3vector = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss3Vector"]
nvdlength = len(data["scannedCves"][cve_id]["cveContents"]["nvd"])
if nvdlength != 1:
raise NVDLengthException(nvdlength)
nvd3_score = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Score"]
cvss3vector = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Vector"]
except KeyError:
cves_w_errors.append(cve)
else:
cve["cvss3Score"] = nvd2_score
cve["cvss3Score"] = nvd3_score
for element in cvss3vector.split("/"):
if "AV:" in element:
_av = element.split(":")[1]
@ -266,8 +282,12 @@ def cvssv2_parse_n_report(cves,title,data):
affectedpackages_list = []
allfixed = "fixed"
try:
nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"]
cvss2vector = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Vector"]
nvdlength = len(data["scannedCves"][cve_id]["cveContents"]["nvd"])
if nvdlength != 1:
raise NVDLengthException(nvdlength)
nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss2Score"]
cvss2vector = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss2Vector"]
except KeyError:
cves_w_errors.append(cve)
else:
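Review bot: `NVDLengthException.__str__` in the first hunk prints the message and implicitly returns None, so any `str(exc)` — including the interpreter's own traceback rendering when the exception escapes `cvssv2_parse_n_report`/`cvssv3_parse_n_report` uncaught, since their handlers catch only `KeyError` — fails with `TypeError: __str__ returned non-string`; make it `return "Warning: NVD length: %d, not 1, Please check again!" % self.length`. Relatedly, `get_summary` and `get_source_link` now index `["nvd"][0]` but still catch only `KeyError`, so an empty `nvd` list raises an `IndexError` that the existing handler does not cover; `except (KeyError, IndexError):` would keep them returning `None` as before. It would also be worth a one-line comment above the `nvdlength != 1` checks stating that a length other than 1 is deliberately treated as fatal rather than appended to `cves_w_errors`, since the `except KeyError` right below it looks like it was meant to be the catch-all. The functions in the third and fourth hunks continue outside the hunks.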