diff options
author | Konrad Weihmann <kweihmann@outlook.com> | 2021-04-22 18:48:27 +0200 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2021-04-27 04:35:09 -1000 |
commit | 45148918628ba797755f3cbb52f065ec6dbbcfd2 (patch) | |
tree | 60f7edbaa1b45c5224ab9d4619d4a06685f7cecd | |
parent | c98f3563937dc55605cc1f09c096f7cd716a78ce (diff) | |
download | openembedded-core-45148918628ba797755f3cbb52f065ec6dbbcfd2.tar.gz |
cve-update-db-native: skip on empty cpe23Uri
Recently an entry in the NVD DB appeared that looks like that
{'vulnerable': True, 'cpe_name': []}.
As besides all the vulnerable flag no data is present we would get
a KeyError exception on acccess.
Use get method on dictionary and return if no meta data is present
Also quit if the length of the array after splitting is less than 6
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 00ce2796d97de2bc376b038d0ea7969088791d34)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-core/meta/cve-update-db-native.bb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 5d9fb59cbc..e86c69803f 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -132,7 +132,12 @@ def parse_node_and_insert(c, node, cveId): for cpe in node.get('cpe_match', ()): if not cpe['vulnerable']: return - cpe23 = cpe['cpe23Uri'].split(':') + cpe23 = cpe.get('cpe23Uri') + if not cpe23: + return + cpe23 = cpe23.split(':') + if len(cpe23) < 6: + return vendor = cpe23[3] product = cpe23[4] version = cpe23[5] |