cve-update-db-native: skip on empty cpe23Uri

Recently an entry in the NVD DB appeared that looks like that {'vulnerable': True, 'cpe_name': []}. As besides all the vulnerable flag no data is present we would get a KeyError exception on acccess. Use get method on dictionary and return if no meta data is present Also quit if the length of the array after splitting is less than 6 (From OE-Core rev: e9776c55cf251fc884ac3ce4fd6c96769b1d17ff) Signed-off-by: Konrad Weihmann <kweihmann@outlook.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 00ce2796d97de2bc376b038d0ea7969088791d34) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-01 13:58:04 +00:00 · 2021-04-22 18:48:27 +02:00 · 2021-04-22 18:48:27 +02:00 · 4c9d9b7985
commit 4c9d9b7985
parent 008f229249
1 changed files with 6 additions and 1 deletions
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@ -138,7 +138,12 @@ def parse_node_and_insert(c, node, cveId):
        for cpe in node.get('cpe_match', ()):
            if not cpe['vulnerable']:
                return
-            cpe23 = cpe['cpe23Uri'].split(':')
+            cpe23 = cpe.get('cpe23Uri')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
            vendor = cpe23[3]
            product = cpe23[4]
            version = cpe23[5]