[oe-commits] [openembedded-core] 27/49: cve-update-db-native: improve metadata parsing

git at git.openembedded.org git at git.openembedded.org
Wed Nov 6 20:45:14 UTC 2019


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch sumo-next
in repository openembedded-core.

commit c718e073e8e9cd5df9e19dd02fcac2139758b5b7
Author: Ross Burton <ross.burton at intel.com>
AuthorDate: Wed Nov 6 17:37:40 2019 +0200

    cve-update-db-native: improve metadata parsing
    
    The metadata parser is fragile: first it coerces a bytes() to a str() (so the
    string is b'LastModifiedDate:2019...'), assumes the first line is the date, and
    then uses a regex to parse (which then includes the trailing quote as part of
    the date).
    
    Clean this up by parsing the bytes as UTF-8 (ASCII is probably fine, but this is
    safer), iterate through the lines and split on colons to find the right
    key/value pair.
    
    (From OE-Core rev: bb4e53af33d6ca1e9346464adbdc1b39c47530f3)
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/recipes-core/meta/cve-update-db-native.bb | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index a5d8e32..6907197 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -17,7 +17,7 @@ python do_populate_cve_db() {
     Update NVD database with json data feed
     """
 
-    import sqlite3, urllib, shutil, gzip, re
+    import sqlite3, urllib, shutil, gzip
     from datetime import date
 
     BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
@@ -47,13 +47,15 @@ python do_populate_cve_db() {
         req = urllib.request.Request(meta_url)
         if proxy:
             req.set_proxy(proxy, 'https')
-        try:
-            with urllib.request.urlopen(req, timeout=1) as r:
-                date_line = str(r.read().splitlines()[0])
-                last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
-        except:
-            cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
-            break
+        with urllib.request.urlopen(req) as r:
+            for l in r.read().decode("utf-8").splitlines():
+                key, value = l.split(":", 1)
+                if key == "lastModifiedDate":
+                    last_modified = value
+                    break
+            else:
+                bb.warn("Cannot parse CVE metadata, update failed")
+                return
 
         # Compare with current db last modified date
         c.execute("select DATE from META where YEAR = ?", (year,))
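Review bot: `key, value = l.split(":", 1)` in the new loop raises ValueError on any line that has no colon (a blank line, or an HTML error body returned by a proxy), and since this hunk also removes the surrounding try/except, that exception escapes instead of reaching the `bb.warn` in the `else` branch. Consider `key, _, value = l.partition(":")`, or skipping lines without a colon, so malformed metadata ends in the warning path. The same removal means a failure in `urllib.request.urlopen(req)` is no longer caught here, and dropping `timeout=1` without a replacement leaves the call on the default socket timeout, which is unbounded unless set elsewhere; a longer explicit timeout with a narrow `except` for the network error would keep the fetch bounded. Note also that the old failure path wrote "CVE data is outdated" to `cve_f`, while the new one only calls `bb.warn` and returns, so that notice no longer goes to that file; if that is intended, it deserves a line in the commit message.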
