@@ -22,7 +22,7 @@ python do_populate_cve_db() {
Update NVD database with json data feed
"""
- import sqlite3, urllib, shutil, gzip, re
+ import sqlite3, urllib, shutil, gzip
from datetime import date
BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
@@ -52,13 +52,15 @@ python do_populate_cve_db() {
req = urllib.request.Request(meta_url)
if proxy:
req.set_proxy(proxy, 'https')
- try:
- with urllib.request.urlopen(req, timeout=1) as r:
- date_line = str(r.read().splitlines()[0])
- last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
- except:
- cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
- break
+ with urllib.request.urlopen(req) as r:
+ for l in r.read().decode("utf-8").splitlines():
+ key, value = l.split(":", 1)
+ if key == "lastModifiedDate":
+ last_modified = value
+ break
+ else:
+ bb.warn("Cannot parse CVE metadata, update failed")
+ return
# Compare with current db last modified date
c.execute("select DATE from META where YEAR = ?", (year,))
The metadata parser is fragile: first it coerces a bytes() to a str() (so the string is b'LastModifiedDate:2019...'), assumes the first line is the date, and then uses a regex to parse (which then includes the trailing quote as part of the date). Clean this up by parsing the bytes as UTF-8 (ASCII is probably fine, but this is safer), iterate through the lines and split on colons to find the right key/value pair. Signed-off-by: Ross Burton <ross.burton@intel.com> --- meta/recipes-core/meta/cve-update-db-native.bb | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core