Closed eslerm closed 5 months ago
I can confirm the same issue. `pip3.11 install cvelib` on RHEL-8.
Indeed, this is a regression in CVE Services, which no longer includes the `user` attribute for CVE IDs that were reserved before CVE Services was launched. It was discussed in the automation workgroup yesterday (Jan 23) and it will be addressed in the next patch release (hopefully soon). In the meantime, you can display the output with `--raw`, which bypasses rendering the output.
If it ends up taking a long time to fix this in CVE Services, I can patch cvelib to check for the existence of the `user` attribute.
Related issue in cve-services: https://github.com/CVEProject/cve-services/issues/1176
Thanks @mprpic \o/
During `cve list`, it is no longer guaranteed that `cve['requested_by']['user']` is true. If a user is unknown, it is not being set. This appears to be due to a change in the CVE Services API which occurred since Jan 11 2024.

To fix this I'm using the following in `cve_list()`:

What is odd is that old CVEs which lack a user can still be called with `cve show $CVE_ID`, even though `print_cve_id()` calls `cve['requested_by']['user']`.