RedHatProductSecurity / cvelib

A Python library and command line interface for CVE Services.
MIT License

possible API change to `cve list` #76

Closed eslerm closed 5 months ago

eslerm commented 5 months ago

During cve list, it is no longer guaranteed that cve['requested_by']['user'] is true. If a user is unknown, it is not being set. This appears to be due to a change in the CVE Services API which occurred since Jan 11 2024.

To fix this I'm using the following in cve_list():

    for cve in cves:
        # CVE Services may omit requested_by.user for IDs reserved before it existed
        user = "pre_idr_user"
        if "user" in cve["requested_by"]:
            user = cve["requested_by"]["user"]
        lines.append(
            (
                cve["cve_id"],
                cve["state"],
                cve["owning_cna"],
                f"{user} ({cve['requested_by']['cna']})",
                human_ts(cve["reserved"]),
            )
        )

What is odd is that old CVEs which lack a user can still be called with cve show $CVE_ID, even though print_cve_id() calls cve['requested_by']['user'].

dsommers commented 5 months ago

I can confirm the same issue. pip3.11 install cvelib on RHEL-8.

mprpic commented 5 months ago

Indeed, this is a regression in CVE Services, which no longer includes the user attribute for CVE IDs that were reserved before CVE Services was launched. It was discussed in the automation workgroup yesterday (Jan 23) and it will be addressed in the next patch release (hopefully soon). In the meantime, you can display the output with --raw which bypasses rendering the output.

If it ends up taking a long time to fix this in CVE Services, I can patch cvelib to check for the existence of the user attribute.
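The defensive rendering both comments describe, as an added example that is not cvelib's own code: it tolerates a missing requested_by.user, still fails loudly if the record is structurally wrong in some other way (no cna at all), and reports which IDs triggered the fallback so the regression can be spotted rather than silently papered over. The sample records, the CVE-0000-... identifiers, the pre_idr_user placeholder and the human_ts stand-in are all assumptions made for this example; cvelib's real helper and the real API payloads may differ.

```python
# Added example, not cvelib's code: render `cve list` rows when CVE Services
# omits requested_by.user for IDs reserved before the service launched.
from datetime import datetime, timezone

# Placeholder shown in place of a user the API did not return (assumption).
PRE_IDR_USER = "pre_idr_user"

# Constructed sample records in the shape discussed in the thread; the IDs are
# deliberately invalid placeholders, not real CVE identifiers.
SAMPLE_CVES = [
    {
        "cve_id": "CVE-0000-0001",
        "state": "RESERVED",
        "owning_cna": "example_cna",
        "requested_by": {"cna": "example_cna", "user": "alice"},
        "reserved": "2024-01-20T12:34:56.000Z",
    },
    {
        # Reserved before CVE Services existed: the API returns no "user" key.
        "cve_id": "CVE-0000-0002",
        "state": "PUBLISHED",
        "owning_cna": "example_cna",
        "requested_by": {"cna": "example_cna"},
        "reserved": "2016-03-01T00:00:00.000Z",
    },
]


def human_ts(ts: str) -> str:
    """Stand-in for cvelib's human_ts (assumed output format, not the real one)."""
    parsed = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return parsed.strftime("%Y-%m-%d %H:%M:%S UTC")


def requested_by_label(requested_by: dict, fallback: str = PRE_IDR_USER) -> str:
    """Format 'user (cna)', substituting `fallback` when the user is absent.

    Only the user is optional; a record without a cna is malformed and should
    raise rather than be rendered with made-up content.
    """
    if not isinstance(requested_by, dict) or "cna" not in requested_by:
        raise ValueError(f"requested_by must contain a cna: {requested_by!r}")
    user = requested_by.get("user") or fallback
    return f"{user} ({requested_by['cna']})"


def cve_list_rows(cves: list) -> list:
    """Build the tuples `cve list` renders, one per record."""
    rows = []
    for cve in cves:
        rows.append(
            (
                cve["cve_id"],
                cve["state"],
                cve["owning_cna"],
                requested_by_label(cve["requested_by"]),
                human_ts(cve["reserved"]),
            )
        )
    return rows


def missing_user_ids(cves: list) -> list:
    """Return the IDs whose requested_by lacks a user, so the fallback is visible
    to whoever is checking whether the upstream regression is still present."""
    return [cve["cve_id"] for cve in cves if "user" not in cve.get("requested_by", {})]


if __name__ == "__main__":
    for row in cve_list_rows(SAMPLE_CVES):
        print("\t".join(row))
    print("records without requested_by.user:", missing_user_ids(SAMPLE_CVES))
```

Reading the user with .get() and a named placeholder keeps the table columns stable for scripts that parse cvelib's output, while missing_user_ids() gives a quick check to run after the CVE Services patch release lands to confirm the attribute is back.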

mprpic commented 5 months ago

Related issue in cve-services: https://github.com/CVEProject/cve-services/issues/1176

eslerm commented 5 months ago

Thanks @mprpic \o/