Closed matthew-renodin-bh closed 2 months ago
This has been changed to a debug message so it's going to vanish in 3.4, but it's likely coming up more frequently now because we need to add some cvss v4 support for newer CVEs. I'll update the title to reflect that.
I think we also get the message if there is no CVSS score included in the CVE (which is increasingly common since February 2024)
When this error occurs it appears that it is ignored, setting the flag to False.
On Wed, Aug 21, 2024 at 4:02 AM anthonyharrison @.***> wrote:
I think we also get the message if there is no CVSS score included in the CVE (which is increasingly common since February 2024)
So, I was completely wrong in my guess about what was happening here to make this message appear more frequently.
We were looking for the (old) "metrics" when we needed to switch to the (new) "impact" when loading the json. I've got a fix incoming that should handle that better.
I've removed the log messages entirely because I'm pretty sure they're going to be spectacularly unhelpful in the future where the metrics just aren't available, but I feel like we need some better regression tests here to make sure cvss scores get loaded correctly when available.
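An added example (not cve-bin-tool's code and not part of the thread) of a loader that accepts both the "metrics" and "impact" layouts mentioned in the comment above and treats a CVE with no CVSS data as a normal case, written so it can double as a regression fixture. The key names below those two fields are assumptions taken from NVD's public API 2.0 and JSON feed 1.1 schemas, and the sample records are constructed.

```python
"""Added example: tolerant CVSS extraction from an NVD CVE record."""

# Assumed key names (NVD API 2.0 "metrics" and JSON feed 1.1 "impact").
METRICS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
IMPACT_KEYS = (("baseMetricV3", "cvssV3"), ("baseMetricV2", "cvssV2"))


def extract_cvss(record):
    """Return {"version", "score", "severity", "vector"} or None if unscored."""
    cve = record.get("cve", record)
    metrics = cve.get("metrics") or {}
    for key in METRICS_KEYS:  # newest CVSS version first
        for entry in metrics.get(key) or []:
            data = entry.get("cvssData") or {}
            if "baseScore" in data:
                # v2 keeps baseSeverity beside cvssData, v3+ keeps it inside
                sev = data.get("baseSeverity") or entry.get("baseSeverity")
                return _result(data, sev)
    impact = record.get("impact") or {}
    for outer, inner in IMPACT_KEYS:
        block = impact.get(outer) or {}
        data = block.get(inner) or {}
        if "baseScore" in data:
            sev = data.get("baseSeverity") or block.get("severity")
            return _result(data, sev)
    return None  # no CVSS data: a valid state, not an error


def _result(data, severity):
    return {"version": str(data.get("version", "")), "score": float(data["baseScore"]),
            "severity": severity or "UNKNOWN", "vector": data.get("vectorString", "")}


# Constructed sample records (placeholder IDs, not real NVD data).
API_STYLE = {"cve": {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [
    {"type": "Primary", "cvssData": {"version": "3.1", "baseScore": 7.5,
     "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]}}}
FEED_STYLE = {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
              "impact": {"baseMetricV2": {"severity": "MEDIUM", "cvssV2": {
                  "version": "2.0", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}}}
UNSCORED = {"cve": {"id": "CVE-0000-0003", "metrics": {}}}

if __name__ == "__main__":
    for rec in (API_STYLE, FEED_STYLE, UNSCORED):
        print(extract_cvss(rec))
```
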
Description
[17:09:53] INFO cve_bin_tool.CVEDB - Adding 886 CVE entries nvd_api.py:187
Downloading Feeds from NVD... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:01
[17:09:54] INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-28319
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-26306
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-27397
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-35966
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-36915
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-40972
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-41042
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-42114
To reproduce
Steps to reproduce the behaviour:
Expected behaviour:
Actual behaviour:
Fetching incremental metadata from NVD... ━━━━━━━━━━━━━━━━━━━━━━━━━ 0% -:--:--
[17:09:53] INFO cve_bin_tool.CVEDB - Adding 886 CVE entries nvd_api.py:187
Downloading Feeds from NVD... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:01
[17:09:54] INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-28319
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-26306
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-27397
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-35966
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-36915
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-40972
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-41042
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257 CVE-2024-42114
Version/platform info
Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? pypi
Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)
uname -a
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Python version (e.g. python3 --version): Python 3.10.14
Running in any particular CI environment we should know about? (e.g. Github Actions)
Anything else?
This is a data difference. The code is not handling the newest version from the data.
Feel free to add any other context here.