parsers/mysql.py: skip CVE if CVSS is not found
m403 opened this issue
Mauro Matteo Cascella commented
CVE-2022-1292 in MySQL Oracle CPU Jul 2022 (https://www.oracle.com/security-alerts/cpujul2022verbose.html#MSQL) has no CVSS score. As a result, the parser is failing here:
https://github.com/mprpic/advisory-parser/blob/master/advisory_parser/parsers/mysql.py#L135
ValueError: not enough values to unpack (expected 2, got 1)
Proposed patch:
--- advisory_parser/parsers/mysql.py.orig 2022-08-04 14:35:50.421965529 +0200
+++ advisory_parser/parsers/mysql.py 2022-08-04 14:36:10.956021469 +0200
@@ -134,7 +134,15 @@
description = "\n".join(description)
# Take the text part only, i.e. anything before the CVSS string
- description, cvss_text = re.split(r"\n\s*CVSS v?3\.[0-9] (?=Base Score)", description)
+ desc_cvss = re.split(r"\n\s*CVSS v?3\.[0-9] (?=Base Score)", description)
+ if len(desc_cvss) != 2:
+ warnings.append(
+ "ERROR: Could not identify CVSS score in {}; skipping:\n\n{}\n---".format(
+ cve, description
+ )
+ )
+ continue
+ description, cvss_text = desc_cvss
# Filter out some whitespace
description = description.replace("\n", " ").replace(" ", " ").strip()
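Review bot: in the new `if len(desc_cvss) != 2:` branch, `continue` drops the CVE from the parsed output entirely, so a flaw whose only gap is a missing CVSS score reaches consumers as a warning string and nothing else. If the rest of the loop can cope with an empty score, consider keeping `description` and leaving the CVSS fields unset rather than skipping. The same branch also fires when the split returns more than two parts (the CVSS marker matched more than once), and there "Could not identify CVSS score" is misleading; passing `maxsplit=1` to `re.split`, or wording the message to cover both cases, would address that. The text is appended to `warnings` but prefixed "ERROR:", so pick one severity. The hunk does not show the surrounding code, so please confirm that `warnings` and `cve` are in scope at this point and that the block sits inside the loop that `continue` expects.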