fix: Database records being lost (fixes intel#3150)

anthonyharrison · anthonyharrison · commit aa2ddf3f3698 · 2023-07-11T22:17:28.000+01:00
diff --git a/cve_bin_tool/cvedb.py b/cve_bin_tool/cvedb.py
@@ -279,7 +279,7 @@ def table_schemas(self):
             versionEndIncluding TEXT,
             versionEndExcluding TEXT,
             data_source TEXT,
-            FOREIGN KEY(cve_number) REFERENCES cve_severity(cve_number)
+            FOREIGN KEY(cve_number, data_source) REFERENCES cve_severity(cve_number, data_source)
         )
         """
         exploit_table_create = """
@@ -472,8 +472,8 @@ def populate_db(self) -> None:
                 break
 
         for cve_data, source_name in self.data:
-            if source_name != "NVD" and cve_data[0] is not None:
-                cve_data = self.update_vendors(cve_data)
+            #if source_name != "NVD" and cve_data[0] is not None:
+            #    cve_data = self.update_vendors(cve_data)
 
             severity_data, affected_data = cve_data
 
@@ -493,7 +493,7 @@ def populate_db(self) -> None:
 
     def populate_severity(self, severity_data, cursor, data_source):
         (insert_severity, _, _, _, _) = self.insert_queries()
-        del_cve_range = "DELETE from cve_range where CVE_number=?"
+        del_cve_range = "DELETE from cve_range where CVE_number=? and data_source=?"
 
         for cve in severity_data:
             # Check no None values
@@ -532,7 +532,8 @@ def populate_severity(self, severity_data, cursor, data_source):
                 LOGGER.info(f"Unable to insert data for {data_source} - {e}\n{cve}")
 
         # Delete any old range entries for this CVE_number
-        cursor.executemany(del_cve_range, [(cve["ID"],) for cve in severity_data])
+        for cve in severity_data:
+            cursor.execute(del_cve_range,[cve["ID"], data_source])
 
     def populate_affected(self, affected_data, cursor, data_source):
         (_, insert_cve_range, _, _, _) = self.insert_queries()
@@ -689,6 +690,7 @@ def db_open_and_get_cursor(self) -> sqlite3.Cursor:
     def db_close(self) -> None:
         """Closes connection to sqlite database."""
         if self.connection:
+            self.connection.commit()
             self.connection.close()
             self.connection = None
 
diff --git a/cve_bin_tool/data_sources/nvd_source.py b/cve_bin_tool/data_sources/nvd_source.py
@@ -255,12 +255,13 @@ def format_data_api2(self, all_cve_entries):
             # return list of versions
             affects_list = []
             if "configurations" in cve_item:
-                for node in cve_item["configurations"][0]["nodes"]:
-                    LOGGER.debug(f"Processing {node} for {cve_item['id']}")
-                    affects_list.extend(self.parse_node_api2(node))
-                    if "children" in node:
-                        for child in node["children"]:
-                            affects_list.extend(self.parse_node_api2(child))
+                for configuration in cve_item["configurations"]:
+                    for node in configuration['nodes']:
+                        self.LOGGER.debug(f"Processing {node} for {cve_item['id']}")
+                        affects_list.extend(self.parse_node_api2(node))
+                        if "children" in node:
+                            for child in node["children"]:
+                                affects_list.extend(self.parse_node_api2(child))
             else:
                 LOGGER.debug(f"No configuration information for {cve_item['id']}")
             for affects in affects_list:
