fix(nvd_source): fix configuration without nodes

ffontaine · ffontaine · commit 6acc64004a25 · 2025-12-13T22:22:04.000+01:00
https://nvd.nist.gov/vuln/detail/cve-2025-40939 has the following configurations: [{}] This will result in a crash as current code wrongly assumes that all configuration object has a nodes parameter Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -637,6 +637,7 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             access.redhat.com:443
+            amazonaws.com:443
             api.github.com:443
             azure.archive.ubuntu.com:80
             csrc.nist.gov:443
diff --git a/cve_bin_tool/data_sources/nvd_source.py b/cve_bin_tool/data_sources/nvd_source.py
@@ -181,11 +181,12 @@ def format_data(self, all_cve_entries):
             # return list of versions
             affects_list = []
             if "configurations" in cve_item:
-                for node in cve_item["configurations"]["nodes"]:
-                    affects_list.extend(self.parse_node(node))
-                    if "children" in node:
-                        for child in node["children"]:
-                            affects_list.extend(self.parse_node(child))
+                if "nodes" in cve_item["configurations"]:
+                    for node in cve_item["configurations"]["nodes"]:
+                        affects_list.extend(self.parse_node(node))
+                        if "children" in node:
+                            for child in node["children"]:
+                                affects_list.extend(self.parse_node(child))
 
             for affects in affects_list:
                 affects["cve_id"] = cve["ID"]
@@ -351,12 +352,13 @@ def format_data_api2(self, all_cve_entries):
             affects_list = []
             if "configurations" in cve_item:
                 for configuration in cve_item["configurations"]:
-                    for node in configuration["nodes"]:
-                        self.LOGGER.debug(f"Processing {node} for {cve_item['id']}")
-                        affects_list.extend(self.parse_node_api2(node))
-                        if "children" in node:
-                            for child in node["children"]:
-                                affects_list.extend(self.parse_node_api2(child))
+                    if "nodes" in configuration:
+                        for node in configuration["nodes"]:
+                            self.LOGGER.debug(f"Processing {node} for {cve_item['id']}")
+                            affects_list.extend(self.parse_node_api2(node))
+                            if "children" in node:
+                                for child in node["children"]:
+                                    affects_list.extend(self.parse_node_api2(child))
             else:
                 LOGGER.debug(f"No configuration information for {cve_item['id']}")
             for affects in affects_list:
