nvd data mismatch results in critical error -- maybe switch to something less?

[terriko]

python -m cve_bin_tool.cli test/binaries/
cve_bin_tool.CVEDB - INFO - Using cached CVE data (<24h old). Use -u now to update immediately.
cve_bin_tool.cvedb.cache_update - CRITICAL - SHA mismatch for nvdcve-1.1-2020.json (have: '5E18F3B72CA0918FD75CCF18FAA3431827E0A7D604352DC94B596E069C6BBAD7', want: '7AE91502596F9665ED354B1496E6FBBF2D983BB160E4B5EE71CFA3C07675E7BB')
cve_bin_tool.cvedb.cache_update - INFO - Updating CVE cache for nvdcve-1.1-2020.json
cve_bin_tool.cvedb.cache_update - CRITICAL - SHA mismatch for nvdcve-1.1-2019.json (have: '5EB0F76D4868B5C5C03A79D31C675FAA2280670F3484A96B65A053A5C19A2D37', want: '0E7890481B17C2E66C1ED6883E300715F5073D70EBAFA3F085DB23F4E141058C')
cve_bin_tool.cvedb.cache_update - INFO - Updating CVE cache for nvdcve-1.1-2019.json

When the sha doesn't match for any of the nvd data files, cve_bin_tool throws a critical error. The more I think about this, th emore I think this might be excessive, as it's going to happen every single time the data updates (possibly multiple times a day) for multiple files. This could probably be a warning at the very least.

Currently every time the data is updated it could print around 40 messages of "out of date" and "updated" -- maybe this could be replaced by a summary message that says something like "the following years have new data: ..." and "the following years have been updated: ..."

[terriko]

For beginners who might want to work on this:

The offending line is here:
https://github.com/intel/cve-bin-tool/blob/master/cve_bin_tool/cvedb.py#L111

rather than using the critical message function, you'll want to change it to warning. If you want to change it to a summary message, it'll probably go around the same spot.

[ssd71]

I would like to work on this.

[terriko]

yay! Go ahead, and ask here if you have any questions while preparing your code!

[milindgupta]

How to generate the test case for this situation.
Thanks

[terriko]

@milindgupta We probably don't need a test case for this one, but if you look at how we test --skips in test_cli.py (the function is called test_skips) that should give you an idea of how to check the log output in a test.

[milindgupta]

I should just change critical to a warning at https://github.com/intel/cve-bin-tool/blob/master/cve_bin_tool/cvedb.py#L111, but here we might even have to add some conditions too, like if the current date is more then last updated.

[terriko]

Bump. I'm still looking for at least the one-line fix where we go from logger.critical() to logger.warning() on this line: https://github.com/intel/cve-bin-tool/blob/master/cve_bin_tool/cvedb.py#L111