intel · terriko · Jul 27, 2021 · May 27, 2020 · Jun 1, 2020 · Jul 18, 2020
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
@@ -159,36 +159,48 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
 
         # Go through and get all the severities
         if cve_list:
-            query = f"""
-            SELECT CVE_number, severity, description, score, cvss_version, cvss_vector
-            FROM cve_severity
-            WHERE CVE_number IN ({",".join(["?"] * len(cve_list))}) AND score >= ?
-            ORDER BY CVE_number
-            """
-            # Add score parameter to tuple listing CVEs to pass to query
-            cve_list.append(self.score)
-
-            result = self.cursor.execute(query, cve_list)
 
             cves: List[CVE] = []
-            for row in result:
-                triage = triage_data.get(row["cve_number"]) or triage_data.get(
-                    "default"
-                )
-                # Only scan cves if triage is not None.
-                # Triage will only be None if triage_data don't have default attribute.
-                # NOTE: Triage can be empty dictionary so checking `if triage:` won't suffice.
-                if triage is not None:
-                    row_dict = dict(row)
-                    row_dict.update(triage)
-                    # print(row_dict)
-                    row_dict["severity"] = row_dict["severity"] or row["severity"]
-                    row_dict["score"] = row_dict["score"] or row["score"]
-                    row_dict["cvss_version"] = (
-                        row_dict["cvss_version"] or row["cvss_version"]
+            finished = False
+            max_cves = 500
+            remaining = len(cve_list)
+            start = 0
+
+            while not finished:
+                # Limit number of CVEs in single query to maximum
+                number_of_cves = min(remaining, max_cves)
+                end = start + number_of_cves
+                remaining = remaining - number_of_cves
+                finished = remaining == 0
+
+                query = f"""
+                SELECT CVE_number, severity, description, score, cvss_version, cvss_vector
+		FROM cve_severity
+		WHERE CVE_number IN ({",".join(["?"] * number_of_cves)}) AND score >= ?
+		ORDER BY CVE_number
+		"""
+                # Add score parameter to tuple listing CVEs to pass to query
+                result = self.cursor.execute(query, cve_list[start:end] + [self.score])
+                start = end
+
+                for row in result:
+                    triage = triage_data.get(row["cve_number"]) or triage_data.get(
+                        "default"
                     )
-                    cve = CVE(**row_dict)
-                    cves.append(cve)
+                    # Only scan cves if triage is not None.
+                    # Triage will only be None if triage_data don't have default attribute.
+                    # NOTE: Triage can be empty dictionary so checking `if triage:` won't suffice.
+                    if triage is not None:
+                        row_dict = dict(row)
+                        row_dict.update(triage)
+                        # print(row_dict)
+                        row_dict["severity"] = row_dict["severity"] or row["severity"]
+                        row_dict["score"] = row_dict["score"] or row["score"]
+                        row_dict["cvss_version"] = (
+                            row_dict["cvss_version"] or row["cvss_version"]
+                        )
+                        cve = CVE(**row_dict)
+                        cves.append(cve)
 
             if cves:
                 self.products_with_cve += 1