On Wed, 13 Mar 2024, 16:15 Yoann Congal, <[email protected]> wrote:
> Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to > specify the maximum age of the database for doing an incremental update > For older databases, a full re-download is done. > > With a value of "0", this forces a full-redownload. > > Signed-off-by: Yoann Congal <[email protected]> > --- > .../meta/cve-update-nvd2-native.bb | 20 +++++++++++++++---- > 1 file changed, 16 insertions(+), 4 deletions(-) > > diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb > b/meta/recipes-core/meta/cve-update-nvd2-native.bb > index f21c139aa5..d565887498 100644 > --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb > +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb > @@ -26,6 +26,12 @@ NVDCVE_API_KEY ?= "" > # Use a negative value to skip the update > CVE_DB_UPDATE_INTERVAL ?= "86400" > > +# CVE database incremental update age threshold, in seconds. If the > database is > +# older than this threshold, do a full re-download, else, do an > incremental > +# update. By default: the maximum allowed value from NVD: 120 days > (120*24*60*60) > +# Use 0 to force a full download. > +CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000" > + > # Number of attempts for each http query to nvd server before giving up > CVE_DB_UPDATE_ATTEMPTS ?= "5" > > @@ -172,18 +178,24 @@ def update_db_file(db_tmp_file, d, database_time): > > req_args = {'startIndex' : 0} > > - # The maximum range for time is 120 days > - # Force a complete update if our range is longer > - if (database_time != 0): > + incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES")) > + if database_time != 0: > database_date = datetime.datetime.fromtimestamp(database_time, > tz=datetime.timezone.utc) > today_date = datetime.datetime.now(tz=datetime.timezone.utc) > delta = today_date - database_date > - if delta.days < 120: > + if incr_update_threshold == 0: > + bb.note("CVE database: forced full update") > + elif delta < datetime.timedelta(seconds=incr_update_threshold): > bb.note("CVE database: performing partial update") > + # The maximum range for time is 120 days > + if delta > datetime.timedelta(days=120): > + bb.error("CVE database: Trying to do an incremental > update on a larger than supported range") > req_args['lastModStartDate'] = database_date.isoformat() > req_args['lastModEndDate'] = today_date.isoformat() > else: > bb.note("CVE database: file too old, forcing a full update") > + else: > + bb.note("CVE database: no preexisting database, do a full > download") > > with bb.progress.ProgressHandler(d) as ph, > open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: > > -- > I find naming of the variable misleading, sourcing like FORCE_FULL_DOWNLOAD would be more obvious. Also, I'm not sure we need a variable if the user can just delete the database file and force the download this way. The 120 days case is special, because its a limit set in the spec. Regards, Marta >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#197104): https://lists.openembedded.org/g/openembedded-core/message/197104 Mute This Topic: https://lists.openembedded.org/mt/104907481/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
