From: Yoann Congal <yoann.con...@smile.fr>
When a CVE is created, it often has no precise version information and
this is stored as "-" (matching any version). After an update, version
information is added. The previous "-" must be removed, otherwise, the
CVE is still "Unpatched" for cve-check.
Signed-off-by: Yoann Congal <yoann.con...@smile.fr>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
(cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e)
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 5bba2219d6..4b8d01fe84 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -357,6 +357,10 @@ def update_db(conn, elt):
[cveId, cveDesc, cvssv2, cvssv3, date, accessVector,
vectorString]).close()
try:
+ # Remove any pre-existing CVE configuration. Even for partial database
+ # update, those will be repopulated. This ensures that old
+ # configuration is not kept for an updated CVE.
+ conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()
for config in elt['cve']['configurations']:
# This is suboptimal as it doesn't handle AND/OR and negate, but
is better than nothing
for node in config["nodes"]:
--
2.34.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197282):
https://lists.openembedded.org/g/openembedded-core/message/197282
Mute This Topic: https://lists.openembedded.org/mt/104996216/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
