diff mbox series

[kirkstone,08/15] cve-update-nvd2-native: Fix CVE configuration update

Message ID 38402b5e89d43bf2a45c8f5f2d631033be5019cd.1710950846.git.steve@sakoman.com
State Accepted
Delegated to: Steve Sakoman
Headers show
Series [kirkstone,01/15] expat: patch CVE-2024-28757 | expand

Commit Message

Steve Sakoman March 20, 2024, 4:09 p.m. UTC 
From: Yoann Congal <yoann.congal@smile.fr>

When a CVE is created, it often has no precise version information and
this is stored as "-" (matching any version). After an update, version
information is added. The previous "-" must be removed, otherwise, the
CVE is still "Unpatched" for cve-check.

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++++
 1 file changed, 4 insertions(+)
diff mbox series

Patch

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index a703b68aac..0044529b7d 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -352,6 +352,10 @@  def update_db(conn, elt):
                 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
 
     try:
+        # Remove any pre-existing CVE configuration. Even for partial database
+        # update, those will be repopulated. This ensures that old
+        # configuration is not kept for an updated CVE.
+        conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()
         for config in elt['cve']['configurations']:
             # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
             for node in config["nodes"]: