[dunfell,03/12] cve-update-nvd2-native: Add an age threshold for incremental update

Message ID c9a3e5a4ca297249f8fd7380a824dce0c407280b.1710952928.git.steve@sakoman.com
State Accepted
Delegated to: Steve Sakoman
Series [dunfell,01/12] libxml2: Backport fix for CVE-2024-25062

Commit Message

Steve Sakoman March 20, 2024, 4:43 p.m. UTC
From: Yoann Congal <yoann.congal@smile.fr>

Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to
specify the maximum age of the database for doing an incremental update.
For older databases, a full re-download is done.

With a value of "0", this forces a full re-download.

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../meta/cve-update-nvd2-native.bb            | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

Patch

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 9b6e746add..af21989d58 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,6 +26,12 @@  NVDCVE_API_KEY ?= ""
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
+# CVE database incremental update age threshold, in seconds. If the database is
+# older than this threshold, do a full re-download, else, do an incremental
+# update. By default: the maximum allowed value from NVD: 120 days (120*24*60*60)
+# Use 0 to force a full download.
+CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
+
 # Number of attempts for each http query to nvd server before giving up
 CVE_DB_UPDATE_ATTEMPTS ?= "5"
 
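Review bot: the comment on CVE_DB_INCR_UPDATE_AGE_THRES should say what happens when the value exceeds the 120-day NVD limit, since the variable accepts any integer: in the update_db_file hunk a larger threshold produces a bb.error() while the incremental request is still issued. The neighbouring CVE_DB_UPDATE_INTERVAL comment documents that a negative value skips the update, so document negative values here as well (with the `delta < datetime.timedelta(seconds=incr_update_threshold)` comparison a negative value falls through to the "file too old" full update), e.g. `# Use 0 (or a negative value) to force a full download.`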
@@ -172,18 +178,24 @@  def update_db_file(db_tmp_file, d, database_time):
 
     req_args = {'startIndex' : 0}
 
-    # The maximum range for time is 120 days
-    # Force a complete update if our range is longer
-    if (database_time != 0):
+    incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))
+    if database_time != 0:
         database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc)
         today_date = datetime.datetime.now(tz=datetime.timezone.utc)
         delta = today_date - database_date
-        if delta.days < 120:
+        if incr_update_threshold == 0:
+            bb.note("CVE database: forced full update")
+        elif delta < datetime.timedelta(seconds=incr_update_threshold):
             bb.note("CVE database: performing partial update")
+            # The maximum range for time is 120 days
+            if delta > datetime.timedelta(days=120):
+                bb.error("CVE database: Trying to do an incremental update on a larger than supported range")
             req_args['lastModStartDate'] = database_date.isoformat()
             req_args['lastModEndDate'] = today_date.isoformat()
         else:
             bb.note("CVE database: file too old, forcing a full update")
+    else:
+        bb.note("CVE database: no preexisting database, do a full download")
 
     with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
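Review bot: in the `elif` branch, `bb.error(...)` on a range longer than 120 days does not stop the incremental update: execution continues to set `req_args['lastModStartDate']` and `req_args['lastModEndDate']` over a range the comment says NVD does not support, so the logged error is followed by a query that cannot succeed. Either fall back to the full-download path (fold the 120-day check into the `elif` condition so the existing `else` branch handles it, or skip setting the date keys) or use `bb.fatal` so the failure is explicit. Separately, `int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))` raises a bare ValueError on a non-numeric setting; a guarded conversion with a message naming the variable would make misconfiguration easier to diagnose.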