From: Yoann Congal <yoann.con...@smile.fr>
Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to
specify the maximum age of the database for doing an incremental update
For older databases, a full re-download is done.
With a value of "0", this forces a full-redownload.
Signed-off-by: Yoann Congal <yoann.con...@smile.fr>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
(cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86)
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
.../meta/cve-update-nvd2-native.bb | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index f21c139aa5..d565887498 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,6 +26,12 @@ NVDCVE_API_KEY ?= ""
# Use a negative value to skip the update
CVE_DB_UPDATE_INTERVAL ?= "86400"
+# CVE database incremental update age threshold, in seconds. If the database is
+# older than this threshold, do a full re-download, else, do an incremental
+# update. By default: the maximum allowed value from NVD: 120 days
(120*24*60*60)
+# Use 0 to force a full download.
+CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
+
# Number of attempts for each http query to nvd server before giving up
CVE_DB_UPDATE_ATTEMPTS ?= "5"
@@ -172,18 +178,24 @@ def update_db_file(db_tmp_file, d, database_time):
req_args = {'startIndex' : 0}
- # The maximum range for time is 120 days
- # Force a complete update if our range is longer
- if (database_time != 0):
+ incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))
+ if database_time != 0:
database_date = datetime.datetime.fromtimestamp(database_time,
tz=datetime.timezone.utc)
today_date = datetime.datetime.now(tz=datetime.timezone.utc)
delta = today_date - database_date
- if delta.days < 120:
+ if incr_update_threshold == 0:
+ bb.note("CVE database: forced full update")
+ elif delta < datetime.timedelta(seconds=incr_update_threshold):
bb.note("CVE database: performing partial update")
+ # The maximum range for time is 120 days
+ if delta > datetime.timedelta(days=120):
+ bb.error("CVE database: Trying to do an incremental update on
a larger than supported range")
req_args['lastModStartDate'] = database_date.isoformat()
req_args['lastModEndDate'] = today_date.isoformat()
else:
bb.note("CVE database: file too old, forcing a full update")
+ else:
+ bb.note("CVE database: no preexisting database, do a full download")
with bb.progress.ProgressHandler(d) as ph,
open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
--
2.34.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197279):
https://lists.openembedded.org/g/openembedded-core/message/197279
Mute This Topic: https://lists.openembedded.org/mt/104996210/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
