cve-update-nvd2-native: Fix CVE configuration update

When a CVE is created, it often has no precise version information and this is stored as "-" (matching any version). After an update, version information is added. The previous "-" must be removed, otherwise, the CVE is still "Unpatched" for cve-check. (From OE-Core rev: 67c4d9d27f06a07eac46c0f2cba8cfa1691b0737) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e) Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-29 21:08:42 +01:00 · 2024-03-15 01:20:19 +01:00
parent 8d5fb5f5d2
commit 11d9d02cf6
1 changed files with 4 additions and 0 deletions
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -357,6 +357,10 @@ def update_db(conn, elt):
                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close()

    try:
+        # Remove any pre-existing CVE configuration. Even for partial database
+        # update, those will be repopulated. This ensures that old
+        # configuration is not kept for an updated CVE.
+        conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()
        for config in elt['cve']['configurations']:
            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
            for node in config["nodes"]: