cve-update-nvd2-native: Add an age threshold for incremental update

Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to specify the maximum age of the database for doing an incremental update For older databases, a full re-download is done. With a value of "0", this forces a full-redownload. (From OE-Core rev: 74c1765111b6610348eae4b7e41d7045ce58ef86) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yoann Congal <yoann.congal@smile.fr> 2024-03-13 16:13:27 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-03-13 22:08:46 +0000
commit: 19f27037b2b785673c8f68f19ea783856f732e4d (patch)
tree: e0b45aaaf8f11e41acca2320741c560b3663587e
parent: 6243d7b8ce64a04e86e52edf46a4bb4ac1451e2e (diff)
download: poky-19f27037b2b785673c8f68f19ea783856f732e4d.tar.gz
1 files changed, 16 insertions, 4 deletions
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index f21c139aa5..d565887498 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,6 +26,12 @@ NVDCVE_API_KEY ?= ""
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
+# CVE database incremental update age threshold, in seconds. If the database is
+# older than this threshold, do a full re-download, else, do an incremental
+# update. By default: the maximum allowed value from NVD: 120 days (120*24*60*60)
+# Use 0 to force a full download.
+CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
 # Number of attempts for each http query to nvd server before giving up
 CVE_DB_UPDATE_ATTEMPTS ?= "5"
@@ -172,18 +178,24 @@ def update_db_file(db_tmp_file, d, database_time):
    req_args = {'startIndex' : 0}
-    # The maximum range for time is 120 days
+    incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))
-    # Force a complete update if our range is longer
+    if database_time != 0:
-    if (database_time != 0):
        database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc)
        today_date = datetime.datetime.now(tz=datetime.timezone.utc)
        delta = today_date - database_date
-        if delta.days < 120:
+        if incr_update_threshold == 0:
+            bb.note("CVE database: forced full update")
+        elif delta < datetime.timedelta(seconds=incr_update_threshold):
            bb.note("CVE database: performing partial update")
+            # The maximum range for time is 120 days
+            if delta > datetime.timedelta(days=120):
+                bb.error("CVE database: Trying to do an incremental update on a larger than supported range")
            req_args['lastModStartDate'] = database_date.isoformat()
            req_args['lastModEndDate'] = today_date.isoformat()
        else:
            bb.note("CVE database: file too old, forcing a full update")
+    else:
+        bb.note("CVE database: no preexisting database, do a full download")
    with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
author	Yoann Congal <yoann.congal@smile.fr>	2024-03-13 16:13:27 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-03-13 22:08:46 +0000
commit	19f27037b2b785673c8f68f19ea783856f732e4d (patch)
tree	e0b45aaaf8f11e41acca2320741c560b3663587e
parent	6243d7b8ce64a04e86e52edf46a4bb4ac1451e2e (diff)
download	poky-19f27037b2b785673c8f68f19ea783856f732e4d.tar.gz