cve-update-nvd2-native: Remove rejected CVE from database

When a CVE is updated to be rejected, matching database entries must be removed. Otherwise: * an incremental update is not equivalent the to an initial download. * rejected CVEs might still appear as Unpatched in cve-check. Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f276a980b8930b98e6c8f0e1a865d77dfcfe5085) Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yoann Congal <yoann.congal@smile.fr> 2024-03-17 16:21:52 -1000
committer: Steve Sakoman <steve@sakoman.com> 2024-03-19 03:33:31 -1000
commit: 717f0df5f35272f7706e4f92cc8b57cdda8066b6 (patch)
tree: 757954032d6b3876bedf675773b68b4b5dda5abc
parent: 38402b5e89d43bf2a45c8f5f2d631033be5019cd (diff)
download: openembedded-core-717f0df5f35272f7706e4f92cc8b57cdda8066b6.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 0044529b7d..1a3eeba6d0 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -323,6 +323,10 @@ def update_db(conn, elt):
     accessVector = None
     cveId = elt['cve']['id']
     if elt['cve']['vulnStatus'] ==  "Rejected":
+        c = conn.cursor()
+        c.execute("delete from PRODUCTS where ID = ?;", [cveId])
+        c.execute("delete from NVD where ID = ?;", [cveId])
+        c.close()
         return
     cveDesc = ""
     for desc in elt['cve']['descriptions']:
author	Yoann Congal <yoann.congal@smile.fr>	2024-03-17 16:21:52 -1000
committer	Steve Sakoman <steve@sakoman.com>	2024-03-19 03:33:31 -1000
commit	717f0df5f35272f7706e4f92cc8b57cdda8066b6 (patch)
tree	757954032d6b3876bedf675773b68b4b5dda5abc
parent	38402b5e89d43bf2a45c8f5f2d631033be5019cd (diff)
download	openembedded-core-717f0df5f35272f7706e4f92cc8b57cdda8066b6.tar.gz