cve-update-nvd2-native: Remove rejected CVE from database

When a CVE is updated to be rejected, matching database entries must be removed. Otherwise: * an incremental update is not equivalent the to an initial download. * rejected CVEs might still appear as Unpatched in cve-check. Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yoann Congal <yoann.congal@smile.fr> 2024-03-15 01:20:20 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-03-15 07:36:11 +0000
commit: f276a980b8930b98e6c8f0e1a865d77dfcfe5085 (patch)
tree: 24b02a4829d766ea70595c56e1c3a536917813b0 /meta/recipes-core
parent: 641ae3f36e09af9932dc33043a0a5fbfce62122e (diff)
download: openembedded-core-f276a980b8930b98e6c8f0e1a865d77dfcfe5085.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 4b8d01fe84..1901641965 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -324,6 +324,10 @@ def update_db(conn, elt):
     vectorString = None
     cveId = elt['cve']['id']
     if elt['cve']['vulnStatus'] ==  "Rejected":
+        c = conn.cursor()
+        c.execute("delete from PRODUCTS where ID = ?;", [cveId])
+        c.execute("delete from NVD where ID = ?;", [cveId])
+        c.close()
         return
     cveDesc = ""
     for desc in elt['cve']['descriptions']:
author	Yoann Congal <yoann.congal@smile.fr>	2024-03-15 01:20:20 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-03-15 07:36:11 +0000
commit	f276a980b8930b98e6c8f0e1a865d77dfcfe5085 (patch)
tree	24b02a4829d766ea70595c56e1c3a536917813b0 /meta/recipes-core
parent	641ae3f36e09af9932dc33043a0a5fbfce62122e (diff)
download	openembedded-core-f276a980b8930b98e6c8f0e1a865d77dfcfe5085.tar.gz