@@ -277,7 +277,7 @@ def cve_is_patched(d, cve_data, cve):
return True
return False
-def cve_update(d, cve_data, cve, entry):
+def cve_update(d, cve_data, cve, entry, force_update=False):
# If no entry, just add it
if cve not in cve_data:
cve_data[cve] = entry
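Review bot: The new `force_update` parameter on the `cve_update` signature is undocumented, and since it is a boolean toggle it should be keyword-only so callers cannot pass it positionally by mistake: `def cve_update(d, cve_data, cve, entry, *, force_update=False):`. The only call site in this diff (check_cves) already passes it by keyword, so the change is compatible with the rest of the patch. A short comment under the signature would help the next reader, e.g. `# force_update: let a Patched scan result replace an existing Unpatched entry even when the range-mismatch guard below would keep the earlier match`. The body of cve_update continues past this hunk.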
@@ -297,7 +297,11 @@ def cve_update(d, cve_data, cve, entry):
bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result" % cve)
return
if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched":
- if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range":
+ if force_update:
+ cve_data[cve] = entry
+ bb.debug(1, "CVE entry %s forced to update from Patched to Unpatched from the scan result" % cve)
+ return
+ elif entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range":
# Range does not match the scan, but we already have a vulnerable match, ignore
bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve)
return
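Review bot: The debug message on the new forced-update line reads `forced to update from Patched to Unpatched`, but the enclosing condition is `entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched"`, so the transition being forced is Unpatched to Patched; suggest `bb.debug(1, "CVE entry %s forced to update from Unpatched to Patched from the scan result" % cve)` (the pre-existing "not applying" message in the elif branch carries the same inverted wording). More importantly, the forced branch is checked before the `version-not-in-range`/`version-in-range` guard whose comment says an already-recorded vulnerable match must not be overwritten, and the third hunk has check_cves pass `force_update=True` for every not-vulnerable row; if the scan can return more than one row for the same CVE, which the guard's existence suggests, an in-range match from an earlier row would now be silently downgraded to Patched by a later row. If the intent is only to override stale entries, consider not forcing when `cve_data[cve]['status'] == "version-in-range"`, or documenting in the comment why bypassing that guard is safe. cve_update begins before and continues after this hunk.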
@@ -416,7 +420,7 @@ def check_cves(d, cve_data):
if not vulnerable:
bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
- cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"})
+ cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"}, force_update=True)
cve_cursor.close()
if not cves_in_product: