cve-update-db-native: make it possible to disable database updates

Make it possible to disable the database update completely by using
a negative update interval CVE_DB_UPDATE_INTERVAL.

Disabling the update is useful when running multiple parallel builds
when we want to have a control on the database version. This allows
coherent cve-check results without an database update for only
some of the builds.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index c8c1cbf115f3e5c7532ac3bd95b4196b627fbee3..18af89b53e0dbf809a77c158c841e60ace91f56a 100644 (file)
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -15,6 +15,7 @@ deltask do_populate_sysroot
 NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
 # CVE database update interval, in seconds. By default: once a day (24*60*60).
 # Use 0 to force the update
+# Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
 python () {
@@ -51,8 +52,9 @@ python do_fetch() {
     try:
         import time
         update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
-        if (update_interval < 0):
-            update_interval = 0
+        if update_interval < 0:
+            bb.note("CVE database update skipped")
+            return
         if time.time() - os.path.getmtime(db_file) < update_interval:
             bb.debug(2, "Recently updated, skipping")
             return