diff mbox series

cve-check: fetch CVE data once at a time instead of in a single call

Message ID 20191113153548.8644-1-ross.burton@intel.com
State Superseded
Headers show
Series cve-check: fetch CVE data once at a time instead of in a single call | expand

Commit Message

Ross Burton Nov. 13, 2019, 3:35 p.m. UTC
This code used to construct a single SQL statement that fetched the NVD data for
every CVE requested.  For recipes such as the kernel where there are over 2000
CVEs to report this can hit limits in older sqlite releases and the query fails
with "sqlite3.OperationalError: too many SQL variables".

As the NVD table has an index on the ID column, whilst requesting the data
CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time
different is insignificant: 0.05s verses 0.01s on my machine.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/classes/cve-check.bbclass | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

-- 
2.20.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff mbox series

Patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e95716d9ded..f23f683ae80 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -267,17 +267,17 @@  def get_cve_info(d, cves):
 
     cve_data = {}
     conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
-    placeholders = ",".join("?" * len(cves))
-    query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
-    for row in conn.execute(query, tuple(cves)):
+
+    for cve in cves:
+        row = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)).fetchone()
         cve_data[row[0]] = {}
         cve_data[row[0]]["summary"] = row[1]
         cve_data[row[0]]["scorev2"] = row[2]
         cve_data[row[0]]["scorev3"] = row[3]
         cve_data[row[0]]["modified"] = row[4]
         cve_data[row[0]]["vector"] = row[5]
-    conn.close()
 
+    conn.close()
     return cve_data
 
 def cve_write_data(d, patched, unpatched, cve_data):