From: Ross Burton <ross@burtonini.com>
Date: Wed, 23 Feb 2022 12:54:31 +0000 (+0000)
Subject: cve-check: get_cve_info should open the database read-only
X-Git-Url: https://code.ossystems.io/gitweb?a=commitdiff_plain;h=8de517238f1f418d9af1ce312d99de04ce2e26fc;p=openembedded-core.git

cve-check: get_cve_info should open the database read-only

All of the function in cve-check should open the database read-only, as
the only writer is the fetch task in cve-update-db.  However,
get_cve_info() was failing to do this, which might be causing locking
issues with sqlite.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 2d69aeba4b..d715fbf4d8 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -265,7 +265,8 @@ def get_cve_info(d, cves):
     import sqlite3
 
     cve_data = {}
-    conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+    db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+    conn = sqlite3.connect(db_file, uri=True)
 
     for cve in cves:
         for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):