From 7fc938ef32006946609023e4483e5babc0f5f53f Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Fri, 11 Dec 2020 17:14:16 +0100
Subject: [PATCH 1/2] Check DB versions before CERT severity updates When rebuilding the SCAP or CERT database, check if the other one has the correct version. If not, skip updating the CERT severity scores. This fixes an issue where the SCAP DB update during migration does not work because the CERT DB is not migrated yet and therefore incompatible.
---
src/manage_sql_secinfo.c | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index b8d2aeaaf..79b99affd 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
@@ -4397,6 +4397,7 @@ update_cvss_cert_bund (int updated_cert_bund, int last_cert_update, static int sync_cert () { + int scap_db_version; int last_feed_update, last_cert_update, updated_dfn_cert; int updated_cert_bund;
@@ -4458,7 +4459,19 @@ sync_cert () g_debug ("%s: update cvss", __func__); - if (manage_scap_loaded ()) + /* Update CERT data that depends on SCAP. */ + scap_db_version = manage_scap_db_version(); + + if (scap_db_version == -1) + g_info ("SCAP database does not exist (yet)," + " skipping CERT severity score update"); + else if (scap_db_version < GVMD_SCAP_DATABASE_VERSION) + g_info ("SCAP database has to be migrated," + " skipping CERT severity score update"); + else if (scap_db_version > GVMD_SCAP_DATABASE_VERSION) + g_warning ("SCAP database is newer than supported version," + " skipping CERT severity score update"); + else { int last_scap_update;
@@ -4644,6 +4657,8 @@ update_scap_placeholders () static int update_scap_end () { + int cert_db_version; + g_debug ("%s: update timestamp", __func__); if (update_scap_timestamp ())
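Review bot: The three skip messages added in the second sync_cert hunk do not say which schema version was found or which one is required, and two of them are logged with g_info, so a skipped CERT severity update may leave stale scores without a visible trace at the configured log level. Including the function name and both numbers makes the skip diagnosable, for example `g_info ("%s: SCAP database version %d is older than required %d, skipping CERT severity score update", __func__, scap_db_version, GVMD_SCAP_DATABASE_VERSION);` (assuming the macro expands to an int). The same applies to the parallel CERT messages in the update_scap_end hunk. The new call is also written `manage_scap_db_version()` without the space before the parenthesis that the surrounding lines use. sync_cert's body continues outside the hunk.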
@@ -4666,8 +4681,18 @@ update_scap_end () sql ("ALTER SCHEMA scap2 RENAME TO scap;"); /* Update CERT data that depends on SCAP. */ - - if (manage_cert_loaded ()) + cert_db_version = manage_cert_db_version(); + + if (cert_db_version == -1) + g_info ("CERT database does not exist (yet)," + " skipping CERT severity score update"); + else if (cert_db_version < GVMD_CERT_DATABASE_VERSION) + g_info ("CERT database has to be migrated," + " skipping CERT severity score update"); + else if (cert_db_version > GVMD_CERT_DATABASE_VERSION) + g_warning ("CERT database is newer than supported version," + " skipping CERT severity score update"); + else { int last_cert_update, last_scap_update;
From fb94da931439b30f883ddec25c5967c156d81d4a Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Fri, 11 Dec 2020 17:30:40 +0100
Subject: [PATCH 2/2] Add new SCAP/CERT version check to CHANGELOG
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62d793346..4b164ac6a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Fix severity_in_level SQL function [#1312](https://github.com/greenbone/gvmd/pull/1312) - Fix and simplify SecInfo migration [#1331](https://github.com/greenbone/gvmd/pull/1331) - Prevent CPE/NVD_ID from being "(null)" [#1369](https://github.com/greenbone/gvmd/pull/1369) +- Check DB versions before CERT severity updates [#1376](https://github.com/greenbone/gvmd/pull/1376) ### Removed - Remove solution element from VT tags [#886](https://github.com/greenbone/gvmd/pull/886)
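Review bot: The four-way version comparison added to update_scap_end in src/manage_sql_secinfo.c repeats the one added to sync_cert line for line, differing only in the database name and the expected-version macro, so the two copies can drift apart when a branch or a message is changed later. A small static helper that takes the name, the found version and the expected version, and returns whether the severity update may proceed, would keep that policy in one place; a sketch follows. update_scap_end's body starts and ends outside the hunk, so the sketch shows only the first line of the call site.

```c
/* Return 1 if db_version matches expected; otherwise log why the CERT
 * severity score update is skipped and return 0. */
static int
secinfo_db_version_ok (const char *db_name, int db_version, int expected)
{
  if (db_version == expected)
    return 1;

  if (db_version == -1)
    g_info ("%s database does not exist (yet),"
            " skipping CERT severity score update", db_name);
  else if (db_version < expected)
    g_info ("%s database has to be migrated,"
            " skipping CERT severity score update", db_name);
  else
    g_warning ("%s database is newer than supported version,"
               " skipping CERT severity score update", db_name);
  return 0;
}

  /* ... unchanged: schema rename in update_scap_end ... */
  if (secinfo_db_version_ok ("CERT", manage_cert_db_version (),
                             GVMD_CERT_DATABASE_VERSION))
    {
      /* ... unchanged: last_cert_update / last_scap_update block ... */
```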