fix: re-evaluate unpatched CVEs in recalc

even though recalc is triggered by change in repostiries/released erratum, we need to re-evaluate also unpatched cves as it can happen that unpatched CVE becomes patched and we need to remove it from list of unpatched cves relates to: RHINENG-15100 RHINENG-15129
RedHatInsights · Jan 10, 2025 · 85256df · 85256df
1 parent 32414d0
commit 85256df
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 11 deletions.
diff --git a/evaluator/logic.py b/evaluator/logic.py
@@ -499,7 +499,6 @@ async def _evaluate_vmaas_res(
         sys_vuln_rows: dict,
         system_platform: SystemPlatform,
         conn: AsyncConnection,
-        recalc_event_id: Optional[int] = None,
     ) -> dict:
         """Insert vmaas cve results"""
 
@@ -539,11 +538,6 @@ async def _evaluate_vmaas_res(
                     None,
                 )
 
-            # if this is a re-evaluation, it means it was triggered by a new erratum in repository => don't change unfixed CVEs
-            # the change of unfixed CVEs in oval/csaf is not covered, it'll be handled only by evaluator_upload for now
-            if recalc_event_id:
-                return sys_vuln_rows
-
             # aggregate unfixed cves, get (package name, cpe, module) tuples and list of cves for these pairs
             pn_cpes = {}
             for cve_unpatched in unpatched_cves:
@@ -694,9 +688,7 @@ async def _evaluate_advisor_res(
 
         return sys_vuln_rows
 
-    async def evaluate_vulnerabilities(
-        self, system_platform: SystemPlatform, conn: AsyncConnection, recalc_event_id: Optional[int] = None
-    ) -> Dict[str, SystemVulnerabilitiesRow]:
+    async def evaluate_vulnerabilities(self, system_platform: SystemPlatform, conn: AsyncConnection) -> Dict[str, SystemVulnerabilitiesRow]:
         """Evaluate cve hits from vmaas and advisor"""
         sys_vuln_rows = {}
 
@@ -710,7 +702,6 @@ async def evaluate_vulnerabilities(
                     sys_vuln_rows,
                     system_platform,
                     conn,
-                    recalc_event_id=recalc_event_id,
                 )
         if system_platform.rule_results:
             # set of unpatched cves from vmaas for exclusion from advisor evaluation

diff --git a/evaluator/processor.py b/evaluator/processor.py
@@ -318,7 +318,7 @@ async def _evaluate_system(
                 # start both task asynchronously to speed up
                 sys_vuln_rows_db, sys_vuln_rows = await asyncio.gather(
                     self._load_db_system_vulnerabilities(system_platform, conn),
-                    self.evaluator_logic.evaluate_vulnerabilities(system_platform, conn, recalc_event_id=recalc_event_id),
+                    self.evaluator_logic.evaluate_vulnerabilities(system_platform, conn),
                 )
 
                 to_insert, to_update, to_delete = await self._compare_sys_vulns(sys_vuln_rows_db, sys_vuln_rows)