update: Do not treat sha256 failure as fatal if requested

Ikey Doherty · Ikey Doherty · commit c4f6e9453073 · 2017-02-23T10:17:43.000Z
The NVD database is known to have issues during early morning whereby
the meta files don't actually match the sha256 of the target xml feed.
This has caused problems for some users of cve-check-tool, so in this
case we will now continue as if nothing fatal had happened if we find
the CVE_SKIP_VERIFY variable in the environment.

Signed-off-by: Ikey Doherty &lt;michael.i.doherty@intel.com&gt;
diff --git a/src/update.c b/src/update.c
@@ -364,7 +364,10 @@ static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, bool db_
                                 goto refetch;
                         }
                         fprintf(stderr, "Unpacked data %s is not consistent\n", nvdcve_data->str);
-                        return -1;
+                        /* If CVE_SKIP_VERIFY is set in the environment, don't bail here */
+                        if (!getenv("CVE_SKIP_VERIFY")) {
+                                return -1;
+                        }
                 }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -364,7 +364,10 @@ static int do_fetch_update(int year, const char db_dir, CveDB cve_db, bool db_`
`364`	`364`	`goto refetch;`
`365`	`365`	`}`
`366`	`366`	`fprintf(stderr, "Unpacked data %s is not consistent\n", nvdcve_data->str);`
`367`		`- return -1;`
	`367`	`+ /* If CVE_SKIP_VERIFY is set in the environment, don't bail here */`
	`368`	`+ if (!getenv("CVE_SKIP_VERIFY")) {`
	`369`	`+ return -1;`
	`370`	`+ }`
`368`	`371`	`}`
`369`	`372`	`}`
`370`	`373`