Hello Martha, 
 
Thanks for the feedback.
 
As I understand, you are referring to CVE_DB_UPDATE_INTERVAL, which can be set to a negative value to disable the download. 

I have already tried using a custom "do_fetch" task with a git fetch/pull attempt, as well as with a fixed commit reference in failing scenarios.
But, it seems that I can't avoid a parsing issue if the SRCREV is set to ${AUTOREV} with the build machine not connected to any network (due to a failed attempt to resolve the latest commit hash).

A new .bbclass seems appropriate (e.g., non_deterministic_native.bbclass) to handle natives recipes that require an up-to-date git database.

Adding a non-deterministic class to fetch the latest available commit seems a necessary tool for CVE, as you always want to look at the latest available information (e.g., I have a PR also open for improve_kernel_cve, which has the same issue).

 

This class could be used to redefine fetch and unpack mechanisms provided by the "base" class, as you did with cve-update-nvd2-native.
It would take a default commit as a reference (e.g., "644ce1758db1773336ebebb6a0da90e132da0eb7"), which won't break the build without any network. In addition, the new do_fetch task would try at the same time to pull the latest available commit if any network is available.

But I don't think I want to handle this mechanism in my current PR. It may be preferable to keep it in a future dedicated one. I would prefer to have my boilerplate merge first with a fixed SRCREV.