Vmaas-sync periodically requests VMaaS service for CVE metadata.
Sync is run every 4 hours and requests VMaaS service for every known CVEs. For each returned CVE, sync updates or insert its metadata (cvss score, etc.). If CVE is present in Vulnerability but not in VMaaS, it gets deleted only if there is no system vulnerable to this CVE. When a new CVE appears from VMaaS, systems which have enabled repository which was updated since last vmaas sync gets re-evaluated by sending them to the evaluator-recalc component topic vulnerability.evaluator.recalc with message type re-evaluate_system.