On Mon, Oct 16, 2023 at 9:01 AM Mikko Rapeli <mikko.rap...@linaro.org> wrote:
>
> Many recipes embed other SW components. The name and version of the
> embedded SW component differs from the main recipe. To detect CVEs in the
> embedded SW component, it needs to be added to the CVE_PRODUCT list using the
> name of the SW product in the CVE database or with "vendor:product" syntax.
> Then the version of the embedded SW component can be set using
> CVE_VERSION_product variable.
>
> For example in meta-arm, trusted-firmware-a embeds mbed_tls SW component.
> Thus trusted-firmware-a can add CVE_PRODUCT for it since the CVE database
> uses product name "mbed_tls":
>
> CVE_PRODUCT += "mbed_tls"
>
> and set the version of mbed_tls:
>
> CVE_VERSION_mbed_tls = "2.28.4"
>
> (Real patches for both are a bit more complex due to conditional build
> enabling mbed_tls support and due to mbed_tls version being set in an
> .inc file.)
>

I like the support for embedded software. In this approach, I'm wondering
how it would work for packages like curl that have multiple CPEs. Would we
need to duplicate the list of CPEs?

There are layers/recipes where we have a very long list of embedded components,
meta-zephyr is probably the best example.

Cheers,
Marta
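As an added illustration of the lookup rule described in the quoted patch description (this is not the cve-check.bbclass implementation and not part of the thread), the CVE_PRODUCT / CVE_VERSION_<product> resolution is modeled in plain Python with a dict standing in for the BitBake datastore; the recipe values in the two sample datastores are constructed, and the "%" wildcard vendor marker is an assumption:

```python
# Models the rule from the patch description:
#  - every entry in CVE_PRODUCT is a product to scan, either a bare product
#    name or "vendor:product";
#  - each product's version is CVE_VERSION_<product> when set, otherwise the
#    recipe-wide CVE_VERSION, which defaults to PV.
# The dict is a constructed stand-in for the BitBake datastore, not bb.data.

# Constructed: a trusted-firmware-a style recipe embedding mbed_tls at a
# different version than the main component.
TFA_RECIPE = {
    "BPN": "trusted-firmware-a",
    "PV": "2.9.0",
    "CVE_PRODUCT": "arm:trusted-firmware-a mbed_tls",
    "CVE_VERSION_mbed_tls": "2.28.4",
}

# Constructed: a curl style recipe with two CPE product names that both
# describe the same source tree, so both keep the recipe version.
CURL_RECIPE = {
    "BPN": "curl",
    "PV": "8.4.0",
    "CVE_PRODUCT": "curl libcurl",
}


def resolve_cve_targets(datastore):
    """Return (vendor, product, version) triples, one per CVE_PRODUCT entry."""
    # CVE_PRODUCT falls back to the base package name when unset.
    products = (datastore.get("CVE_PRODUCT") or datastore["BPN"]).split()
    # Recipe-wide version used for every product without its own override.
    default_version = datastore.get("CVE_VERSION") or datastore["PV"]
    targets = []
    for entry in products:
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = "%", entry  # assumed wildcard vendor marker
        # Per-product override, e.g. CVE_VERSION_mbed_tls = "2.28.4".
        version = datastore.get("CVE_VERSION_" + product) or default_version
        targets.append((vendor, product, version))
    return targets


if __name__ == "__main__":
    for recipe in (TFA_RECIPE, CURL_RECIPE):
        for vendor, product, version in resolve_cve_targets(recipe):
            print(f"{recipe['BPN']}: vendor={vendor} product={product} version={version}")
```

Multiple CPEs for one component, as in the curl case, need no duplication: only products with an explicit CVE_VERSION_<product> diverge from the recipe version.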
View/Reply Online (#189434): 
https://lists.openembedded.org/g/openembedded-core/message/189434