From: Quentin Schulz <[email protected]>

The NVD has two additional CPEs for squashfs-tools pointing at the same GitHub git repo, squashfs_project:squashfs-tools[1] and squashfs-tools_project:squashfs-tools[2].
There are no other matches for squashfs-tools in the NVD except those two, so don't specify the vendor for now and match both vendors with only one entry in CVE_PRODUCT. [1] https://nvd.nist.gov/products/cpe/detail/029FFEC5-FB40-4591-A864-90CB97E80FEA [2] https://nvd.nist.gov/products/cpe/detail/ADE3E55D-5CBD-49B3-85B4-2035A9B380B3 Signed-off-by: Quentin Schulz <[email protected]> --- Not tested, I just was comparing which CPEs are missing in my Buildroot SBOM (which only generates max one CPE per package) against packages that can be found in Yocto where more CPEs are allowed and stumbled upon more CPEs for squashfs-tools that aren't in Yocto yet, so adding them. --- meta/recipes-devtools/squashfs-tools/squashfs-tools_4.7.5.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.7.5.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.7.5.bb index 7741039fcf..9a1ebd575c 100644 --- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.7.5.bb +++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.7.5.bb @@ -38,4 +38,4 @@ ARM_INSTRUCTION_SET:armv6 = "arm" BBCLASSEXTEND = "native nativesdk" -CVE_PRODUCT = "squashfs" +CVE_PRODUCT = "squashfs squashfs-tools" --- base-commit: 3724b93538d3acbec9f48d4c524b51d166071708 change-id: 20260518-squashfs-cpe-cca02a5fef28 Best regards, -- Quentin Schulz <[email protected]>
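Review bot: On the changed CVE_PRODUCT line at the end of the hunk, the new "squashfs-tools" entry carries no vendor, and the reason for that (two NVD vendors, squashfs_project and squashfs-tools_project, both pointing at the same repository) is recorded only in the commit message. A short comment above the assignment naming both vendors would keep the rationale visible in the recipe, so a later reader can tell the missing vendor is deliberate and knows which two CPEs to re-check if a third, unrelated vendor ever publishes a product called squashfs-tools. The alternative is to spell the two entries out in vendor:product form, which is longer but cannot pick up an unrelated product. Since the note under the "---" says the change is not tested, a CVE check run on this recipe before and after the change, with the list of newly matched CVEs included in the message, would confirm that the extra product name matches what is intended and show whether any of the new hits already have fixes in 4.7.5.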
