Hi,

On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
> This bolt product does not currently have an entry in the CVE database.
> However, the default cve-check logic that maps recipes to products in
> the CVE database is incorrectly matching this package to a different
> bolt product made by bolt-cms. As a result, CVE checking incorrectly
> reports CVEs for that product for this package.
> 
> Signed-off-by: Jeffrey Pautler <jeffrey.paut...@ni.com>
> ---
>  meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb 
> b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> index b6ad6337c..583cc6378 100644
> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
>  
>  S = "${WORKDIR}/git"
>  
> +CVE_CHECK_SKIP_RECIPE = "${PN}"

I think this is wrong and dangerous for anyone who in the future tries to use
cve checker for this recipe. Instead, set the CVE product with vendor correctly
so that other products/vendors don't mix the results? Hopefully any new CVEs
in the future will set the same vendor and product.

Cheers,

-Mikko

>  inherit cmake pkgconfig meson features_check
>  
>  FILES:${PN} += "${datadir}/dbus-1/* \
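Review bot: `CVE_CHECK_SKIP_RECIPE = "${PN}"` in this hunk switches CVE checking off for the recipe entirely, which is broader than the problem the commit message describes (product-name matching picking up the bolt-cms product): any CVE filed against this bolt in the future would also go unreported, and nothing in the recipe records why. Keep checking enabled and scope the match instead, e.g. `CVE_PRODUCT = "vendor:bolt"` with the vendor string the CPE entry for this project uses (cve-check accepts the vendor:product form), so that a same-named product from a different vendor no longer collides; if an individual false-positive CVE still needs suppressing, do it per CVE rather than per recipe. A one-line comment above the variable saying which bolt this is and why the vendor is pinned would keep the reasoning in the recipe rather than only in the commit message.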
> -- 
> 2.34.1
> 

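For reference, the two approaches discussed above written out in recipe syntax. This is an added illustration for this thread, not code from meta-openembedded or from the patch; the vendor string "freedesktop" is an assumed placeholder and must be replaced with whatever vendor the CPE entry for this project actually uses.

```bitbake
# Added illustration, not part of the submitted patch.

# What the patch does: opt this recipe out of cve-check altogether.
# Side effect: a CVE filed against this bolt in the future is never reported.
# CVE_CHECK_SKIP_RECIPE = "${PN}"

# Narrower alternative: keep cve-check on, but qualify the product with its
# vendor so a same-named product from another vendor (bolt-cms) no longer
# matches by name alone. "freedesktop" is an ASSUMED placeholder vendor.
CVE_PRODUCT = "freedesktop:bolt"
```

With the vendor-qualified form the recipe still shows up in the cve-check report, so a future CVE assigned to this project's own CPE is caught rather than silently skipped; the trade-off is that the vendor string has to be kept in line with what NVD eventually assigns.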

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#105303): https://lists.openembedded.org/g/openembedded-devel/message/105303
Mute This Topic: https://lists.openembedded.org/mt/101662068/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
-=-=-=-=-=-=-=-=-=-=-=-