On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote:
Hi,

On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
This bolt product does not currently have an entry in the CVE database.
However, the default cve-check logic that maps recipes to products in
the CVE database is incorrectly matching this package to a different
bolt product made by bolt-cms. As a result, CVE checking incorrectly
reports CVEs for that product for this package.

Signed-off-by: Jeffrey Pautler <jeffrey.paut...@ni.com>
---
  meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb 
b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
index b6ad6337c..583cc6378 100644
--- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
+++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
@@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
S = "${WORKDIR}/git" +CVE_CHECK_SKIP_RECIPE = "${PN}"
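Review bot: `CVE_CHECK_SKIP_RECIPE = "${PN}"` on this line turns CVE checking off for the whole recipe, so a future entry filed against this bolt would be silenced along with the bolt-cms false positives the commit message describes. The narrower fix is to keep the check and qualify the product instead: cve-check accepts a vendor-qualified form of CVE_PRODUCT (`CVE_PRODUCT = "vendor:bolt"`), which stops the bolt-cms entries from matching while still reporting anything filed under the right vendor. Which vendor string NVD would use for this product is not established here, since it has no entry yet, so whichever value is chosen should carry a comment next to the variable stating the bolt-cms mismatch it works around; the rationale currently lives only in the commit message, not in the recipe.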
I think this is wrong and dangerous for anyone who in the future tries to use
cve checker for this recipe. Instead, set the CVE product with vendor correctly
so that other products/vendors don't mix the results? Hopefully any new CVEs
in the future will set the same vendor and product.

Are you suggesting that he set the string to something like `cpe:*:a:freedesktop:bolt:*`, in the hope that, if the Free Desktop folks open a CPE in the future, it will match?


Cheers,

-Mikko

  inherit cmake pkgconfig meson features_check
FILES:${PN} += "${datadir}/dbus-1/* \
--
2.34.1

--
Alex Stewart
Software Engineer - NI Real-Time OS
NI (National Instruments)

alex.stew...@ni.com
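The mapping Mikko and Alex are arguing about, worked through as an added example (this is not code from cve-check.bbclass, the NVD feed or the bolt recipe): a bare product name matches every vendor that ships a product of that name, a vendor-qualified CVE_PRODUCT only matches the one vendor, and CVE_CHECK_SKIP_RECIPE hides both the false positives and any real entry that appears later. It assumes the `vendor:product` form of CVE_PRODUCT, a constructed feed whose ids and CPE strings are made up, and `freedesktop` as the hypothetical vendor string from Alex's message.

```python
"""Constructed illustration of recipe-to-CPE product matching.

Added example, not cve-check's own code. It mimics two behaviours of the
class that matter in the thread: the default product name is the bare
recipe name, and a CVE_PRODUCT entry may be written as "vendor:product"
to restrict matches to one vendor.
"""
from __future__ import annotations

# Constructed sample feed: the ids and CPE strings are made up for the
# example and do not describe any real vulnerability in bolt or bolt-cms.
SAMPLE_FEED = [
    ("EXAMPLE-0001", "cpe:2.3:a:bolt-cms:bolt:4.1.0:*:*:*:*:*:*:*"),
    ("EXAMPLE-0002", "cpe:2.3:a:bolt-cms:bolt:3.7.1:*:*:*:*:*:*:*"),
    ("EXAMPLE-0003", "cpe:2.3:a:example-vendor:other:1.0:*:*:*:*:*:*:*"),
]

# Hypothetical future entry for the freedesktop bolt daemon. The vendor
# string is an assumption; the thread notes the product has no NVD entry.
FUTURE_ENTRY = ("EXAMPLE-0004", "cpe:2.3:a:freedesktop:bolt:0.9.5:*:*:*:*:*:*:*")


def parse_cpe23(cpe: str) -> tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[3], parts[4], parts[5]


def parse_cve_product(spec: str) -> tuple[str | None, str]:
    """Split one CVE_PRODUCT entry into (vendor, product); vendor is optional."""
    if ":" in spec:
        vendor, product = spec.split(":", 1)
        return vendor, product
    return None, spec


def matching_ids(cve_products: list[str], feed) -> list[str]:
    """Return feed ids whose CPE matches any CVE_PRODUCT entry.

    A bare product name matches every vendor shipping a product of that
    name, which is how bolt-cms entries get attributed to the bolt daemon.
    """
    wanted = [parse_cve_product(p) for p in cve_products]
    hits = []
    for entry_id, cpe in feed:
        vendor, product, _version = parse_cpe23(cpe)
        for want_vendor, want_product in wanted:
            if product != want_product:
                continue
            if want_vendor is not None and vendor != want_vendor:
                continue
            hits.append(entry_id)
            break
    return hits


def check_recipe(pn: str, cve_product: str | None = None,
                 skip_recipe: bool = False, feed=SAMPLE_FEED) -> list[str]:
    """Model the two recipe-level knobs: CVE_PRODUCT defaults to the recipe
    name, and CVE_CHECK_SKIP_RECIPE suppresses the check entirely."""
    if skip_recipe:
        return []
    products = cve_product.split() if cve_product else [pn]
    return matching_ids(products, feed)


if __name__ == "__main__":
    # Default mapping: recipe name "bolt" picks up the bolt-cms entries.
    print("default:", check_recipe("bolt"))
    # Vendor-qualified mapping: nothing from bolt-cms matches.
    print("vendor-qualified:", check_recipe("bolt", cve_product="freedesktop:bolt"))
    # Once an entry for the real product exists, the vendor-qualified
    # mapping still finds it, while a skipped recipe reports nothing.
    feed = SAMPLE_FEED + [FUTURE_ENTRY]
    print("future, vendor-qualified:",
          check_recipe("bolt", cve_product="freedesktop:bolt", feed=feed))
    print("future, skipped:", check_recipe("bolt", skip_recipe=True, feed=feed))
```

The last two calls are the point of Mikko's objection: with the recipe skipped, the future entry never surfaces, whereas the vendor-qualified product keeps the bolt-cms noise out and still reports it.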

View/Reply Online (#105305): 
https://lists.openembedded.org/g/openembedded-devel/message/105305
