By specifying the CVE vendor as python, some CVEs are not found. For
instance, the CVE_PRODUCT for python3-pyopenssl becomes
python:pyopenssl, which yields no matches in the NIST NVD database
because the correct CVE vendor is pyopenssl.

Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most
cases. However, some package names, such as python3-pytest, are
unrelated to the correct CVE product. In this case, the correct CVE
vendor is pytest, but the CVE product is py, resulting in no CVEs being
found. Therefore, not setting the CVE vendor is the most correct option.

Signed-off-by: Emil Kronborg <[email protected]>
---
Changes in v2:
- I forgot to sign the first version.
meta/classes-recipe/pypi.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes-recipe/pypi.bbclass b/meta/classes-recipe/pypi.bbclass
index b8c18ccf395a..64ef9148d27e 100644
--- a/meta/classes-recipe/pypi.bbclass
+++ b/meta/classes-recipe/pypi.bbclass
@@ -35,4 +35,4 @@ UPSTREAM_CHECK_PYPI_PACKAGE ?=
"${@d.getVar('PYPI_PACKAGE').replace('_', '-')}"
UPSTREAM_CHECK_URI ?=
"https://pypi.org/project/${UPSTREAM_CHECK_PYPI_PACKAGE}/"
UPSTREAM_CHECK_REGEX ?=
"/${UPSTREAM_CHECK_PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"
-CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"
+CVE_PRODUCT ?= "${PYPI_PACKAGE}"
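Review bot: Dropping the vendor at the `+CVE_PRODUCT ?= "${PYPI_PACKAGE}"` line makes cve-check match that product name under any vendor, so recipes whose PyPI name is generic can now pick up unrelated CVEs where the old `python:` prefix excluded them; the description should say that recipes with a known CPE pair are still expected to set `CVE_PRODUCT = "vendor:product"` explicitly, and that the python3-pytest/py case mentioned in the description is not resolved by this hunk and still needs a per-recipe override. Also worth checking: UPSTREAM_CHECK_PYPI_PACKAGE just above rewrites `_` to `-`, while CVE_PRODUCT uses the raw PYPI_PACKAGE, so packages with underscores in their PyPI name may still miss if NVD spells the product differently.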
--
2.44.0
View/Reply Online (#197368):
https://lists.openembedded.org/g/openembedded-core/message/197368