On Wed, 2024-03-20 at 16:09 +0000, Emil Kronborg via lists.openembedded.org wrote:
> For some reason, the CVE product is just called py and not pytest in
> the NIST NVD database. Since the database only accepts keywords with
> at least 3 characters, the CVE vendor must also be specified.
> 
> Signed-off-by: Emil Kronborg <[email protected]>
> ---
> Changes in v2:
> - I forgot to sign the first version.
> 
>  meta/recipes-devtools/python/python3-pytest_8.0.2.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> index 57e979e909c3..080b89ebdd5e 100644
> --- a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> +++ b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> @@ -5,6 +5,8 @@ DESCRIPTION = "The pytest framework makes it easy to
> write small tests, yet scal
>  LICENSE = "MIT"
>  LIC_FILES_CHKSUM =
> "file://LICENSE;md5=bd27e41b6550fe0fc45356d1d81ee37c"
>  
> +CVE_PRODUCT = "pytest:py"
> +
>  SRC_URI[sha256sum] =
> "d4051d623a2e0b7e51960ba963193b09ce6daeb9759a451844a21e4ddedfc1bd"
>  
>  DEPENDS += "python3-setuptools-scm-native"
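Review bot: setting CVE_PRODUCT to only "pytest:py" drops the plain product name "pytest" from the match, so any CVE that NVD files (or later re-files) under product pytest would no longer be reported against this recipe, and the vendor-qualified "py" entry is the only thing cve-check will look for. Suggest listing both so either CPE matches, e.g. `CVE_PRODUCT = "pytest:py pytest"`, and adding a short comment above the assignment stating that NVD currently files pytest under product "py" and that the vendor is required because NVD keywords must be at least 3 characters; that rationale currently lives only in the commit message and will be invisible to whoever next touches the recipe.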

I worry this is a misfiled CPE rather than a general statement that
they'd always use this for pytest CVEs. We might want to talk to them
about tweaking it to be consistent? I'm certainly unsure about taking
this patch as it might mask future issues?

Cheers,

Richard