On 20 Mar 2024, at 16:08, Emil Kronborg via lists.openembedded.org <[email protected]> wrote:
>
> By specifying the CVE vendor as python, some CVEs are not found. For
> instance, the CVE_PRODUCT for python3-pyopenssl becomes
> python:pyopenssl, which yields no matches in the NIST NVD database
> because the correct CVE vendor is pyopenssl.
>
> Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most
> cases. However, some package names, such as python3-pytest, are
> unrelated to the correct CVE product. In this case, the correct CVE
> vendor is pytest, but the CVE product is py, resulting in no CVEs being
> found. Therefore, not setting the CVE vendor is the most correct option.
Have you got comparison reports for a world run before and after this change so we can see what the difference is?

Ross
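To make the vendor/product matching behaviour in the quoted message concrete, here is a small added example (not code from the thread or from cve-check.bbclass). It models the NVD product table as a constructed list of (cve id, vendor, product) rows with placeholder CVE ids, and assumes, as cve-check does, that a CVE_PRODUCT entry written as `vendor:product` restricts the vendor while a bare `product` matches any vendor. It shows why `python:pyopenssl` and the `${PYPI_PACKAGE}:${PYPI_PACKAGE}` default for pytest find nothing, and also the trade-off of dropping the vendor: a bare `py` matches every vendor that ships a product called `py`, so a report should be checked for such extra hits.

```python
"""Toy model of how a CVE_PRODUCT spec is matched against NVD-style
(vendor, product) records. Constructed example; not cve-check.bbclass code."""
from fnmatch import fnmatchcase

# Constructed stand-in for the NVD products table: (cve_id, vendor, product).
# The ids are placeholders, not real CVE numbers.
NVD_PRODUCTS = [
    ("CVE-EXAMPLE-0001", "pyopenssl", "pyopenssl"),
    ("CVE-EXAMPLE-0002", "pytest", "py"),
    ("CVE-EXAMPLE-0003", "python", "python"),
    ("CVE-EXAMPLE-0004", "othervendor", "py"),  # same product name, unrelated vendor
]


def parse_cve_product(spec):
    """Split one CVE_PRODUCT entry into (vendor, product).

    'vendor:product' pins the vendor; a bare 'product' means any vendor,
    modelled here as the glob '*' (assumption mirroring a SQL '%' wildcard).
    """
    if ":" in spec:
        vendor, product = spec.split(":", 1)
        return vendor, product
    return "*", spec


def matching_cves(cve_product, rows=NVD_PRODUCTS):
    """Return the sorted CVE ids whose (vendor, product) match any
    whitespace-separated entry in cve_product."""
    matched = set()
    for spec in cve_product.split():
        vendor, product = parse_cve_product(spec)
        for cve_id, row_vendor, row_product in rows:
            if row_product == product and fnmatchcase(row_vendor, vendor):
                matched.add(cve_id)
    return sorted(matched)


def pypi_default(pypi_package):
    """The ${PYPI_PACKAGE}:${PYPI_PACKAGE} default discussed in the thread."""
    return f"{pypi_package}:{pypi_package}"


if __name__ == "__main__":
    for spec in ("python:pyopenssl", pypi_default("pyopenssl"), "pyopenssl",
                 pypi_default("pytest"), "pytest:py", "py"):
        print(f"{spec:22} -> {matching_cves(spec)}")
```

The vendor-pinned form is the precise one when the vendor is known; the vendor-less form trades a few possible false positives (the `py` case above) for never silently missing a product whose NVD vendor differs from the PyPI name.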
