On Wed, Feb 3, 2021 at 12:02 AM Mikko Rapeli <[email protected]> wrote: > > Hi, > > On Wed, Feb 03, 2021 at 08:42:57AM +0000, Anatol Belski wrote: > > The naming convention needs to be help so the CVE is recognized as > > fixed by the tooling. > > Yocto CVE checker does detect CVE patches also from patch comments so > this change is not needed for that. This is sufficient: > > poky$ git grep CVE-2020-35457 > meta/recipes-core/glib-2.0/glib-2.0/0001-goption-Add-a-precondition-to-avoid-GOptionEntry-lis.patch:CVE: > CVE-2020-35457
Yes, we are detecting the CVE patch from the patch comment. However our CVE patch guidelines do request that the patch be named with the CVE as the name: https://wiki.yoctoproject.org/wiki/Security (in the "Patch name convention and commit message" section) I'm sorry I didn't catch this when I merged this earlier. I always check the patch itself for the CVE tag, but I missed the name. So I'm happy to take this patch just to clean up the metadata and make it easy to see that this is a CVE patch. Steve > Is there some other tooling that you are referring to? > > Cheers, > > -Mikko > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#147625): https://lists.openembedded.org/g/openembedded-core/message/147625 Mute This Topic: https://lists.openembedded.org/mt/80349258/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
