From: Peter Marko <[email protected]> Recently NVD updated all CVEs for json-c and old fixed cves are reported in some older yocto branches. NVD match clause now includes full tag name including date which is "greater" than tag without additional numbers.
Define CVE_VERSION identical to full tag also on master to avoid future CVEs to be reported incorrectly. Put it close to hash so recipe update patch includes this line. Signed-off-by: Peter Marko <[email protected]> --- meta/recipes-devtools/json-c/json-c_0.17.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/json-c/json-c_0.17.bb b/meta/recipes-devtools/json-c/json-c_0.17.bb index b7b596212f..f4b7a32cea 100644 --- a/meta/recipes-devtools/json-c/json-c_0.17.bb +++ b/meta/recipes-devtools/json-c/json-c_0.17.bb @@ -9,6 +9,9 @@ SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \ " SRC_URI[sha256sum] = "7550914d58fb63b2c3546f3ccfbe11f1c094147bd31a69dcd23714d7956159e6" +# NVD uses full tag name including date +CVE_VERSION = "0.17-20230812" + UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/tags"; UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188344): https://lists.openembedded.org/g/openembedded-core/message/188344 Mute This Topic: https://lists.openembedded.org/mt/101626352/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
