Hi,

On Thu, Oct 19, 2023 at 10:19:53AM +0200, Marta Rybczynska wrote:
> On Mon, Oct 16, 2023 at 9:01 AM Mikko Rapeli <[email protected]> wrote:
> >
> > Many recipes embed other SW components. The name and version of the
> > embedded SW component differs from the main recipe. To detect CVEs in the
> > embedded SW component, it needs to be added to the CVE_PRODUCT list using
> > the name of the SW product in the CVE database or with "vendor:product"
> > syntax. Then the version of the embedded SW component can be set using
> > the CVE_VERSION_product variable.
> >
> > For example in meta-arm, trusted-firmware-a embeds the mbed_tls SW
> > component. Thus trusted-firmware-a can add CVE_PRODUCT for it since the
> > CVE database uses the product name "mbed_tls":
> >
> > CVE_PRODUCT += "mbed_tls"
> >
> > and set the version of mbed_tls:
> >
> > CVE_VERSION_mbed_tls = "2.28.4"
> >
> > (Real patches for both are a bit more complex due to conditional build
> > enabling mbed_tls support and due to the mbed_tls version being set in an
> > .inc file.)
> >
>
> I like the support for embedded software. In this approach, I'm wondering
> how it would work for packages like curl that have multiple CPEs. Would we
> need to duplicate the list of CPEs?
The current approach of listing multiple CPEs in CVE_PRODUCT still works.
It's just possible to include a different version for an entry in CVE_PRODUCT
via the CVE_VERSION_swcomponent variable. It will fall back to PV.

> There are layers/recipes where we have a very long list of embedded
> components, meta-zephyr is probably the best example.

Yes, I think this embedding of SW components is very common. I think some of
the LICENSE data does reflect this but not in all cases.

Cheers,

-Mikko
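As an added example that is not part of this thread or of cve-check.bbclass itself, the following stand-alone Python re-implements the lookup discussed above: each CVE_PRODUCT entry (bare product or "vendor:product") gets the version from CVE_VERSION_<product> when set and otherwise falls back to PV, and the resolved tuples are then matched against CVE records. The recipe variables, the CVE records with placeholder ids, and the '%' any-vendor wildcard are all constructed for the illustration and are not taken from the real recipes or database.

```python
# Added example, not cve-check.bbclass code: a stand-alone re-implementation
# of the per-product version lookup described in the thread.
from typing import Dict, List, Tuple

# Constructed recipe variables (hypothetical values, not the real recipes).
TFA_VARS = {
    "PV": "2.9.0",
    "CVE_PRODUCT": "trusted-firmware-a mbed_tls",
    "CVE_VERSION_mbed_tls": "2.28.4",  # embedded component has its own version
}
CURL_VARS = {"PV": "8.4.0", "CVE_PRODUCT": "haxx:curl haxx:libcurl"}

# Constructed CVE records with placeholder ids; "end" is exclusive.
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-1", "vendor": "arm", "product": "mbed_tls",
     "start": "2.28.0", "end": "2.28.5"},
    {"id": "CVE-EXAMPLE-2", "vendor": "arm", "product": "mbed_tls",
     "start": "2.28.0", "end": "2.28.4"},
    {"id": "CVE-EXAMPLE-3", "vendor": "haxx", "product": "libcurl",
     "start": "8.0.0", "end": "8.4.0"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (enough for the samples)."""
    return tuple(int(x) for x in v.split("."))

def resolve_cve_products(d: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (vendor, product, version) for every CVE_PRODUCT entry.
    A bare name matches any vendor ('%'); "vendor:product" pins the vendor.
    Version is CVE_VERSION_<product> when set, otherwise PV (the fallback)."""
    resolved = []
    for entry in d.get("CVE_PRODUCT", "").split():
        vendor, _, product = entry.rpartition(":")
        version = d.get(f"CVE_VERSION_{product}", d["PV"])
        resolved.append((vendor or "%", product, version))
    return resolved

def affected_cves(products, records) -> List[str]:
    """CVE ids whose vendor/product/version range cover a resolved product."""
    hits = set()
    for vendor, product, version in products:
        pv = parse_version(version)
        for rec in records:
            if rec["product"] != product or (
                    vendor != "%" and rec["vendor"] != vendor):
                continue
            if parse_version(rec["start"]) <= pv < parse_version(rec["end"]):
                hits.add(rec["id"])
    return sorted(hits)
```

With the constructed data, only the mbed_tls entry at 2.28.4 is flagged, because its version is taken from CVE_VERSION_mbed_tls rather than from the trusted-firmware-a PV.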
