Hi,

This change will need some adaptations in the create-spdx.bbclass to handle this new variable with _PN.
Jose

Mikko Rapeli <[email protected]> wrote on Thursday, 19/10/2023 at 10:13:
> Hi,
>
> On Thu, Oct 19, 2023 at 10:19:53AM +0200, Marta Rybczynska wrote:
> > On Mon, Oct 16, 2023 at 9:01 AM Mikko Rapeli <[email protected]> wrote:
> > >
> > > Many recipes embed other SW components. The name and version of the
> > > embedded SW component differs from the main recipe. To detect CVEs in the
> > > embedded SW component, it needs to be added to CVE_PRODUCT list using
> > > name of the SW product in CVE database or with "vendor:product" syntax.
> > > Then the version of the embedded SW component can be set using
> > > CVE_VERSION_product variable.
> > >
> > > For example in meta-arm, trusted-firmware-a embeds mbed_tls SW component.
> > > Thus trusted-firmware-a can add CVE_PRODUCT for it since CVE database
> > > uses product name "mbed_tls":
> > >
> > > CVE_PRODUCT += "mbed_tls"
> > >
> > > and set the version of mbed_tls:
> > >
> > > CVE_VERSION_mbed_tls = "2.28.4"
> > >
> > > (Real patches for both are a bit more complex due to conditional build
> > > enabling mbed_tls support and due to mbed_tls version being set in an
> > > .inc file.)
> > >
> >
> > I like the support for embedded software. In this approach, I'm wondering
> > how it would work for packages like curl that have multiple CPEs. Would we
> > need to duplicate the list of CPEs?
>
> The current approach of listing multiple CPEs in CVE_PRODUCT still works.
> It's just possible to include a different version for an entry in CVE_PRODUCT
> via CVE_VERSION_swcomponent variable. It will fall back to PV.
>
> > There are layers/recipes where we have a very long list of embedded components,
> > meta-zephyr is probably the best example.
>
> Yes, I think this embedding of SW components is very common. I think some of the
> LICENSE data does reflect this but not in all cases.
>
> Cheers,
>
> -Mikko

-- 
Best regards,
José Quaresma
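The lookup semantics discussed in the thread above (a per-entry CVE_VERSION_<product> overriding PV, with plain and "vendor:product" entries in CVE_PRODUCT), as an added illustration that is not the patch's or cve-check.bbclass's own code: a dict stands in for the BitBake datastore, and the TF-A PV, the arm CPE vendor and the curl entries are constructed sample values.

```python
# Added illustration of the CVE_PRODUCT / CVE_VERSION_<product> lookup described
# in the thread; NOT the real cve-check.bbclass code. A plain dict stands in for
# the BitBake datastore (d.getVar). Variable names come from the thread; the
# sample versions and vendor strings are constructed.

def parse_cve_product(entry):
    """Split one CVE_PRODUCT entry into (vendor, product).

    Entries are either a bare product name as used in the CVE database
    ("mbed_tls") or "vendor:product". A missing vendor is returned as None
    so the caller can treat it as a wildcard match.
    """
    if ":" in entry:
        vendor, product = entry.split(":", 1)
        return vendor, product
    return None, entry


def resolve_cve_versions(datastore):
    """Return (vendor, product, version) for every CVE_PRODUCT entry.

    The version is CVE_VERSION_<product> when the recipe sets it, otherwise
    it falls back to PV, so recipes that list several CPEs for the same
    upstream (the curl case from the thread) need no duplicated versions.
    """
    pv = datastore["PV"]
    resolved = []
    for entry in datastore.get("CVE_PRODUCT", "").split():
        vendor, product = parse_cve_product(entry)
        version = datastore.get("CVE_VERSION_" + product) or pv
        resolved.append((vendor, product, version))
    return resolved


# Constructed sample modelled on the trusted-firmware-a / mbed_tls example.
TFA_VARS = {
    "PN": "trusted-firmware-a",
    "PV": "2.9.0",                                   # constructed
    "CVE_PRODUCT": "arm:trusted_firmware-a mbed_tls",  # vendor string constructed
    "CVE_VERSION_mbed_tls": "2.28.4",                # version from the thread
}

# Constructed sample for a recipe with several CPEs but a single version.
CURL_VARS = {"PN": "curl", "PV": "8.4.0", "CVE_PRODUCT": "curl libcurl"}

if __name__ == "__main__":
    for datastore in (TFA_VARS, CURL_VARS):
        for vendor, product, version in resolve_cve_versions(datastore):
            print(f"{datastore['PN']}: {vendor or '*'}:{product} {version}")
```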
