Add linux:linux to CVE_PRODUCT. linux:linux is used by the kernel CNA in raw CVE entries. We can't use just linux, because of conflicts with CPE entries of multiple distributions.
Signed-off-by: Marta Rybczynska <[email protected]> --- meta/classes-recipe/kernel.bbclass | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index 89badd90f1..2a4f3defda 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass @@ -21,7 +21,10 @@ PACKAGE_WRITE_DEPS += "depmodwrapper-cross" do_deploy[depends] += "depmodwrapper-cross:do_populate_sysroot gzip-native:do_populate_sysroot" do_clean[depends] += "make-mod-scripts:do_clean" -CVE_PRODUCT ?= "linux_kernel" +# CPE entries from NVD use linux_kernel, but the raw CVE entries from the kernel CNA have +# vendor: linux and product: linux. Note that multiple distributions use "linux" as a product +# name, so we need to fill vendor to avoid false positives +CVE_PRODUCT ?= "linux_kernel linux:linux" S = "${STAGING_KERNEL_DIR}" B = "${WORKDIR}/build" -- 2.43.0
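Review bot: the changed CVE_PRODUCT line keeps the weak ?= assignment, so a kernel recipe or layer that already sets CVE_PRODUCT itself will not pick up linux:linux and will keep matching only on its own value. It is worth saying so in the commit message or the new comment, so that recipe maintainers know to add linux:linux themselves. The new comment also explains why "linux" needs a vendor but leaves linux_kernel unqualified in the same value without saying that this is intentional. Either vendor-qualify that entry too, or add a sentence to the comment saying the bare product name is unambiguous. Minor wording: "fill vendor" would read better as "specify the vendor", and the comment's last sentence lacks a full stop.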
