Hi,

A review was conducted of the database entries, upstream sources, and the 
associated CVE records for util-linux. Below is a detailed analysis and the 
corresponding rationale.

Observations:

  * There are four vendor names associated with the util-linux product:
    andries_brouwer, linux, util-linux_project, and kernel.
  * `andries_brouwer:util-linux` and `linux:util-linux` are legacy entries from
    older CVEs (pre-2012).
  * `util-linux_project` represents a transitional vendor namespace, now largely
    deprecated.

Upstream Source Mapping:

  * The current upstream source code repositories found from README are:
      * GitHub: https://github.com/util-linux/util-linux.git
      * Kernel.org: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
  * CVEs from 2018–2024 referencing util-linux use the CPE vendor `kernel`:

        "cpe:2.3:a:kernel:util-linux"

  * Legacy CVEs (e.g., CVE-2008-1926, CVE-2011-1675/1676/1677) sometimes reference
    `linux:util-linux` or `andries_brouwer:util-linux`, but these are historical
    and correspond to older releases no longer maintained.

Conclusion:

  * All entries are “correct” in the sense that they exist in historical CVE/CPE
    mappings.
  * However, only `kernel:util-linux` corresponds to the current upstream project
    and is used in **active CVE tracking** today.

False Positive Analysis:

  1. The proposed change aligns CVE mapping with the official upstream project.
  2. It ensures that CVEs from modern releases are correctly linked to the live
     repository.
  3. It maintains historical records in the database for reference, but prevents
     them from being misattributed to “current” upstream versions.

Key point:

  * There are no false positives being removed, and historical entries
    (`linux:util-linux`, `andries_brouwer:util-linux`) remain in the database for
    archival purposes.

Commit message will be updated accordingly.

Regards.
Het
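Added example, not code from this thread or from OE-core's cve-check: a small Python model of how a bare product entry versus a vendor:product entry in CVE_PRODUCT changes which CPE records match, run over constructed sample records that use the four util-linux vendor namespaces discussed above. The matching semantics are an assumption modelled on the patch, and the CVE ids are placeholders.

```python
import re

# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:...
CPE23 = re.compile(r"^cpe:2\.3:([aho]):([^:]+):([^:]+):")

# Constructed sample records with placeholder CVE ids (not real CVE data);
# the four vendor namespaces are the ones seen in the thread, plus one
# unrelated kernel product to show that vendor alone is not enough.
SAMPLE_RECORDS = {
    "CVE-EXAMPLE-0001": ["cpe:2.3:a:andries_brouwer:util-linux:2.12:*:*:*:*:*:*:*"],
    "CVE-EXAMPLE-0002": ["cpe:2.3:a:linux:util-linux:2.19:*:*:*:*:*:*:*"],
    "CVE-EXAMPLE-0003": ["cpe:2.3:a:util-linux_project:util-linux:2.26:*:*:*:*:*:*:*"],
    "CVE-EXAMPLE-0004": ["cpe:2.3:a:kernel:util-linux:2.37:*:*:*:*:*:*:*"],
    "CVE-EXAMPLE-0005": ["cpe:2.3:a:kernel:linux_kernel:5.10:*:*:*:*:*:*:*"],
}

def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    m = CPE23.match(cpe)
    if not m:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return m.group(2), m.group(3)

def parse_cve_product(value):
    """Split a CVE_PRODUCT value into (vendor or None, product) pairs.

    Assumed semantics, modelled on the patch: a bare product matches that
    product under any vendor; vendor:product matches only that vendor.
    """
    pairs = []
    for entry in value.split():
        vendor, sep, product = entry.rpartition(":")
        pairs.append((vendor if sep else None, product))
    return pairs

def matching_cves(cve_product, records=SAMPLE_RECORDS):
    """Return sorted CVE ids whose CPEs match the given CVE_PRODUCT value."""
    pairs = parse_cve_product(cve_product)
    hits = set()
    for cve_id, cpes in records.items():
        for cpe in cpes:
            vendor, product = parse_cpe(cpe)
            if any(p == product and v in (None, vendor) for v, p in pairs):
                hits.add(cve_id)
    return sorted(hits)

if __name__ == "__main__":
    for value in ("util-linux", "kernel:util-linux"):
        print(f'CVE_PRODUCT = "{value}" -> {matching_cves(value)}')
```

Listing more than one vendor:product entry in the value keeps a second namespace in scope while still excluding the rest.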
________________________________
From: Marko, Peter <[email protected]>
Sent: Thursday, February 26, 2026 6:47 PM
To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) 
<[email protected]>; [email protected] 
<[email protected]>
Cc: xe-linux-external(mailer list) <[email protected]>; Viral Chavda 
(vchavda) <[email protected]>
Subject: RE: [OE-core] [PATCH v1] util-linux: Add vendor to CVE_PRODUCT to 
exclude false positives
> -----Original Message-----
> From: [email protected] <openembedded-
> [email protected]> On Behalf Of Het Patel via
> lists.openembedded.org
> Sent: Thursday, February 26, 2026 13:54
> To: [email protected]
> Cc: [email protected]; [email protected]
> Subject: [OE-core] [PATCH v1] util-linux: Add vendor to CVE_PRODUCT to
> exclude false positives
>
> From: Het Patel <[email protected]>
>
> - Added the vendor to CVE_PRODUCT to prevent false positives.
>
> Signed-off-by: Het Patel <[email protected]>
> ---
>  meta/recipes-core/util-linux/util-linux.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/util-linux/util-linux.inc 
> b/meta/recipes-core/util-
> linux/util-linux.inc
> index deb9bfd064..81fefa5afa 100644
> --- a/meta/recipes-core/util-linux/util-linux.inc
> +++ b/meta/recipes-core/util-linux/util-linux.inc
> @@ -24,4 +24,4 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-
> linux/v${MAJOR_VERSION}/util-lin
>
>  SRC_URI[sha256sum] =
> "3330d873f0fceb5560b89a7dc14e4f3288bbd880e96903ed9b50ec2b5799e58b"
>
> -CVE_PRODUCT = "util-linux"
> +CVE_PRODUCT = "kernel:util-linux"
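Review bot: the commit message says the change prevents false positives but names none, and the switch from `CVE_PRODUCT = "util-linux"` to `CVE_PRODUCT = "kernel:util-linux"` narrows matching to a single vendor namespace, so CVEs recorded under the other util-linux vendors in the database (andries_brouwer, linux, util-linux_project in the query output below) will no longer be reported for this recipe. The commit message should state why those entries are out of scope (for example that they correspond to legacy, unmaintained releases) so the narrowing is documented as an intentional vendor pin rather than as removal of false positives.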

Which false positives are you trying to remove?
I think that all of these are correct and there are not false positives:

sqlite> select count(*), vendor, product from products where product like 
'%util-linux%' group by vendor, product;
29|andries_brouwer|util-linux
16|kernel|util-linux
56|linux|util-linux
1|util-linux_project|util-linux
