On 10 Jul 2026, at 08:43, mark.yang via lists.openembedded.org <[email protected]> wrote: > NVD lists it as cryptography.io:cryptography, > and CNA lists it as pyca:cryptography, so CVE_PRODUCT is set to cryptography.
“cryptography” is vague and will no doubt cause false-positives in the future, and CVE_PRODUCT is actually a list, so setting it to "cryptography.io:cryptography pyca:cryptography” will match correctly and precisely. Ross
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240850): https://lists.openembedded.org/g/openembedded-core/message/240850 Mute This Topic: https://lists.openembedded.org/mt/120203220/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
