I think your finding is important.
Yet, I'd suggest we change the default value in pypi.bbclass, removing
the 'python:' prefix.
That would set a more reasonable value.
Take NVD data as an example:
$ grep 'cpe:2.3:a:python:' ~/.cvedb/nvdcve-2.0-* | grep -v ':python:python:' | wc -l
159
In all NVD data, from 2002 to 2025 (+ Modified, Recent), there are only
159 lines that have 'python:' prefix.
That's a very small percentage. To be honest, the number is way below my
initial guess.
So, could you please try changing the default value in pypi.bbclass to
see how things work?
Regards,
Qi
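To make the effect of the two candidate defaults concrete, here is an added example (my own code, not from this thread, pypi.bbclass or cve-check.bbclass). It reproduces the grep above on constructed NVD-style lines, then shows which CPE entries a CVE_PRODUCT of 'python:<pn>' versus a bare '<pn>' would select. It assumes that cve-check treats a CVE_PRODUCT entry as either 'product' or 'vendor:product', with a bare product matching any vendor; the NVD lines, vendor and product names are constructed for the example.

```python
"""Added example (not from the thread or the OE classes): compare CVE_PRODUCT
matching with and without a vendor prefix against constructed NVD CPE data."""
import re

# Constructed stand-in for lines from nvdcve-2.0-*.json; not real NVD records.
SAMPLE_NVD_LINES = """\
{"vulnerable": true, "criteria": "cpe:2.3:a:python:python:3.12.0:*:*:*:*:*:*:*"}
{"vulnerable": true, "criteria": "cpe:2.3:a:python:foo:1.0.0:*:*:*:*:*:*:*"}
{"vulnerable": true, "criteria": "cpe:2.3:a:foo_project:foo:1.0.0:*:*:*:*:*:*:*"}
{"vulnerable": true, "criteria": "cpe:2.3:a:python:bar:2.0.0:*:*:*:*:*:*:*"}
{"vulnerable": true, "criteria": "cpe:2.3:a:barorg:bar:2.0.0:*:*:*:*:*:*:*"}
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:*:*:*:*:*:*:*"}
"""

CPE_RE = re.compile(r'cpe:2\.3:[^"]+')


def extract_cpes(text):
    """Pull every CPE 2.3 string out of NVD-style JSON text (what the grep sees)."""
    return CPE_RE.findall(text)


def parse_cpe23(cpe):
    """Return (part, vendor, product) from a CPE 2.3 formatted string.
    Escaped colons are not handled; fine for application CPEs of this shape."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields[2], fields[3], fields[4]


def count_vendor_prefixed(cpes, vendor="python"):
    """Same question as the thread's grep: CPEs whose vendor is `vendor`
    but whose product is not also `vendor` (':python:python:' excluded)."""
    return sum(1 for c in cpes
               if parse_cpe23(c)[1] == vendor and parse_cpe23(c)[2] != vendor)


def parse_cve_product(spec):
    """Split one CVE_PRODUCT entry into (vendor, product).
    Assumption: 'vendor:product' pins the vendor, a bare 'product' matches
    any vendor. '%' stands for 'any vendor' here."""
    if ":" in spec:
        vendor, product = spec.split(":", 1)
        return vendor, product
    return "%", spec


def matching_cpes(cpes, cve_product):
    """CPEs that a single CVE_PRODUCT entry would select."""
    vendor, product = parse_cve_product(cve_product)
    return [c for c in cpes
            if parse_cpe23(c)[2] == product
            and (vendor == "%" or parse_cpe23(c)[1] == vendor)]


def compare_defaults(cpes, pn):
    """Matches for the current pypi.bbclass default ('python:<pn>') and for
    the proposed bare '<pn>' default, in that order."""
    return matching_cpes(cpes, f"python:{pn}"), matching_cpes(cpes, pn)


if __name__ == "__main__":
    cpes = extract_cpes(SAMPLE_NVD_LINES)
    print("python-vendor CPEs (excluding python:python):", count_vendor_prefixed(cpes))
    for pn in ("foo", "bar"):
        with_prefix, bare = compare_defaults(cpes, pn)
        print(f"{pn}: 'python:{pn}' -> {len(with_prefix)} CPE(s), '{pn}' -> {len(bare)} CPE(s)")
```

The bare default is a superset: everything 'python:<pn>' selects is still selected, plus the entries NVD filed under the project's own vendor. The price is that a generic product name may now also pull in unrelated vendors' CPEs, which is the case where a recipe should keep setting CVE_PRODUCT explicitly.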
On 12/30/25 23:51, Gyorgy Sarvari via lists.openembedded.org wrote:
Apologies for this CVE_PRODUCT patch-tsunami.
While reviewing an earlier submitted CVE patch, I was wondering why that
CVE didn't show up in the CVE report - it turned out that almost all
recipes using the pypi class use the default CVE_PRODUCT, however there
are quite a few where it is not appropriate, making the cve-checker
miss relevant CVEs.
For today I don't plan to spam further, but I'm only about halfway
through my list for the master branch, with about the same amount left for
tomorrow-ish.
View/Reply Online (#123075):
https://lists.openembedded.org/g/openembedded-devel/message/123075