On 12/31/25 09:12, ChenQi wrote:
> I think your finding is important.
>
> Yet, I'd suggest we change the default value in pypi.bbclass, removing
> the 'python:' prefix.
> That would set a more reasonable value.
>
> Take NVD data as an example:
> $ grep 'cpe:2.3:a:python:' ~/.cvedb/nvdcve-2.0-* | grep -v ':python:python:' | wc -l
> 159
>
> In all NVD data, from 2002 to 2025 (+ Modified, Recent), there are only
> 159 lines that have 'python:' prefix.
> That's a very small percentage. To be honest, the number is way below my
> initial guess.
>
> So, could you please try changing the default value in pypi.bbclass to
> see how things work?
I think you are correct, and changing the default to
CVE_PRODUCT ?= "${PYPI_PACKAGE}"
would simplify things a lot, and probably would improve the status quo.
That would make about 80% of these patches obsolete, and I think the
introduced incorrect changes would be minimal (I know that it would
mis-identify as python a few wordpress and jenkins plugins and also 1 or
2 rust projects, but I am talking about ~10 recipes altogether in
meta-oe. All can be trivially corrected with specific CVE_PRODUCT) -
overall I think it would do more good than harm.
Though I haven't checked specifically, I think there are recipes
with the same issue in oe-core also, which would be helped too.
With that said, I am not on the oe-core list, and I don't plan to go back
voluntarily - if you (or anyone else) would like to propose it however,
please feel free.
> Regards,
> Qi
>
>
> On 12/30/25 23:51, Gyorgy Sarvari via lists.openembedded.org wrote:
>> Apologies for this CVE_PRODUCT patch-tsunami.
>>
>> While reviewing an earlier submitted CVE patch, I was wondering why that
>> CVE didn't show up in the CVE report - it turned out that almost all
>> recipes using the pypi class use the default CVE_PRODUCT, however there
>> are quite a few where it is not appropriate, making the cve-checker
>> miss relevant CVEs.
>>
>> For today I don't plan to spam further, but I'm only about halfway
>> through my list for the master branch, about the same amount left for
>> tomorrow-ish.
>>
>>
>>
>>
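As an added illustration of the point discussed in this thread (this is not code from the cve-check or pypi classes, nor from anyone on the thread), the following Python model shows how a vendor-prefixed CVE_PRODUCT such as "python:examplelib" selects fewer NVD CPE entries than the bare product name "examplelib", and reproduces the vendor count from the grep above on constructed data. It assumes the documented CVE_PRODUCT syntax (a bare product name, or "vendor:product"); the CPE strings, vendor and product names are constructed samples, not real NVD records.

```python
"""Model of how a CVE_PRODUCT value selects NVD CPE 2.3 entries.

Added illustration only; assumes CVE_PRODUCT entries are either a bare
product name (matches any vendor) or "vendor:product" (pins the vendor).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str


def parse_cpe23(cpe: str) -> Cpe:
    """Extract vendor and product from cpe:2.3:part:vendor:product:version:..."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return Cpe(vendor=fields[3], product=fields[4])


def parse_cve_product(entry: str) -> Tuple[Optional[str], str]:
    """Split a CVE_PRODUCT entry into (vendor or None, product)."""
    vendor, sep, product = entry.partition(":")
    if sep:
        return vendor, product
    return None, entry


def cve_product_matches(entry: str, cpe: str) -> bool:
    """True when the CPE entry would be reported for this CVE_PRODUCT value."""
    want_vendor, want_product = parse_cve_product(entry)
    have = parse_cpe23(cpe)
    if have.product != want_product:
        return False
    # A bare product name matches every vendor; "vendor:product" pins it.
    return want_vendor is None or want_vendor == have.vendor


def matching_cpes(entry: str, cpes: Iterable[str]) -> List[str]:
    """All CPE strings the given CVE_PRODUCT entry selects."""
    return [c for c in cpes if cve_product_matches(entry, c)]


def count_python_vendor_non_python(cpes: Iterable[str]) -> int:
    """Equivalent of: grep 'cpe:2.3:a:python:' | grep -v ':python:python:' | wc -l"""
    return sum(
        1
        for c in cpes
        if (p := parse_cpe23(c)).vendor == "python" and p.product != "python"
    )


# Constructed sample data: an upstream that NVD lists under two vendors,
# plus CPython itself (vendor "python", product "python").
SAMPLE_CPES = [
    "cpe:2.3:a:python:examplelib:1.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:examplelib:1.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python:python:3.12.0:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    # Old default style: vendor pinned to "python" -> one hit.
    print("python:examplelib ->", matching_cpes("python:examplelib", SAMPLE_CPES))
    # Proposed default: bare product name -> both vendors' entries are reported.
    print("examplelib        ->", matching_cpes("examplelib", SAMPLE_CPES))
    print("vendor python, product != python:",
          count_python_vendor_non_python(SAMPLE_CPES))
```

Run as a script, the pinned form reports only the "python" vendor entry, while the bare name also picks up the "examplevendor" entry; a recipe whose upstream is not listed under the "python" vendor silently gets no CVEs with the pinned form, which is the miss described in this thread. The trade-off in the other direction (a bare name occasionally matching an unrelated vendor's product of the same name) is the reason a specific CVE_PRODUCT is still wanted for the few recipes where the name collides.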
View/Reply Online (#123076):
https://lists.openembedded.org/g/openembedded-devel/message/123076