Re: [OE-core] [PATCH v2] file: add CVE_PRODUCT
On Thu, Mar 21, 2024 at 17:15 +, Ross Burton wrote:
> There’s also file:file, for example
> https://nvd.nist.gov/vuln/detail/CVE-2007-2799.

Hm, clicking on "Show Matching CPE(s)" gives no matches, which a search also confirms. Searching for file_project:file yields results with identical versioning to the file project [1], and the vendor website also matches. My guess is that NIST changed the CPE name at some point, but I am unsure if or how I can confirm that.

[1]: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3=cpe%3A2.3%3Aa%3Afile_project%3Afile

--
Emil Kronborg

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197454): https://lists.openembedded.org/g/openembedded-core/message/197454
Mute This Topic: https://lists.openembedded.org/mt/105047692/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH v2] file: add CVE_PRODUCT
On 20 Mar 2024, at 16:08, Emil Kronborg via lists.openembedded.org wrote:
>
> Having only file as the CVE product is too generic. What we actually
> want is file from file_project to match the correct CVE(s).

There’s also file:file, for example https://nvd.nist.gov/vuln/detail/CVE-2007-2799.

Ross
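How a vendor-qualified CVE_PRODUCT entry narrows CPE matching, as an added example that is not part of any message in this thread and is not the cve-check code from OE-core. It is a simplified model in which an entry without a vendor matches any vendor; the CPE names, `example_vendor` and the function names are constructed for illustration.

```python
import re

# Constructed sample CPE 2.3 names; only the vendor and product fields matter here.
SAMPLE_CPES = [
    "cpe:2.3:a:file_project:file:5.45:*:*:*:*:*:*:*",
    "cpe:2.3:a:file:file:4.20:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:file:1.0:*:*:*:*:*:*:*",  # hypothetical unrelated product
    "cpe:2.3:a:example_vendor:file\\:manager:2.1:*:*:*:*:*:*:*",  # escaped colon in product
]


def split_cpe(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons.

    Assumption: no field ends in an escaped backslash, which this regex
    would misread as escaping the following separator.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts


def parse_cve_product(value):
    """Turn a CVE_PRODUCT value into (vendor, product) pairs; vendor None means any."""
    pairs = []
    for entry in value.split():
        vendor, sep, product = entry.partition(":")
        pairs.append((vendor, product) if sep else (None, entry))
    return pairs


def matching_cpes(cve_product, cpes=SAMPLE_CPES):
    """Return the CPE names whose vendor and product fields match any entry."""
    wanted = parse_cve_product(cve_product)
    hits = []
    for cpe in cpes:
        vendor, product = split_cpe(cpe)[3:5]
        if any(p == product and v in (None, vendor) for v, p in wanted):
            hits.append(cpe)
    return hits


if __name__ == "__main__":
    for setting in ("file", "file_project:file", "file_project:file file:file"):
        print(f"CVE_PRODUCT = {setting!r}")
        for hit in matching_cpes(setting):
            print("   ", hit)
```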
[OE-core] [PATCH v2] file: add CVE_PRODUCT
Having only file as the CVE product is too generic. What we actually want is file from file_project to match the correct CVE(s).

Signed-off-by: Emil Kronborg
---
Changes in v2:
- I forgot to sign the first version.

meta/recipes-devtools/file/file_5.45.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/file/file_5.45.bb b/meta/recipes-devtools/file/file_5.45.bb index fa8dc576dccd..0144328b701c 100644 --- a/meta/recipes-devtools/file/file_5.45.bb +++ b/meta/recipes-devtools/file/file_5.45.bb @@ -8,6 +8,8 @@ SECTION = "console/utils" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdda1b" +CVE_PRODUCT = "file_project:file" + DEPENDS = "file-replacement-native" DEPENDS:class-native = "bzip2-replacement-native" -- 2.44.0
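Review bot: the added `CVE_PRODUCT = "file_project:file"` line pins matching to a single vendor:product pair, but neither the recipe nor the commit message records where that pair comes from. Suggest naming the NVD CPE entry it was taken from in the commit message or in a comment above the assignment, so the value can be rechecked if the CPE naming changes. If CVEs recorded under another vendor name need to match as well (the thread mentions file:file), CVE_PRODUCT accepts a space-separated list, so a second entry can be added to the same assignment once that CPE is confirmed to exist.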