Re: [OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT

2024-03-23 Thread Emil Kronborg via lists.openembedded.org
On Thu, Mar 21, 2024 at 17:10 +, Ross Burton wrote:
> I can only find two CVEs with the CPE pytest:py and either of them are 
> actually related to the pytest package:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2020-29651
> https://nvd.nist.gov/vuln/detail/CVE-2022-42969
> 
> These issues relate to https://github.com/pytest-dev/py which is not pytest.

You are right. This patch should not be pulled.

-- 
Emil Kronborg


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197457): 
https://lists.openembedded.org/g/openembedded-core/message/197457
Mute This Topic: https://lists.openembedded.org/mt/105047705/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT

2024-03-23 Thread Emil Kronborg via lists.openembedded.org
On Thu, Mar 21, 2024 at 12:13 +, Richard Purdie wrote:
> I worry this is a misfiled CPE rather than a general statement that
> they'd always use this for pytest CVEs. We might want to talk to them
> about tweaking it to be consistent? I'm certainly unsure about taking
> this patch as it might mask future issues?

I made a mistake. This CPE belongs to the py project by pytest [1]. The
vendor name being http://pytest.org tricked me. Searching for pytest in
the NIST NVD database yields a single CPE: pytest:py, so I think it is
fine to keep it as is, even though a CPE might appear as pytest:pytest
instead of python:pytest.

[1]: https://github.com/pytest-dev/py

-- 
Emil Kronborg
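The mismatch discussed in this thread can be made concrete with a small model of how cve-check applies CVE_PRODUCT: each whitespace-separated entry is either a bare product name (any vendor) or a vendor:product pair, and a CVE counts as relevant when its CPE's vendor and product match an entry. This is an added example, not OE-core's own code; the CVE ids under pytest:py are the two named in the thread, while the python:pytest record and its CVE id are constructed placeholders.

```python
# Added example (not OE-core code): model how a recipe's CVE_PRODUCT is matched
# against NVD CPE 2.3 strings. Mirrors cve-check's rule that each whitespace-
# separated entry is either "product" (any vendor) or "vendor:product".


def parse_cpe23(cpe: str) -> tuple[str, str]:
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[3], parts[4]


def cve_product_entries(cve_product: str) -> list[tuple[str, str]]:
    """Split CVE_PRODUCT into (vendor, product); vendor '*' means any vendor."""
    entries = []
    for item in cve_product.split():
        vendor, _, product = item.rpartition(":")
        entries.append((vendor or "*", product))
    return entries


def matching_cves(cve_product: str, records: list[tuple[str, str]]) -> list[str]:
    """Return the CVE ids from (cve_id, cpe) records that CVE_PRODUCT selects."""
    wanted = cve_product_entries(cve_product)
    hits = []
    for cve_id, cpe in records:
        vendor, product = parse_cpe23(cpe)
        if any(p == product and v in ("*", vendor) for v, p in wanted):
            hits.append(cve_id)
    return hits


# Constructed sample records. The two pytest:py ids are the ones named in the
# thread; the python:pytest entry is a hypothetical placeholder showing what a
# CVE filed against pytest itself would look like.
SAMPLE_RECORDS = [
    ("CVE-2020-29651", "cpe:2.3:a:pytest:py:*:*:*:*:*:*:*:*"),
    ("CVE-2022-42969", "cpe:2.3:a:pytest:py:*:*:*:*:*:*:*:*"),
    ("CVE-XXXX-PLACEHOLDER", "cpe:2.3:a:python:pytest:*:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    # The proposed value selects the py project's CVEs and misses pytest's own.
    print("pytest:py ->", matching_cves("pytest:py", SAMPLE_RECORDS))
    # The default (product only, any vendor) does the opposite.
    print("pytest    ->", matching_cves("pytest", SAMPLE_RECORDS))
```

Running it shows why the patch masks rather than fixes: "pytest:py" reports the py project's two CVEs against python3-pytest, while a CVE filed against pytest under any other vendor would be dropped.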


View/Reply Online (#197456): https://lists.openembedded.org/g/openembedded-core/message/197456



Re: [OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT

2024-03-21 Thread Ross Burton
On 20 Mar 2024, at 16:09, Emil Kronborg via lists.openembedded.org wrote:
> 
> For some reason, the CVE product is just called py and not pytest in the
> NIST NVD database. Since the database only accepts keywords with at least
> 3 characters, the CVE vendor must also be specified.

I can only find two CVEs with the CPE pytest:py and either of them are actually 
related to the pytest package:

https://nvd.nist.gov/vuln/detail/CVE-2020-29651
https://nvd.nist.gov/vuln/detail/CVE-2022-42969

These issues relate to https://github.com/pytest-dev/py which is not pytest.

Ross
View/Reply Online (#197419): https://lists.openembedded.org/g/openembedded-core/message/197419



Re: [OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT

2024-03-21 Thread Richard Purdie
On Wed, 2024-03-20 at 16:09 +, Emil Kronborg via
lists.openembedded.org wrote:
> For some reason, the CVE product is just called py and not pytest in
> the
> NIST NVD database. Since the database only accepts keywords with at
> least
> 3 characters, the CVE vendor must also be specified.
> 
> Signed-off-by: Emil Kronborg 
> ---
> Changes in v2:
> - I forgot to sign the first version.
> 
>  meta/recipes-devtools/python/python3-pytest_8.0.2.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> index 57e979e909c3..080b89ebdd5e 100644
> --- a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> +++ b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> @@ -5,6 +5,8 @@ DESCRIPTION = "The pytest framework makes it easy to
> write small tests, yet scal
>  LICENSE = "MIT"
>  LIC_FILES_CHKSUM =
> "file://LICENSE;md5=bd27e41b6550fe0fc45356d1d81ee37c"
>  
> +CVE_PRODUCT = "pytest:py"
> +
>  SRC_URI[sha256sum] =
> "d4051d623a2e0b7e51960ba963193b09ce6daeb9759a451844a21e4ddedfc1bd"
>  
>  DEPENDS += "python3-setuptools-scm-native"
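Review bot: the added `CVE_PRODUCT = "pytest:py"` line ties the python3-pytest recipe to a CPE whose product field is py, so cve-check would report CVEs filed for a different project against this recipe, while anything NVD later files for pytest under a CPE of its own would not be matched at all. Before taking the hunk, verify against NVD which project the pytest:py CPE actually tracks; if it is not pytest, leave CVE_PRODUCT at its default rather than inherit a mismatched CPE.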

I worry this is a misfiled CPE rather than a general statement that
they'd always use this for pytest CVEs. We might want to talk to them
about tweaking it to be consistent? I'm certainly unsure about taking
this patch as it might mask future issues?

Cheers,

Richard

View/Reply Online (#197413): https://lists.openembedded.org/g/openembedded-core/message/197413



[OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT

2024-03-20 Thread Emil Kronborg via lists.openembedded.org
For some reason, the CVE product is just called py and not pytest in the
NIST NVD database. Since the database only accepts keywords with at least
3 characters, the CVE vendor must also be specified.

Signed-off-by: Emil Kronborg 
---
Changes in v2:
- I forgot to sign the first version.

 meta/recipes-devtools/python/python3-pytest_8.0.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb 
b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
index 57e979e909c3..080b89ebdd5e 100644
--- a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
+++ b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
@@ -5,6 +5,8 @@ DESCRIPTION = "The pytest framework makes it easy to write 
small tests, yet scal
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=bd27e41b6550fe0fc45356d1d81ee37c"
 
+CVE_PRODUCT = "pytest:py"
+
 SRC_URI[sha256sum] = 
"d4051d623a2e0b7e51960ba963193b09ce6daeb9759a451844a21e4ddedfc1bd"
 
 DEPENDS += "python3-setuptools-scm-native"
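Review bot: the commit message justifies the new `CVE_PRODUCT = "pytest:py"` by the product being named py in NVD, but a vendor:product CPE names a project, and py is a separate project (https://github.com/pytest-dev/py), as the replies in this thread establish; the two CVEs under that CPE, CVE-2020-29651 and CVE-2022-42969, are not pytest issues. The commit message should show that the CVEs selected by the new value are pytest's own, and since it cannot, the hunk should be dropped and CVE_PRODUCT left at its default until pytest has a CPE of its own.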
-- 
2.44.0



View/Reply Online (#197369): https://lists.openembedded.org/g/openembedded-core/message/197369