* [PATCH v2] pypi.bbclass: remove vendor from CVE_PRODUCT
@ 2024-03-20 16:08 Emil Kronborg
From: Emil Kronborg @ 2024-03-20 16:08 UTC
  To: openembedded-core; +Cc: rasmus.villemoes, Emil Kronborg

By specifying the CVE vendor as python, some CVEs are not found. For
instance, the CVE_PRODUCT for python3-pyopenssl becomes
python:pyopenssl, which yields no matches in the NIST NVD database
because the correct CVE vendor is pyopenssl.

Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most
cases. However, some package names, such as python3-pytest, are
unrelated to the correct CVE product. In this case, the correct CVE
vendor is pytest, but the CVE product is py, resulting in no CVEs being
found. Therefore, not setting the CVE vendor is the most correct option.

Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
---
Changes in v2:
- I forgot to sign the first version.

 meta/classes-recipe/pypi.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/pypi.bbclass b/meta/classes-recipe/pypi.bbclass
index b8c18ccf395a..64ef9148d27e 100644
--- a/meta/classes-recipe/pypi.bbclass
+++ b/meta/classes-recipe/pypi.bbclass
@@ -35,4 +35,4 @@ UPSTREAM_CHECK_PYPI_PACKAGE ?= "${@d.getVar('PYPI_PACKAGE').replace('_', '-')}"
 UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${UPSTREAM_CHECK_PYPI_PACKAGE}/"
 UPSTREAM_CHECK_REGEX ?= "/${UPSTREAM_CHECK_PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"
 
-CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"
+CVE_PRODUCT ?= "${PYPI_PACKAGE}"
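Review bot: dropping the vendor turns `CVE_PRODUCT` into the bare `${PYPI_PACKAGE}`, which matches that product name under any NVD vendor, so this hunk trades the false negatives named in the commit message (`python:pyopenssl` finding nothing because the NVD vendor is `pyopenssl`) for possible false positives wherever a PyPI package name collides with an unrelated product; it also does not help the `python3-pytest` case, since `pytest` still differs from the NVD product `py`. Because the assignment stays `?=`, recipes where vendor or product differ from the PyPI name can still set `CVE_PRODUCT = "vendor:product"` themselves; a before/after cve-check comparison over the python3-* recipes, as asked for in the thread, would show the net effect of the wider match.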
-- 
2.44.0
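To make the matching behaviour discussed in the commit message concrete, here is an added, self-contained Python model of how a `CVE_PRODUCT` value (`vendor:product` or a bare product name) is compared against NVD CPE records. This is example code written for this page, not code from pypi.bbclass or cve-check.bbclass; the matching rule (bare name = any vendor, `vendor:product` = exact pair) is an assumption stated in the comments, and the CPE records and CVE ids are constructed placeholders, not real advisories.

```python
"""
Simplified model of CVE_PRODUCT matching against NVD-style CPE records.

Added example for this thread, not code from pypi.bbclass or cve-check.bbclass.
Assumed rule: a bare product name matches that product under any vendor, and
"vendor:product" matches only that exact vendor/product pair.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    cve: str


# Constructed sample records; the CVE ids are placeholders, not real advisories.
SAMPLE_NVD = [
    Cpe("pyopenssl", "pyopenssl", "CVE-PLACEHOLDER-1"),  # vendor is the project itself
    Cpe("pytest", "py", "CVE-PLACEHOLDER-2"),            # product differs from PyPI name
    Cpe("python", "python", "CVE-PLACEHOLDER-3"),        # the interpreter itself
    Cpe("acme", "widget", "CVE-PLACEHOLDER-4"),          # hypothetical name collision
]


def parse_cve_product(value: str) -> list[tuple[str | None, str]]:
    """Split a space-separated CVE_PRODUCT value into (vendor, product) pairs.

    A bare name yields vendor=None, meaning "any vendor"; "vendor:product"
    pins both halves.
    """
    pairs: list[tuple[str | None, str]] = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
            pairs.append((vendor, product))
        else:
            pairs.append((None, entry))
    return pairs


def match_cves(cve_product: str, nvd: list[Cpe] = SAMPLE_NVD) -> set[str]:
    """Return the CVE ids whose CPE matches any parsed (vendor, product) pair.

    The product must match exactly; a None vendor acts as a wildcard.
    """
    hits: set[str] = set()
    for vendor, product in parse_cve_product(cve_product):
        for rec in nvd:
            if rec.product == product and (vendor is None or rec.vendor == vendor):
                hits.add(rec.cve)
    return hits


def pypi_cve_product(pypi_package: str, with_vendor: bool) -> str:
    """Build the default the class assigns before ("python:${PYPI_PACKAGE}")
    and after ("${PYPI_PACKAGE}") the patch in this thread."""
    return f"python:{pypi_package}" if with_vendor else pypi_package


if __name__ == "__main__":
    for pkg in ("pyopenssl", "pytest", "widget"):
        before = match_cves(pypi_cve_product(pkg, True))
        after = match_cves(pypi_cve_product(pkg, False))
        print(f"{pkg:10s} before={sorted(before)} after={sorted(after)}")
    # A recipe can still pin the pair explicitly when the PyPI name is wrong:
    print("pytest:py  explicit=", sorted(match_cves("pytest:py")))
```

Running it shows the three outcomes the review is concerned with: `pyopenssl` goes from no hits to the correct record once the `python` vendor is dropped, `pytest` still finds nothing either way because the NVD product is `py` (an explicit `pytest:py` override is what fixes that recipe), and the constructed `widget` package picks up a record under an unrelated vendor, which is the false-positive side of a vendor wildcard.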

* Re: [OE-core] [PATCH v2] pypi.bbclass: remove vendor from CVE_PRODUCT
  2024-03-20 16:08 [PATCH v2] pypi.bbclass: remove vendor from CVE_PRODUCT Emil Kronborg
@ 2024-03-21 17:16 ` Ross Burton
From: Ross Burton @ 2024-03-21 17:16 UTC
  To: emil.kronborg@protonmail.com; +Cc: OE-core, rasmus.villemoes@prevas.dk

On 20 Mar 2024, at 16:08, Emil Kronborg via lists.openembedded.org <emil.kronborg=protonmail.com@lists.openembedded.org> wrote:
> 
> By specifying the CVE vendor as python, some CVEs are not found. For
> instance, the CVE_PRODUCT for python3-pyopenssl becomes
> python:pyopenssl, which yields no matches in the NIST NVD database
> because the correct CVE vendor is pyopenssl.
> 
> Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most
> cases. However, some package names, such as python3-pytest, are
> unrelated to the correct CVE product. In this case, the correct CVE
> vendor is pytest, but the CVE product is py, resulting in no CVEs being
> found. Therefore, not setting the CVE vendor is the most correct option.

Have you got comparison reports for a world run before and after this change so we can see what the difference is?

Ross


* Re: [OE-core] [PATCH v2] pypi.bbclass: remove vendor from CVE_PRODUCT
  2024-03-21 17:16 ` [OE-core] " Ross Burton
@ 2024-03-23 15:52   ` Emil Kronborg
From: Emil Kronborg @ 2024-03-23 15:52 UTC
  To: Ross Burton; +Cc: OE-core, rasmus.villemoes@prevas.dk

On Thu, Mar 21, 2024 at 17:16 +0000, Ross Burton wrote:
> Have you got comparison reports for a world run before and after this change so we can see what the difference is?

No. After setting CVE_PRODUCT for around 5 python-* recipes, I noticed
a pattern, which led me to pypi.bbclass. Here, I saw that the product is
hardcoded to 'python', and thought it would be easier (and more correct)
to fix it in a single place instead of multiple recipes.

-- 
Emil Kronborg