| Message ID | 20240320160459.227582-1-emil.kronborg@protonmail.com |
|---|---|
| State | New |
| Series | [v2] pypi.bbclass: remove vendor from CVE_PRODUCT |
On 20 Mar 2024, at 16:08, Emil Kronborg via lists.openembedded.org <emil.kronborg=protonmail.com@lists.openembedded.org> wrote:
>
> By specifying the CVE vendor as python, some CVEs are not found. For
> instance, the CVE_PRODUCT for python3-pyopenssl becomes
> python:pyopenssl, which yields no matches in the NIST NVD database
> because the correct CVE vendor is pyopenssl.
>
> Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most
> cases. However, some package names, such as python3-pytest, are
> unrelated to the correct CVE product. In this case, the correct CVE
> vendor is pytest, but the CVE product is py, resulting in no CVEs being
> found. Therefore, not setting the CVE vendor is the most correct option.

Have you got comparison reports for a world run before and after this change so we can see what the difference is?

Ross
On Thu, Mar 21, 2024 at 17:16 +0000, Ross Burton wrote:
> Have you got comparison reports for a world run before and after this change so we can see what the difference is?
No. After setting CVE_PRODUCT for around 5 python-* recipes, I noticed
a pattern, which led me to pypi.bbclass. Here, I saw that the product is
hardcoded to 'python', and thought it would be easier (and more correct)
to fix it in a single place instead of multiple recipes.
diff --git a/meta/classes-recipe/pypi.bbclass b/meta/classes-recipe/pypi.bbclass index b8c18ccf395a..64ef9148d27e 100644 --- a/meta/classes-recipe/pypi.bbclass +++ b/meta/classes-recipe/pypi.bbclass @@ -35,4 +35,4 @@ UPSTREAM_CHECK_PYPI_PACKAGE ?= "${@d.getVar('PYPI_PACKAGE').replace('_', '-')}" UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${UPSTREAM_CHECK_PYPI_PACKAGE}/" UPSTREAM_CHECK_REGEX ?= "/${UPSTREAM_CHECK_PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/" -CVE_PRODUCT ?= "python:${PYPI_PACKAGE}" +CVE_PRODUCT ?= "${PYPI_PACKAGE}"
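Review bot: dropping the vendor turns every pypi recipe's default CVE_PRODUCT into a product-only match, so any NVD entry whose product field equals ${PYPI_PACKAGE} is reported regardless of vendor; for short or generic package names that is a false-positive risk the commit message does not discuss, and the before/after world-run comparison Ross asked for is the right way to quantify it. The python3-pytest case cited in the commit message is also not fixed by this hunk: if PYPI_PACKAGE there is pytest, the default becomes `CVE_PRODUCT ?= "pytest"` while the NVD product is stated to be py, so that recipe still needs its own `CVE_PRODUCT = "pytest:py"` override, which the message should say explicitly.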
By specifying the CVE vendor as python, some CVEs are not found. For
instance, the CVE_PRODUCT for python3-pyopenssl becomes
python:pyopenssl, which yields no matches in the NIST NVD database
because the correct CVE vendor is pyopenssl.

Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most
cases. However, some package names, such as python3-pytest, are
unrelated to the correct CVE product. In this case, the correct CVE
vendor is pytest, but the CVE product is py, resulting in no CVEs being
found. Therefore, not setting the CVE vendor is the most correct option.

Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
---
Changes in v2:
- I forgot to sign the first version.

 meta/classes-recipe/pypi.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
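To make the vendor/product matching discussed in this thread concrete, here is an added example (not code from the patch or from cve-check.bbclass): a simplified matcher that assumes a CVE_PRODUCT entry is either `vendor:product` or a bare `product` that matches any vendor, run against constructed CPE 2.3 names with placeholder CVE ids.

```python
"""Simplified model of how a CVE_PRODUCT entry selects NVD CPE entries.

Added example, not the cve-check.bbclass implementation. Assumes the
convention from the thread: "vendor:product" or just "product", where a
missing vendor acts as a wildcard.
"""

# Constructed data shaped like NVD "cpe:2.3:a:<vendor>:<product>:..." names.
# The CVE ids are placeholders, not real identifiers.
CONSTRUCTED_CPES = [
    ("cpe:2.3:a:pyopenssl:pyopenssl:*:*:*:*:*:*:*:*", "CVE-EXAMPLE-0001"),
    ("cpe:2.3:a:pytest:py:*:*:*:*:*:*:*:*", "CVE-EXAMPLE-0002"),
    ("cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*", "CVE-EXAMPLE-0003"),
    # Same product name under a different (constructed) vendor: shows the
    # false-positive side of a vendor-less match.
    ("cpe:2.3:a:othervendor:pyopenssl:*:*:*:*:*:*:*:*", "CVE-EXAMPLE-0004"),
]


def parse_cve_product(entry: str) -> tuple[str, str]:
    """Split one CVE_PRODUCT entry into (vendor, product); "*" means any vendor."""
    if ":" in entry:
        vendor, product = entry.split(":", 1)
        return vendor, product
    return "*", entry


def parse_cpe23(cpe: str) -> tuple[str, str]:
    """Extract (vendor, product) from a CPE 2.3 formatted name."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return fields[3], fields[4]


def matching_cves(cve_product: str, cpes=CONSTRUCTED_CPES) -> list[str]:
    """Return the CVE ids whose CPE matches any space-separated CVE_PRODUCT entry."""
    found = set()
    for entry in cve_product.split():
        vendor, product = parse_cve_product(entry)
        for cpe, cve in cpes:
            cpe_vendor, cpe_product = parse_cpe23(cpe)
            if cpe_product == product and vendor in ("*", cpe_vendor):
                found.add(cve)
    return sorted(found)


if __name__ == "__main__":
    for entry in ("python:pyopenssl", "pyopenssl", "pytest", "pytest:py"):
        print(f"{entry:18} -> {matching_cves(entry)}")
```

The run shows that `python:pyopenssl` matches nothing, that bare `pyopenssl` matches both vendors, and that bare `pytest` still finds nothing because the product is `py`, so that recipe needs an explicit `pytest:py`.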