Message ID | 20240320160849.231211-1-emil.kronborg@protonmail.com
---|---
State | New
Series | [v2] file: add CVE_PRODUCT
On 20 Mar 2024, at 16:08, Emil Kronborg via lists.openembedded.org <emil.kronborg=protonmail.com@lists.openembedded.org> wrote:
> Having only file as the CVE product is too generic. What we actually
> want is file from file_project to match the correct CVE(s).

There's also file:file, for example https://nvd.nist.gov/vuln/detail/CVE-2007-2799.

Ross
On Thu, Mar 21, 2024 at 17:15 +0000, Ross Burton wrote:
> There’s also file:file, for example https://nvd.nist.gov/vuln/detail/CVE-2007-2799.
Hm, clicking on "Show Matching CPE(s)" gives no matches, which a search
also confirms. Searching for file_project:file yields results with
identical versioning to the file project [1], and the vendor website
also matches. My guess is that NIST changed the CPE name at some point,
but I am unsure if or how I can confirm that.
[1]: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afile_project%3Afile
diff --git a/meta/recipes-devtools/file/file_5.45.bb b/meta/recipes-devtools/file/file_5.45.bb index fa8dc576dccd..0144328b701c 100644 --- a/meta/recipes-devtools/file/file_5.45.bb +++ b/meta/recipes-devtools/file/file_5.45.bb @@ -8,6 +8,8 @@ SECTION = "console/utils" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdda1b" +CVE_PRODUCT = "file_project:file" + DEPENDS = "file-replacement-native" DEPENDS:class-native = "bzip2-replacement-native"
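Review bot: the added `CVE_PRODUCT = "file_project:file"` line carries no comment explaining why the bare product name was not enough, so a future maintainer has to rediscover the NVD CPE search from this thread; add a one-line comment above it in the recipe pointing at the file_project:file CPE match, and resolve with Ross whether the file:file CPE he raised also needs to be listed, since CVE_PRODUCT accepts several space-separated vendor:product entries and the hunk as posted would silently skip any CVE filed under that second name.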
Having only file as the CVE product is too generic. What we actually
want is file from file_project to match the correct CVE(s).

Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
---
Changes in v2:
- I forgot to sign the first version.

 meta/recipes-devtools/file/file_5.45.bb | 2 ++
 1 file changed, 2 insertions(+)