[v2] python3-pytest: add CVE_PRODUCT

For some reason, the CVE product is just called py and not pytest in the
NIST NVD database. Since the database only accept keywords with at least
3 characters, the CVE vendor must also be specified.

Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
---
Changes in v2:
- I forgot to sign the first version.

 meta/recipes-devtools/python/python3-pytest_8.0.2.bb | 2 ++
 1 file changed, 2 insertions(+)

On Wed, 2024-03-20 at 16:09 +0000, Emil Kronborg via
lists.openembedded.org wrote:
> For some reason, the CVE product is just called py and not pytest in
> the
> NIST NVD database. Since the database only accept keywords with at
> least
> 3 characters, the CVE vendor must also be specified.
> 
> Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
> ---
> Changes in v2:
> - I forgot to sign the first version.
> 
>  meta/recipes-devtools/python/python3-pytest_8.0.2.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> index 57e979e909c3..080b89ebdd5e 100644
> --- a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> +++ b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb
> @@ -5,6 +5,8 @@ DESCRIPTION = "The pytest framework makes it easy to
> write small tests, yet scal
>  LICENSE = "MIT"
>  LIC_FILES_CHKSUM =
> "file://LICENSE;md5=bd27e41b6550fe0fc45356d1d81ee37c"
>  
> +CVE_PRODUCT = "pytest:py"
> +
>  SRC_URI[sha256sum] =
> "d4051d623a2e0b7e51960ba963193b09ce6daeb9759a451844a21e4ddedfc1bd"
>  
>  DEPENDS += "python3-setuptools-scm-native"

I worry this is a misfiled CPE rather than general statement that
they'd always use this for pytest CVEs. We might want to talk to them
about tweaking it to be consistent? I'm certainly unsure about taking
this patch as it might mask future issues?

Cheers,

Richard

On 20 Mar 2024, at 16:09, Emil Kronborg via lists.openembedded.org <emil.kronborg=protonmail.com@lists.openembedded.org> wrote:
> 
> For some reason, the CVE product is just called py and not pytest in the
> NIST NVD database. Since the database only accept keywords with at least
> 3 characters, the CVE vendor must also be specified.

I can only find two CVEs with the CPE pytest:py and either of them are actually related to the pytest package:

https://nvd.nist.gov/vuln/detail/CVE-2020-29651
https://nvd.nist.gov/vuln/detail/CVE-2022-42969

These issues relate to https://github.com/pytest-dev/py which is not pytest.

Ross

On Thu, Mar 21, 2024 at 12:13 +0000, Richard Purdie wrote:
> I worry this is a misfiled CPE rather than general statement that
> they'd always use this for pytest CVEs. We might want to talk to them
> about tweaking it to be consistent? I'm certainly unsure about taking
> this patch as it might mask future issues?

I made a mistake. This CPE belongs to the py project by pytest [1]. The
vendor name being http://pytest.org tricked me. Searching for pytest in
the NIST NVD database yields a single CPE: pytest:py, so I think it is
fine to keep it as is, even though a CPE might appear as pytest:pytest
instead of python:pytest.

[1]: https://github.com/pytest-dev/py

On Thu, Mar 21, 2024 at 17:10 +0000, Ross Burton wrote:
> I can only find two CVEs with the CPE pytest:py and either of them are actually related to the pytest package:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2020-29651
> https://nvd.nist.gov/vuln/detail/CVE-2022-42969
> 
> These issues relate to https://github.com/pytest-dev/py which is not pytest.

You are right. This patch should not be pulled.