| Message ID | 20260226125105.47526-4-hetpat@cisco.com |
|---|---|
| State | Under Review |
| Series | [meta-oe,v1] googletest: Add CVE_PRODUCT to support product name |
> -----Original Message----- > From: openembedded-devel@lists.openembedded.org <openembedded- > devel@lists.openembedded.org> On Behalf Of Het Patel via > lists.openembedded.org > Sent: Thursday, February 26, 2026 13:51 > To: openembedded-devel@lists.openembedded.org > Cc: xe-linux-external@cisco.com; vchavda@cisco.com > Subject: [oe] [meta-oe] [PATCH v1] googletest: Add CVE_PRODUCT to support > product name > > From: Het Patel <hetpat@cisco.com> > > - Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE > reporting. > > Signed-off-by: Het Patel <hetpat@cisco.com> > --- > meta-oe/recipes-test/googletest/googletest_1.17.0.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta-oe/recipes-test/googletest/googletest_1.17.0.bb b/meta- > oe/recipes-test/googletest/googletest_1.17.0.bb > index c8ed80053d..242f0ac7da 100644 > --- a/meta-oe/recipes-test/googletest/googletest_1.17.0.bb > +++ b/meta-oe/recipes-test/googletest/googletest_1.17.0.bb > @@ -35,3 +35,6 @@ do_configure:prepend() { > # there isn't python in HOSTTOOLS so "env python" fails > sed -i 's@^#!/usr/bin/env python$@#!/usr/bin/env python3@g' > ${S}/googlemock/test/*py ${S}/googletest/test/*py > } > + > +# Add CVE_PRODUCT to match the NVD CPE product name > +CVE_PRODUCT = "google:google_test" Where is this CPE coming from? Afaik there is no CVE for googletest to look at used CPEs. Please add reference to the commit message.
Hi,

The CPE reference comes from the NVD entry for `google_test`. One of the CPEs used is: https://nvd.nist.gov/products/cpe/detail/5806549A-1DCE-4225-80C6-7099B53A0F77?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Agoogle%3Agoogle_test&status=FINAL

This CPE (`cpe:2.3:a:google:google_test`) is the product name currently defined by NVD for Googletest. The complete list of available CPEs matching `google_test` can be found here: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=google_test

You are correct that, at present, there are no CVEs reported for Googletest. However, the source code is already mapped to this CPE in NVD. Setting `CVE_PRODUCT` ensures that any future CVEs reported against this product will be correctly detected and attributed during CVE checking.

I will send a revised patch with this information clearly documented in the commit message as a reference.

Best regards,
Het.
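An added example (not part of the thread and not the cve-check code) of why the value matters: the recipe name `googletest` differs from the NVD product name `google_test`, so a lookup keyed on the recipe name would not select the CPE quoted above. The helper names and the wildcard-padded sample CPE are assumptions, as is the fallback to the recipe name when `CVE_PRODUCT` is unset; a bare product entry is treated as matching any vendor.

```python
# Simplified model of selecting NVD CPE names from a recipe's CVE_PRODUCT.
# Illustration only; it ignores CPE escaping (e.g. "\:") and version ranges.

def parse_cve_product(value):
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Entries are whitespace separated. "vendor:product" pins the vendor;
    a bare "product" is modelled as matching any vendor (vendor is None).
    """
    pairs = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = None, entry
        pairs.append((vendor, product))
    return pairs


def cpe_vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return parts[3], parts[4]


def matches(cve_product, cpe):
    """True if any CVE_PRODUCT entry selects the CPE's vendor and product."""
    vendor, product = cpe_vendor_product(cpe)
    return any(p == product and v in (None, vendor)
               for v, p in parse_cve_product(cve_product))


# Constructed sample: the CPE prefix from the thread, padded with wildcards.
SAMPLE_CPE = "cpe:2.3:a:google:google_test:*:*:*:*:*:*:*:*"

if __name__ == "__main__":
    # "googletest" stands in for the assumed recipe-name fallback.
    for value in ("googletest", "google:google_test", "google_test"):
        print("%-20s -> %s" % (value, matches(value, SAMPLE_CPE)))
```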
diff --git a/meta-oe/recipes-test/googletest/googletest_1.17.0.bb b/meta-oe/recipes-test/googletest/googletest_1.17.0.bb index c8ed80053d..242f0ac7da 100644 --- a/meta-oe/recipes-test/googletest/googletest_1.17.0.bb +++ b/meta-oe/recipes-test/googletest/googletest_1.17.0.bb @@ -35,3 +35,6 @@ do_configure:prepend() { # there isn't python in HOSTTOOLS so "env python" fails sed -i 's@^#!/usr/bin/env python$@#!/usr/bin/env python3@g' ${S}/googlemock/test/*py ${S}/googletest/test/*py } + +# Add CVE_PRODUCT to match the NVD CPE product name +CVE_PRODUCT = "google:google_test"
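Review bot: The comment above the added `CVE_PRODUCT = "google:google_test"` line only restates the assignment and gives no source for the value, so a later reader cannot verify it without searching NVD. Name the CPE it was taken from (`cpe:2.3:a:google:google_test`, as cited in the thread) in the commit message, and consider shortening the in-recipe comment to point at that CPE rather than repeating the variable name.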