| Message ID | 20260413112313.1825573-1-hjadon@cisco.com |
|---|---|
| State | New |
| Series | [meta-oe,master] augeas: Add CVE_PRODUCT to support product name |
On 4/13/26 13:23, Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Himanshu Jadon <hjadon@cisco.com> > > - Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE > reporting. > > Signed-off-by: Himanshu Jadon <hjadon@cisco.com> > --- > meta-oe/recipes-support/augeas/augeas_1.12.0.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta-oe/recipes-support/augeas/augeas_1.12.0.bb b/meta-oe/recipes-support/augeas/augeas_1.12.0.bb > index 14e818253b..10a3cf5fe1 100644 > --- a/meta-oe/recipes-support/augeas/augeas_1.12.0.bb > +++ b/meta-oe/recipes-support/augeas/augeas_1.12.0.bb > @@ -33,3 +33,6 @@ PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}" > PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux" > > EXTRA_AUTORECONF += "-I ${S}/gnulib/m4" > + > +# Add CVE_PRODUCT to match the NVD CPE product name > +CVE_PRODUCT = "augeas:augeas"
I can't find any CVE records with a different vendor in the db, and the CPE dictionary at NVD seems to have only one product with this name... Are there any misreported CVEs or potentially ambiguous CPEs that I have missed, and that triggered this patch?
Thanks for checking and raising this point. You are right that currently NVD shows only one clear CPE mapping for augeas, and at present we have not observed any misreported CVEs or any ambiguous CPE matches for this recipe. This patch was added as a proactive metadata update. The intention is to make the recipe-to-CPE mapping explicit, instead of depending on implicit name matching. This helps us keep mapping behavior stable if matching logic changes later, or if NVD adds another vendor:product combination in future with a similar token. As of now, this change does not alter current CVE report results. It is only for clarity and future safety, and it does not impact build or runtime behaviour.
On 4/15/26 08:14, Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > Thanks for checking and raising this point. > > You are right that currently NVD shows only one clear CPE mapping for > augeas, and at present we have not observed any misreported CVEs or any > ambiguous CPE matches for this recipe. > > This patch was added as a proactive metadata update. The intention is to > make the recipe-to-CPE mapping explicit, instead of depending on implicit > name matching. This helps us keep mapping behavior stable if matching > logic changes later, or if NVD adds another vendor:product combination in > future with a similar token. > > As of now, this change does not alter current CVE report results. It > is only for clarity and future safety, and it does not impact build or > runtime behaviour.
The current behavior is considered to be a feature: most recipes work just fine with the default CVE_PRODUCT (including this one). Explicit CVE_PRODUCT tags should be added only when they are really needed - when there are multiple CPEs associated with a recipe, or when multiple vendors provide different software with the same name. (Otherwise, if this explicit vendor:product matching were really desired, it should be done for all recipes, not only 1-2 select ones - but in that case the change would fit the originating bbclass better.)
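To make the difference between the two forms concrete, here is an added Python example. It is not code from the augeas recipe, from cve-check.bbclass, or from anyone in this thread; it only mimics how cve-check tokenises CVE_PRODUCT (space-separated tokens, each either `product` or `vendor:product`, with the default being the recipe name) and matches the result against a CPE table. The table below is constructed inside the script: the `example-vendor` and `example-product` entries do not exist in NVD and exist only to show what an explicit vendor pin changes when a second vendor with the same product name appears.

```python
"""Show how a CVE_PRODUCT value selects CPE records.

Added example, not code from the augeas recipe or from cve-check.bbclass.
It mimics cve-check's tokenisation: a bare token means "this product under
any vendor", while "vendor:product" restricts the match to one vendor.
"""
from typing import List, Tuple

# Constructed CPE table of (vendor, product, label). The entries with
# "example-vendor" / "example-product" are made up for this example and
# are NOT real NVD data; the first entry mirrors the real augeas CPE.
CPE_TABLE: List[Tuple[str, str, str]] = [
    ("augeas", "augeas", "constructed-record-1"),
    ("example-vendor", "augeas", "constructed-record-2"),
    ("augeas", "example-product", "constructed-record-3"),
]

ANY_VENDOR = "*"


def parse_cve_product(value: str) -> List[Tuple[str, str]]:
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    "augeas"            -> [("*", "augeas")]        any vendor
    "augeas:augeas"     -> [("augeas", "augeas")]   pinned vendor
    "a:b c"             -> [("a", "b"), ("*", "c")] several products
    """
    pairs: List[Tuple[str, str]] = []
    for token in value.split():
        if ":" in token:
            vendor, product = token.split(":", 1)
        else:
            vendor, product = ANY_VENDOR, token
        pairs.append((vendor, product))
    return pairs


def matching_records(value: str,
                     table: List[Tuple[str, str, str]] = CPE_TABLE) -> List[str]:
    """Return the labels of table rows selected by a CVE_PRODUCT value.

    Product names must match exactly; the vendor matches either exactly
    or, for a bare token, against any vendor.
    """
    wanted = parse_cve_product(value)
    hits: List[str] = []
    for vendor, product, label in table:
        for want_vendor, want_product in wanted:
            if product == want_product and want_vendor in (ANY_VENDOR, vendor):
                hits.append(label)
                break  # one hit per row even if several tokens match
    return hits


def main() -> None:
    # The default CVE_PRODUCT is the recipe name, i.e. the bare token.
    for value in ("augeas", "augeas:augeas", "augeas:augeas augeas:example-product"):
        print(f'CVE_PRODUCT = "{value}" -> {matching_records(value)}')


if __name__ == "__main__":
    main()
```

With only the real `augeas:augeas` row present the bare default and the pinned form select the same record, which is the thread's point: the pin changes nothing today and only matters if a second vendor with the same product name, like the constructed `example-vendor` row, ever shows up in NVD.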
diff --git a/meta-oe/recipes-support/augeas/augeas_1.12.0.bb b/meta-oe/recipes-support/augeas/augeas_1.12.0.bb index 14e818253b..10a3cf5fe1 100644 --- a/meta-oe/recipes-support/augeas/augeas_1.12.0.bb +++ b/meta-oe/recipes-support/augeas/augeas_1.12.0.bb @@ -33,3 +33,6 @@ PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}" PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux" EXTRA_AUTORECONF += "-I ${S}/gnulib/m4" + +# Add CVE_PRODUCT to match the NVD CPE product name +CVE_PRODUCT = "augeas:augeas"
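Review bot: the comment added above the new assignment, "# Add CVE_PRODUCT to match the NVD CPE product name", restates what the line does rather than why it is needed, and the thread establishes that the default CVE_PRODUCT already matches the single augeas CPE with no misreported CVEs. Either drop the hunk, as the maintainer reply suggests, or if it is kept, replace the comment with the concrete ambiguity it resolves (the second vendor or extra CPE that would otherwise be matched) so the next reader does not have to rediscover that there is none.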