From patchwork Tue Dec 30 15:48:54 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77731
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 01/10] python-gunicorn: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:48:54 +0100
Message-ID: <20251230154903.736590-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123027

There is only one relevant CVE associated with this recipe in the CVE db,
but it is tracked using gunicorn:gunicorn CPE instead of python:gunicorn
(which is the default CPE from pypi.bbclass)

See CVE db query:
sqlite> select * from products where PRODUCT like '%gunicorn%';
CVE-2018-1000164|gunicorn|gunicorn|19.4.5|=||

Set CVE_PRODUCT so that it matches relevant CVEs.

Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-gunicorn_23.0.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-gunicorn_23.0.0.bb b/meta-python/recipes-devtools/python/python3-gunicorn_23.0.0.bb index 3c819a934d..a3524d6d8e 100644 --- a/meta-python/recipes-devtools/python/python3-gunicorn_23.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-gunicorn_23.0.0.bb
@@ -7,6 +7,8 @@ SRC_URI[sha256sum] = "f014447a0101dc57e294f6c18ca6b40227a4c90e9bdb586042628030cb inherit pypi python_setuptools_build_meta ptest +CVE_PRODUCT = "gunicorn" + SRC_URI += " \ file://run-ptest \ "

From patchwork Tue Dec 30 15:48:55 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77733
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 02/10] python3-flask: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:48:55 +0100
Message-ID: <20251230154903.736590-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123028

The default python:flask CPE doesn't match relevant CVE entries which
are tracked under palletsprojects:flask CPE.

See CVE db query:
sqlite> select * from products where PRODUCT like 'flask';
CVE-2018-1000656|palletsprojects|flask|||0.12.3|<
CVE-2019-1010083|palletsprojects|flask|||1.0|<
CVE-2023-30861|palletsprojects|flask|||2.2.5|<
CVE-2023-30861|palletsprojects|flask|2.3.0|>=|2.3.2|<

Set the CVE_PRODUCT to "flask" so it matches relevant entries.

Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-flask_3.1.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-flask_3.1.2.bb b/meta-python/recipes-devtools/python/python3-flask_3.1.2.bb index de4a558bff..1b289c7227 100644 --- a/meta-python/recipes-devtools/python/python3-flask_3.1.2.bb +++ b/meta-python/recipes-devtools/python/python3-flask_3.1.2.bb
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=ffeffa59c90c9c4a033c7574f8f3fb75" SRC_URI[sha256sum] = "bf656c15c80190ed628ad08cdfd3aaa35beb087855e2f494910aa3774cc4fd87" +CVE_PRODUCT = "flask" + inherit pypi python_flit_core ptest-python-pytest CLEANBROKEN = "1"

From patchwork Tue Dec 30 15:48:56 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77737
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 03/10] python3-marshmallow: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:48:56 +0100
Message-ID: <20251230154903.736590-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123029

The default python:marshmallow CPE doesn't match the CVEs related to
this product, as they are tracked with marshmallow_project:marshmallow CPE.

See CVE db query:
sqlite> select * from products where PRODUCT like 'marshmallow';
CVE-2018-17175|marshmallow_project|marshmallow|||2.15.1|<
CVE-2018-17175|marshmallow_project|marshmallow|3.0|>=|3.0.0b9|<

Set the CVE_PRODUCT so it matches related CVEs.

Signed-off-by: Gyorgy Sarvari
--- .../recipes-devtools/python/python3-marshmallow_4.1.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb index 2919897dc3..01eead0cf8 100644 --- a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "\ SRC_URI[sha256sum] = "550aa14b619072f0a8d8184911b3f1021c5c32587fb27318ddf81ce0d0029c9d" +CVE_PRODUCT = "marshmallow" + inherit python_flit_core pypi ptest-python-pytest RDEPENDS:${PN}-ptest += " \

From patchwork Tue Dec 30 15:48:57 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77732
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 04/10] python3-parso: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:48:57 +0100
Message-ID: <20251230154903.736590-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123033

There is one related CVE tracked by NIST, using the parso_project:parso
CPE, which doesn't match the default python:parso CPE.

See CVE db query:
sqlite> select * from products where PRODUCT like 'parso';
CVE-2019-12760|parso_project|parso|||0.4.0|<=

Set the CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-parso_0.8.5.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-parso_0.8.5.bb b/meta-python/recipes-devtools/python/python3-parso_0.8.5.bb index e609a4ad73..2bde8c3f40 100644 --- a/meta-python/recipes-devtools/python/python3-parso_0.8.5.bb +++ b/meta-python/recipes-devtools/python/python3-parso_0.8.5.bb
@@ -7,6 +7,8 @@ PYPI_PACKAGE = "parso" SRC_URI[sha256sum] = "034d7354a9a018bdce352f48b2a8a450f05e9d6ee85db84764e9b6bd96dafe5a" +CVE_PRODUCT = "parso" + inherit setuptools3 pypi RDEPENDS:${PN} = " \

From patchwork Tue Dec 30 15:48:58 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77735
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 05/10] python3-nltk: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:48:58 +0100
Message-ID: <20251230154903.736590-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123030

The CVEs for this project are tracked under nltk:nltk CPE, which doesn't
match the default python:nltk CPE.

See CVE db query:
sqlite> select * from products where PRODUCT like 'nltk';
CVE-2019-14751|nltk|nltk|||3.4.5|<
CVE-2021-3828|nltk|nltk|||3.6.3|<=
CVE-2021-3842|nltk|nltk|||3.6.6|<
CVE-2021-43854|nltk|nltk|||3.6.5|<

Set the CVE_PRODUCT so it can be used to match CVEs.

Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python3-nltk/python3-nltk_3.9.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python3-nltk/python3-nltk_3.9.2.bb b/meta-python/recipes-devtools/python3-nltk/python3-nltk_3.9.2.bb index 8a1e0cc047..43c23254d9 100644 --- a/meta-python/recipes-devtools/python3-nltk/python3-nltk_3.9.2.bb +++ b/meta-python/recipes-devtools/python3-nltk/python3-nltk_3.9.2.bb
@@ -7,6 +7,8 @@ BUGTRACKER = "https://github.com/nltk/nltk/issues" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" +CVE_PRODUCT = "nltk" + RDEPENDS:${PN} = "\ python3-click \ python3-joblib \

From patchwork Tue Dec 30 15:48:59 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77736
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 06/10] python3-waitress: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:48:59 +0100
Message-ID: <20251230154903.736590-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123031

The CVEs for this recipe are tracked using the agendaless:waitress CPE,
which doesn't match the default python:waitress CPE, making the
cve-checker miss relevant CVEs.

See CVE db query:
sqlite> select * from products where PRODUCT like 'waitress';
CVE-2019-16785|agendaless|waitress|||1.3.1|<=
CVE-2019-16786|agendaless|waitress|||1.3.1|<
CVE-2019-16789|agendaless|waitress|||1.4.0|<=
CVE-2019-16792|agendaless|waitress|||1.3.1|<=
CVE-2020-5236|agendaless|waitress|1.4.2|=||
CVE-2022-24761|agendaless|waitress|||2.1.1|<
CVE-2022-31015|agendaless|waitress|2.1.0|>=|2.1.2|<
CVE-2024-49768|agendaless|waitress|2.0.0|>=|3.0.1|<
CVE-2024-49769|agendaless|waitress|||3.0.1|<

Set CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb b/meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb index b8e90807cf..c495132c59 100644 --- a/meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb +++ b/meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb
@@ -6,6 +6,8 @@ SECTION = "devel/python" LICENSE = "ZPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=78ccb3640dc841e1baecb3e27a6966b2" +CVE_PRODUCT = "waitress" + RDEPENDS:${PN} += " \ python3-logging \ " From patchwork Tue Dec 30 15:49:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77734 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4FFDEE4983 for ; Tue, 30 Dec 2025 15:49:13 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.66708.1767109750990520908 for ; Tue, 30 Dec 2025 07:49:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=eNbFSuO/; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-4779aa4f928so100836745e9.1 for ; Tue, 30 Dec 2025 07:49:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767109749; x=1767714549; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PSX9f+go3xbXTS8CDFDHT9RFq/Xl1BQVz4FH1aJ4ais=; b=eNbFSuO/4SYp3PopTL1hv6p/Y3nuzkyDodAAvHhJrRblaqxtxqEtdWiZIiPfpQp9DN /A1pneXHXECc+e7b79H73uHwb5Y8hxJEum40TZHmWZ25kB/tkOrMswwePgeId1K3h85L zVTmGHta4c6RtsFOTXdHrK3Z+t/zBl/o2dlJzJ5RWUK7MQsh1Ib4FgxaryYMvI0V5RVK 1jLcDn3zZFVYqtbfGY/VzH9OnHm1vV+5bvLTokXoU8rFHXFmtJerWtgfHrHEHCMROF7n 3+yAV+3vpcpRAK+kvL2HoUEnXFy3hgvNhRSo7/n8o3fKsb502iiay5dWSldq/E3YWp5D om/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; 
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 07/10] python3-reportlab: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:49:00 +0100
Message-ID: <20251230154903.736590-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Dec 2025 15:49:13 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123032

The relevant CVEs to this recipe are tracked using reportlab:reportlab CPE, which doesn't match the default python:reportlab CPE, so the cve-checker misses CVEs.

See CVE db query:

sqlite> select * from products where product like '%reportlab%';
CVE-2019-17626|reportlab|reportlab|||3.5.26|<=|0
CVE-2019-19450|reportlab|reportlab|||3.5.31|<|0
CVE-2020-28463|reportlab|reportlab|-||||0
CVE-2023-33733|reportlab|reportlab|||3.6.12|<=|0

Set CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-reportlab_4.4.5.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-python/recipes-devtools/python/python3-reportlab_4.4.5.bb b/meta-python/recipes-devtools/python/python3-reportlab_4.4.5.bb
index 4c411d5716..3ea47e355b 100644
--- a/meta-python/recipes-devtools/python/python3-reportlab_4.4.5.bb
+++ b/meta-python/recipes-devtools/python/python3-reportlab_4.4.5.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=cf24392f451ff6710fca1e96cefa0424" SRC_URI[sha256sum] = "0457d642aa76df7b36b0235349904c58d8f9c606a872456ed04436aafadc1510" +CVE_PRODUCT = "reportlab" inherit pypi python_setuptools_build_meta BBCLASSEXTEND = "native nativesdk" From patchwork Tue Dec 30 15:49:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77738 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D92F0EE4988 for ; Tue, 30 Dec 2025 15:49:13 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.66629.1767109751818551449 for ; Tue, 30 Dec 2025 07:49:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=EnQFlGKq; spf=pass (domain: gmail.com, ip: 209.85.128.47, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-47a95efd2ceso91088945e9.2 for ; Tue, 30 Dec 2025 07:49:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767109750; x=1767714550; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=X++EXbQTAbXj8QWXccc9REMLSSAZzZUfFbalUYkbXYI=; b=EnQFlGKqgfrorSHuME+rm5UtEzi4rpfJCG1g9p+0WClSURJzKgwGickgP9QbWTCBrd QyACM3jYBAyWWXP315AMyTjtqrqc1lMpDa0Vr/8hXF9vlVuJUDI2uGYH/3fqJQBLbMfQ Zi0cBpeaPqFOFCMQ3yEfrVP88ubpIA2VMJuSN9iD6x7JY+kehea9n0t4R+jz+CV7oFg2 ku3IRce0fHBNJqF8DBvkEjO97cNWoQrxWOurdwTJ9ap3QxdHkLdZtSzB/OHAvDc+X2mp Q6dBDwRcJ6Ocs8U3pSrxYZEJimLq/vz92KTWnuao+I7+cFQiSAREPAkYHHdFWG42gsDv h8Nw== 
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 08/10] python3-validators: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:49:01 +0100
Message-ID: <20251230154903.736590-8-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Dec 2025 15:49:13 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123034

The CVEs related to this project are tracked using the validators_project:validators CPE, which doesn't match the default python:validators CPE.

See CVE db query:

sqlite> select * from products where product like 'validators';
CVE-2019-19588|validators_project|validators|0.12.2|>=|0.12.5|<=
CVE-2023-45813|validators_project|validators|0.11.0|=||
CVE-2023-45813|validators_project|validators|0.20.0|=||

Set the CVE_PRODUCT so it matches relevant entries.

Signed-off-by: Gyorgy Sarvari
---
 .../recipes-devtools/python/python3-validators_0.35.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-validators_0.35.0.bb b/meta-python/recipes-devtools/python/python3-validators_0.35.0.bb
index d598cdc97c..79950f945c 100644
--- a/meta-python/recipes-devtools/python/python3-validators_0.35.0.bb
+++ b/meta-python/recipes-devtools/python/python3-validators_0.35.0.bb
@@ -5,6 +5,8 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=78327e3919fcd4e9a4a07299899c634c" SRC_URI[sha256sum] = "992d6c48a4e77c81f1b4daba10d16c3a9bb0dbb79b3a19ea847ff0928e70497a" +CVE_PRODUCT = "validators" + inherit pypi python_setuptools_build_meta ptest-python-pytest RDEPENDS:${PN}-ptest += " \ From patchwork Tue Dec 30 15:49:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77730 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 645F5EE021C for ; Tue, 30 Dec 2025 15:49:13 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.66630.1767109752500257031 for ; Tue, 30 Dec 2025 07:49:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=IF/ZF2ZU; spf=pass (domain: gmail.com, ip: 209.85.128.47, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-477a219dbcaso81615535e9.3 for ; Tue, 30 Dec 2025 07:49:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767109751; x=1767714551; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=QcaCn56g9yncpAhR3k+RNu4CIxGoHf1nKUA9ILtFW3c=; b=IF/ZF2ZU/jRASremNUGfzJGiEY/xWv/ifS8P9ShKtzEUpWE4zVHCqB5YRjm0k2Vz0J 7vnl5Ku9bSHSerqY4DHdA8StvIwsesk9PcT4kYHWrLFzwNB2/QUZRVV70uxEYh7Y8SW/ eriZfuDJ8Iv+aI8zN++hp/vp25Yt6HkyeBOjggzy6dE18AFs15Gm/Yg1YpAVoxllnuDt Qao8FbYCmSxQYJ6yuJvvqh9wu/d/b/aedTj/QU0swU6ebyRtfAMY7aFvuc7OYxnbSmiw 
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 09/10] python3-webargs: set CVE_PRODUCT
Date: Tue, 30 Dec 2025 16:49:02 +0100
Message-ID: <20251230154903.736590-9-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com>
References: <20251230154903.736590-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Dec 2025 15:49:13 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123035

The relevant CVEs for this recipe are tracked using webargs_project:webargs CPE, which makes the default python:webargs CPE miss CVEs.

See CVE db query:

sqlite> select * from products where product like '%webargs%';
CVE-2019-9710|webargs_project|webargs|||5.1.3|<
CVE-2020-7965|webargs_project|webargs|5.0.0|>=|5.5.2|<=

Set the CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-webargs_8.7.1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-python/recipes-devtools/python/python3-webargs_8.7.1.bb b/meta-python/recipes-devtools/python/python3-webargs_8.7.1.bb
index 307d2436c2..606796e287 100644
--- a/meta-python/recipes-devtools/python/python3-webargs_8.7.1.bb
+++ b/meta-python/recipes-devtools/python/python3-webargs_8.7.1.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=27586b20700d7544c06933afe56f7df4" inherit pypi python_flit_core +CVE_PRODUCT = "webargs" SRC_URI[sha256sum] = "799bf9039c76c23fd8dc1951107a75a9e561203c15d6ae8f89c1e46e234636c1" RDEPENDS:${PN} += "\ From patchwork Tue Dec 30 15:49:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77739 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA05DEE021F for ; Tue, 30 Dec 2025 15:49:23 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.66711.1767109754138698089 for ; Tue, 30 Dec 2025 07:49:14 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=DhVkyF/j; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-47775fb6cb4so58266515e9.0 for ; Tue, 30 Dec 2025 07:49:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767109752; x=1767714552; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=NigXKxhpmZpr1sJYS5hk5xsNNzibrFO4e4QyT9IgzWg=; b=DhVkyF/jodBOzpRjTtZ/PS/dq2Bjn95f9ArbEothx6JsT8855fMkf3HcFykOslLGA2 h4Bfwv/XHeb8DVyihM9M47n+cUmxJgyngDR6+BLCKRqDtsOdsa3SmpepyVzT1xwToAeK eD8p1BWpq1oSfVuu2QOIqLtks/2+cKBTSFuxrzBOQMLHqM+26Fcpvzyn87c1ETQc83C6 deMCMlmrucG+4w+cSbQMAuuiLi1NTGd87DO11mcAX1/Fqq2PCPXbQatuvQNzR7eqk2ku 6X5cnkpdn8Nb5uXsMdn9svbL65/6gCyYSVzdOLEhvW4sV2cX8GTwFBEhGk+h5ssxHOke Frig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][PATCH 10/10] python3-svglib: set CVE_PRODUCT Date: Tue, 30 Dec 2025 16:49:03 +0100 Message-ID: <20251230154903.736590-10-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251230154903.736590-1-skandigraun@gmail.com> References: <20251230154903.736590-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Dec 2025 15:49:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123036 There is only one relevant CVE in the database, but it is tracked using svglib_project:svglib CPE, not the expected python:svglib CPE, making the cve-checker miss it. See CVE db query: sqlite> select * from products where product like '%svglib%'; CVE-2020-10799|svglib_project|svglib|||0.9.3|<= Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-svglib_1.6.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-svglib_1.6.0.bb b/meta-python/recipes-devtools/python/python3-svglib_1.6.0.bb index 67c072c9a1..fc16e3099d 100644 --- a/meta-python/recipes-devtools/python/python3-svglib_1.6.0.bb +++ b/meta-python/recipes-devtools/python/python3-svglib_1.6.0.bb @@ -6,6 +6,8 @@ DESCRIPTION = "Svglib is a Python library for reading SVG files and \ LICENSE = "LGPL-3.0-or-later" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b52f2d57d10c4f7ee67a7eb9615d5d24" +CVE_PRODUCT = "svglib" + SRC_URI[sha256sum] = "4c38a274a744ef0d1677f55d5d62fc0fb798819f813e52872a796e615741733d" inherit pypi python_hatchling
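Review bot: PATCH 07/10, python3-reportlab hunk: the CVE-2020-28463 row in the quoted query has "-" as its start version and no end bound, which cve-check treats as affecting every version, so once CVE_PRODUCT = "reportlab" makes the product match, that CVE will most likely be reported as unpatched for 4.4.5. Please check whether it still applies to this version and, if it does not, add a CVE_STATUS entry for it in the same patch so the change does not introduce a standing false positive. The other three rows are bounded at 3.6.12 or lower and should resolve as patched on their own.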
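Review bot: PATCH 08/10, python3-validators hunk: CVE_PRODUCT = "validators" drops the vendor that the commit message itself names (validators_project:validators), and a product-only value matches that product name under any vendor. "validators" is a generic name, so pinning it as CVE_PRODUCT = "validators_project:validators" would keep unrelated entries from being attributed to this recipe later. The same holds for the other product-only assignments in this series whose commit messages list the vendor (reportlab, webargs, svglib).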
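Review bot: PATCH 09/10, python3-webargs hunk: the new CVE_PRODUCT = "webargs" line is wedged between "inherit pypi python_flit_core" and the SRC_URI[sha256sum] line with no blank line around it (the diffstat shows a single insertion). Style point only: giving it its own paragraph, as the validators and svglib patches in this series do (2 insertions each), would keep the recipes consistent and leave the inherit and checksum lines adjacent as before.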