From: Marta Rybczynska <rybczynska@gmail.com>
Date: Mon, 15 Jul 2024 10:20:02 +0000 (+0200)
Subject: classes/kernel.bbclass: update CVE_PRODUCT
X-Git-Tag: uninative-4.6~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27404c4ef815f41aac994e9f390776a8bf4f9553;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

classes/kernel.bbclass: update CVE_PRODUCT

Add linux:linux to CVE_PRODUCT. linux:linux is used by the kernel CNA
in raw CVE entries. We can't use just linux, because of conflicts with
CPE entries of multiple distributions.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass
index 89badd90f18..2a4f3defda5 100644
--- a/meta/classes-recipe/kernel.bbclass
+++ b/meta/classes-recipe/kernel.bbclass
@@ -21,7 +21,10 @@ PACKAGE_WRITE_DEPS += "depmodwrapper-cross"
 do_deploy[depends] += "depmodwrapper-cross:do_populate_sysroot gzip-native:do_populate_sysroot"
 do_clean[depends] += "make-mod-scripts:do_clean"
 
-CVE_PRODUCT ?= "linux_kernel"
+# CPE entries from NVD use linux_kernel, but the raw CVE entries from the kernel CNA have
+# vendor: linux and product: linux. Note that multiple distributions use "linux" as a product
+# name, so we need to fill vendor to avoid false positives
+CVE_PRODUCT ?= "linux_kernel linux:linux"
 
 S = "${STAGING_KERNEL_DIR}"
 B = "${WORKDIR}/build"