go: set vendor in CVE_PRODUCT

Message ID	20231211134946.4162388-1-ross.burton@arm.com
State	Accepted, archived
Commit	fc3e9cce9e1a5aa5dc9a5ad4abdd4eb61f868d37
Headers	show Return-Path: <ross.burton@arm.com> ip: 217.140.110.172, mailfrom: ross.burton@arm.com) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH] go: set vendor in CVE_PRODUCT Date: Mon, 11 Dec 2023 13:49:46 +0000 Message-Id: <20231211134946.4162388-1-ross.burton@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	go: set vendor in CVE_PRODUCT \| expand go: set vendor in CVE_PRODUCT

Message ID

20231211134946.4162388-1-ross.burton@arm.com

State

Accepted, archived

Commit

fc3e9cce9e1a5aa5dc9a5ad4abdd4eb61f868d37

Headers

From: ross.burton@arm.com
To: openembedded-core@lists.openembedded.org
Cc: nd@arm.com
Subject: [PATCH] go: set vendor in CVE_PRODUCT
Date: Mon, 11 Dec 2023 13:49:46 +0000
Message-Id: <20231211134946.4162388-1-ross.burton@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

go: set vendor in CVE_PRODUCT | expand

Commit Message

Ross Burton Dec. 11, 2023, 1:49 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

It's not uncommon for specific third party modules to use "go" as the
product[1]. However, the canonical CPE for the official Go
language/runtime is always golang:go[2], so use that explicitly.

[1] e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-49292
[2] e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-39320

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-devtools/go/go-binary-native_1.20.12.bb | 2 +-
 meta/recipes-devtools/go/go-common.inc               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.12.bb b/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
index e555412a19c..41db2ada808 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
@@ -16,7 +16,7 @@  SRC_URI[go_linux_ppc64le.sha256sum] = "2ae0ec3736216dfbd7b01ff679842dc1bed365e53
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
 
-CVE_PRODUCT = "go"
+CVE_PRODUCT = "golang:go"
 
 S = "${WORKDIR}/go"
 
diff --git a/meta/recipes-devtools/go/go-common.inc b/meta/recipes-devtools/go/go-common.inc
index 96e32eeb978..db165792dcb 100644
--- a/meta/recipes-devtools/go/go-common.inc
+++ b/meta/recipes-devtools/go/go-common.inc
@@ -20,7 +20,7 @@  B = "${S}"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
 
 # all recipe variants are created from the same product
-CVE_PRODUCT = "go"
+CVE_PRODUCT = "golang:go"
 
 INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
 SSTATE_SCAN_CMD = "true"

go: set vendor in CVE_PRODUCT

Commit Message

Patch