public inbox for openembedded-core@lists.openembedded.org
* [OE-core] [master] [PATCH] acpid2: Add vendor to CVE_PRODUCT
@ 2026-04-13 11:15 Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)
  2026-04-13 12:36 ` Paul Barker
  0 siblings, 1 reply; 3+ messages in thread
From: Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-04-13 11:15 UTC (permalink / raw)
  To: openembedded-core; +Cc: vchavda

From: Himanshu Jadon <hjadon@cisco.com>

Added `tedfelix` as a vendor to `CVE_PRODUCT` to align with the
product naming defined in the NVD CPE database for `acpid2`.

Only a single CPE entry exists in the NVD for this product:
 `cpe:2.3:a:tedfelix:acpid2`

So far, only two CVEs have been reported against this CPE, confirming it
as the correct mapping for CVE reporting.

Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
---
 meta/recipes-bsp/acpid/acpid.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/acpid/acpid.inc b/meta/recipes-bsp/acpid/acpid.inc
index ba954563b6..0d32249a61 100644
--- a/meta/recipes-bsp/acpid/acpid.inc
+++ b/meta/recipes-bsp/acpid/acpid.inc
@@ -17,7 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${SOURCEFORGE_PROJECT}/acpid-${PV}.tar.xz \
            file://0001-Replace-stat64-with-stat.patch \
            "
 
-CVE_PRODUCT = "acpid2"
+CVE_PRODUCT = "tedfelix:acpid2"
 
 inherit autotools update-rc.d systemd sourceforge-releases
 
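Review bot: the added `CVE_PRODUCT = "tedfelix:acpid2"` line has no comment saying why the vendor is pinned, and the commit message itself says only one CPE exists for this product, so a later reader cannot tell from the recipe whether the qualifier corrects a mismatch or is there for explicitness. Suggest a one-line comment above the assignment naming the NVD CPE it mirrors (cpe:2.3:a:tedfelix:acpid2), plus a sentence in the commit message stating whether CVE reporting output changes. The message also leans on "only two CVEs have been reported against this CPE" as confirmation; the single-entry CPE listing is the stronger evidence for the mapping and is what the rationale should rest on.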
-- 
2.35.6




* Re: [OE-core] [master] [PATCH] acpid2: Add vendor to CVE_PRODUCT
  2026-04-13 11:15 [OE-core] [master] [PATCH] acpid2: Add vendor to CVE_PRODUCT Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-04-13 12:36 ` Paul Barker
  2026-04-15  6:16   ` Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)
  0 siblings, 1 reply; 3+ messages in thread
From: Paul Barker @ 2026-04-13 12:36 UTC (permalink / raw)
  To: hjadon, openembedded-core; +Cc: vchavda


On Mon, 2026-04-13 at 04:15 -0700, Himanshu Jadon -X (hjadon - E
INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Himanshu Jadon <hjadon@cisco.com>
> 
> Added `tedfelix` as a vendor to `CVE_PRODUCT` to align with the
> product naming defined in the NVD CPE database for `acpid2`.
> 
> Only a single CPE entry exists in the NVD for this product:
>  `cpe:2.3:a:tedfelix:acpid2`
> 
> So far, only two CVEs have been reported against this CPE, confirming it
> as the correct mapping for CVE reporting.
> 
> Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
> ---
>  meta/recipes-bsp/acpid/acpid.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-bsp/acpid/acpid.inc b/meta/recipes-bsp/acpid/acpid.inc
> index ba954563b6..0d32249a61 100644
> --- a/meta/recipes-bsp/acpid/acpid.inc
> +++ b/meta/recipes-bsp/acpid/acpid.inc
> @@ -17,7 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${SOURCEFORGE_PROJECT}/acpid-${PV}.tar.xz \
>             file://0001-Replace-stat64-with-stat.patch \
>             "
>  
> -CVE_PRODUCT = "acpid2"
> +CVE_PRODUCT = "tedfelix:acpid2"
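
Review bot: the subject prefix `acpid2:` names the CVE product rather than the recipe being changed; the file in this hunk is meta/recipes-bsp/acpid/acpid.inc and the SRC_URI shown in the hunk header fetches acpid-${PV}.tar.xz. A subject of `acpid: Add vendor to CVE_PRODUCT` would match the recipe touched and be easier to find in the log.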

I don't see any other invalid CPEs when I search for "acpid2" [1]. Why
do we need to specify the vendor here? Are you seeing matches against
other CPEs for acpid2?

[1]: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=acpid2

Best regards,

-- 
Paul Barker




* Re: [master] [PATCH] acpid2: Add vendor to CVE_PRODUCT
  2026-04-13 12:36 ` Paul Barker
@ 2026-04-15  6:16   ` Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)
  0 siblings, 0 replies; 3+ messages in thread
From: Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-04-15  6:16 UTC (permalink / raw)
  To: openembedded-core


Hi,

Thanks for checking this.

You are right, at present there is only one valid CPE for acpid2
(tedfelix:acpid2), and we are not seeing any wrong matches against other
CPEs right now.

This update is mainly to make the mapping explicit, instead of depending
on product-only implicit matching. As of now, it does not change current
CVE reporting output. The intent is to keep mapping stable if matching
logic changes later, or if NVD adds another vendor:product using the
same product token in future.

So this is a proactive metadata clarity change, not a fix for any
current misreporting.
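
The scenario described in this reply, as an added example that is not part of the thread and is not OE-core's CVE checking code: a simplified Python model in which a `CVE_PRODUCT` token without a vendor matches any vendor. The second CPE and the vendor name `examplevendor` are constructed to stand for a hypothetical future NVD entry.

```python
# Simplified model of vendor-qualified vs product-only CPE matching.
# Added illustration; not the OE-core CVE checking code.

def parse_cpe23(cpe):
    """Return (vendor, product) from a CPE 2.3 name (escaped ':' not handled)."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {cpe!r}")
    return parts[3], parts[4]


def parse_cve_product(token):
    """Split one CVE_PRODUCT token into (vendor, product); vendor None means any."""
    vendor, sep, product = token.partition(":")
    if not sep:
        return None, token
    if not vendor or not product:
        raise ValueError(f"malformed CVE_PRODUCT token: {token!r}")
    return vendor, product


def matching_cpes(cve_product, cpes):
    """List the CPE names selected by a whitespace-separated CVE_PRODUCT value."""
    wanted = [parse_cve_product(tok) for tok in cve_product.split()]
    hits = []
    for cpe in cpes:
        vendor, product = parse_cpe23(cpe)
        if any(p == product and v in (None, vendor) for v, p in wanted):
            hits.append(cpe)
    return hits


def mapping_is_stable(cve_product, before, after):
    """True if the value selects the same CPEs before and after a dictionary change."""
    return matching_cpes(cve_product, before) == matching_cpes(cve_product, after)


# The one CPE quoted in the thread.
TODAY = ["cpe:2.3:a:tedfelix:acpid2"]
# Constructed: a hypothetical second vendor reusing the product token.
FUTURE = TODAY + ["cpe:2.3:a:examplevendor:acpid2"]

if __name__ == "__main__":
    for value in ("acpid2", "tedfelix:acpid2"):
        print(value, matching_cpes(value, FUTURE),
              "stable" if mapping_is_stable(value, TODAY, FUTURE) else "changed")
```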
