* [PATCH] wic: set CVE_PRODUCT
@ 2026-04-13 20:22 Ross Burton
From: Ross Burton @ 2026-04-13 20:22 UTC (permalink / raw)
To: openembedded-core
There are CVEs such as CVE-2008-6713 which have a CPE of *:wic, which
get reported for our wic now that it has been split out to a standalone
tool.
Set CVE_PRODUCT to yoctoproject:wic to avoid this. There are no CVEs for
wic yet, but this is the likely CPE that would be used.
[1] https://nvd.nist.gov/vuln/detail/CVE-2008-6713
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/recipes-support/wic/wic_0.3.0.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/wic/wic_0.3.0.bb b/meta/recipes-support/wic/wic_0.3.0.bb
index a0a2773c76e..7dbf84b039a 100644
--- a/meta/recipes-support/wic/wic_0.3.0.bb
+++ b/meta/recipes-support/wic/wic_0.3.0.bb
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=4ee23c52855c222cba72583d301d2338"
SRC_URI = "git://git.yoctoproject.org/wic.git;branch=master;protocol=https;tag=v${PV}"
SRCREV = "5974ade11032f218841d9f449ef0efeee3f9a2ca"
+CVE_PRODUCT = "yoctoproject:wic"
+
inherit python_hatchling
RDEPENDS:${PN} += " \
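Review bot: The added `CVE_PRODUCT = "yoctoproject:wic"` pins cve-check to a CPE that the commit message itself describes only as "likely"; if NVD later registers wic under a different vendor string, the recipe will match nothing and real CVEs will be missed silently rather than reported. Suggest recording the assumption next to the assignment, e.g. `# No NVD CPE exists for wic yet; yoctoproject:wic is the expected one, revisit once assigned`, so that whoever sees a future advisory knows the value needs checking rather than treating it as confirmed.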
--
2.43.0
* Re: [OE-core] [PATCH] wic: set CVE_PRODUCT
@ 2026-04-24 10:30 ` Quentin Schulz
From: Quentin Schulz @ 2026-04-24 10:30 UTC (permalink / raw)
To: ross.burton, openembedded-core; +Cc: Trevor Woerner
Hi Ross,
On 4/13/26 10:22 PM, Ross Burton via lists.openembedded.org wrote:
> There are CVEs such as CVE-2008-6713 which have a CPE of *:wic, which
> get reported for our wic now that it has been split out to a standalone
> tool.
>
> Set CVE_PRODUCT to yoctoproject:wic to avoid this. There are no CVEs for
> wic yet, but this is the likely CPE that would be used.
>
Considering the many different CPEs I've found for well-known pieces of
software, I have a very low trust in "likely".
It'd be a good step forward to document in SECURITY.md in the wic repo
which CPE to use, to avoid having too many CPEs if security researchers
can read and follow instructions. However, it seems SECURITY.md isn't
available on all branches on wic and it for sure isn't on the master
branch, so no idea how we're supposed to do this. Adding Trevor in Cc.
Cheers,
Quentin