[PATCH] systemd: set CVE_PRODUCT

[PATCH] systemd: set CVE_PRODUCT

[Mikko Rapeli]

systemd.inc is used by systemd, systemd-boot and
systemd-tools-native recipes so make sure all
match to "systemd_project:systemd" vendor and product
in CVE database. The split between systemd, systemd-boot
and systemd-tools-native is specific to oe-core and
upstream just refers to systemd.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta/recipes-core/systemd/systemd.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index 989ca667b7..288d49e007 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -20,3 +20,5 @@ SRCBRANCH = "v256-stable"
 SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH}"
 
 S = "${WORKDIR}/git"
+
+CVE_PRODUCT = "systemd_project:systemd"
-- 
2.43.0

RE: [OE-core] [PATCH] systemd: set CVE_PRODUCT

[Marko, Peter]

For historical reasons, we should not limit the check to systemd_project vendor.

sqlite> select vendor, product, count(*) from products where product = 'systemd' group by vendor, product;
linux|systemd|1
systemd_project|systemd|106
sqlite> select * from products where vendor = 'linux' and product = 'systemd';
CVE-2012-1174|linux|systemd|43|=||

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Mikko Rapeli via
> lists.openembedded.org
> Sent: Friday, December 13, 2024 13:03
> To: openembedded-core@lists.openembedded.org
> Cc: Mikko Rapeli <mikko.rapeli@linaro.org>
> Subject: [OE-core] [PATCH] systemd: set CVE_PRODUCT
> 
> systemd.inc is used by systemd, systemd-boot and
> systemd-tools-native recipes so make sure all
> match to "systemd_project:systemd" vendor and product
> in CVE database. The split between systemd, systemd-boot
> and systemd-tools-native is specific to oe-core and
> upstream just refers to systemd.
> 
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  meta/recipes-core/systemd/systemd.inc | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-
> core/systemd/systemd.inc
> index 989ca667b7..288d49e007 100644
> --- a/meta/recipes-core/systemd/systemd.inc
> +++ b/meta/recipes-core/systemd/systemd.inc
> @@ -20,3 +20,5 @@ SRCBRANCH = "v256-stable"
>  SRC_URI =
> "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANC
> H}"
> 
>  S = "${WORKDIR}/git"
> +
> +CVE_PRODUCT = "systemd_project:systemd"
> --
> 2.43.0

Re: [OE-core] [PATCH] systemd: set CVE_PRODUCT

[Mikko Rapeli]

Hi,

On Fri, Dec 13, 2024 at 12:14:54PM +0000, Marko, Peter wrote:
> For historical reasons, we should not limit the check to systemd_project vendor.
> 
> sqlite> select vendor, product, count(*) from products where product = 'systemd' group by vendor, product;
> linux|systemd|1
> systemd_project|systemd|106
> sqlite> select * from products where vendor = 'linux' and product = 'systemd';
> CVE-2012-1174|linux|systemd|43|=||

Ok, will limit to just "systemd" product name in v2.

Cheers,

-Mikko