go: set vendor in CVE_PRODUCT

It's not uncommon for specific third party modules to use "go" as the product[1]. However, the canonical CPE for the official Go language/runtime is always golang:go[2], so use that explicitly. [1] e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-49292 [2] e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-39320 (From OE-Core rev: fc3e9cce9e1a5aa5dc9a5ad4abdd4eb61f868d37) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-03-06 15:29:40 +01:00 · 2023-12-11 13:49:46 +00:00
parent f32178a246
commit 7cf0c30096
2 changed files with 2 additions and 2 deletions
--- a/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
@@ -16,7 +16,7 @@ SRC_URI[go_linux_ppc64le.sha256sum] = "2ae0ec3736216dfbd7b01ff679842dc1bed365e53
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"

-CVE_PRODUCT = "go"
+CVE_PRODUCT = "golang:go"

 S = "${WORKDIR}/go"

--- a/meta/recipes-devtools/go/go-common.inc
+++ b/meta/recipes-devtools/go/go-common.inc
@@ -20,7 +20,7 @@ B = "${S}"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"

 # all recipe variants are created from the same product
-CVE_PRODUCT = "go"
+CVE_PRODUCT = "golang:go"

 INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
 SSTATE_SCAN_CMD = "true"