From 7cf0c30096913f977c1bd0d7e2b167cac6b93aec Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Mon, 11 Dec 2023 13:49:46 +0000
Subject: [PATCH] go: set vendor in CVE_PRODUCT

It's not uncommon for specific third party modules to use "go" as the
product[1]. However, the canonical CPE for the official Go
language/runtime is always golang:go[2], so use that explicitly.

[1] e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-49292
[2] e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-39320

(From OE-Core rev: fc3e9cce9e1a5aa5dc9a5ad4abdd4eb61f868d37)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-devtools/go/go-binary-native_1.20.12.bb | 2 +-
 meta/recipes-devtools/go/go-common.inc               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.12.bb b/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
index e555412a19..41db2ada80 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.20.12.bb
@@ -16,7 +16,7 @@ SRC_URI[go_linux_ppc64le.sha256sum] = "2ae0ec3736216dfbd7b01ff679842dc1bed365e53
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
 
-CVE_PRODUCT = "go"
+CVE_PRODUCT = "golang:go"
 
 S = "${WORKDIR}/go"
 
diff --git a/meta/recipes-devtools/go/go-common.inc b/meta/recipes-devtools/go/go-common.inc
index 96e32eeb97..db165792dc 100644
--- a/meta/recipes-devtools/go/go-common.inc
+++ b/meta/recipes-devtools/go/go-common.inc
@@ -20,7 +20,7 @@ B = "${S}"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
 
 # all recipe variants are created from the same product
-CVE_PRODUCT = "go"
+CVE_PRODUCT = "golang:go"
 
 INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
 SSTATE_SCAN_CMD = "true"