On 26 Feb 2026, at 12:54, Het Patel via lists.openembedded.org <[email protected]> wrote:
>
> From: Het Patel <[email protected]>
>
> - Added the vendor to CVE_PRODUCT to prevent false positives.

What false positives? If this is actually “add the vendor because existing CVEs use this exact CPE” then say so, but please reassure us without having to do our own verification that this doesn’t actually mean we miss some CVEs. Basically, changing the CVE_PRODUCT is good if it improves the detection, but changes should be backed up with evidence.

Ross
