This assessment appears to be correct, Ross. `freedesktop:dbus` in NVD CPE refers specifically to the core D-Bus daemon and libdbus, not to `python3-dbus`, which is a separate Python binding layer with its own source tree, versioning, and maintainership. Since no confirmed CVEs are directly attributed to `python3-dbus` in current NVD data, there is no valid basis for this CPE mapping.
A dependency relationship alone does not transfer CVE applicability. Setting `CVE_PRODUCT = "freedesktop:dbus"` in `python3-dbus` risks over-attributing `dbus` vulnerabilities onto `python3-dbus`, creating false positives in CVE scanning and a misleading impression that a `dbus` patch resolves `python3-dbus` issues. `python3-dbus` must be treated as a separate product identity for accurate CVE attribution.

Requesting the community team to drop this patch: https://git.openembedded.org/openembedded-core/commit/?h=master-next&id=4d04761a4a69

________________________________
From: [email protected] <[email protected]> on behalf of Ross Burton via lists.openembedded.org <[email protected]>
Sent: Tuesday, March 3, 2026 8:49 PM
To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [OE-core] [PATCH v1] python3-dbus: Add CVE_PRODUCT to support product name

On 26 Feb 2026, at 12:54, Het Patel via lists.openembedded.org <[email protected]> wrote:
>
> From: Het Patel <[email protected]>
>
> - Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
> reporting.

Have there been any CVEs for python-dbus so that you’re sure that you’re using the right CPE? This is the CPE for the fdo daemon and libdbus and python-dbus is a separate project, so you can’t know in advance what the CPE will be unless it’s been stated in advance, or there are CVEs to reference.

Cheers,
Ross
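An added illustration of the false-positive concern discussed in this thread (not code from the thread, the patch, or OE-core's cve-check): a simplified product/version matcher run over constructed CVE records. The CVE ids are placeholders, the versions and fix ranges are made up, and the fallback to the recipe name when no `CVE_PRODUCT` is given is an assumption of this sketch.

```python
# Constructed sample records: placeholder ids, made-up "fixed_in" versions.
SAMPLE_CVE_DB = [
    {"id": "CVE-PLACEHOLDER-0001", "vendor": "freedesktop",
     "product": "dbus", "fixed_in": "1.14.4"},
    {"id": "CVE-PLACEHOLDER-0002", "vendor": "freedesktop",
     "product": "dbus", "fixed_in": "1.12.20"},
]


def vtuple(version):
    """Turn '1.14.4' into (1, 14, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_cve_product(value):
    """Split 'vendor:product'; a bare product name matches any vendor."""
    vendor, _, product = value.rpartition(":")
    return (vendor or None, product)


def scan(recipe, version, cve_product=None, db=SAMPLE_CVE_DB):
    """Return ids of records whose product matches and whose fix version
    is newer than the recipe's own version.

    The recipe's version is compared against ranges that were written for
    whatever product the CPE names, which is where the mismatch arises.
    """
    vendor, product = parse_cve_product(cve_product or recipe)
    hits = []
    for cve in db:
        if cve["product"] != product:
            continue
        if vendor and cve["vendor"] != vendor:
            continue
        if vtuple(version) < vtuple(cve["fixed_in"]):
            hits.append(cve["id"])
    return hits


if __name__ == "__main__":
    # The binding has its own version line (constructed value 1.3.2).
    print("own identity :", scan("python3-dbus", "1.3.2"))
    print("daemon CPE   :", scan("python3-dbus", "1.3.2", "freedesktop:dbus"))
    # A daemon already past both fix versions reports nothing.
    print("dbus itself  :", scan("dbus", "1.14.10"))
```

With the daemon's CPE, the binding's lower version number falls inside every daemon fix range, so both records are reported against `python3-dbus` even when the `dbus` recipe in the same build is already patched.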
