meta-openembedded

mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00

Author	SHA1	Message	Date
Gyorgy Sarvari	eb20735d09	python3-flask-restx: set CVE_PRODUCT The relevant CVEs are tracked using flask-restx_project:flask-restx CPE, which makes the default python:flask-restx CPE to not match relevant CVEs. Set CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where product like '%flask-restx%'; CVE-2021-32838\|flask-restx_project\|flask-restx\|\|\|0.5.1\|< Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:01 -08:00
Gyorgy Sarvari	a307398b7b	python3-fastapi: set CVE_PRODUCT Set correct CVE_PRODUCT - the default (python:fastapi) is not the one that is used to track CVEs. See CVE db query (n8n vendor is not relevant): sqlite> select * from products where product like 'fastapi'; CVE-2021-32677\|tiangolo\|fastapi\|\|\|0.65.2\|<\|0 CVE-2025-55526\|n8n\|fastapi\|0.115.14\|=\|\|\|0 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:01 -08:00
Gyorgy Sarvari	30b0c458bb	python3-lief: set CVE_PRODUCT The correct CVE_PRODUCT is "lief" for this recipe instead of the default ${PN}, that doesn't match relevant CVEs. See CVE db query: sqlite> select * from products where product like 'lief'; CVE-2021-32297\|lief-project\|lief\|\|\|0.11.4\|<= CVE-2022-38306\|lief-project\|lief\|\|\|0.12.1\|< CVE-2022-38307\|lief-project\|lief\|\|\|0.12.1\|< CVE-2022-38495\|lief-project\|lief\|\|\|0.12.1\|<= CVE-2022-38496\|lief-project\|lief\|\|\|0.12.1\|<= CVE-2022-38497\|lief-project\|lief\|\|\|0.12.1\|<= CVE-2022-40922\|lief-project\|lief\|0.12.1\|=\|\| CVE-2022-40923\|lief-project\|lief\|0.12.1\|=\|\| CVE-2022-43171\|lief-project\|lief\|0.12.1\|=\|\| CVE-2024-31636\|lief-project\|lief\|0.14.1\|=\|\| Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:01 -08:00
Gyorgy Sarvari	b4fd4a6217	python3-pydantic: set CVE_PRODUCT Set correct CVE_PRODUCT - the default ${PN} value doesn't match relevant CVEs. See CVE query (n8n vendor is not relevant): sqlite> select * from products where product like '%pydantic%'; CVE-2021-29510\|pydantic\|pydantic\|\|\|1.6.2\|< CVE-2021-29510\|pydantic\|pydantic\|1.7\|>=\|1.7.4\|< CVE-2021-29510\|pydantic\|pydantic\|1.8\|>=\|1.8.2\|< CVE-2024-3772\|pydantic\|pydantic\|\|\|1.10.13\|< CVE-2024-3772\|pydantic\|pydantic\|2.0\|>=\|2.4.0\|< CVE-2025-55526\|n8n\|pydantic\|2.11.7\|=\|\| Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:01 -08:00
Gyorgy Sarvari	d3a4074663	python3-pikepdf: set CVE_PRODUCT The relevant CVEs are tracked with pikepdf_project:pikepdf CPE, and the default python:pikepdf doesn't match CVEs. Set CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where product like 'pikepdf'; CVE-2021-29421\|pikepdf_project\|pikepdf\|1.3.0\|>=\|2.9.2\|<= Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:00 -08:00
Gyorgy Sarvari	a2aa92f554	python3-mpmath: set CVE_PRODUCT The CVE database tracks relevant CVEs with mpmath:mpmath CPE. Set the CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where product like 'mpmath'; CVE-2021-29063\|mpmath\|mpmath\|1.0.0\|>=\|1.2.1\|<= Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:00 -08:00
Gyorgy Sarvari	3536ca6a36	python3-flask-user: set CVE_PRODUCT The relevant CVE is tracked using flask-user_project:flask-user CPE, so the default python:flask-user value doesn't match it. Set CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where product like 'flask-user'; CVE-2021-23401\|flask-user_project\|flask-user\|-\|\|\| Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:00 -08:00
Gyorgy Sarvari	b578877722	python3-eventlet: set CVE_PRODUCT The relevant CVEs are tracked using eventlet:eventlet CPE, and the default python:eventlet CPE doesn't match relevant CVEs. Set the correct CVE_PRODUCT. See CVE db query: sqlite> select * from products where product like 'eventlet'; CVE-2021-21419\|eventlet\|eventlet\|0.10\|>=\|0.31.0\|< CVE-2023-29483\|eventlet\|eventlet\|\|\|0.35.2\|< CVE-2025-58068\|eventlet\|eventlet\|\|\|0.40.3\|< Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:00 -08:00
Gyorgy Sarvari	f04728af28	python3-aiohttp: set CVE_PRODUCT The related CVEs are tracked using aiohttp:aiohttp CPE, so the default python:aiohttp CPE doesn't match relevant CVEs. Set the CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where product like 'aiohttp'; CVE-2021-21330\|aiohttp\|aiohttp\|\|\|3.7.4\|< CVE-2022-33124\|aiohttp\|aiohttp\|3.8.1\|=\|\| CVE-2023-37276\|aiohttp\|aiohttp\|\|\|3.8.4\|<= CVE-2023-47627\|aiohttp\|aiohttp\|\|\|3.8.6\|< CVE-2023-47641\|aiohttp\|aiohttp\|\|\|3.8.0\|< CVE-2023-49081\|aiohttp\|aiohttp\|\|\|3.9.0\|< CVE-2023-49082\|aiohttp\|aiohttp\|\|\|3.9.0\|< CVE-2024-23334\|aiohttp\|aiohttp\|1.0.5\|>=\|3.9.2\|< CVE-2024-23829\|aiohttp\|aiohttp\|\|\|3.9.2\|< CVE-2024-27306\|aiohttp\|aiohttp\|\|\|3.9.4\|< CVE-2024-30251\|aiohttp\|aiohttp\|\|\|3.9.4\|< CVE-2024-42367\|aiohttp\|aiohttp\|3.10.0\|>=\|3.10.2\|< CVE-2024-52303\|aiohttp\|aiohttp\|3.10.6\|>=\|3.10.11\|< CVE-2024-52304\|aiohttp\|aiohttp\|\|\|3.10.11\|< CVE-2025-53643\|aiohttp\|aiohttp\|\|\|3.12.14\|< Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:34:00 -08:00
Gyorgy Sarvari	6cc3c31ed6	python3-brotli: set CVE_PRODUCT There is one brotli repository for all language bindings, and the same CPE is used for all: google:brotli (instead of the expected default of python:brotli, in case of the Python package). Set the CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where product like 'brotli'; CVE-2020-8927\|google\|brotli\|\|\|1.0.8\|< Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:33:59 -08:00
Gyorgy Sarvari	93fd9b0db0	python3-uvicorn: set CVE_PRODUCT The default python:uvicorn CPE is not correct, the CVEs are tracked under encode:uvicorn. See CVE db query (n8n vendor is not relevant): sqlite> select * from products where product like 'uvicorn'; CVE-2020-7694\|encode\|uvicorn\|-\|\|\| CVE-2020-7695\|encode\|uvicorn\|\|\|0.11.7\|< CVE-2025-55526\|n8n\|uvicorn\|0.35.0\|=\|\| Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:33:59 -08:00
Gyorgy Sarvari	cc9af72f13	python3-autobahn: set CVE_PRODUCT The only CVE stored in the CVE db is tracked with "crossbar" vendor, which makes the default python:autobahn CPE to not match. Set the CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where product like 'autobahn'; CVE-2020-35678\|crossbar\|autobahn\|\|\|20.12.3\|< Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:33:59 -08:00
Gyorgy Sarvari	1fac509459	python3-py: set CVE_PRODUCT The related CVEs are tracked using pytest:py CPE, so set the CVE_PRODUCT accordingly instead of the default python:py. See CVE db query: sqlite> select * from products where product like 'py'; CVE-2020-29651\|pytest\|py\|\|\|1.9.0\|<= CVE-2022-42969\|pytest\|py\|\|\|1.11.0\|<= Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:33:59 -08:00
Gyorgy Sarvari	15ab75e8fb	python3-flask-cors: set CVE_PRODUCT The related CVEs are tracked under multiple vendor IDs (but none of them are associated with the default "python" vendor). Query from CVE db: sqlite> select * from products where product like 'flask-cors'; CVE-2020-25032\|flask-cors_project\|flask-cors\|\|\|3.0.9\|< CVE-2024-1681\|corydolphin\|flask-cors\|4.0.0\|=\|\| CVE-2024-6221\|corydolphin\|flask-cors\|4.0.1\|=\|\| CVE-2024-6839\|flask-cors_project\|flask-cors\|4.0.1\|=\|\| CVE-2024-6844\|flask-cors_project\|flask-cors\|4.0.1\|=\|\| CVE-2024-6866\|flask-cors_project\|flask-cors\|4.0.1\|=\|\| Set the CVE_PRODUCT so it matches the relevant entries. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:33:59 -08:00
Gyorgy Sarvari	4fbf11954a	python3-pandas: set CVE_PRODUCT Currently there is only one CVE associated with pandas, and it is tracked using numfocus:pandas CPE by NIST instead of the default python:pandas from pypi.bbclass. See CVE db query: sqlite> select * from products where product like 'pandas'; CVE-2020-13091\|numfocus\|pandas\|\|\|1.0.3\|<= Set the CVE_PRODUCT accodingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:33:59 -08:00
Gyorgy Sarvari	34f5fd45af	python3-svglib: set CVE_PRODUCT There is only one relevant CVE in the database, but it is tracked using svglib_project:svglib CPE, not the expected python:svglib CPE, making the cve-checker miss it. See CVE db query: sqlite> select * from products where product like '%svglib%'; CVE-2020-10799\|svglib_project\|svglib\|\|\|0.9.3\|<= Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:56 -08:00
Gyorgy Sarvari	07dd23f681	python3-webargs: set CVE_PRODUCT The relevant CVEs for this recipe are tracked using webargs_project:webargs CPE, which makes the default python:webargs CPE to miss CVEs. See CVE db query: sqlite> select * from products where product like '%webargs%'; CVE-2019-9710\|webargs_project\|webargs\|\|\|5.1.3\|< CVE-2020-7965\|webargs_project\|webargs\|5.0.0\|>=\|5.5.2\|<= Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:56 -08:00
Gyorgy Sarvari	f30b5cd005	python3-validators: set CVE_PRODUCT The CVEs related to this project are tracked using the validators_project:validators CPE, which doesn't match the default python:validators CPE. See CVE db query: sqlite> select * from products where product like 'validators'; CVE-2019-19588\|validators_project\|validators\|0.12.2\|>=\|0.12.5\|<= CVE-2023-45813\|validators_project\|validators\|0.11.0\|=\|\| CVE-2023-45813\|validators_project\|validators\|0.20.0\|=\|\| Set the CVE_PRODUCT so it matches relevant entries. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:56 -08:00
Gyorgy Sarvari	df18617f6a	python3-reportlab: set CVE_PRODUCT The relevant CVEs to this recipe are tracked using reportlab:reportlab CPE, which doesn't match the default python:reportlab CPE, so the cve-checker misses CVEs. See CVE db query: sqlite> select * from products where product like '%reportlab%'; CVE-2019-17626\|reportlab\|reportlab\|\|\|3.5.26\|<=\|0 CVE-2019-19450\|reportlab\|reportlab\|\|\|3.5.31\|<\|0 CVE-2020-28463\|reportlab\|reportlab\|-\|\|\|\|0 CVE-2023-33733\|reportlab\|reportlab\|\|\|3.6.12\|<=\|0 Set CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:56 -08:00
Gyorgy Sarvari	16c2efd07b	python3-waitress: set CVE_PRODUCT The CVEs for this recipes are tracked using the agendaless:waitress CPE, which doesn't match the default python:waitress CPE, making the cve-checker miss relevant CVEs. See CVE db query: sqlite> select * from products where PRODUCT like 'waitress'; CVE-2019-16785\|agendaless\|waitress\|\|\|1.3.1\|<= CVE-2019-16786\|agendaless\|waitress\|\|\|1.3.1\|< CVE-2019-16789\|agendaless\|waitress\|\|\|1.4.0\|<= CVE-2019-16792\|agendaless\|waitress\|\|\|1.3.1\|<= CVE-2020-5236\|agendaless\|waitress\|1.4.2\|=\|\| CVE-2022-24761\|agendaless\|waitress\|\|\|2.1.1\|< CVE-2022-31015\|agendaless\|waitress\|2.1.0\|>=\|2.1.2\|< CVE-2024-49768\|agendaless\|waitress\|2.0.0\|>=\|3.0.1\|< CVE-2024-49769\|agendaless\|waitress\|\|\|3.0.1\|< Set CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:56 -08:00
Gyorgy Sarvari	82255f0af3	python3-parso: set CVE_PRODUCT There is one related CVE tracked by nist, using the parso_project:parso CPE, which doesn't match the default python:parso CPE. See CVE db query: sqlite> select * from products where PRODUCT like 'parso'; CVE-2019-12760\|parso_project\|parso\|\|\|0.4.0\|<= Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:55 -08:00
Gyorgy Sarvari	97363a7b77	python3-marshmallow: set CVE_PRODUCT The default python:marshmallow CPE doesn't match the CVEs related to this product, as they are tracked with marshmallow_project:marshmallow CPE. See CVE db query: sqlite> select * from products where PRODUCT like 'marshmallow'; CVE-2018-17175\|marshmallow_project\|marshmallow\|\|\|2.15.1\|< CVE-2018-17175\|marshmallow_project\|marshmallow\|3.0\|>=\|3.0.0b9\|< Set the CVE_PRODUCT so it matches related CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:55 -08:00
Gyorgy Sarvari	039970deb2	python3-flask: set CVE_PRODUCT The default python:flask CPE doesn't match relevant CVE entries which are tracked under palletsprojects:flask CPE. See CVE db query: sqlite> select * from products where PRODUCT like 'flask'; CVE-2018-1000656\|palletsprojects\|flask\|\|\|0.12.3\|< CVE-2019-1010083\|palletsprojects\|flask\|\|\|1.0\|< CVE-2023-30861\|palletsprojects\|flask\|\|\|2.2.5\|< CVE-2023-30861\|palletsprojects\|flask\|2.3.0\|>=\|2.3.2\|< Set the CVE_PRODUCT to "flask" so it matches relevant entries. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:55 -08:00
Gyorgy Sarvari	f121c925e8	python-gunicorn: set CVE_PRODUCT There is only one relevant CVE associated with this recipe in the CVE db, but it is tracked using gunicorn:gunicorn CPE instead of python:gunicorn (which is the default CPE from pypi.bbclass) See CVE db query: sqlite> select * from products where PRODUCT like '%gunicorn%'; CVE-2018-1000164\|gunicorn\|gunicorn\|19.4.5\|=\|\| Set CVE_PRODUCT so that it matches relevant CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:55 -08:00
Gyorgy Sarvari	77ba5f31e2	python3-supervisor: set CVE_PRODUCT This recipe's CVEs are tracked using supervisord:supervisor CPE by nist, so the default python:supervisor CPE doesn't match relevant CVEs. See CVE db query (home-assisstant vendor is not relevant): sqlite> select * from products where PRODUCT like 'supervisor'; CVE-2017-11610\|supervisord\|supervisor\|\|\|3.0\|<= CVE-2017-11610\|supervisord\|supervisor\|3.1.0\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.1.1\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.1.2\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.1.3\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.2.0\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.2.1\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.2.2\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.2.3\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.3.0\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.3.1\|=\|\| CVE-2017-11610\|supervisord\|supervisor\|3.3.2\|=\|\| CVE-2019-12105\|supervisord\|supervisor\|\|\|4.0.2\|<= CVE-2023-27482\|home-assistant\|supervisor\|\|\|2023.03.1\|< Set the CVE_PRODUCT explicitly to match relevant CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:54 -08:00
Gyorgy Sarvari	5ec4458878	python3-pyjwt: set CVE_PRODUCT The relevant CVEs are tracked using pyjwt_project:pyjwt CPE, so the defauly python:pyjwt CPE doesn't match them. See CVE db query: sqlite> select * from products where PRODUCT like '%pyjwt%'; CVE-2017-11424\|pyjwt_project\|pyjwt\|\|\|1.5.0\|<= CVE-2022-29217\|pyjwt_project\|pyjwt\|1.5.0\|>=\|2.4.0\|< CVE-2024-53861\|pyjwt_project\|pyjwt\|2.10.0\|=\|\| CVE-2025-45768\|pyjwt_project\|pyjwt\|2.10.1\|=\|\| Set the CVE_PRODUCT so it matches relevant CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:54 -08:00
Gyorgy Sarvari	851e449d54	python3-html5lib: set CVE_PRODUCT There are currently 2 related CVEs in the NIST db, both of them are tracked with html5lib:html5lib CPE, so the default python:html5lib CPE doesn't match. See CVE db query: sqlite> select * from products where PRODUCT like '%html5lib%'; CVE-2016-9909\|html5lib\|html5lib\|\|\|0.99999999\|<= CVE-2016-9910\|html5lib\|html5lib\|\|\|0.99999999\|<= Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:54 -08:00
Gyorgy Sarvari	6f2ce3843e	python3-werkzeug: set CVE_PRODUCT The relevant CVEs are tracked using palletsprojects:werkzeug CPE, which makes the the default python:werkzeug CPE to not match anything. See CVE db query: sqlite> select * from products where PRODUCT like 'werkzeug'; CVE-2016-10516\|palletsprojects\|werkzeug\|\|\|0.11.11\|< CVE-2019-14322\|palletsprojects\|werkzeug\|\|\|0.15.5\|< CVE-2019-14806\|palletsprojects\|werkzeug\|\|\|0.15.3\|< CVE-2020-28724\|palletsprojects\|werkzeug\|\|\|0.11.6\|< CVE-2022-29361\|palletsprojects\|werkzeug\|\|\|2.1.0\|<= CVE-2023-23934\|palletsprojects\|werkzeug\|\|\|2.2.3\|< CVE-2023-25577\|palletsprojects\|werkzeug\|\|\|2.2.3\|< CVE-2023-46136\|palletsprojects\|werkzeug\|\|\|2.3.8\|< CVE-2023-46136\|palletsprojects\|werkzeug\|3.0.0\|=\|\| CVE-2024-34069\|palletsprojects\|werkzeug\|\|\|3.0.3\|< CVE-2024-49766\|palletsprojects\|werkzeug\|\|\|3.0.6\|< CVE-2024-49767\|palletsprojects\|werkzeug\|\|\|3.0.6\|< CVE-2025-66221\|palletsprojects\|werkzeug\|\|\|3.1.4\|< Set the CVE_PRODUCT so it matches the relevant entries. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:54 -08:00
Gyorgy Sarvari	5dd59b03f8	python3-tqdm: set CVE_PRODUCT The only related CVE to this recipe is tracked using tqdm_project:tqdm CPE, so the default python:tqdm CPE doesn't match it. See relevant CVE db query: sqlite> select * from products where PRODUCT like 'tqdm'; CVE-2016-10075\|tqdm_project\|tqdm\|4.4.1\|=\|\| CVE-2016-10075\|tqdm_project\|tqdm\|4.10\|=\|\| Set the CVE_PRODUCT so it can match related CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:54 -08:00
Gyorgy Sarvari	4675c9ddb7	python3-ipython: set CVE_PRODUCT ipython CVEs are tracked using ipython:ipython CPE, so the default python:ipython CVE_PRODUCT doesn't match relevant CPEs. See CVE db query: sqlite> select * from products where PRODUCT like 'ipython'; CVE-2015-4706\|ipython\|ipython\|3.0.0\|=\|\| CVE-2015-4706\|ipython\|ipython\|3.1.0\|=\|\| CVE-2015-4707\|ipython\|ipython\|\|\|3.2.0\|< CVE-2015-5607\|ipython\|ipython\|2.0.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|2.1.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|2.2.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|2.3.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|2.3.1\|=\|\| CVE-2015-5607\|ipython\|ipython\|2.4.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|2.4.1\|=\|\| CVE-2015-5607\|ipython\|ipython\|3.0.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|3.1.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|3.2.0\|=\|\| CVE-2015-5607\|ipython\|ipython\|3.2.1\|=\|\| CVE-2015-5607\|ipython\|ipython\|3.2.2\|=\|\| CVE-2015-5607\|ipython\|ipython\|3.2.3\|=\|\| CVE-2022-21699\|ipython\|ipython\|\|\|5.10.0\|<= CVE-2022-21699\|ipython\|ipython\|6.0.0\|>=\|7.16.3\|< CVE-2022-21699\|ipython\|ipython\|7.17.0\|>=\|7.31.1\|< CVE-2022-21699\|ipython\|ipython\|8.0.0\|>=\|8.0.1\|< CVE-2023-24816\|ipython\|ipython\|\|\|8.10.0\|< Set the CVE_PRODUCT accordingly to match the relevant entries. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:54 -08:00
Gyorgy Sarvari	25b9ae3902	python3-m2crypto: set CVE_PRODUCT NIST currently tracks CVEs under at least 2 different CPEs for this recipe, but neither of them is python:m2crypto (the default CVE_PRODUCT). See CVE db query: sqlite> select * from products where PRODUCT like '%m2crypto%'; CVE-2009-0127\|heikkitoivonen\|m2crypto\|-\|\|\| CVE-2020-25657\|m2crypto_project\|m2crypto\|-\|\|\| CVE-2023-50781\|m2crypto_project\|m2crypto\|-\|\|\| Set the CVE_PRODUCT to match the relevant CPEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:53 -08:00
Gyorgy Sarvari	a89ab32230	python3-twisted: set CVE_PRODUCT The related CVEs are tracked with twisted:twisted CPE, so the default python:twisted CPE doesn't match any entries. See CVE db query: sqlite> select * from products where PRODUCT = 'twisted'; CVE-2014-7143\|twisted\|twisted\|14.0.0\|=\|\| CVE-2016-1000111\|twisted\|twisted\|\|\|16.3.1\|< CVE-2019-12387\|twisted\|twisted\|\|\|19.2.1\|< CVE-2019-12855\|twisted\|twisted\|\|\|19.2.1\|<= CVE-2020-10108\|twisted\|twisted\|\|\|19.10.0\|<= CVE-2020-10109\|twisted\|twisted\|\|\|19.10.0\|<= CVE-2022-21712\|twisted\|twisted\|11.1.0\|>=\|22.1.0\|< CVE-2022-21716\|twisted\|twisted\|21.7.0\|>=\|22.2.0\|< CVE-2022-24801\|twisted\|twisted\|\|\|22.4.0\|< CVE-2022-39348\|twisted\|twisted\|0.9.4\|>=\|22.10.0\|< CVE-2023-46137\|twisted\|twisted\|\|\|22.8.0\|<= CVE-2024-41810\|twisted\|twisted\|\|\|24.3.0\|<= Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:53 -08:00
Gyorgy Sarvari	b96b616553	python3-simplejson: set CVE_PRODUCT There is one relevant CVE tracked using the simplejson_prject:simplejson CPE, and no entries tracked with python:simplejson. See CVE db query: sqlite> select * from products where PRODUCT like '%simplejson%'; CVE-2014-4616\|simplejson_project\|simplejson\|\|\|2.6.1\|< Set the CVE_PRODUCT accordingly Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:53 -08:00
Gyorgy Sarvari	0aa5b9d824	python3-virtualenv: set CVE_PRODUCT There are relevant CVEs tracked under two different CPEs: python:virtualenv (the default in OE), and virtualenv:virtualenv (these were missed). See CVE db query: sqlite> select * from products where PRODUCT = 'virtualenv'; CVE-2011-4617\|python\|virtualenv\|\|\|1.4.9\|<= CVE-2011-4617\|python\|virtualenv\|0.8\|=\|\| CVE-2011-4617\|python\|virtualenv\|0.8.1\|=\|\| CVE-2011-4617\|python\|virtualenv\|0.8.2\|=\|\| CVE-2011-4617\|python\|virtualenv\|0.8.3\|=\|\| CVE-2011-4617\|python\|virtualenv\|0.8.4\|=\|\| CVE-2011-4617\|python\|virtualenv\|0.9\|=\|\| CVE-2011-4617\|python\|virtualenv\|0.9.1\|=\|\| CVE-2011-4617\|python\|virtualenv\|0.9.2\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.0\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.1\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.1.1\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.2\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.3\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.3.1\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.3.2\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.3.3\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.3.4\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.1\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.2\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.3\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.4\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.5\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.6\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.7\|=\|\| CVE-2011-4617\|python\|virtualenv\|1.4.8\|=\|\| CVE-2013-5123\|virtualenv\|virtualenv\|12.0.7\|=\|\| CVE-2024-53899\|virtualenv\|virtualenv\|\|\|20.26.6\|< Set the CVE_PRODUCT so both are matched. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:53 -08:00
Gyorgy Sarvari	c5a7d5765e	python3-httplib2: set CVE_PRODUCT There are no CVEs tracked with python:httplib2 CPE, but there are multiple ones tracked under httplib2_project:hgttplib2 CPE (and they are related to this recipe). See CVE db query: sqlite> select * from products where PRODUCT = 'httplib2'; CVE-2013-2037\|httplib2_project\|httplib2\|\|\|0.7.2\|<= CVE-2013-2037\|httplib2_project\|httplib2\|0.8\|=\|\| CVE-2020-11078\|httplib2_project\|httplib2\|\|\|0.18.0\|< CVE-2021-21240\|httplib2_project\|httplib2\|\|\|0.19.0\|< Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:52 -08:00
Gyorgy Sarvari	a9a8c80550	python3-matplotlib: set CVE_PRODUCT At least one CVE is tracked by debian:matplotlib CPE (and no CVEs are tracked by the defaul python:matplotlib CPE). See CVE db query: sqlite> select * from products where PRODUCT = 'matplotlib'; CVE-2013-1424\|debian\|matplotlib\|0.99.3-1\|>=\|1.4.2-3.1\|< Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:52 -08:00
Gyorgy Sarvari	fc90f2b514	python3-pyrad: set CVE_PRODUCT NIST tracks related CVEs with pyrad_project CPE vendor instead of "python". Set the CVE_PRODUCT to pyrad, so both can be matched. See CVE db query: sqlite> select * from products where PRODUCT = 'pyrad'; CVE-2013-0294\|pyrad_project\|pyrad\|\|\|2.1\|< CVE-2013-0342\|pyrad_project\|pyrad\|\|\|2.1\|< Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:52 -08:00
Gyorgy Sarvari	febab38136	python3-redis: set CVE_PRODUCT Set the correct CVE_PRODUCT for the recipe. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:52 -08:00
Gyorgy Sarvari	34f5d84f85	python3-twitter: set CVE_PRODUCT The product's CPE doesn't use "python" as the vendor, set the CVE_PRODUCT accordingly. See CVE db query: sqlite> select * from products where PRODUCT = 'tweepy'; CVE-2012-5825\|tweepy\|tweepy\|-\|\|\| Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:52 -08:00
Gyorgy Sarvari	49ced80122	python3-sqlalchemy: set CVE_PRODUCT The default python:sqlalchemy CPE fails to match CVEs, because the CVEs are associated with sqlalchemy:sqlalchemy CPE. See CVE db query: sqlite> select * from products where PRODUCT = 'sqlalchemy'; CVE-2012-0805\|sqlalchemy\|sqlalchemy\|\|\|0.7.0\|<= CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.0\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.0_beta1\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.0_beta2\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.0_beta3\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.1\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.2\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.3\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.4\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.5\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.6\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.6.7\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.7.0_b1\|=\|\| CVE-2012-0805\|sqlalchemy\|sqlalchemy\|0.7.0_b2\|=\|\| CVE-2019-7164\|sqlalchemy\|sqlalchemy\|\|\|1.2.17\|<= CVE-2019-7164\|sqlalchemy\|sqlalchemy\|1.3.0_beta1\|=\|\| CVE-2019-7164\|sqlalchemy\|sqlalchemy\|1.3.0_beta2\|=\|\| CVE-2019-7548\|sqlalchemy\|sqlalchemy\|1.2.17\|=\|\| Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:51 -08:00
Gyorgy Sarvari	e22d2a7ba6	python3-paramiko: set CVE_PRODUCT Set correct CVE_PRODUCT for paramiko. The default python:paramiko value doesn't match CVEs, because the product has its own set of CPEs associated with CVEs. See CVE db query: sqlite> select * from products where PRODUCT = 'paramiko'; CVE-2008-0299\|python_software_foundation\|paramiko\|1.7.1\|=\|\| CVE-2018-1000805\|paramiko\|paramiko\|1.17.6\|=\|\| CVE-2018-1000805\|paramiko\|paramiko\|1.18.5\|=\|\| CVE-2018-1000805\|paramiko\|paramiko\|2.0.8\|=\|\| CVE-2018-1000805\|paramiko\|paramiko\|2.1.5\|=\|\| CVE-2018-1000805\|paramiko\|paramiko\|2.2.3\|=\|\| CVE-2018-1000805\|paramiko\|paramiko\|2.3.2\|=\|\| CVE-2018-1000805\|paramiko\|paramiko\|2.4.1\|=\|\| CVE-2018-7750\|paramiko\|paramiko\|\|\|1.17.6\|< CVE-2018-7750\|paramiko\|paramiko\|1.18.0\|>=\|1.18.5\|< CVE-2018-7750\|paramiko\|paramiko\|2.0.0\|>=\|2.0.8\|< CVE-2018-7750\|paramiko\|paramiko\|2.1.0\|>=\|2.1.5\|< CVE-2018-7750\|paramiko\|paramiko\|2.2.0\|>=\|2.2.3\|< CVE-2018-7750\|paramiko\|paramiko\|2.3.0\|>=\|2.3.2\|< CVE-2018-7750\|paramiko\|paramiko\|2.4.0\|=\|\| CVE-2022-24302\|paramiko\|paramiko\|\|\|2.10.1\|< CVE-2023-48795\|paramiko\|paramiko\|\|\|3.4.0\|< Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:51 -08:00
Gyorgy Sarvari	139cc15de3	python3-tornado: set CVE_PRODUCT The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because the project's CPE is "tornadoweb:tornado". See cve db query (docmosis is an irrelevant vendor): sqlite> select * from products where PRODUCT = 'tornado'; CVE-2012-2374\|tornadoweb\|tornado\|\|\|2.2\|<= CVE-2012-2374\|tornadoweb\|tornado\|1.0\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|1.0.1\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|1.1\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|1.1.1\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|1.2\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|1.2.1\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|2.0\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|2.1\|=\|\| CVE-2012-2374\|tornadoweb\|tornado\|2.1.1\|=\|\| CVE-2014-9720\|tornadoweb\|tornado\|\|\|3.2.2\|< CVE-2023-25264\|docmosis\|tornado\|\|\|2.9.5\|< CVE-2023-25265\|docmosis\|tornado\|\|\|2.9.5\|< CVE-2023-25266\|docmosis\|tornado\|\|\|2.9.5\|< CVE-2023-28370\|tornadoweb\|tornado\|\|\|6.3.2\|< CVE-2024-42733\|docmosis\|tornado\|\|\|2.9.7\|<= CVE-2024-52804\|tornadoweb\|tornado\|\|\|6.4.2\|< CVE-2025-47287\|tornadoweb\|tornado\|\|\|6.5.0\|< CVE-2025-67724\|tornadoweb\|tornado\|\|\|6.5.3\|< CVE-2025-67725\|tornadoweb\|tornado\|\|\|6.5.3\|< CVE-2025-67726\|tornadoweb\|tornado\|\|\|6.5.3\|< Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:51 -08:00
Gyorgy Sarvari	96a2496b65	python3-cbor2: set CVE_PRODUCT The default, "python:cbor2" CVE_PRODUCT is not appropriate for this recipe, because most associated CVEs use "agronholm:cbor2" CPE. Set the CVE_PRODUCT to cbor2, so it will match the currently used CPE, and in case there will be future python:cbor2 CPEs also, they will be matched too. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:51 -08:00
Khem Raj	f06f03200d	python3-backports-zstd: Upgrade to 1.3.0 Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:51 -08:00
Liu Yiding	e15758ad1a	python3-fastapi-cli: upgrade 0.0.16 -> 0.0.20 Changelog: https://github.com/fastapi/fastapi-cli/releases/tag/0.0.20 Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:51 -08:00
Wang Mingyu	90ab1ee642	python3-typer: upgrade 0.20.1 -> 0.21.0 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:49 -08:00
Wang Mingyu	3be4495590	python3-pikepdf: upgrade 10.0.3 -> 10.1.0 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:48 -08:00
Wang Mingyu	54691ea40a	python3-marshmallow: upgrade 4.1.1 -> 4.1.2 Changelog: Merge error store messages without rebuilding collections. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:48 -08:00
Wang Mingyu	b7a2d1f770	python3-elementpath: upgrade 5.0.4 -> 5.1.0 License-Update: Copyright year updated to 2025. Changelog: =========== - Drop Python 3.9 compatibility and add Pyton 3.15 support - Improve XPath sequence internal processing with a list derived type xlist - Extensions and fixes for XSD datatypes - Add XSequence datatype for external representation of XPath sequences Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:48 -08:00
Wang Mingyu	c5196a2282	python3-coverage: upgrade 7.13.0 -> 7.13.1 Changelog: ============ - Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. - Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable. - Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105. - Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. - Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step. - Docs: added a section explaining more about what is considered a missing branch and how it is reported: Examples of missing branches, as requested in issue 1597. - Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn't set on 3.14+. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>	2025-12-31 08:28:48 -08:00

1 2 3 4 5 ...

8826 Commits