On 24 Jan 2020, at 12:54, Ross Burton <ross.burton@...> wrote:
On 24/01/2020 09:02, Anders Montonen wrote:
Hi,

What's the best way for handling name collisions when using the cve-checker tool? For example, there's a ton of Adobe Flex vulnerabilities that are reported against the Flex lexical analyzer generator tool. Whitelisting the individual CVEs would be one option, but the list is pretty long.
Set CVE_PRODUCT; if you use a colon then you can set the vendor too.
This specific instance is already fixed in oe-core master:
# Not Apache Flex, or Adobe Flex, or IBM Flex.
CVE_PRODUCT = "flex_project:flex"
Thanks (and to Mikko too), that worked, though I’m a bit curious how one would find the proper vendor name, especially for a project like this where there’s no clear company name.
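
An added example (not part of the thread, and not the cve-check code from oe-core) showing why a bare product name collides and how a vendor-qualified CVE_PRODUCT narrows the match. It also lists the vendors recorded for a product name, which is one way to look for the right vendor string. The CPE names are constructed sample data and the function names are hypothetical.

```python
# Added illustration; not the cve-check code from oe-core.
# Constructed CPE 2.3 names: vendor, product and version values are samples.
SAMPLE_CPES = [
    "cpe:2.3:a:adobe:flex:3.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:flex:4.9.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:flex:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:flex_project:flex:2.6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bison:3.0:*:*:*:*:*:*:*",
]


def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    fields = cpe.split(":")  # simple split: assumes no escaped colons
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {cpe!r}")
    return fields[3], fields[4]


def matching_cpes(cve_product, cpes):
    """CPE names selected by a CVE_PRODUCT value.

    Each space-separated entry is "product" (any vendor) or "vendor:product".
    """
    selected = []
    for entry in cve_product.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = None, entry
        for cpe in cpes:
            cpe_vendor, cpe_product = parse_cpe(cpe)
            if cpe_product == product and vendor in (None, cpe_vendor):
                selected.append(cpe)
    return selected


def vendors_for(product, cpes):
    """Distinct vendor names that publish a CPE for this product name."""
    return sorted({v for v, p in map(parse_cpe, cpes) if p == product})


if __name__ == "__main__":
    print("bare name:     ", matching_cpes("flex", SAMPLE_CPES))
    print("vendor-scoped: ", matching_cpes("flex_project:flex", SAMPLE_CPES))
    print("vendors for flex:", vendors_for("flex", SAMPLE_CPES))
```

Run against a real CPE dictionary instead of the sample list, `vendors_for` shows every vendor string in use for a product name, so the right one can be picked by inspecting the matching entries.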