The metadata.xml of dev-libs/libp11 has the following lines:

  <upstream>
    <remote-id type="cpe">cpe:/a:opensc-project:opensc</remote-id>
    <remote-id type="github">opensc/libp11</remote-id>
    <remote-id type="sourceforge">opensc</remote-id>
  </upstream>

We at the ChromiumOS dev team use the cpe string to automatically match the CVEs reported with the packages that are affected. I think here "cpe:/a:opensc-project:opensc" should be "cpe:/a:opensc-project:libp11". The current cpe string has caused our robot to keep filing CVE bugs related to the opensc projects against the stable libp11 packages. I think that is a mistake worth fixing upstream. Thank you!
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=945d0d0b02eb5a3648e239aaba4bbd21db1ee212

commit 945d0d0b02eb5a3648e239aaba4bbd21db1ee212
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-15 04:47:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-15 05:02:34 +0000

    dev-libs/libp11: fix cpe

    Closes: https://bugs.gentoo.org/894428
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libp11/metadata.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
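
The mismatch described in this report, as an added example (not the ChromiumOS tooling or Gentoo's own code): it matches advisories to a package on the CPE part, vendor and product, and shows how the old remote-id pulls in opensc advisories while the proposed one does not. The feed, its CVE-EXAMPLE ids, the version fields and the product/repository-name heuristic are assumptions constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# <upstream> block as quoted in the report, wrapped in a root element.
BEFORE = """<pkgmetadata><upstream>
<remote-id type="cpe">cpe:/a:opensc-project:opensc</remote-id>
<remote-id type="github">opensc/libp11</remote-id>
<remote-id type="sourceforge">opensc</remote-id>
</upstream></pkgmetadata>"""
# The same block with the value the reporter proposes.
AFTER = BEFORE.replace("opensc-project:opensc", "opensc-project:libp11")

# Constructed feed: placeholder ids -> CPE 2.2 URIs each advisory lists.
FEED = {
    "CVE-EXAMPLE-A": ["cpe:/a:opensc-project:opensc:0.1"],
    "CVE-EXAMPLE-B": ["cpe:/a:opensc-project:libp11:0.1"],
    "CVE-EXAMPLE-C": ["cpe:/a:opensc-project:opensc_extra"],
}

def cpe_key(uri):
    """Return (part, vendor, product) of a CPE 2.2 URI, lower-cased."""
    uri = uri.strip()
    fields = uri.removeprefix("cpe:/").split(":")
    if not uri.startswith("cpe:/") or len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"not a usable CPE 2.2 URI: {uri!r}")
    return tuple(f.lower() for f in fields[:3])

def remote_ids(metadata_xml, kind):
    """Text of every <upstream>/<remote-id> of the given type."""
    root = ET.fromstring(metadata_xml)
    path = f"./upstream/remote-id[@type='{kind}']"
    return [e.text.strip() for e in root.iterfind(path) if e.text]

def matching_cves(metadata_xml, feed):
    """Advisories whose CPE equals the package's on part, vendor and product.
    Whole fields are compared, so 'opensc' does not match 'opensc_extra'."""
    keys = {cpe_key(u) for u in remote_ids(metadata_xml, "cpe")}
    return sorted(c for c, uris in feed.items()
                  if any(cpe_key(u) in keys for u in uris))

def product_mismatches(metadata_xml):
    """Heuristic (an assumption of this example): CPE products that differ
    from every GitHub repository name declared for the package."""
    repos = {r.rsplit("/", 1)[-1].lower()
             for r in remote_ids(metadata_xml, "github")}
    products = [cpe_key(u)[2] for u in remote_ids(metadata_xml, "cpe")]
    return [p for p in products if repos and p not in repos]

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER)):
        print(label, matching_cves(xml, FEED), product_mismatches(xml))
```

A product that differs from the repository name is only a prompt for manual review, since many packages legitimately carry a CPE product unlike their repository name.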