From 71fafac324f23f62db6709c0998562e8f07f2361 Mon Sep 17 00:00:00 2001 From: Paul Eggleton Date: Thu, 21 Apr 2022 18:40:37 -0700 Subject: ref-manual: add mention of vendor filtering to CVE_PRODUCT Mention the vendor filtering functionality - prompted by OE-Core revision 45d1a0bea0c628f84a00d641a4d323491988106f. (From yocto-docs rev: 13ff5a49f14a26772b4775d9ecd08627e6becd4d) Signed-off-by: Paul Eggleton Signed-off-by: Richard Purdie --- documentation/ref-manual/variables.rst | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'documentation') diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 47ea316395..4e90f03ca3 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -1485,6 +1485,13 @@ system and gives an overview of their function and contents. CVE_PRODUCT = "oracle_berkeley_db berkeley_db" + Sometimes the product name is not specific enough, for example + "tar" has been matching CVEs for the GNU ``tar`` package and also + the ``node-tar`` node.js extension. To avoid this problem, use the + vendor name as a prefix. The syntax for this is:: + + CVE_PRODUCT = "vendor:package" + :term:`CVSDIR` The directory in which files checked out under the CVS system are stored. -- cgit v1.2.3-54-g00ecf
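Review bot: The added paragraph ends with the placeholder `CVE_PRODUCT = "vendor:package"` but never says where the vendor string comes from, and it does not show the value for the tar case it has just described, so a reader cannot tell which spelling of the vendor will actually match. Suggest stating that the prefix must equal the vendor name recorded in the CVE data the check matches against, and following the placeholder with the concrete assignment for GNU ``tar``. It would also help to say whether a vendor-prefixed entry can be combined with other names in a space-separated list, as in the `"oracle_berkeley_db berkeley_db"` example in the context line just above. Minor: "has been matching" reads like a changelog entry, where present tense ("matches") fits a reference manual better, and "node.js" is normally written "Node.js".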