On Mon, 25 Apr 2022, Shengjing Zhu wrote:
> > If you look at package crowdsec, you find no dependency on
> > golang-github-tidwall-gjson in its Built-Using:, but only an entry for
> > golang-github-appleboy-gin-jwt.
> > golang-github-appleboy-gin-jwt for its part depends on
> > golang-github-tidwall-gjson-dev.
> > So wouldn't crowdsec be affected by a CVE in golang-github-tidwall-gjson,
> > which is not detected when using Built-Using: but only by Build-Depends:?
> > At least I got more packages to be rebuilt when using ratt than with
> > Built-Using: ...
>
> This is exactly the case for false positives of Build-Depends.
Ah, ok, do you have an example with a similar dependency chain with
packages not only used for tests and a correct Built-Using: entry?
Otherwise a false positive would be much better than an unfixed package,
wouldn't it?
Thorsten
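The two detection strategies the thread argues about can be compared on constructed control data. The script below is an added illustration, not code from the thread, ratt or Debian tooling: it models the chain described above (crowdsec -> gin-jwt -> gjson) plus a hypothetical `some-tool` that needs gjson only for its test suite, and computes which source packages a direct Built-Using: lookup flags versus a transitive walk over Build-Depends:. All stanzas, versions and the `-dev` binary-to-source mapping are assumptions made for the example.

```python
"""Added example (not from the mailing-list thread): compare Built-Using:
lookup with a transitive Build-Depends: walk when looking for packages
that may embed a vulnerable Go library.

Built-Using: is exact but can be incomplete (false negatives, the
crowdsec case); Build-Depends: catches indirect use but also flags
packages that only use the library in tests (false positives).
All control data below is constructed for illustration."""

import re

# Constructed stanzas: source package -> relevant control fields.
SOURCES = {
    "crowdsec": {
        "Build-Depends": "golang-github-appleboy-gin-jwt-dev (>= 2.6.4)",
        "Built-Using": "golang-github-appleboy-gin-jwt (= 2.6.4-1)",
    },
    "golang-github-appleboy-gin-jwt": {
        "Build-Depends": "golang-github-tidwall-gjson-dev, "
                         "golang-github-stretchr-testify-dev <!nocheck>",
        "Built-Using": "golang-github-tidwall-gjson (= 1.9.3-1)",
    },
    "golang-github-tidwall-gjson": {
        "Build-Depends": "golang-github-tidwall-match-dev",
        "Built-Using": "",
    },
    # Hypothetical package that uses gjson only in its test suite.
    "some-tool": {
        "Build-Depends": "golang-github-tidwall-gjson-dev <!nocheck>",
        "Built-Using": "",
    },
}

# One relation: name, optional version, optional arch list, optional profiles.
DEP_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9+.-]*)\s*(?:\([^)]*\))?\s*(?:\[[^\]]*\])?"
    r"\s*(?P<profiles>(?:<[^>]*>\s*)*)"
)


def parse_deps(field):
    """Return [(package_name, test_only)] for a Build-Depends-like field.
    test_only is True when the relation carries the <!nocheck> profile,
    i.e. it is needed only when the test suite runs."""
    deps = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        m = DEP_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse relation: {item!r}")
        profiles = re.findall(r"<([^>]*)>", m.group("profiles"))
        deps.append((m.group("name"), any("!nocheck" in p for p in profiles)))
    return deps


def source_of(binary):
    """Assumed mapping of the Go packaging convention: the '-dev' binary
    'golang-x-dev' is built from source package 'golang-x'."""
    return binary[:-4] if binary.endswith("-dev") else binary


def affected_by_built_using(sources, vulnerable_src):
    """Sources whose Built-Using: names the vulnerable source directly."""
    return sorted(
        src for src, fields in sources.items()
        if vulnerable_src in {name for name, _ in parse_deps(fields["Built-Using"])}
    )


def affected_by_build_depends(sources, vulnerable_src, skip_test_only=False):
    """Transitive reverse Build-Depends: closure starting at the vulnerable
    source. With skip_test_only=True, relations restricted to <!nocheck>
    are ignored, which removes the test-only false positives."""
    affected = set()
    frontier = {vulnerable_src}
    while frontier:
        newly = set()
        for src, fields in sources.items():
            if src in affected:
                continue
            for dep, test_only in parse_deps(fields["Build-Depends"]):
                if source_of(dep) in frontier and not (skip_test_only and test_only):
                    affected.add(src)
                    newly.add(src)
                    break
        frontier = newly
    return sorted(affected)


def compare(sources, vulnerable_src):
    """Both views side by side, so the gap between them is visible."""
    return {
        "built_using": affected_by_built_using(sources, vulnerable_src),
        "build_depends": affected_by_build_depends(sources, vulnerable_src),
        "build_depends_no_tests": affected_by_build_depends(
            sources, vulnerable_src, skip_test_only=True),
    }


if __name__ == "__main__":
    for view, pkgs in compare(SOURCES, "golang-github-tidwall-gjson").items():
        print(f"{view}: {pkgs}")
```

On this data, Built-Using: reports only gin-jwt and misses crowdsec, which statically links gin-jwt and therefore gjson; the plain Build-Depends: walk finds crowdsec but also `some-tool`, whose only use of gjson is in tests. Dropping `<!nocheck>` relations is one way to trim that class of false positive while keeping the indirect consumer, which is the trade-off the thread is weighing.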