Hi,

On Tue, Apr 26, 2022 at 6:30 AM Thorsten Alteholz <deb...@alteholz.de> wrote:
> On Mon, 25 Apr 2022, Shengjing Zhu wrote:
> >> If you look at package crowdsec, you find no dependency on
> >> golang-github-tidwall-gjson in its Built-Using:, but only an entry for
> >> golang-github-appleboy-gin-jwt.
> >>
> >> golang-github-appleboy-gin-jwt for its part depends on
> >> golang-github-tidwall-gjson-dev.
> >>
> >> So wouldn't crowdsec be affected by a CVE in golang-github-tidwall-gjson,
> >> which is not detected when using Built-Using: but only by Build-Depends:?
> >>
> >> At least I got more packages to be rebuilt when using ratt than with
> >> Built-Using: ...
> >
> > This is exactly the case for false positives of Build-Depends.
>
> Ah, ok, do you have an example with a similar dependency chain with
> packages not only used for tests and a correct Built-Using: entry?
>
> Otherwise a false positive would be much better than an unfixed package,
> wouldn't it?
We can still take the crowdsec and golang-github-appleboy-gin-jwt examples.
golang-github-appleboy-gin-jwt-dev Depends on golang-github-dgrijalva-jwt-go-dev,
but crowdsec doesn't Build-Depend on golang-github-dgrijalva-jwt-go-dev.
However, golang-github-dgrijalva-jwt-go is in crowdsec's Built-Using.

--
Shengjing Zhu
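The two ways of finding packages to rebuild that the thread compares, as an added example that is not part of the original mails: it parses constructed control-style records (placeholder versions, and a simplifying assumption that a golang-*-dev binary comes from the source package of the same name minus "-dev") and shows that a transitive Build-Depends walk flags crowdsec for a gjson issue while Built-Using does not, whereas both agree on dgrijalva-jwt-go.

```python
import re

# Constructed sample records, not real archive data: one statically linked Go
# program and the -dev library packages it pulls in (versions are placeholders).
SOURCES = {
    "crowdsec": {
        "Build-Depends": "debhelper-compat (= 13), dh-golang, "
                         "golang-github-appleboy-gin-jwt-dev",
        "Built-Using": "golang-github-appleboy-gin-jwt (= 0.0.0-1), "
                       "golang-github-dgrijalva-jwt-go (= 0.0.0-1)",
    },
}
# Depends of the -dev binaries; gjson is assumed here to be used only by gin-jwt's tests.
DEV_DEPENDS = {
    "golang-github-appleboy-gin-jwt-dev": "golang-github-dgrijalva-jwt-go-dev, "
                                          "golang-github-tidwall-gjson-dev",
    "golang-github-dgrijalva-jwt-go-dev": "",
    "golang-github-tidwall-gjson-dev": "",
}

def parse_field(value):
    """Split a comma-separated relation field into bare package names,
    dropping version restrictions, architecture lists and build profiles."""
    return {re.sub(r"\s*[\(\[<].*$", "", item.strip()).split()[0]
            for item in value.split(",") if item.strip()}

def dev_to_source(pkg):
    # Simplifying assumption: golang-*-dev binaries come from source minus "-dev".
    return pkg[:-4] if pkg.endswith("-dev") else pkg

def built_using_rebuilds(cve_source):
    """Sources to rebuild when judged by their Built-Using field."""
    return {src for src, f in SOURCES.items()
            if cve_source in parse_field(f["Built-Using"])}

def build_depends_rebuilds(cve_source):
    """Sources to rebuild when judged by a transitive Build-Depends walk."""
    hits = set()
    for src, f in SOURCES.items():
        todo, seen = list(parse_field(f["Build-Depends"])), set()
        while todo:                      # breadth over the -dev dependency graph
            dep = todo.pop()
            if dep in seen:
                continue
            seen.add(dep)
            todo.extend(parse_field(DEV_DEPENDS.get(dep, "")))
        if cve_source in {dev_to_source(d) for d in seen}:
            hits.add(src)
    return hits
```

On this data the Build-Depends walk reports crowdsec for golang-github-tidwall-gjson even though nothing from it was linked in, which is the kind of false positive the thread discusses.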