Hello, I think I have come across some limitations in CVE and OSS handling for internal dependencies.
As a practical example to make this clear, let's take this CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-35945, which doesn't show up in the cve-check report, and the nghttp2 dependency is not listed in the license manifest file. The CVE is applicable to all versions of nghttp2 "Up to (excluding) 1.55.1", which affects an internal dependency of nodejs. The latest openembedded recipes are unaffected, but Kirkstone uses node 16.20.2 and nghttp2 1.47.0, which does seem affected.

Can you confirm that there is currently no way to define CVE_PRODUCT / CVE_VERSION pairs for nested package dependencies? Is this planned at all for the future, or do you have any suggestions here? Otherwise I'll need to consider some kind of workaround, perhaps defining N dummy/empty packages such as "nodejs-nghttp2" so that CVEs are detected and complete manifest license info is generated.

The same issue applies to many large projects such as Qt, which have many nested/static (and at this stage hidden) dependencies.

Thanks a lot in advance,
Steven
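For readers wondering what the "dummy/empty package" workaround mentioned above would look like, here is an added example of such a stub recipe. It is not code from the poster or from the Yocto project; the recipe name `nodejs-nghttp2_1.47.0.bb`, the `SUMMARY` text and the decision to build it as an `allarch` package are assumptions, while `CVE_PRODUCT`, `CVE_VERSION`, `ALLOW_EMPTY` and `LIC_FILES_CHKSUM` are standard OpenEmbedded variables. The stub installs no files; its only job is to give cve-check a product/version pair to match against the NVD feed and to put an nghttp2 entry (with its MIT licence) into the image's license manifest when the stub is pulled into the image.

```bitbake
# nodejs-nghttp2_1.47.0.bb  (hypothetical stub recipe, added example)
#
# Tracks the nghttp2 copy that is built statically into nodejs 16.20.2 on
# Kirkstone. The real code lives inside the nodejs recipe; this recipe only
# carries the CVE and licence metadata for that bundled copy.

SUMMARY = "CVE/licence tracking stub for the nghttp2 bundled in nodejs"
HOMEPAGE = "https://nghttp2.org"
LICENSE = "MIT"
# md5 of the MIT text shipped in meta/files/common-licenses in oe-core
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"

# Version of the bundled library, taken from the nodejs 16.20.2 sources.
# PV comes from the recipe file name (1.47.0); CVE_VERSION follows it so the
# two cannot drift apart when the file is renamed on an upgrade.
CVE_PRODUCT = "nghttp2"
CVE_VERSION = "${PV}"

# No sources, nothing to build: the default do_configure/do_compile/do_install
# tasks from base.bbclass are no-ops and leave ${D} empty.
S = "${WORKDIR}"
inherit allarch

# Emit the (empty) binary package anyway so it can be installed and therefore
# appears in the image's license.manifest.
ALLOW_EMPTY:${PN} = "1"
```

To get the stub into the cve-check report it only has to be in the build (for example listed in `IMAGE_INSTALL`, or added with `RDEPENDS:${PN} += "nodejs-nghttp2"` in a `nodejs_%.bbappend`); to get it into `license.manifest` it must actually be installed into the image, since that manifest lists installed packages only. The obvious maintenance cost, which is the poster's point, is that every bundled library of every large recipe needs its own stub and its own version bump whenever the parent recipe is upgraded.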
View/Reply Online (#63621): https://lists.yoctoproject.org/g/yocto/message/63621