On Wed, Jul 31, 2024 at 10:03 AM Steven Dorigotti via lists.yoctoproject.org <sdorigotti=gmail....@lists.yoctoproject.org> wrote:
> Hello,
>
> I think I have come across some limitations in CVE and OSS handling for internal dependencies.
>
> As a practical example to make this clear, let’s take this CVE:
> https://nvd.nist.gov/vuln/detail/CVE-2023-35945
>
> which doesn’t show up in the cve-check report, and the nghttp2 dependency is not listed in the license manifest file.
>
> The CVE is applicable to all versions of nghttp2 “Up to (excluding) 1.55.1” which affects an internal dependency of nodejs. The latest openembedded recipes are unaffected but Kirkstone uses node 16.20.2 and nghttp2 1.47.0 which does seem affected.
>
> Can you confirm that there is currently no way to define CVE_PRODUCT / CVE_VERSION pairs for nested package dependencies? Is this planned at all for the future or do you have any suggestions here?
>
> Otherwise I’ll need to consider some kind of workaround, perhaps defining N dummy/empty packages such as “nodejs-nghttp2” so that CVEs are detected and complete manifest license info is generated.
>
> The same issue applies to many large projects such as Qt, which have many nested/static (and at this stage hidden) dependencies.
>
> Thanks a lot in advance,

Hello Steven,

I can't find an envoy recipe in the database, so the response needs to be generic.

If nghttp2 is a normal dependency (dependency to a different recipe), this will work just fine. The CVE entry for this vuln has nghttp2 well marked.

However, if the nghttp2 code is just copied in, without a trace in the OE build system, then it's another story.

Kind regards,
Marta
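The placeholder-recipe workaround Steven sketches above, written out as an added example for the "code is just copied in" case Marta distinguishes. This is not code from the thread or from the Yocto project; it only shows how a source-less recipe can carry the CVE_PRODUCT / CVE_VERSION pair for a vendored copy of nghttp2 so that cve-check and the license manifest see it. The recipe name (nodejs-nghttp2), the nghttp2 version 1.47.0 and the nodejs version 16.20.2 come from the thread; the file paths, the MIT license assumption and its checksum are assumptions for illustration.

```bitbake
# recipes-support/nodejs-nghttp2/nodejs-nghttp2_1.47.0.bb
# Added example, not from the thread: a source-less placeholder recipe that
# represents the nghttp2 copy bundled inside nodejs 16.20.2 (Kirkstone), so
# that cve-check matches CVE-2023-35945 against it and the package shows up
# in the license manifest. Paths, LICENSE and checksum are assumptions.
SUMMARY = "Placeholder for the nghttp2 sources vendored into nodejs"
# Assumption: nghttp2 is MIT-licensed; the md5 is the one poky ships for
# its common MIT license text.
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"

# Nothing is fetched or compiled; the recipe exists only to carry metadata.
SRC_URI = ""
inherit allarch

# cve-check matches NVD entries on these two values, not on the recipe name.
# CVE_VERSION defaults to PV, but stating it makes the vendored version explicit.
CVE_PRODUCT = "nghttp2"
CVE_VERSION = "1.47.0"

# Produce an empty package so it can be installed into the image and therefore
# appears in the image's license manifest next to nodejs.
ALLOW_EMPTY:${PN} = "1"

# recipes-devtools/nodejs/nodejs_%.bbappend (assumed path)
# Pull the placeholder in wherever nodejs is installed, so the manifest entry
# follows the component that actually contains the vendored code.
RDEPENDS:${PN} += "nodejs-nghttp2"
```

The placeholder's version is not tied to the nodejs recipe by the build system, so it has to be bumped by hand whenever nodejs (and the nghttp2 copy inside it) is upgraded; otherwise cve-check will keep reporting against a version that is no longer shipped.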
View/Reply Online (#63626): https://lists.yoctoproject.org/g/yocto/message/63626