> On 31 Jul 2024, at 10:56, Marta Rybczynska <rybczyn...@gmail.com> wrote:
> If nghttp2 is a normal dependency (dependency to a different recipe), this
> will work just fine. The CVE entry for this vuln has nghttp2 well marked.
> However, if the nghttp2 code is just copied in, without a trace in the OE
> build system, then it's another story
Yes, this is the case because nodejs is the only explicit dependency in my image, and the only references to nghttp2 are related to shared library compile flags - otherwise it's internal/static and I get no CVE/OSS reporting. I have also found several other cases in which there is no shared library alternative at all.

Many thanks,
Steven
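The gap Steven describes is that OE's cve-check only knows what the recipe metadata declares (CVE_PRODUCT plus the recipe version), so a library that nodejs builds in statically from its own deps/ directory never shows up in the report. One defensive first step is to inventory such bundled copies directly from the source tree by locating each library's version header. The script below is an added example written for this thread, not code from the list, Yocto or nodejs; the marker table (nghttp2 recording its version in nghttp2ver.h, zlib in zlib.h) and the sample tree with made-up version numbers are assumptions, and the table can be extended to the other statically built libraries Steven mentions.

```python
"""Inventory library copies vendored into a source tree (e.g. nodejs's deps/)
that a recipe-level CVE check cannot see, by locating each library's version
header. Added example; the marker table is an assumption and can be extended."""
import re
import tempfile
from pathlib import Path

# product -> (header file name, regex capturing the version string).
# nghttp2 records its version in nghttp2ver.h, zlib in zlib.h (assumed markers).
MARKERS = {
    "nghttp2": ("nghttp2ver.h",
                re.compile(r'^\s*#\s*define\s+NGHTTP2_VERSION\s+"([^"]+)"', re.M)),
    "zlib": ("zlib.h",
             re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', re.M)),
}


def find_vendored(source_root):
    """Return [{'product', 'version', 'path'}] for every marker header found
    under source_root whose version macro matches, sorted by path."""
    root = Path(source_root)
    found = []
    for product, (header, pattern) in MARKERS.items():
        for path in root.rglob(header):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            m = pattern.search(text)
            if m:
                found.append({
                    "product": product,
                    "version": m.group(1),
                    "path": path.parent.relative_to(root).as_posix(),
                })
    return sorted(found, key=lambda e: e["path"])


def report(found, recipe):
    """Lines a maintainer can compare against the recipe's CVE_PRODUCT:
    everything listed is linked into the recipe's output but is not a
    dependency the build system (and hence cve-check) knows about."""
    noun = "library" if len(found) == 1 else "libraries"
    lines = [f"{recipe}: {len(found)} vendored {noun} not visible to cve-check"]
    for e in found:
        lines.append(f"  {e['product']} {e['version']} at {e['path']}")
    return lines


def build_sample_tree():
    """Constructed stand-in for a nodejs source tree; the version strings are
    made up for the example and are not taken from any real release."""
    root = Path(tempfile.mkdtemp())
    h = root / "deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h"
    h.parent.mkdir(parents=True)
    h.write_text('#define NGHTTP2_VERSION "1.61.0"\n'
                 '#define NGHTTP2_VERSION_NUM 0x013d00\n')
    z = root / "deps/zlib/zlib.h"
    z.parent.mkdir(parents=True)
    z.write_text('#define ZLIB_VERSION "1.3.1"\n')
    # An unrelated header that must not match any marker.
    c = root / "src/config.h"
    c.parent.mkdir(parents=True)
    c.write_text("#define NODE_WANT_INTERNALS 1\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    print("\n".join(report(find_vendored(tree), "nodejs")))
```

Run it against the unpacked nodejs source (the recipe's S directory) instead of the constructed tree to get the real list. Note that simply appending the bundled product to the nodejs recipe's CVE_PRODUCT is not enough on its own, since cve-check would then match nghttp2 CVEs against the nodejs version rather than the bundled nghttp2 version; the inventory is what lets you check the bundled version separately.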
View/Reply Online (#63628): https://lists.yoctoproject.org/g/yocto/message/63628