> -----Original Message-----
> From: Steven Dorigotti <sdorigo...@gmail.com>
> Sent: Wednesday, July 31, 2024 13:20
> To: Marko, Peter (ADV D EU SK BFS1) <peter.ma...@siemens.com>
> Cc: yocto@lists.yoctoproject.org
> Subject: Re: [yocto] CVEs and OSS info for nested dependencies
>
> > On 31 Jul 2024, at 10:21, Marko, Peter <peter.ma...@siemens.com> wrote:
>
> Hello Peter,
>
> > This topic comes up from time to time.
>
> It's nice to get confirmation, I was unable to find any traces of the issue.
>
> > There was already a patch proposed for this:
> > https://lists.openembedded.org/g/openembedded-core/topic/101991269#msg189260
> > https://lists.openembedded.org/g/openembedded-core/topic/102076964#msg189501
>
> > Maybe it wouldn't be that difficult to finish it, but it's possible that it needs
> > to get a bit broader to also update generated spdx
> > as there is ongoing activity to separate cve-check into offline tool processing
> > the spdx file.
>
> This does seem like a good start on the CVE reporting side.
>
> Whereas for SPDX, perhaps the "dummy dependency package" (e.g. nodejs-nghttp2) approach may be the simplest alternative even though it requires manual copying of license info/files and some extra maintenance overhead.
> How does this sound to you?
I don't think that dummy dependencies are a good solution. They will be forgotten to be updated, and for recipes like node there will be maybe hundreds of them (e.g. see how long any rust recipe is, and that would be split into that many files). Having a variable which defines all vendored components in some form (e.g. "type,name,version,cpe") looks much better.

>
> Thanks a lot for the sync,
> Steven
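As an added illustration of the "one variable listing vendored components" approach (example code, not from this thread or from OE-core's cve-check), a parser for a hypothetical VENDORED_COMPONENTS variable in the "type,name,version,cpe" form proposed above, expanded into vendor:product records and matched against constructed advisory data. The variable name, the sample entries, the placeholder CVE ids and the fixed-in versions are all assumptions.

```python
"""Parse a hypothetical VENDORED_COMPONENTS variable ("type,name,version,cpe" entries) and check it against advisories."""
from dataclasses import dataclass
import re

# Constructed sample value of a hypothetical recipe variable (not a real OE-core
# variable); component names, versions and CPEs are illustrative only.
VENDORED_COMPONENTS = """
    lib,nghttp2,1.57.0,cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*
    lib,zlib,1.3.1,cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
    crate,serde,1.0.197,
"""

@dataclass(frozen=True)
class Component:
    kind: str
    name: str
    version: str
    vendor: str
    product: str

def parse_components(value: str) -> list[Component]:
    """Split whitespace-separated entries; the cpe field may be empty."""
    comps = []
    for raw in value.split():
        kind, name, version, cpe = (raw.split(",", 3) + [""] * 4)[:4]
        if not (kind and name and version):
            raise ValueError(f"malformed entry: {raw!r}")
        # vendor:product from the CPE 2.3 string when present, else name:name
        m = re.match(r"cpe:2\.3:[aho]:([^:]+):([^:]+):", cpe)
        vendor, product = (m.group(1), m.group(2)) if m else (name, name)
        comps.append(Component(kind, name, version, vendor, product))
    return comps

def _vtuple(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v))

# Constructed advisory records: (placeholder CVE id, vendor, product, fixed-in version)
ADVISORIES = [
    ("CVE-XXXX-0001", "nghttp2", "nghttp2", "1.58.0"),
    ("CVE-XXXX-0002", "zlib", "zlib", "1.3.0"),
]

def affected(comps: list[Component], advisories) -> list[tuple[str, str, str]]:
    """Report (cve, name, version) for components older than the fixed-in version."""
    hits = []
    for cve, vendor, product, fixed in advisories:
        for c in comps:
            if (c.vendor, c.product) == (vendor, product) and _vtuple(c.version) < _vtuple(fixed):
                hits.append((cve, c.name, c.version))
    return hits
```

The same records could feed both cve-check style product matching and an SPDX package list, which is the point of keeping one source of truth per recipe.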