On Wed, Jul 31, 2024 at 1:28 PM Peter Marko via lists.yoctoproject.org <peter.marko=siemens....@lists.yoctoproject.org> wrote:
> > -----Original Message-----
> > From: Steven Dorigotti <sdorigo...@gmail.com>
> > Sent: Wednesday, July 31, 2024 13:20
> > To: Marko, Peter (ADV D EU SK BFS1) <peter.ma...@siemens.com>
> > Cc: yocto@lists.yoctoproject.org
> > Subject: Re: [yocto] CVEs and OSS info for nested dependencies
> >
> > > On 31 Jul 2024, at 10:21, Marko, Peter <peter.ma...@siemens.com> wrote:
> >
> > Hello Peter,
> >
> > > This topic comes up from time to time.
> >
> > It’s nice to get confirmation, I was unable to find any traces of the issue.
> >
> > > There was already a patch proposed for this:
> > > https://lists.openembedded.org/g/openembedded-core/topic/101991269#msg189260
> > > https://lists.openembedded.org/g/openembedded-core/topic/102076964#msg189501
> > >
> > > Maybe it wouldn't be that difficult to finish it, but it's possible that it needs to get a bit broader to also update generated spdx
> > > as there is ongoing activity to separate cve-check into offline tool processing the spdx file.
> >
> > This does seem like a good start on the CVE reporting side.
> >
> > Whereas for SPDX, perhaps the “dummy dependency package” (e.g. nodejs-nghttp2) approach may be the simplest alternative even though it requires manual copying of license info/files and some extra maintenance overhead.
> > How does this sound to you?
>
> I don't think that dummy dependencies are a good solution.
> They will be forgotten to update and for recipes like node there will be maybe hundreds of them.
> (e.g. see any rust recipe how long they are, and that would be split to that many files)
> Having a variable which defines all vendored components in some form (e.g. "type,name,version,cpe") looks much better.
>

Some form of metadata without having to do a dummy recipe would be good. It would need to include the recipe name plus version (to re-use CPEs if they exist already) or a complete vendor/product/version if a new one.
This is likely a little more complex for SPDX, because you should likely say which file in the source is from which package.

This being said, with the external tooling it is also possible to generate the appropriate JSON. Merging the package list is not supported for now, but it is an easy thing to do.

Kind regards,
Marta
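As a concrete illustration of the two ideas in this thread, a per-recipe variable listing vendored components in a "type,name,version,cpe" form and the merge of those components into a package list that an offline SPDX/CVE tool could consume, here is an added example written for this page. It is not code from oe-core's cve-check or create-spdx classes. The variable name VENDORED_COMPONENTS, the entry layout "type,name,version[,cpe]", the SPDXID naming scheme and every version number in the sample are assumptions made for the example; the SPDX JSON fields used (externalRefs with referenceType cpe23Type, CONTAINS relationships) are the standard SPDX 2.x ones.

```python
import json
import re
from dataclasses import dataclass

# Assumed format (hypothetical, not an oe-core variable): whitespace-separated
# entries "type,name,version[,cpe]". When the 4th field is absent the CPE is
# derived with vendor == product, which a maintainer must override for products
# whose NVD vendor string differs from the product name.
CPE23_RE = re.compile(r"^cpe:2\.3:[aho](?::[^:]+){10}$")


@dataclass(frozen=True)
class VendoredComponent:
    kind: str      # e.g. "c", "rust-crate", "npm"; free-form in this example
    name: str
    version: str
    cpe: str       # full CPE 2.3 formatted string


def parse_vendored(value: str, recipe: str) -> list:
    """Parse one recipe's hypothetical VENDORED_COMPONENTS value."""
    comps = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) not in (3, 4) or not all(fields[:3]):
            raise ValueError(f"{recipe}: malformed entry {entry!r}")
        kind, name, version = fields[:3]
        if len(fields) == 4 and fields[3]:
            cpe = fields[3]
        else:
            cpe = f"cpe:2.3:a:{name}:{name}:{version}:*:*:*:*:*:*:*"
        if not CPE23_RE.match(cpe):
            raise ValueError(f"{recipe}: bad CPE {cpe!r} in {entry!r}")
        comps.append(VendoredComponent(kind, name, version, cpe))
    return comps


def cve_products(comps) -> list:
    """(vendor, product, version) triples a cve-check style tool would match
    against the NVD feed, taken from the CPE rather than the bare name."""
    out = []
    for c in comps:
        parts = c.cpe.split(":")
        out.append((parts[3], parts[4], parts[5]))
    return out


def merge_into_spdx(doc: dict, recipe_spdxid: str, comps) -> dict:
    """Add one SPDX package per vendored component to an SPDX 2.x JSON document
    and record that the recipe package CONTAINS it. Idempotent on the cpe23Type
    locator, so re-running over an already merged document adds nothing."""
    packages = doc.setdefault("packages", [])
    relationships = doc.setdefault("relationships", [])
    existing = {
        ref["referenceLocator"]
        for pkg in packages
        for ref in pkg.get("externalRefs", [])
        if ref.get("referenceType") == "cpe23Type"
    }
    for c in comps:
        if c.cpe in existing:
            continue
        # SPDX identifiers may only contain letters, digits, "." and "-"
        spdxid = re.sub(r"[^A-Za-z0-9.-]", "-",
                        f"{recipe_spdxid}-vendored-{c.name}-{c.version}")
        packages.append({
            "SPDXID": spdxid,
            "name": c.name,
            "versionInfo": c.version,
            "downloadLocation": "NOASSERTION",  # bundled in the recipe's source
            "externalRefs": [{
                "referenceCategory": "SECURITY",
                "referenceType": "cpe23Type",
                "referenceLocator": c.cpe,
            }],
        })
        relationships.append({
            "spdxElementId": recipe_spdxid,
            "relationshipType": "CONTAINS",
            "relatedSpdxElement": spdxid,
        })
        existing.add(c.cpe)
    return doc


# Constructed sample: a recipe bundling two C libraries. The versions are made
# up for the example and are not a claim about any real nodejs release.
SAMPLE_VENDORED = (
    "c,nghttp2,1.58.0,cpe:2.3:a:nghttp2:nghttp2:1.58.0:*:*:*:*:*:*:*\n"
    "c,brotli,1.0.9\n"   # no explicit CPE -> derived as brotli:brotli
)
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "packages": [{"SPDXID": "SPDXRef-nodejs", "name": "nodejs",
                  "versionInfo": "20.0.0"}],
    "relationships": [],
}

if __name__ == "__main__":
    comps = parse_vendored(SAMPLE_VENDORED, "nodejs")
    print(cve_products(comps))
    merged = merge_into_spdx(SAMPLE_DOC, "SPDXRef-nodejs", comps)
    merged = merge_into_spdx(merged, "SPDXRef-nodejs", comps)  # no-op second pass
    print(json.dumps(merged, indent=2))
```

The point of keeping the CPE in the entry (or deriving it deterministically) is that the CVE side and the SPDX side consume the same locator, so a fix to the vendor string in one place corrects both reports; the idempotence check on the locator is what makes merging into an already generated document safe.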
Links: You receive all messages sent to this group.
View/Reply Online (#63632): https://lists.yoctoproject.org/g/yocto/message/63632
Mute This Topic: https://lists.yoctoproject.org/mt/107642720/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com]