On Wed, Jul 31, 2024 at 1:28 PM Peter Marko via lists.yoctoproject.org
wrote:
>
> -Original Message-
> From: Steven Dorigotti
> Sent: Wednesday, July 31, 2024 13:20
> To: Marko, Peter (ADV D EU SK BFS1)
> Cc: yocto@lists.yoctoproject.org
> Subject: Re: [yocto] CVEs and OSS info for nested dependencies
>
> On 31 Jul 2024, at 10:21, Marko, Peter wrote:
Hello Peter,
> This topic comes up from time to time.
It’s nice to get confirmation; I was unable to find any traces of the issue.
> There was already a patch proposed for this:
> https://lists.openembedded.org/g/openembedded-core/topic/10199126
> On 31 Jul 2024, at 10:56, Marta Rybczynska wrote:
> If nghttp2 is a normal dependency (dependency to a different recipe), this
> will work just fine. The CVE entry for this vuln has nghttp2 well marked.
> However, if the nghttp2 code is just copied in, without a trace in the OE
> build system
On Wed, Jul 31, 2024 at 10:03 AM Steven Dorigotti via lists.yoctoproject.org
wrote:
> Sent: Wednesday, July 31, 2024 10:03
> To: yocto@lists.yoctoproject.org
> Subject: [yocto] CVEs and OSS info for nested dependencies
>
> Hello,
>
> I think I have come across some limitations in CVE and OSS handling for
> internal dependencies.
>
> As a practical example to make this clear, let’s take this CVE:
> https://nvd.nist.gov/vuln/detail/CVE-2023-35945
> which doesn’t show up in the cve-check report, and the nghttp2 dependency is
> not