This topic comes up from time to time.
There was already a patch proposed for this:
https://lists.openembedded.org/g/openembedded-core/topic/101991269#msg189260
https://lists.openembedded.org/g/openembedded-core/topic/102076964#msg189501

Maybe it wouldn't be that difficult to finish it, but it's possible that it 
needs to get a bit broader to also update generated spdx
as there is ongoing activity to separate cve-check into offline tool processing 
the spdx file.

Peter

> From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf 
> Of Steven Dorigotti via lists.yoctoproject.org
> Sent: Wednesday, July 31, 2024 10:03
> To: yocto@lists.yoctoproject.org
> Subject: [yocto] CVEs and OSS info for nested dependencies
>
> Hello,
>
> I think I have come across some limitations in CVE and OSS handling for 
> internal dependencies.
>
> As a practical example to make this clear, let’s take this CVE:
> https://nvd.nist.gov/vuln/detail/CVE-2023-35945
>
> which doesn’t show up in the cve-check report, and the nghttp2 dependency is 
> not listed in the license manifest file.
>
> The CVE is applicable to all versions of nghttp2 “Up to (excluding) 1.55.1” 
> which affects an internal dependency of nodejs. The latest openembedded 
> recipes are unaffected but Kirkstone uses node 16.20.2 and nghttp2 1.47.0 
> which does seem affected.
>
> Can you confirm that there is currently no way to define CVE_PRODUCT / 
> CVE_VERSION pairs for nested package dependencies? Is this planned at all for 
> the future or do you have any suggestions here?
>
> Otherwise I’ll need to consider some kind of workaround, perhaps defining N 
> dummy/empty packages such as “nodejs-nghttp2” so that CVEs are detected and 
> complete manifest license info is generated.
>
> The same issue applies to many large projects such as Qt, which have many 
> nested/static (and at this stage hidden) dependencies.
>
> Thanks a lot in advance,
>
> Steven
>
> 
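To make the gap Steven describes concrete, here is an added example (not code from this thread, from cve-check, or from OE-core) that models, in a few dozen lines of Python, how a per-recipe CVE match works: each recipe contributes only its own product/version pair, so a CVE filed against a library bundled inside the recipe is never compared against the bundled version. The NVD range for CVE-2023-35945 (nghttp2 up to, excluding, 1.55.1) and the Kirkstone versions (nodejs 16.20.2 bundling nghttp2 1.47.0) come from the message above; the recipe and NVD data structures, the names `KIRKSTONE_RECIPES` and `WITH_NESTED_ENTRY`, and the "nodejs-nghttp2" placeholder recipe are constructed for the illustration and are not real OE metadata.

```python
"""Model of a recipe-level CVE match missing a vulnerable bundled dependency.

Added example; not cve-check's own code. The version comparison and the
"up to (excluding)" range are a simplified model of how NVD CPE ranges are
applied, constructed for this illustration.
"""
import re
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.47.0' into (1, 47, 0). A component like '1a' keeps its
    leading digits; a component without digits counts as 0."""
    out = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def _lt(a, b):
    """Compare two version tuples after padding them to equal length,
    so that (1, 55) and (1, 55, 0) are treated as the same version."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return a < b


@dataclass(frozen=True)
class CveRange:
    """One NVD 'Up to (excluding) X' range for a single product name."""
    cve_id: str
    product: str
    end_excluding: str

    def affects(self, product, version):
        if product != self.product:
            return False
        return _lt(parse_version(version), parse_version(self.end_excluding))


# Constructed: the only CVE record used here, taken from the thread.
NVD = [CveRange("CVE-2023-35945", "nghttp2", "1.55.1")]

# Constructed: what a recipe-level check sees for the Kirkstone nodejs recipe.
# CVE_PRODUCT / CVE_VERSION describe the recipe itself, not what it bundles.
KIRKSTONE_RECIPES = {
    "nodejs": [("nodejs", "16.20.2")],
}

# Constructed: the same recipe plus a placeholder entry carrying the bundled
# nghttp2's product/version pair, i.e. the dummy-package workaround from the
# message above. The recipe name "nodejs-nghttp2" is hypothetical.
WITH_NESTED_ENTRY = {
    "nodejs": [("nodejs", "16.20.2")],
    "nodejs-nghttp2": [("nghttp2", "1.47.0")],
}


def report(recipes, nvd=NVD):
    """Return {recipe: [cve ids]} for every product/version pair that falls
    inside a known range. Recipes with no hits are absent from the result."""
    hits = {}
    for recipe, pairs in recipes.items():
        for product, version in pairs:
            for rng in nvd:
                if rng.affects(product, version):
                    hits.setdefault(recipe, []).append(rng.cve_id)
    return hits


if __name__ == "__main__":
    # Recipe-only view: nothing, because no pair names nghttp2.
    print("recipe-only view:", report(KIRKSTONE_RECIPES))
    # With the nested entry the bundled 1.47.0 falls inside the range.
    print("with nested entry:", report(WITH_NESTED_ENTRY))
```

The point the model makes is that the match is keyed on the product name attached to a recipe, so the fix is either an extra recipe that carries the bundled pair (the workaround in the message) or a way to attach several product/version pairs to one recipe; the model does not attempt to reproduce cve-check's real database lookup or CPE handling.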