On Mon, 25 Apr 2022, Shengjing Zhu wrote:
> > If you look at package crowdsec, you find no dependency on golang-github-tidwall-gjson in its Built-Using:, but only an entry for golang-github-appleboy-gin-jwt. golang-github-appleboy-gin-jwt for its part depends on golang-github-tidwall-gjson-dev. So wouldn't crowdsec be affected by a CVE in golang-github-tidwall-gjson, which is not detected when using Built-Using: but only by Build-Depends:? At least I got more packages to be rebuilt when using ratt than with Built-Using: ...
>
> This is exactly the case for false positives of Build-Depends.
Ah, ok, do you have an example with a similar dependency chain with packages not only used for tests and a correct Built-Using:-entry?
Otherwise a false positive would be much better than an unfixed package, wouldn't it?
Thorsten
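To make the difference the two of them are discussing concrete, here is an added example (not code from the thread, from ratt, or from the Debian Go team): it parses a small set of constructed Sources-style stanzas and compares the two ways of deciding which source packages need a rebuild after a CVE in a statically linked Go library. The stanza contents, the versions, and the `example-tool` package are invented for illustration; only the three package names come from the thread. Mapping a `-dev` binary package to its source by stripping the suffix is an assumption about Debian Go naming used here, not a general rule.

```python
"""
Added example: direct Built-Using: lookup versus a transitive reverse closure
over Build-Depends: for finding rebuild candidates after a library CVE.
"""

# Constructed control stanzas (package names from the thread, every
# version and the example-tool stanza are invented).
CONSTRUCTED_SOURCES = """\
Package: crowdsec
Build-Depends: golang-github-appleboy-gin-jwt-dev
Built-Using: golang-github-appleboy-gin-jwt (= 0.0-1)

Package: golang-github-appleboy-gin-jwt
Build-Depends: golang-github-tidwall-gjson-dev
Built-Using: golang-github-tidwall-gjson (= 0.0-1)

Package: golang-github-tidwall-gjson
Build-Depends: golang-any

Package: example-tool
Build-Depends: golang-github-tidwall-gjson-dev
"""


def parse_stanzas(text):
    """Split RFC 822-style control text into a list of {field: value} dicts."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def dep_sources(field_value):
    """Source package names referenced by a relationship field.

    Drops version constraints such as "(= 0.0-1)", splits alternatives on
    "|", and maps a "-dev" binary package to its source by removing the
    suffix (assumption about Debian Go naming, see lead-in).
    """
    sources = set()
    for entry in field_value.split(","):
        for alt in entry.split("|"):
            alt = alt.strip()
            if not alt:
                continue
            name = alt.split()[0]
            if name.endswith("-dev"):
                name = name[: -len("-dev")]
            sources.add(name)
    return sources


def rebuilds_from_built_using(stanzas, vulnerable_source):
    """Packages whose Built-Using: names the vulnerable source directly.

    This misses crowdsec: its binary embeds gjson only via gin-jwt, and the
    Built-Using: field records just the direct link (a false negative).
    """
    return {
        s["Package"]
        for s in stanzas
        if vulnerable_source in dep_sources(s.get("Built-Using", ""))
    }


def rebuilds_from_build_depends(stanzas, vulnerable_source):
    """Transitive reverse closure over Build-Depends:.

    Catches crowdsec through gin-jwt, but also lists example-tool, which
    only needs gjson at build time (e.g. for tests): a false positive.
    """
    affected, frontier = set(), {vulnerable_source}
    while frontier:
        newly = {
            s["Package"]
            for s in stanzas
            if s["Package"] not in affected
            and s["Package"] != vulnerable_source
            and dep_sources(s.get("Build-Depends", "")) & frontier
        }
        affected |= newly
        frontier = newly
    return affected


if __name__ == "__main__":
    stanzas = parse_stanzas(CONSTRUCTED_SOURCES)
    vuln = "golang-github-tidwall-gjson"
    print("Built-Using:   ", sorted(rebuilds_from_built_using(stanzas, vuln)))
    print("Build-Depends: ", sorted(rebuilds_from_build_depends(stanzas, vuln)))
```

Run against the constructed data, the Built-Using: lookup returns only golang-github-appleboy-gin-jwt, while the Build-Depends: closure returns gin-jwt, crowdsec and the test-only example-tool. The set difference shows both sides of the argument: crowdsec is the missed rebuild, example-tool is the extra one.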