Detect missing package assignments for embedded code copies

Parse security-tracker:data/embedded-code-copies and improve the reporting on packages that embed code from vulnerable packages. For example, a CVE for the zlib package likely also affects the rsync package, which is listed in data/embedded-code-copies as embedding zlib. The other packages listed under zlib also embed some of its code and should be reported the same way.

Caution: take the tags from data/embedded-code-copies into account.

Any script or modification developed for this task should be coordinated with the security team, as they may have a more general use for it as well.
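As an added illustration (not part of this issue or of the security-tracker code), a small parser that reads an excerpt in the style of data/embedded-code-copies and reports which embedders are still likely affected. The file layout (an unindented line naming the embedded package, followed by indented `- package <tag> (notes)` entries) and the meaning of the tags are assumptions here; the sample text is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of data/embedded-code-copies:
# an unindented line names the embedded package, indented "- pkg <tag> (notes)"
# lines list the packages that carry a copy of its code.
SAMPLE = """\
zlib
\t- rsync <unfixed> (bug #123456; embeds zlib 1.2.3)
\t- foo <removed>
\t- bar <not-affected> (uses system zlib since 1.0)

expat
\t- baz <unfixed>
"""

# "- pkg", optional "<tag>", optional "(notes)"; tag and notes may be absent.
ENTRY_RE = re.compile(
    r"^\s+-\s+(?P<pkg>\S+)(?:\s+<(?P<tag>[^>]+)>)?(?:\s+\((?P<notes>.*)\))?\s*$"
)

def parse_embedded_copies(text):
    """Return {embedded_pkg: [(embedder, tag_or_None, notes_or_None), ...]}."""
    copies = defaultdict(list)
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # new embedded-package section
            current = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {line!r}")
        copies[current].append((m["pkg"], m["tag"], m["notes"]))
    return dict(copies)

# Assumed meaning: these tags mark embedders that no longer ship the copied
# code, so they should not get a package assignment for the CVE.
SKIP_TAGS = {"removed", "not-affected"}

def affected_embedders(copies, vulnerable_pkg):
    """Embedders of vulnerable_pkg that probably need their own assignment."""
    return [pkg for pkg, tag, _ in copies.get(vulnerable_pkg, [])
            if tag not in SKIP_TAGS]

if __name__ == "__main__":
    print(affected_embedders(parse_embedded_copies(SAMPLE), "zlib"))  # ['rsync']
```

Running the real file through this would still need the tag list from the file's own header, which the issue warns must be taken into account.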

History:

Do not confuse this with #12 (tracking renamed/branched/forked packages), which targets a different workflow where the relationship between packages is known with more certainty. Previous attempts to generalize it into this issue were rejected (see history above).

Edited by Sylvain Beucler