A CVE was published and I must determine if the related library "libFoo" is used in our software. We're using a small number of statically linked libraries from VCPkg. I ran the text search below on our vcpkg/ folder and got some matches for packages we don't knowingly include.
Intuitively, we're off the hook. I have to provide proof-positive that none of the packages we use from VCPkg are directly or indirectly linking in the CVE-indicted libFoo without our realizing it. How would one determine or demonstrate this?
./vcpkg/$ grep -lsri libFoo ./*
./buildtrees/versioning/baselines/...hash-number.../baseline.json
./buildtrees/versioning_/baselines/...hash-number.../baseline.json
./CHANGELOG.md
./downloads/strawberry-perl-5.32.1.1-32bit.zip
./downloads/tools/msys2/...
./downloads/tools/perl/...
...
./ports/ffmpeg/0010-Fix-x264-detection.patch
./ports/ffmpeg/0019-libx264-Do-not-explicitly-set-X264_API_IMPORTS.patch
./ports/ffmpeg/portfile.cmake
./ports/ffmpeg/vcpkg.json
./ports/libFoo/0001-build.patch
./ports/libFoo/portfile.cmake
./ports/libFoo/vcpkg.json
...
// and a dozen more ports we're not obviously using ....
This really can only be achieved by doing a rebuild and checking the build logs explicitly for whether the library is linked or not.
Secondly, you need to check if any of the libraries does an unwanted vendoring of the affected library, which could be checked by searching for a common header of that library in the buildtree.
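The two checks from the answer (linker lines in the build logs, and a copy of the library's header sitting inside some other port's source tree), plus a third check on the installed static archives, as an added shell example that is not part of the original post or of vcpkg itself. It assumes the usual vcpkg layout of buildtrees/<port>/ and installed/<triplet>/lib/, and uses "foo", "foo.h" and "foo_decode" as placeholders for the real library name, one of its public headers and one of its exported symbols; the sample tree it searches is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed vcpkg-style layout:
#   buildtrees/<port>/...          per-port extracted sources and build/link logs
#   installed/<triplet>/lib/*.a    the static archives the project links against
# "foo", "foo.h" and "foo_decode" are placeholders for the real library.

# Check 1: build logs whose linker invocations pull the library in, either as
# "-lfoo" or as an explicit libfoo.a / libfoo.lib path. A bare mention of the
# name in a comment or CMake message does not match.
find_link_references() {
    root=$1; lib=$2
    grep -lsrE -e "(^|[[:space:]])-l${lib}([[:space:]]|$)" \
               -e "lib${lib}\.(a|lib)" "$root"
}

# Check 2: vendoring. A port that bundles its own copy of the library ships
# the library's headers inside its own source tree, so report every copy of the
# header that is NOT under the library's own port directory.
find_vendored_headers() {
    root=$1; header=$2; own_port=$3
    find "$root" -type f -name "$header" ! -path "*/${own_port}/*"
}

# Check 3: a static archive built against the library carries the library's
# symbol names in its symbol table as plain text, so a binary-safe grep on the
# archive finds them without needing nm on the build host.
archive_references_symbol() {
    grep -aq "$2" "$1"
}

# Constructed sample tree standing in for a real vcpkg checkout.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/buildtrees/libfoo/src" \
         "$SAMPLE/buildtrees/ffmpeg/x64-linux-rel" \
         "$SAMPLE/buildtrees/bar/src/third_party/foo" \
         "$SAMPLE/installed/x64-linux/lib"
# libfoo's own header in its own port: expected, not vendoring
echo '#define FOO_VERSION 1' > "$SAMPLE/buildtrees/libfoo/src/foo.h"
# port "bar" bundles a private copy of the library: this is vendoring
echo '#define FOO_VERSION 1' > "$SAMPLE/buildtrees/bar/src/third_party/foo/foo.h"
# ffmpeg's link log pulls in -lfoo
echo 'cc -o ffmpeg ffmpeg.o -lavcodec -lfoo -lm' \
    > "$SAMPLE/buildtrees/ffmpeg/x64-linux-rel/link-x64-linux-rel-out.log"
# a stray mention of the name that is not a link line (must not be reported)
echo '# TODO: maybe add foo support later' > "$SAMPLE/buildtrees/baz-notes.txt"
# fake archives: libbar.a references a foo symbol, libbaz.a is clean
printf '!<arch>\nfoo_decode\nbar_init\n' > "$SAMPLE/installed/x64-linux/lib/libbar.a"
printf '!<arch>\nbaz_init\n' > "$SAMPLE/installed/x64-linux/lib/libbaz.a"

echo "== link logs referencing foo =="
find_link_references "$SAMPLE/buildtrees" foo
echo "== vendored copies of foo.h outside ports/libfoo =="
find_vendored_headers "$SAMPLE/buildtrees" foo.h libfoo
echo "== archives referencing foo_decode =="
for a in "$SAMPLE"/installed/x64-linux/lib/*.a; do
    archive_references_symbol "$a" foo_decode && echo "$a"
done
```

Run against a real checkout by pointing the three functions at your own buildtrees/ and installed/<triplet>/lib/ after a clean rebuild, and replace the placeholders with the library's actual name, a header that only it ships, and a symbol that only it exports. The link-log check is the authoritative one for "is it linked"; the header and archive checks catch the vendored-copy case where no link line ever names the library.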