Commit
Ghaf vulnerability scan update
henrirosten committed Sep 8, 2023
1 parent 47b8033 commit 3bdcf97
Showing 5 changed files with 101 additions and 303 deletions.
19 changes: 6 additions & 13 deletions reports/ghaf-23.06/data.csv
Expand Up @@ -105,12 +105,9 @@ https://github.com/NixOS/nixpkgs/pull/239595"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2829","https://nvd.nist.gov/vuln/detail/CVE-2023-2829","bind","9.18.14","9.18.18","9.18.18","bind","2023A0000002829","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/250135"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2828","https://nvd.nist.gov/vuln/detail/CVE-2023-2828","bind","9.18.14","9.18.18","9.18.18","bind","2023A0000002828","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239161
https://github.com/NixOS/nixpkgs/pull/250135"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-1999","https://nvd.nist.gov/vuln/detail/CVE-2023-1999","libwebp","1.3.0","1.3.1","1.3.1","libwebp","2023A0000001999","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/240893
https://github.com/NixOS/nixpkgs/pull/241036"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-1916","https://nvd.nist.gov/vuln/detail/CVE-2023-1916","libtiff","4.5.0","4.5.1","4.5.1","tiff","2023A0000001916","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239544
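Review bot: the refreshed vim rows in this hunk (CVE-2023-2610, CVE-2023-2609 and CVE-2023-2426, now at nixpkgs version 9.0.1811 with fix URL https://github.com/NixOS/nixpkgs/pull/251896 only) still carry the manual comment "Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05." although that PR was dropped from the fix column; either keep 239484 in the fix URL list or reword the comment so the two columns agree. The "current" version column stays at 9.0.1441 for all three rows, so the classification fix_update_to_version_nixpkgs is unchanged and the edit only records a newer nixpkgs target. The rendered diff has lost its +/- markers; old and new rows can be told apart here only because the old ones wrap their two-URL fix field over two lines, which matches the 12-to-9 line count in the hunk header.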
Expand Down Expand Up @@ -324,12 +321,9 @@ https://github.com/NixOS/nixpkgs/pull/253738"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
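Review bot: the lock_updated vim rows for CVE-2023-2610, CVE-2023-2609 and CVE-2023-2426 move to nixpkgs version 9.0.1811 and list only https://github.com/NixOS/nixpkgs/pull/251896 as the fix, yet their comment still recommends backporting https://github.com/NixOS/nixpkgs/pull/239484 to 23.05; the comment should be updated in the same change so the fix column and the recommendation do not diverge. Separately, the two qemu rows that both say "Revisit when fixed upstream" are classified differently, CVE-2023-3019 as err_not_vulnerable_based_on_repology and CVE-2023-1386 as fix_not_available; if both are still open upstream, fix_not_available is the consistent verdict, otherwise the CVE-2023-3019 comment should state why 8.0.4 is considered unaffected.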
Expand Down Expand Up @@ -478,7 +472,6 @@ https://github.com/NixOS/nixpkgs/pull/84664"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","7.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.2.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862
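Review bot: this hunk drops one of the seven rows shown (7 lines to 6 in the header), but the rendering has lost the +/- markers, so the removed row cannot be identified from the page; the commit message should name which finding was dropped and why. The cargo row GHSA-wrrj-h57r-vx9p compares current version 1.71.1 against nixpkgs and repology version 0.4.9 under repology name r:cargo, which looks like a package-name collision rather than a meaningful version comparison, so a verdict of err_not_vulnerable_based_on_repology derived from it needs a manual comment explaining the basis. The go row for CVE-2023-39533 has a typo in its comment ("pacakge") and its fix URL https://github.com/NixOS/nixpkgs/pull/113862 does not match the PR https://github.com/NixOS/nixpkgs/pull/246663 that the comment names as the one to wait for; worth checking which is intended.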
0 comments on commit 3bdcf97