Automatic vulnerability report update
henrirosten authored and github-actions[bot] committed Oct 5, 2023
1 parent 05b11cb commit 78ba0f0
Showing 5 changed files with 46 additions and 25 deletions.
17 changes: 11 additions & 6 deletions reports/ghaf-23.06/data.csv
@@ -1,17 +1,19 @@
"target","flakeref","pintype","vuln_id","url","package","severity","version_local","version_nixpkgs","version_upstream","package_repology","sortcol","whitelist","whitelist_comment","classify","nixpkgs_pr"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-j7hp-h8jx-5ppr","https://osv.dev/GHSA-j7hp-h8jx-5ppr","electron","","25.1.1","26.2.4","26.2.4","electron","2023A1696291200","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-j7hp-h8jx-5ppr","https://osv.dev/GHSA-j7hp-h8jx-5ppr","electron","","25.1.1","26.2.4","26.3.0","electron","2023A1696291200","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","","0.8.2","","","","2023A1694131200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-7x97-j373-85x5","https://osv.dev/GHSA-7x97-j373-85x5","electron","","25.1.1","26.2.4","26.2.4","electron","2023A1693958400","False","Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/251189.","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-7x97-j373-85x5","https://osv.dev/GHSA-7x97-j373-85x5","electron","","25.1.1","26.2.4","26.3.0","electron","2023A1693958400","False","Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/251189.","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","","1.69.0","","","","2023A1692835200","True","Duplicate to CVE-2023-40030.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-44488","https://nvd.nist.gov/vuln/detail/CVE-2023-44488","libvpx","7.5","1.13.0","1.13.0","1.13.1","libvpx","2023A0000044488","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/258295
https://github.com/NixOS/nixpkgs/pull/258350"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-42467","https://nvd.nist.gov/vuln/detail/CVE-2023-42467","qemu","5.5","8.0.0","8.1.1","8.1.1","qemu","2023A0000042467","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/256632"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-40360","https://nvd.nist.gov/vuln/detail/CVE-2023-40360","qemu","5.5","8.0.0","8.1.1","8.1.1","qemu","2023A0000040360","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251154
https://github.com/NixOS/nixpkgs/pull/256632"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-40359","https://nvd.nist.gov/vuln/detail/CVE-2023-40359","xterm","9.8","379","384","385","xterm","2023A0000040359","False","Backport to 23.05 ongoing in PR: https://github.com/NixOS/nixpkgs/pull/254541.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/244141
https://github.com/NixOS/nixpkgs/pull/254541
https://github.com/NixOS/nixpkgs/pull/258619"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39956","https://nvd.nist.gov/vuln/detail/CVE-2023-39956","electron","6.6","25.1.1","26.2.4","26.2.4","electron","2023A0000039956","False","","fix_update_to_version_nixpkgs",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39956","https://nvd.nist.gov/vuln/detail/CVE-2023-39956","electron","6.6","25.1.1","26.2.4","26.3.0","electron","2023A0000039956","False","","fix_update_to_version_nixpkgs",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.20.4","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738"
@@ -87,7 +89,7 @@ https://github.com/NixOS/nixpkgs/pull/239595"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/258857"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-4863","https://nvd.nist.gov/vuln/detail/CVE-2023-4863","libwebp","8.8","1.3.0","1.3.2","1.3.2","libwebp","2023A0000004863","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/255169
https://github.com/NixOS/nixpkgs/pull/255786
https://github.com/NixOS/nixpkgs/pull/255959
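Review bot: the row for CVE-2023-5156 (glibc 2.37-8, pintype "current") drops its nixpkgs_pr reference in this hunk: the row appears twice, once with `https://github.com/NixOS/nixpkgs/pull/258857` in the last column and once with that column empty, while classify stays `fix_not_available` and version_upstream stays 2.38. Since this commit is an automated regeneration, please confirm the link was removed on purpose (for example because the PR was closed or superseded) rather than lost by the PR-lookup step; if it is still the fix being tracked, keep it in nixpkgs_pr or record it in whitelist_comment so the reference survives the next update.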
@@ -133,7 +135,8 @@ https://github.com/NixOS/nixpkgs/pull/256632"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","6.5","8.0.0","8.1.1","8.1.1","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-3138","https://nvd.nist.gov/vuln/detail/CVE-2023-3138","libX11","7.5","1.8.4","1.8.6","1.8.7","libx11","2023A0000003138","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/238116
https://github.com/NixOS/nixpkgs/pull/238150
https://github.com/NixOS/nixpkgs/pull/258841"
https://github.com/NixOS/nixpkgs/pull/258841
https://github.com/NixOS/nixpkgs/pull/258996"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","6.5","8.0.0","8.1.1","8.1.1","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2975","https://nvd.nist.gov/vuln/detail/CVE-2023-2975","openssl","5.3","3.0.9","3.1.0","3.2.0","ruby:openssl","2023A0000002975","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/243625
https://github.com/NixOS/nixpkgs/pull/243938
@@ -315,6 +318,8 @@ https://github.com/NixOS/nixpkgs/pull/84664"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","","0.8.2","","","","2023A1694131200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","","1.69.0","","","","2023A1692835200","True","Duplicate to CVE-2023-40030.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-44488","https://nvd.nist.gov/vuln/detail/CVE-2023-44488","libvpx","7.5","1.13.0","1.13.0","1.13.1","libvpx","2023A0000044488","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/258295
https://github.com/NixOS/nixpkgs/pull/258350"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738"
@@ -368,7 +373,7 @@ https://github.com/NixOS/nixpkgs/pull/232535"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/258857"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106
https://github.com/NixOS/nixpkgs/pull/254185
https://github.com/NixOS/nixpkgs/pull/254574
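Review bot: the same loss of the nixpkgs_pr value happens here for the "lock_updated" row of CVE-2023-5156 (glibc 2.37-8): one copy of the row carries `https://github.com/NixOS/nixpkgs/pull/258857` and the other leaves the column empty, with classify still `fix_not_available`. Whatever is decided for the "current" row should be applied consistently to this one, and if the empty value comes from a lookup failure in the updater, the generator rather than the data should be fixed so the two pintype rows do not drift apart.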