From 7dd01b26022f43f157612958e197a73c6728b70d Mon Sep 17 00:00:00 2001 From: Henri Rosten Date: Wed, 6 Sep 2023 17:14:31 +0300 Subject: [PATCH] Initial commit 
Signed-off-by: Henri Rosten --- .github/workflows/test-ghafscan.yml | 24 + .github/workflows/vulnerability-scan.yml | 28 + .gitignore | 12 + LICENSES/Apache-2.0.txt | 73 ++ LICENSES/CC-BY-SA-4.0.txt | 170 +++ Makefile | 72 ++ README.md | 9 + VERSION | 1 + VERSION.license | 3 + csvdiff.nix | 7 + default.nix | 30 + flake.lock | 27 + flake.lock.license | 3 + flake.nix | 34 + manual_analysis.csv | 120 +++ manual_analysis.csv.license | 3 + requirements.txt | 15 + result/README.md | 13 + result/data.csv | 993 ++++++++++++++++++ result/data.csv.license | 3 + ...cv64-linux.microchip-icicle-kit-release.md | 328 ++++++ ...ges.x86_64-linux.generic-x86_64-release.md | 373 +++++++ sbomnix.nix | 7 + setup.py | 52 + shell.nix | 39 + src/ghafscan/__init__.py | 3 + src/ghafscan/main.py | 554 ++++++++++ src/ghafscan/templates/ghaf_landing.md | 11 + src/ghafscan/templates/ghaf_target.md | 68 ++ tests/test_ghafscan.py | 77 ++ 30 files changed, 3152 insertions(+) create mode 100644 .github/workflows/test-ghafscan.yml create mode 100644 .github/workflows/vulnerability-scan.yml create mode 100644 .gitignore create mode 100644 LICENSES/Apache-2.0.txt create mode 100644 LICENSES/CC-BY-SA-4.0.txt create mode 100644 Makefile create mode 100644 README.md create mode 100644 VERSION create mode 100644 VERSION.license create mode 100644 csvdiff.nix create mode 100644 default.nix create mode 100644 flake.lock create mode 100644 flake.lock.license create mode 100644 flake.nix create mode 100644 manual_analysis.csv create mode 100644 manual_analysis.csv.license create mode 100644 requirements.txt create mode 100644 result/README.md create mode 100644 result/data.csv create mode 100644 result/data.csv.license create mode 100644 result/packages.riscv64-linux.microchip-icicle-kit-release.md create mode 100644 result/packages.x86_64-linux.generic-x86_64-release.md create mode 100644 sbomnix.nix create mode 100644 setup.py create mode 100644 shell.nix create mode 100644 src/ghafscan/__init__.py create 
mode 100755 src/ghafscan/main.py create mode 100644 src/ghafscan/templates/ghaf_landing.md create mode 100644 src/ghafscan/templates/ghaf_target.md create mode 100644 tests/test_ghafscan.py
diff --git a/.github/workflows/test-ghafscan.yml b/.github/workflows/test-ghafscan.yml
new file mode 100644
index 0000000..91c1a5e
--- /dev/null
+++ b/.github/workflows/test-ghafscan.yml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Test Ghafscan
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: cachix/install-nix-action@v22
+ with:
+ nix_path: nixpkgs=channel:nixpkgs-unstable
+ - name: Run Ghafscan CI tests
+ run: nix develop --command make test-ci
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
new file mode 100644
index 0000000..2f97262
--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Ghaf Vulnerability Scan
+
+on:
+ pull_request:
+ branches:
+ - main
+ schedule:
+ - cron: "0 2 * * *"
+
+jobs:
+ scheduled:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+ - uses: cachix/install-nix-action@v22
+ with:
+ nix_path: nixpkgs=channel:nixpkgs-unstable
+ - name: Ghaf Vulnerability Scan
+ run: nix run .#ghafscan -- --verbose=2 --whitelist=manual_analysis.csv --flakeref=github:tiiuae/ghaf?ref=main --target=packages.x86_64-linux.generic-x86_64-release --target=packages.riscv64-linux.microchip-icicle-kit-release
+ - uses: stefanzweifel/git-auto-commit-action@v4
+ with:
+ commit_message: Ghaf vulnerability scan
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4b238c3
--- /dev/null
+++ b/.gitignore
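Review bot: The step `run: nix develop --command make test-ci` invokes a `test-ci` target that the Makefile added by this same commit does not define (its targets are `help`, `install`, `install-dev`, `uninstall`, `install-dev-requirements`, `pre-push`, `test`, `black`, `style`, `pylint`, `reuse-lint`, `clean`, `pristine`), so the job fails with a missing-target error unless that target comes from somewhere outside this patch; either add a `test-ci` target to the Makefile hunk or change the step to `run: nix develop --command make test`. The third-party actions are referenced by floating major tags (`actions/checkout@v3`, `cachix/install-nix-action@v22`, and in vulnerability-scan.yml `stefanzweifel/git-auto-commit-action@v4`), so a retagged release is picked up silently; pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v3`, makes the workflow's supply chain auditable. There is also no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository is configured with; a test run needs no more than `permissions: contents: read` at the job level.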
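Review bot: `permissions: contents: write` is granted to the job under both triggers, but only the scheduled run needs it for the `git-auto-commit-action` step; on the `pull_request` trigger the same job checks out and executes the pull request's own `nix run .#ghafscan` code with a write-capable token (for branches of this repository; forks are expected to receive a read-only token regardless) and then tries to commit scan results into the PR branch. Splitting this into two jobs, a `pull_request` job with `contents: read` and no commit step, and a `schedule` job with `contents: write` plus the auto-commit, keeps execution of incoming changes and repository write access apart. The scan input `--flakeref=github:tiiuae/ghaf?ref=main` is a moving ref, so two runs of the same workflow revision may scan different Ghaf sources; that is presumably intended for a nightly scan, but a one-line comment above the step saying so would save the next reader from assuming the `result/` files are reproducible from this workflow alone.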
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+venv/
+*.egg-info/
+.eggs/
+__pycache__/
+*.py[cod]
+*.sqlite
+/*.log
+*.csv
\ No newline at end of file
diff --git a/LICENSES/Apache-2.0.txt b/LICENSES/Apache-2.0.txt
new file mode 100644
index 0000000..137069b
--- /dev/null
+++ b/LICENSES/Apache-2.0.txt
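Review bot: The `*.csv` pattern on the last line ignores the very files this commit tracks (`manual_analysis.csv` and `result/data.csv` appear in the diffstat) and any new CSV the scan may write under `result/`. Already-tracked files keep being committed, so the auto-commit in vulnerability-scan.yml still picks up edits to `result/data.csv`, but a newly produced CSV would be left out of that commit without any error. If the intent is only to keep scratch output out of the working tree, narrow the rule, e.g. `/*.csv` together with `!/manual_analysis.csv`, or re-include the results directory with `!result/*.csv`.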
@@ -0,0 +1,73 @@ +Apache License +Version 2.0, January 2004 +http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. + +"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. + +"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). + +"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. 
For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: + + (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed 
as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. + + You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/LICENSES/CC-BY-SA-4.0.txt b/LICENSES/CC-BY-SA-4.0.txt new file mode 100644 index 0000000..835a683 --- /dev/null +++ b/LICENSES/CC-BY-SA-4.0.txt 
@@ -0,0 +1,170 @@ +Creative Commons Attribution-ShareAlike 4.0 International + + Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses. + +Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors. + +Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. 
If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. + +Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public. + +Creative Commons Attribution-ShareAlike 4.0 International Public License + +By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. + +Section 1 – Definitions. + + a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. + + b. 
Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. + + c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License. + + d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. + + e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. + + f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. + + g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike. + + h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License. + + i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. + + j. Licensor means the individual(s) or entity(ies) granting rights under this Public License. + + k. 
Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. + + l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. + + m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. + +Section 2 – Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: + + A. reproduce and Share the Licensed Material, in whole or in part; and + + B. produce, reproduce, and Share Adapted Material. + + 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. + + 3. Term. The term of this Public License is specified in Section 6(a). + + 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. 
The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. + + 5. Downstream recipients. + + A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. + + B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply. + + C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. + + 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. + + 2. 
Patent and trademark rights are not licensed under this Public License. + + 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties. + +Section 3 – License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified form), You must: + + A. retain the following if it is supplied by the Licensor with the Licensed Material: + + i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of warranties; + + v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; + + B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and + + C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. + + 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. + + 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. + + b. 
ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply. + + 1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License. + + 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material. + + 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply. + +Section 4 – Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database; + + b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and + + c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. +For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. + +Section 5 – Disclaimer of Warranties and Limitation of Liability. + + a. 
Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You. + + b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You. + + c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +Section 6 – Term and Termination. + + a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or + + 2. upon express reinstatement by the Licensor. + + c. 
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. + + d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. + + e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. + +Section 7 – Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. + +Section 8 – Interpretation. + + a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. + + c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. + + d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. + +Creative Commons is not a party to its public licenses. 
Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. + +Creative Commons may be contacted at creativecommons.org. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..596712d --- /dev/null +++ b/Makefile 
@@ -0,0 +1,72 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+SHELL := bash
+PYTHON_TARGETS := $(shell find . -name "*.py" ! -path "*venv*" ! -path "*eggs*")
+
+define target_success
+ @printf "\033[32m==> Target \"$(1)\" passed\033[0m\n\n"
+endef
+
+.DEFAULT_GOAL := help
+
+TARGET: ## DESCRIPTION
+ @echo "TARGET is here only to provide the header for 'help'"
+
+help: ## Show this help message
+ @grep -E '^[a-zA-Z_-]+:.*?##.*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[32m%-30s\033[0m %s\n", $$1, $$2}'
+
+install: ## Install
+ pip install --user .
+ $(call target_success,$@)
+
+install-dev: uninstall install-dev-requirements ## Install for development
+ pip install --editable .
+ $(call target_success,$@)
+
+uninstall: ## Uninstall
+ find . -name '*.egg-info' -exec rm -fr {} +
+ pip uninstall -y ghafscan
+ $(call target_success,$@)
+
+install-dev-requirements: clean ## Install all requirements
+ pip install -q -r requirements.txt --no-cache-dir
+ $(call target_success,$@)
+
+pre-push: test black style pylint reuse-lint ## Run tests, style checks, pylint, reuse-lint
+ $(call target_success,$@)
+
+test: install-dev-requirements ## Run tests
+ pytest -vx tests/
+ $(call target_success,$@)
+
+black: clean ## Reformat with black
+ @for py in $(PYTHON_TARGETS); \
+ do echo "$$py:"; \
+ black -q $$py; \
+ done
+ $(call target_success,$@)
+
+style: clean ## Check with pycodestyle (pep8)
+ pycodestyle --max-line-length 90 --exclude='venv/' .
+ $(call target_success,$@)
+
+pylint: clean ## Check with pylint
+ pylint -rn $(PYTHON_TARGETS) || exit 1
+ $(call target_success,$@)
+
+reuse-lint: clean ## Check with reuse lint
+ reuse lint
+ $(call target_success,$@)
+
+clean: ## Remove build artifacts
+ find . -name '*.pyc' -exec rm -f {} +
+ find . -name '__pycache__' -exec rm -fr {} +
+ find . 
-name '.eggs' -exec rm -rf {} +
+ rm -fr .pytest_cache/
+ $(call target_success,$@)
+
+pristine: clean ## Pristine clean: remove all untracked files and folders
+ git clean -f -d -x
+ $(call target_success,$@)
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fda1b35
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+
+
+# Ghafscan
+
+Run and summarize vulnerability scans for Ghaf flake targets
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..8a9ecc2
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+0.0.1
\ No newline at end of file
diff --git a/VERSION.license b/VERSION.license
new file mode 100644
index 0000000..fde5380
--- /dev/null
+++ b/VERSION.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
\ No newline at end of file
diff --git a/csvdiff.nix b/csvdiff.nix
new file mode 100644
index 0000000..e0e38de
--- /dev/null
+++ b/csvdiff.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+builtins.fetchGit {
+ url = "https://github.com/tiiuae/ci-public.git";
+ rev = "7940fd33fef616e9daa73795044da0b5ddf9f563";
+}
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..c2182d0
--- /dev/null
+++ b/default.nix
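Review bot: `pristine` runs `git clean -f -d -x` with no confirmation, which deletes every untracked and every ignored file in the checkout (local virtualenvs, editor state, new files not yet added), so a mistyped `make pristine` is unrecoverable. Consider the interactive form `git clean -i -d -x`, or printing the dry run `git clean -n -d -x` and requiring an explicit opt-in such as a `FORCE=1` variable before the destructive call. Separately, `pylint -rn $(PYTHON_TARGETS) || exit 1` is redundant because make already aborts the recipe on a non-zero exit, so `pylint -rn $(PYTHON_TARGETS)` alone is equivalent. `PYTHON_TARGETS` is an unquoted `$(shell find …)` result, so a path containing whitespace would be split into separate words by the `black` and `pylint` recipes.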
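Review bot: `builtins.fetchGit` here gives only `url` and `rev` with no `ref`, so Nix fetches the repository's default branch and expects the pinned commit to be reachable from it; evaluation fails if that commit ever only lives on another branch or tag, and adding `ref` (or `allRefs = true;`) pins that assumption explicitly. Pinning to a full commit hash is the right choice given that default.nix imports and evaluates Nix code from this checkout, but nothing records what the hash corresponds to; a one-line comment such as `# ci-public commit providing csvdiff/default.nix; bump deliberately and review the diff` would make later updates reviewable.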
@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ pkgs ? import {},
+ pythonPackages ? pkgs.python3Packages,
+}:
+pythonPackages.buildPythonPackage rec {
+ pname = "ghafscan";
+ version = pkgs.lib.removeSuffix "\n" (builtins.readFile ./VERSION);
+ format = "setuptools";
+
+ src = ./.;
+
+ sbomnix = import ./sbomnix.nix;
+ vulnxscan = import "${sbomnix}/scripts/vulnxscan/vulnxscan.nix" {pkgs = pkgs;};
+ csvdiff_nix = import ./csvdiff.nix;
+ csvdiff = import "${csvdiff_nix}/csvdiff/default.nix" {pkgs = pkgs;};
+
+ propagatedBuildInputs = [
+ pkgs.nix
+ pkgs.reuse
+ vulnxscan
+ csvdiff
+ pythonPackages.colorlog
+ pythonPackages.gitpython
+ pythonPackages.pandas
+ pythonPackages.tabulate
+ ];
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..c8936a8
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1692084312, + "narHash": "sha256-Za++qKVK6ovjNL9poQZtLKRM/re663pxzbJ+9M4Pgwg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8353344d3236d3fda429bb471c1ee008857d3b7c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +}
diff --git a/flake.lock.license b/flake.lock.license
new file mode 100644
index 0000000..5cc74e1
--- /dev/null
+++ b/flake.lock.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..331a93b
--- /dev/null
+++ b/flake.nix
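Review bot: The derivation declares no check-phase inputs, so the test suite this commit adds (`tests/test_ghafscan.py` in the diffstat) never runs inside `nix build`; adding `nativeCheckInputs = [ pythonPackages.pytestCheckHook ];` would make the package build fail when the tests do. The default `pkgs ? import {}` as rendered here is not valid Nix and looks like `import <nixpkgs> {}` with the angle brackets lost in rendering — worth confirming against the committed file. `sbomnix` and `csvdiff_nix` are `builtins.fetchGit` results whose Nix files are imported at evaluation time, so a bump of either pin changes what this package builds and should be reviewed like a code change; a comment such as `# sbomnix.nix / csvdiff.nix pin external Nix code that is imported here; review bumps as code` records that.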
@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ description = "Flakes file for ghafscan";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+
+ outputs = {
+ self,
+ nixpkgs,
+ }: let
+ pkgs = import nixpkgs {system = "x86_64-linux";};
+ ghafscan = import ./default.nix {pkgs = pkgs;};
+ ghafscan-shell = import ./shell.nix {pkgs = pkgs;};
+ in rec {
+ # nix package
+ packages.x86_64-linux = {
+ inherit ghafscan;
+ default = ghafscan;
+ };
+
+ # nix run .#ghafscan
+ apps.x86_64-linux.ghafscan = {
+ type = "app";
+ program = "${self.packages.x86_64-linux.ghafscan}/bin/ghafscan";
+ };
+
+ # nix develop
+ devShells.x86_64-linux.default = ghafscan-shell;
+ };
+}
diff --git a/manual_analysis.csv b/manual_analysis.csv
new file mode 100644
index 0000000..094781b
--- /dev/null
+++ b/manual_analysis.csv
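Review bot: `rec` on the outputs attribute set is unused: the only cross-reference, `program = "${self.packages.x86_64-linux.ghafscan}/bin/ghafscan"`, goes through `self`, and `ghafscan`/`ghafscan-shell` come from the `let`, so `in {` is equivalent and avoids accidental recursive bindings later. The system string `x86_64-linux` is repeated in four places while the committed results directory (`result/packages.riscv64-linux.microchip-icicle-kit-release.md`) shows the tool targets other systems too; a single `system = "x86_64-linux";` binding in the `let`, reused for `pkgs` and the output attribute names, keeps them in step. `devShells` imports `./shell.nix`, which is outside this view.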
@@ -0,0 +1,120 @@
+"vuln_id","whitelist","package","version_local","version_nixpkgs","version_upstream","comment"
+"CVE-2023-4135","False","qemu","8.0.2",,,"Fixed upstream in 8.1.0."
+"CVE-2023-40359","False","xterm","379","384","384","Requested backport for PR: https://github.com/NixOS/nixpkgs/pull/244141."
+"CVE-2023-4016","False","procps","3.3.17","3.3.17","4.0.3","See: https://gitlab.com/procps-ng/procps/-/issues/297. Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions."
+"CVE-2023-39533","False","go","1.20.6"," 1.21.0 "," 1.21.0 ","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports."
+"CVE-2023-39533","False","go","1.20.6",,,"Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/246663."
+"CVE-2023-38633","False","librsvg","2.55.1","2.56.3 ","2.56.3 ","Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/246763."
+"CVE-2023-3817","False","openssl"," 3.0.9","3.1.0","3.1.0","openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/246579."
+"CVE-2023-3817","False","openssl","3.0.9",,,"Fixed in openssl 3.0.10, nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/246579."
+"CVE-2023-37769","False","pixman","0.42.2","0.42.2","0.42.2","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable""."
+"CVE-2023-3724","False","wolfssl","5.5.4","5.5.4","5.6.3","Issue is fixed in 5.6.2: https://www.wolfssl.com/docs/security-vulnerabilities/. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027."
+"CVE-2023-3724","False","wolfssl","5.5.4",,,"Fixed in 5.6.2 based on https://www.wolfssl.com/docs/security-vulnerabilities/. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027."
+"CVE-2023-3603",,"libssh","0.10.5","0.10.5","0.10.5","Based on https://security-tracker.debian.org/tracker/CVE-2023-3603 and https://bugzilla.redhat.com/show_bug.cgi?id=2221791, vulnerable code is not present in 0.10.5 or any currently released version."
+"CVE-2023-3354","False","qemu","8.0.2",,,"Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036."
+"CVE-2023-31975",,"yasm","1.3.0",,,"Memory leak in CLI tool, no security impact."
+"CVE-2023-31974",,"yasm","1.3.0",,,"Crash in CLI tool, no security impact."
+"CVE-2023-31973",,"yasm","1.3.0",,,"Crash in CLI tool, no security impact."
+"CVE-2023-31972",,"yasm","1.3.0",,,"Crash in CLI tool, no security impact."
+"CVE-2023-3180","False","qemu","8.0.2",,,"Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036."
+"CVE-2023-31486",,"perl","5.36.0","5.38.0","5.38.0","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480."
+"CVE-2023-30571","False","libarchive","3.6.2","3.6.2","3.7.1","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876."
+"CVE-2023-30402",,"yasm","1.3.0",,,"Crash in CLI tool, no security impact."
+"CVE-2023-3019","False","qemu","8.0.2",,,"Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html."
+"CVE-2023-29409","False","go","1.20.6",,,"See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663."
+"CVE-2023-29406",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2023-29405",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2023-29404",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2023-29403",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2023-29402",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2023-29400",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2023-29383","False","shadow","4.13","4.13","4.14","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases."
+"CVE-2023-2610","False","vim","9.0.1441","9.0.1642","9.0.1786","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05."
+"CVE-2023-2609","False","vim","9.0.1441","9.0.1642","9.0.1786","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05."
+"CVE-2023-2426","False","vim","9.0.1441","9.0.1642","9.0.1786","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05."
+"CVE-2023-24.*",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2023-1386","False","qemu","8.0.3",,,"Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29."
+"CVE-2022-[24].*",,"go","1.17.13-linux-am",,,"See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776."
+"CVE-2022-48434",,"ffmpeg",,,,"Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.3 https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db."
+"CVE-2022-42969",,"py","1.11.0",,,"Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565."
+"CVE-2022-3965",,"ffmpeg","5.1.3",,,"Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 5.1.x is merged in 5.1.3 https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257."
+"CVE-2022-3964",,"ffmpeg","4.4.4",,,"Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0."
+"CVE-2022-37416",,"libmpeg2","0.5.1",,,"NVD data issue: concerns Android only."
+"CVE-2022-3637",,"bluez","5.66","5.66","5.68","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue."
+"CVE-2022-36073",,"rubygems","3.4.13",,,"Latest impacted version in 3.x is 3.0.4."
+"CVE-2022-3563",,"bluez","5.66","5.66","5.68","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue."
+"CVE-2022-3341",,"ffmpeg","4.4.4",,,"Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b."
+"CVE-2022-3219",,"gnupg","2.4.0",,,"Fix patch is not accepted upstream: https://dev.gnupg.org/D556."
+"CVE-2022-3109",,"ffmpeg","4.4.4",,,"Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2."
+"CVE-2022-3.*",,"git","2.40.1",,,"Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96."
+"CVE-2022-28321",,"linux-pam","1.5.2","1.5.2","1.5.3","Only impacts SUSE-specific patch version. Notice: repology package name is pam: https://repology.org/project/pam/versions."
+"CVE-2022-26691",,"cups","2.4.6",,,"Fixed in nixpkgs with PR: https://github.com/NixOS/nixpkgs/pull/174898."
+"CVE-2022-0856","False","libcaca","0.99.beta20",,,"Not fixed upstream: https://github.com/cacalabs/libcaca/issues/65."
+"CVE-2021-4336",,"ninja","1.11.1","1.11.1","1.11.1","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja."
+"CVE-2021-4217",,"unzip","6.0",,,"Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217."
+"CVE-2021-39205",,"jitsi-meet","1.0.6943",,,"Does not impact the version in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845."
+"CVE-2021-3605",,"openexr","2.5.8",,,"False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7."
+"CVE-2021-3598",,"openexr","2.5.8",,,"False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7."
+"CVE-2021-3468",,"avahi","0.8","0.8","0.8","Fixed in nixpgs with https://github.com/NixOS/nixpkgs/pull/195331."
+"CVE-2021-33506",,"jitsi-meet","1.0.6943",,,"Fixed in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135."
+"CVE-2021-334.*",,"yasm","1.3.0",,,"Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'."
+"CVE-2021-30499",,"libcaca","0.99.beta20",,,"NVD data issue: CPE entry does not correctly state the version numbers. Issue is fixed in v0.99.beta20: https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20."
+"CVE-2021-26945",,"openexr","2.5.8",,,"Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8."
+"CVE-2021-26720",,"avahi","0.8","0.8","0.8","False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives."
+"CVE-2021-26260",,"openexr","2.5.8",,,"False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5."
+"CVE-2021-23215",,"openexr","2.5.8",,,"False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5."
+"CVE-2021-23169",,"openexr","2.5.8",,,"False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7."
+"CVE-2021-21684",,"git",,,,"Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96."
+"CVE-2021-20255",,"qemu","8.0.2",,,"Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. No point fixing this in nixpkgs as long as it is not fixed upstream."
+"CVE-2021-3.*","False","djvulibre","3.5.28",,,"Pending merge: https://github.com/NixOS/nixpkgs/pull/246773."
+"CVE-2020-24490",,"bluez",,,,"Fixed in linux kernel (5.8) with: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e."
+"CVE-2020-16194",,"quote",,,,"Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/."
+"CVE-201[89]-.*",,"git","2.40.1",,,"Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96."
+"CVE-2019-6470",,"bind","9.18.16",,,"Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606."
+"CVE-2019-6462",,"cairo","1.16.0","1.17.12","1.17.12","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129."
+"CVE-2019-6461",,"cairo","1.16.0","1.17.12","1.17.12","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129."
+"CVE-2019-6293",,"flex","2.6.4",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2019-20633",,"patch","2.7.6","2.7.6","2.7.6","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream."
+"CVE-2019-14.*",,"fuse","3.11.0",,,"Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives."
+"CVE-2019-12749",,"dbus","1","1.14.8","1.14.8","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8)."
+"CVE-2019-12067",,"qemu","8.0.2",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2019-.*",,"edk2","202211",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2018-7263",,"libmad","0.15.1b","0.15.1b","0.16.3","Based on https://github.com/NixOS/nixpkgs/issues/57154, issue is fixed by https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed."
+"CVE-2018-6553",,"cups","2.4.6",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2018-18438",,"qemu","8.0.2",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2018-13410",,"zip","3.0",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2017-5436",,"graphite2","1.3.14",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2017-.*",,"mujs","1.3.3",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2016-2781",,"coreutils","9.1",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2016-.*",,"libiberty","12.2.0",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2016-.*",,"mujs","1.3.3",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2015-7313",,"libtiff","4.5.1",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2014-9157",,"graphviz","7.1.0",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2014-4860",,"edk2","202211",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2014-4859",,"edk2","202211",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2012-3509",,"libiberty","12.2.0",,,"NVD data issue: CPE entry does not correctly state the version numbers."
+"CVE-2010-4226",,"cpio","2.14",,,"NVD data issue: concerns OpenSuSE, not cpio."
+"PYSEC-2022-42969",,"py","1.11.0",,,"Same as CVE-2022-42969."
+"OSV-202[12]-.*","False","espeak-ng","1.51.1",,,"Unclear if this is still valid."
+"OSV-2023-505","False","file","5.44",,,"Unclear if this is still valid."
+"OSV-2023-390","False","qemu","8.0.2",,,"Unclear if this is still valid."
+"OSV-2023-137",,"harfbuzz","7.2.0",,,"Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0."
+"OSV-2023-101","False","qemu","8.0.2","8.0.3","8.1.0","Fixed in qemu 8.0.4: https://github.com/NixOS/nixpkgs/pull/248659."
+"OSV-2022-908","False","bluez","5.66",,,"Unclear if this is still valid."
+"OSV-2022-896","False","libsass","3.6.5",,,"Unclear if this is still valid."
+"OSV-2022-859","False","bluez","5.66",,,"Unclear if this is still valid."
+"OSV-2022-842","False","wolfssl","5.5.4",,,"Unclear if this is still valid."
+"OSV-2022-725","False","libjxl","0.8.2",,,"Unclear if this is still valid."
+"OSV-2022-608","False","libjxl","0.8.2",,,"Unclear if this is still valid."
+"OSV-2022-581","False","qemu","8.0.2",,,"Unclear if this is still valid."
+"OSV-2022-416",,"openjpeg","2.5.0",,,"Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2."
+"OSV-2022-193","False","w3m","0.5.3+git2023012",,,"Unclear if this is still valid."
+"OSV-2022-183",,"binutils","2.40",,,"Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2."
+"OSV-2022-1193",,"libarchive","3.6.2",,,"Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3."
+"OSV-2021-820",,"qemu","8.0.2",,,"Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2."
+"OSV-2021-777",,"libxml2","2.10.4",,,"Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4."
+"OSV-2021-508","False","libsass","3.6.5","3.6.5","3.6.5","Unclear if this is still valid."
+"MAL-2022-4301",,"libidn2","2.3.4",,,"Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2."
+"GHSA-mc7w-4cjf-c973",,"opencv","4.7.0",,,"Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv https://github.com/opencv/opencv."
+"GHSA-f698-m2v9-5fh3",,"opencv",,,,"Incorrect package: issue refers node-opencv https://www.npmjs.com/package/opencv, whereas nixpkgs refers https://github.com/opencv/opencv."
+"GHSA-6898-wx94-8jq8",,"libnotify","0.8.2",,,"Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify."
\ No newline at end of file
diff --git a/manual_analysis.csv.license b/manual_analysis.csv.license
new file mode 100644
index 0000000..fde5380
--- /dev/null
+++ b/manual_analysis.csv.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..cf2b0c7
--- /dev/null
+++ b/requirements.txt
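Review bot: Several `vuln_id` values are open-ended regex-style patterns — `CVE-2022-3.*` (git), `CVE-2019-.*` (edk2), `CVE-2017-.*` and `CVE-2016-.*` (mujs, libiberty), `CVE-2021-3.*` (djvulibre), `CVE-2023-24.*` and `CVE-2022-[24].*` (go), `OSV-202[12]-.*` (espeak-ng), `CVE-201[89]-.*` (git) — and if the matcher treats the column as a regex, as those entries suggest (the matching code in src/ghafscan/main.py is not in this view), each one silently suppresses every future id in that range for the package, not only the ones that were analysed when the row was written. Prefer listing the concrete ids, or at least bound the pattern to the analysed range (e.g. `CVE-2022-3[0-9]{3,4}` instead of `CVE-2022-3.*`, a constructed example) and say in `comment` which ids were actually reviewed. The `whitelist` column is filled inconsistently: most rows leave it empty while others say `False`, and the empty cells appear to be treated as whitelisted (the same ids carry `True` in result/data.csv), so writing `True` explicitly would make the file self-describing. The `version_local` value `1.17.13-linux-am` on the go rows looks cut off — result/data.csv has `1.17.13-linux-amd64-bootstrap` for the same ids — and may or may not match depending on how versions are compared.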
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# common
+colorlog
+gitpython
+pandas
+tabulate
+
+# dev requirements
+black
+pycodestyle
+pylint
+pytest
diff --git a/result/README.md b/result/README.md
new file mode 100644
index 0000000..9eb1a52
--- /dev/null
+++ b/result/README.md
@@ -0,0 +1,13 @@
+
+
+# Ghaf Vulnerability Reports
+
+See the following links for detailled Ghaf vulnerability reports:
+
+* [Vulnerability Report: 'packages.x86_64-linux.generic-x86_64-release'](packages.x86_64-linux.generic-x86_64-release.md)
+* [Vulnerability Report: 'packages.riscv64-linux.microchip-icicle-kit-release'](packages.riscv64-linux.microchip-icicle-kit-release.md)
+
diff --git a/result/data.csv b/result/data.csv
new file mode 100644
index 0000000..70124d5
--- /dev/null
+++ b/result/data.csv
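Review bot: Every entry is unpinned, and `make install-dev-requirements` (`pip install -q -r requirements.txt --no-cache-dir` in the Makefile) is a prerequisite of `test` and `pre-push`, so each run resolves `colorlog`, `gitpython`, `pandas`, `tabulate` and the dev tools to whatever PyPI serves at that moment; the Nix build pins these through nixpkgs, but this pip path does not, and a new or tampered upstream release changes the toolchain with no diff in this repository. Pin each line to a version, e.g. `pandas==<pinned version>`, and ideally add `--hash=sha256:<digest>` entries so pip can be run with `--require-hashes`; a header comment such as `# pinned: refresh deliberately and review the resulting diff` records the intent. `black`, `pylint` and `pycodestyle` output also differs between releases, so leaving them unpinned makes the `pre-push` checks non-reproducible across machines.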
@@ -0,0 +1,993 @@ +"target","flakeref","pintype","vuln_id","url","package","version_local","version_nixpkgs","version_upstream","package_repology","sortcol","whitelist","whitelist_comment","classify","nixpkgs_pr" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.69.0","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-40360","https://nvd.nist.gov/vuln/detail/CVE-2023-40360","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000040360","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/251154" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-40359","https://nvd.nist.gov/vuln/detail/CVE-2023-40359","xterm","379","384","384","xterm","2023A0000040359","False","Requested backport for PR: https://github.com/NixOS/nixpkgs/pull/244141.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/244141" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","1.20.6","1.21.0","1.21.0","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. 
The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862 +https://github.com/NixOS/nixpkgs/pull/130806 +https://github.com/NixOS/nixpkgs/pull/248027" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.0","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862 +https://github.com/NixOS/nixpkgs/pull/130806 +https://github.com/NixOS/nixpkgs/pull/248027" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-38633","https://nvd.nist.gov/vuln/detail/CVE-2023-38633","librsvg","2.55.1","2.56.3","2.56.3","librsvg","2023A0000038633","False","Nixpkgs fix PR: 
https://github.com/NixOS/nixpkgs/pull/246763.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/246763 +https://github.com/NixOS/nixpkgs/pull/246860" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable"".","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","5.36.0-env","","","","2023A0000031486","True","Fixed upstream with 
https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","5.36.0","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","5.36.0-env","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","5.36.0","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","1.20.6","1.21.0","1.21.0","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862
+https://github.com/NixOS/nixpkgs/pull/130806
+https://github.com/NixOS/nixpkgs/pull/247034
+https://github.com/NixOS/nixpkgs/pull/248027"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.0","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862
+https://github.com/NixOS/nixpkgs/pull/130806
+https://github.com/NixOS/nixpkgs/pull/247034
+https://github.com/NixOS/nixpkgs/pull/248027"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29404","https://nvd.nist.gov/vuln/detail/CVE-2023-29404","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029404","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","1.1.10","","","","2023A0000028115","False","","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24540","https://nvd.nist.gov/vuln/detail/CVE-2023-24540","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024540","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24539","https://nvd.nist.gov/vuln/detail/CVE-2023-24539","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024539","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24538","https://nvd.nist.gov/vuln/detail/CVE-2023-24538","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024538","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24537","https://nvd.nist.gov/vuln/detail/CVE-2023-24537","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024537","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. 
Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3817","https://nvd.nist.gov/vuln/detail/CVE-2023-3817","openssl","3.0.9","3.1.0","3.1.0","ruby:openssl","2023A0000003817","False","openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/246579.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/247537
+https://github.com/NixOS/nixpkgs/pull/248715"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3724","https://nvd.nist.gov/vuln/detail/CVE-2023-3724","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2023A0000003724","False","Issue is fixed in 5.6.2: https://www.wolfssl.com/docs/security-vulnerabilities/. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/239027
+https://github.com/NixOS/nixpkgs/pull/246451"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3603","https://nvd.nist.gov/vuln/detail/CVE-2023-3603","libssh","0.10.5","","","","2023A0000003603","True","Based on https://security-tracker.debian.org/tracker/CVE-2023-3603 and https://bugzilla.redhat.com/show_bug.cgi?id=2221791, vulnerable code is not present in 0.10.5 or any currently released version.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. 
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
+https://github.com/NixOS/nixpkgs/pull/251896"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
+https://github.com/NixOS/nixpkgs/pull/251896" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
+https://github.com/NixOS/nixpkgs/pull/251896"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","7.2.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-101","https://osv.dev/OSV-2023-101","qemu","8.0.2","8.0.4","8.1.0","qemu","2023A0000000101","False","Fixed in 
qemu 8.0.4: https://github.com/NixOS/nixpkgs/pull/248659.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-48434","https://nvd.nist.gov/vuln/detail/CVE-2022-48434","ffmpeg","4.4.4","","","","2022A0000048434","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.3 https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-43357","https://nvd.nist.gov/vuln/detail/CVE-2022-43357","sassc","3.6.2","3.6.2","3.6.2","sassc","2022A0000043357","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41725","https://nvd.nist.gov/vuln/detail/CVE-2022-41725","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041725","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41724","https://nvd.nist.gov/vuln/detail/CVE-2022-41724","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041724","True","See the discussion in: 
https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41723","https://nvd.nist.gov/vuln/detail/CVE-2022-41723","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041723","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41722","https://nvd.nist.gov/vuln/detail/CVE-2022-41722","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041722","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41720","https://nvd.nist.gov/vuln/detail/CVE-2022-41720","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041720","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41717","https://nvd.nist.gov/vuln/detail/CVE-2022-41717","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041717","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41716","https://nvd.nist.gov/vuln/detail/CVE-2022-41716","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041716","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-41715","https://nvd.nist.gov/vuln/detail/CVE-2022-41715","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041715","True","See the discussion in: 
https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.40.1","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-37416","https://nvd.nist.gov/vuln/detail/CVE-2022-37416","libmpeg2","0.5.1","","","","2022A0000037416","True","NVD data issue: concerns Android only.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.40.1","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.40.1","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.40.1","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36073","https://nvd.nist.gov/vuln/detail/CVE-2022-36073","rubygems","3.4.13","","","","2022A0000036073","True","Latest impacted version in 3.x is 3.0.4.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.40.1","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.40.1","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.40.1","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. 
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-27664","https://nvd.nist.gov/vuln/detail/CVE-2022-27664","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000027664","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-26691","https://nvd.nist.gov/vuln/detail/CVE-2022-26691","cups","2.4.6","","","","2022A0000026691","True","Fixed in nixpkgs with PR: https://github.com/NixOS/nixpkgs/pull/174898.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-26592","https://nvd.nist.gov/vuln/detail/CVE-2022-26592","libsass","3.6.5","3.6.5","3.6.5","libsass","2022A0000026592","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3965","https://nvd.nist.gov/vuln/detail/CVE-2022-3965","ffmpeg","5.1.3","","","","2022A0000003965","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 5.1.x is merged in 5.1.3 https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","5.1.3","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","4.4.4","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3637","https://nvd.nist.gov/vuln/detail/CVE-2022-3637","bluez","5.66","","","","2022A0000003637","True","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3563","https://nvd.nist.gov/vuln/detail/CVE-2022-3563","bluez","5.66","","","","2022A0000003563","True","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e was merged to release 5.65, so this issue is fixed in 5.66. 
NVD data issue.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3341","https://nvd.nist.gov/vuln/detail/CVE-2022-3341","ffmpeg","4.4.4","","","","2022A0000003341","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.0","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3109","https://nvd.nist.gov/vuln/detail/CVE-2022-3109","ffmpeg","4.4.4","","","","2022A0000003109","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-2880","https://nvd.nist.gov/vuln/detail/CVE-2022-2880","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000002880","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-2879","https://nvd.nist.gov/vuln/detail/CVE-2022-2879","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000002879","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-908","https://osv.dev/OSV-2022-908","bluez","5.66","5.66","5.69","bluez","2022A0000000908","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-896","https://osv.dev/OSV-2022-896","libsass","3.6.5","3.6.5","3.6.5","libsass","2022A0000000896","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-859","https://osv.dev/OSV-2022-859","bluez","5.66","5.66","5.69","bluez","2022A0000000859","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-0856","https://nvd.nist.gov/vuln/detail/CVE-2022-0856","libcaca","0.99.beta20","0.99.beta20","","libcaca","2022A0000000856","False","Not fixed upstream: https://github.com/cacalabs/libcaca/issues/65.","err_invalid_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","8.0.2","8.0.4","8.1.0","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-530","https://osv.dev/OSV-2022-530","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000530","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-519","https://osv.dev/OSV-2022-519","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000519","False","Unclear if this is still 
valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-462","https://osv.dev/OSV-2022-462","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000462","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-394","https://osv.dev/OSV-2022-394","opencv","4.7.0","4.7.0","4.8.0","opencv","2022A0000000394","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-mc7w-4cjf-c973","https://osv.dev/GHSA-mc7w-4cjf-c973","opencv","4.7.0","","","","2021A1633564800","True","Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv https://github.com/opencv/opencv.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","0.8.2","","","","2021A1632355200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-46312","https://nvd.nist.gov/vuln/detail/CVE-2021-46312","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046312","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-46310","https://nvd.nist.gov/vuln/detail/CVE-2021-46310","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046310","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-39205","https://nvd.nist.gov/vuln/detail/CVE-2021-39205","jitsi-meet","1.0.6943","","","","2021A0000039205","True","Does not impact the version in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33506","https://nvd.nist.gov/vuln/detail/CVE-2021-33506","jitsi-meet","1.0.6943","","","","2021A0000033506","True","Fixed in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-32493","https://nvd.nist.gov/vuln/detail/CVE-2021-32493","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000032493","False","Pending merge: https://github.com/NixOS/nixpkgs/pull/246773.","fix_not_available","https://github.com/NixOS/nixpkgs/pull/246773"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-32492","https://nvd.nist.gov/vuln/detail/CVE-2021-32492","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000032492","False","Pending merge: https://github.com/NixOS/nixpkgs/pull/246773.","fix_not_available","https://github.com/NixOS/nixpkgs/pull/246773"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-32491","https://nvd.nist.gov/vuln/detail/CVE-2021-32491","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000032491","False","Pending merge: https://github.com/NixOS/nixpkgs/pull/246773.","fix_not_available","https://github.com/NixOS/nixpkgs/pull/246773"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-32490","https://nvd.nist.gov/vuln/detail/CVE-2021-32490","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000032490","False","Pending merge: https://github.com/NixOS/nixpkgs/pull/246773.","fix_not_available","https://github.com/NixOS/nixpkgs/pull/246773"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-30499","https://nvd.nist.gov/vuln/detail/CVE-2021-30499","libcaca","0.99.beta20","","","","2021A0000030499","True","NVD data issue: CPE entry does not correctly state the version numbers. 
Issue is fixed in v0.99.beta20: https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-26720","https://nvd.nist.gov/vuln/detail/CVE-2021-26720","avahi","0.8","","","","2021A0000026720","True","False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.40.1","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","8.0.2","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3500","https://nvd.nist.gov/vuln/detail/CVE-2021-3500","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000003500","False","Pending merge: https://github.com/NixOS/nixpkgs/pull/246773.","fix_not_available","https://github.com/NixOS/nixpkgs/pull/246773"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3468","https://nvd.nist.gov/vuln/detail/CVE-2021-3468","avahi","0.8","","","","2021A0000003468","True","Fixed in nixpgs with https://github.com/NixOS/nixpkgs/pull/195331.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-1157","https://osv.dev/OSV-2021-1157","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001157","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-1141","https://osv.dev/OSV-2021-1141","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001141","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-1110","https://osv.dev/OSV-2021-1110","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001110","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-1041","https://osv.dev/OSV-2021-1041","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001041","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-1024","https://osv.dev/OSV-2021-1024","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001024","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","8.0.2","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-802","https://osv.dev/OSV-2021-802","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000802","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-787","https://osv.dev/OSV-2021-787","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000787","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.10.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. 
Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-765","https://osv.dev/OSV-2021-765","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000765","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-508","https://osv.dev/OSV-2021-508","libsass","3.6.5","3.6.5","3.6.5","libsass","2021A0000000508","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-f698-m2v9-5fh3","https://osv.dev/GHSA-f698-m2v9-5fh3","opencv","4.7.0","","","","2020A1598832000","True","Incorrect package: issue refers node-opencv https://www.npmjs.com/package/opencv, whereas nixpkgs refers https://github.com/opencv/opencv.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-24490","https://nvd.nist.gov/vuln/detail/CVE-2020-24490","bluez","5.66","","","","2020A0000024490","True","Fixed in linux kernel (5.8) with: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-18781","https://nvd.nist.gov/vuln/detail/CVE-2020-18781","audiofile","0.3.6","0.3.6","0.3.6","audiofile","2020A0000018781","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.21","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers 
rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.40.1","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872
+https://github.com/NixOS/nixpkgs/pull/84664"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","2.5.8","3.1.10","3.2.0","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-1420","https://osv.dev/OSV-2020-1420","libsass","3.6.5","3.6.5","3.6.5","libsass","2020A0000001420","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-862","https://osv.dev/OSV-2020-862","libsass","3.6.5","3.6.5","3.6.5","libsass","2020A0000000862","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-822","https://osv.dev/OSV-2020-822","jbig2dec","0.19","0.19","0.19","jbig2dec","2020A0000000822","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-521","https://osv.dev/OSV-2020-521","aspell","0.60.8","0.60.8","0.60.8","aspell","2020A0000000521","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.40.1","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14587","https://nvd.nist.gov/vuln/detail/CVE-2019-14587","edk2","202211","","","","2019A0000014587","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14586","https://nvd.nist.gov/vuln/detail/CVE-2019-14586","edk2","202211","","","","2019A0000014586","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14575","https://nvd.nist.gov/vuln/detail/CVE-2019-14575","edk2","202211","","","","2019A0000014575","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14563","https://nvd.nist.gov/vuln/detail/CVE-2019-14563","edk2","202211","","","","2019A0000014563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14562","https://nvd.nist.gov/vuln/detail/CVE-2019-14562","edk2","202211","","","","2019A0000014562","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14559","https://nvd.nist.gov/vuln/detail/CVE-2019-14559","edk2","202211","","","","2019A0000014559","True","NVD data issue: CPE entry does not correctly state the version 
numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14553","https://nvd.nist.gov/vuln/detail/CVE-2019-14553","edk2","202211","","","","2019A0000014553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","8.0.2","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.16","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.40.1","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.40.1","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","8.0.2","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-13410","https://nvd.nist.gov/vuln/detail/CVE-2018-13410","zip","3.0","","","","2018A0000013410","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-7263","https://nvd.nist.gov/vuln/detail/CVE-2018-7263","libmad","0.15.1b","","","","2018A0000007263","True","Based on https://github.com/NixOS/nixpkgs/issues/57154, issue is fixed by https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-6553","https://nvd.nist.gov/vuln/detail/CVE-2018-6553","cups","2.4.6","","","","2018A0000006553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2017-5628","https://nvd.nist.gov/vuln/detail/CVE-2017-5628","mujs","1.3.3","","","","2017A0000005628","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2017-5627","https://nvd.nist.gov/vuln/detail/CVE-2017-5627","mujs","1.3.3","","","","2017A0000005627","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-10141","https://nvd.nist.gov/vuln/detail/CVE-2016-10141","mujs","1.3.3","","","","2016A0000010141","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-10133","https://nvd.nist.gov/vuln/detail/CVE-2016-10133","mujs","1.3.3","","","","2016A0000010133","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-10132","https://nvd.nist.gov/vuln/detail/CVE-2016-10132","mujs","1.3.3","","","","2016A0000010132","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-9294","https://nvd.nist.gov/vuln/detail/CVE-2016-9294","mujs","1.3.3","","","","2016A0000009294","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-9136","https://nvd.nist.gov/vuln/detail/CVE-2016-9136","mujs","1.3.3","","","","2016A0000009136","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-9109","https://nvd.nist.gov/vuln/detail/CVE-2016-9109","mujs","1.3.3","","","","2016A0000009109","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-9108","https://nvd.nist.gov/vuln/detail/CVE-2016-9108","mujs","1.3.3","","","","2016A0000009108","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-9017","https://nvd.nist.gov/vuln/detail/CVE-2016-9017","mujs","1.3.3","","","","2016A0000009017","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-7564","https://nvd.nist.gov/vuln/detail/CVE-2016-7564","mujs","1.3.3","","","","2016A0000007564","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-7563","https://nvd.nist.gov/vuln/detail/CVE-2016-7563","mujs","1.3.3","","","","2016A0000007563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-7506","https://nvd.nist.gov/vuln/detail/CVE-2016-7506","mujs","1.3.3","","","","2016A0000007506","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-7504","https://nvd.nist.gov/vuln/detail/CVE-2016-7504","mujs","1.3.3","","","","2016A0000007504","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","12.2.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","12.2.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","12.2.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","12.2.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","12.2.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","12.2.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","12.2.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","12.2.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.1","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","12.2.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","7.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2014-4860","https://nvd.nist.gov/vuln/detail/CVE-2014-4860","edk2","202211","","","","2014A0000004860","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2014-4859","https://nvd.nist.gov/vuln/detail/CVE-2014-4859","edk2","202211","","","","2014A0000004859","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.2.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.69.0","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-40360","https://nvd.nist.gov/vuln/detail/CVE-2023-40360","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000040360","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/251154" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-40359","https://nvd.nist.gov/vuln/detail/CVE-2023-40359","xterm","379","384","384","xterm","2023A0000040359","False","Requested backport for PR: https://github.com/NixOS/nixpkgs/pull/244141.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/244141" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.0","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862 +https://github.com/NixOS/nixpkgs/pull/130806 +https://github.com/NixOS/nixpkgs/pull/248027" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. 
This is just a test executable"".","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","5.36.0-env","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","5.36.0","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with 
https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","5.36.0-env","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","5.36.0","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.0","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862 +https://github.com/NixOS/nixpkgs/pull/130806 +https://github.com/NixOS/nixpkgs/pull/247034 
+https://github.com/NixOS/nixpkgs/pull/248027" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29404","https://nvd.nist.gov/vuln/detail/CVE-2023-29404","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029404","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: 
https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","1.1.10","","","","2023A0000028115","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24540","https://nvd.nist.gov/vuln/detail/CVE-2023-24540","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024540","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24539","https://nvd.nist.gov/vuln/detail/CVE-2023-24539","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024539","True","See the discussion in: 
https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24538","https://nvd.nist.gov/vuln/detail/CVE-2023-24538","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024538","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24537","https://nvd.nist.gov/vuln/detail/CVE-2023-24537","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024537","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000004135","False","Fixed upstream 
in 8.1.0.","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-3603","https://nvd.nist.gov/vuln/detail/CVE-2023-3603","libssh","0.10.5","","","","2023A0000003603","True","Based on https://security-tracker.debian.org/tracker/CVE-2023-3603 and https://bugzilla.redhat.com/show_bug.cgi?id=2221791, vulnerable code is not present in 0.10.5 or any currently released version.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. 
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 +https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 +https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 +https://github.com/NixOS/nixpkgs/pull/251896" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","7.2.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-48434","https://nvd.nist.gov/vuln/detail/CVE-2022-48434","ffmpeg","4.4.4","","","","2022A0000048434","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.3 https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-43357","https://nvd.nist.gov/vuln/detail/CVE-2022-43357","sassc","3.6.2","3.6.2","3.6.2","sassc","2022A0000043357","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41725","https://nvd.nist.gov/vuln/detail/CVE-2022-41725","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041725","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41724","https://nvd.nist.gov/vuln/detail/CVE-2022-41724","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041724","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41723","https://nvd.nist.gov/vuln/detail/CVE-2022-41723","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041723","True","See the discussion in: 
https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41722","https://nvd.nist.gov/vuln/detail/CVE-2022-41722","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041722","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41720","https://nvd.nist.gov/vuln/detail/CVE-2022-41720","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041720","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41717","https://nvd.nist.gov/vuln/detail/CVE-2022-41717","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041717","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41716","https://nvd.nist.gov/vuln/detail/CVE-2022-41716","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041716","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-41715","https://nvd.nist.gov/vuln/detail/CVE-2022-41715","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041715","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.40.1","","","","2022A0000038663","True","Incorrect package: Impacts 
Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-37416","https://nvd.nist.gov/vuln/detail/CVE-2022-37416","libmpeg2","0.5.1","","","","2022A0000037416","True","NVD data issue: concerns Android only.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.40.1","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.40.1","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.40.1","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-36073","https://nvd.nist.gov/vuln/detail/CVE-2022-36073","rubygems","3.4.13","","","","2022A0000036073","True","Latest impacted version in 3.x is 3.0.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.40.1","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.40.1","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.40.1","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-27664","https://nvd.nist.gov/vuln/detail/CVE-2022-27664","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000027664","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-26691","https://nvd.nist.gov/vuln/detail/CVE-2022-26691","cups","2.4.6","","","","2022A0000026691","True","Fixed in nixpkgs with PR: https://github.com/NixOS/nixpkgs/pull/174898.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-26592","https://nvd.nist.gov/vuln/detail/CVE-2022-26592","libsass","3.6.5","3.6.5","3.6.5","libsass","2022A0000026592","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3965","https://nvd.nist.gov/vuln/detail/CVE-2022-3965","ffmpeg","5.1.3","","","","2022A0000003965","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 5.1.x is merged in 5.1.3 https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","5.1.3","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","4.4.4","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3637","https://nvd.nist.gov/vuln/detail/CVE-2022-3637","bluez","5.66","","","","2022A0000003637","True","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f was merged to release 5.65, so this issue is fixed in 5.66. 
NVD data issue.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3563","https://nvd.nist.gov/vuln/detail/CVE-2022-3563","bluez","5.66","","","","2022A0000003563","True","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3341","https://nvd.nist.gov/vuln/detail/CVE-2022-3341","ffmpeg","4.4.4","","","","2022A0000003341","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.0","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3109","https://nvd.nist.gov/vuln/detail/CVE-2022-3109","ffmpeg","4.4.4","","","","2022A0000003109","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-2880","https://nvd.nist.gov/vuln/detail/CVE-2022-2880","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000002880","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-2879","https://nvd.nist.gov/vuln/detail/CVE-2022-2879","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000002879","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-908","https://osv.dev/OSV-2022-908","bluez","5.66","5.66","5.69","bluez","2022A0000000908","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-896","https://osv.dev/OSV-2022-896","libsass","3.6.5","3.6.5","3.6.5","libsass","2022A0000000896","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-859","https://osv.dev/OSV-2022-859","bluez","5.66","5.66","5.69","bluez","2022A0000000859","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-0856","https://nvd.nist.gov/vuln/detail/CVE-2022-0856","libcaca","0.99.beta20","0.99.beta20","","libcaca","2022A0000000856","False","Not fixed upstream: https://github.com/cacalabs/libcaca/issues/65.","err_invalid_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","8.0.4","8.0.4","8.1.0","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-530","https://osv.dev/OSV-2022-530","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000530","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-519","https://osv.dev/OSV-2022-519","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000519","False","Unclear if this is still 
valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-462","https://osv.dev/OSV-2022-462","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000462","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-394","https://osv.dev/OSV-2022-394","opencv","4.7.0","4.7.0","4.8.0","opencv","2022A0000000394","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-mc7w-4cjf-c973","https://osv.dev/GHSA-mc7w-4cjf-c973","opencv","4.7.0","","","","2021A1633564800","True","Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv https://github.com/opencv/opencv.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","0.8.2","","","","2021A1632355200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-46312","https://nvd.nist.gov/vuln/detail/CVE-2021-46312","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046312","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-46310","https://nvd.nist.gov/vuln/detail/CVE-2021-46310","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046310","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-39205","https://nvd.nist.gov/vuln/detail/CVE-2021-39205","jitsi-meet","1.0.6943","","","","2021A0000039205","True","Does not impact the version in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33506","https://nvd.nist.gov/vuln/detail/CVE-2021-33506","jitsi-meet","1.0.6943","","","","2021A0000033506","True","Fixed in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-30499","https://nvd.nist.gov/vuln/detail/CVE-2021-30499","libcaca","0.99.beta20","","","","2021A0000030499","True","NVD data issue: CPE entry does not correctly state the version numbers. 
Issue is fixed in v0.99.beta20: https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-26720","https://nvd.nist.gov/vuln/detail/CVE-2021-26720","avahi","0.8","","","","2021A0000026720","True","False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.40.1","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","8.0.4","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-1157","https://osv.dev/OSV-2021-1157","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001157","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-1141","https://osv.dev/OSV-2021-1141","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001141","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-1110","https://osv.dev/OSV-2021-1110","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001110","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-1041","https://osv.dev/OSV-2021-1041","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001041","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-1024","https://osv.dev/OSV-2021-1024","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001024","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","8.0.4","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-802","https://osv.dev/OSV-2021-802","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000802","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-787","https://osv.dev/OSV-2021-787","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000787","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.10.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-765","https://osv.dev/OSV-2021-765","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000765","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-508","https://osv.dev/OSV-2021-508","libsass","3.6.5","3.6.5","3.6.5","libsass","2021A0000000508","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-f698-m2v9-5fh3","https://osv.dev/GHSA-f698-m2v9-5fh3","opencv","4.7.0","","","","2020A1598832000","True","Incorrect package: issue refers node-opencv https://www.npmjs.com/package/opencv, whereas nixpkgs refers https://github.com/opencv/opencv.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2020-24490","https://nvd.nist.gov/vuln/detail/CVE-2020-24490","bluez","5.66","","","","2020A0000024490","True","Fixed in linux kernel (5.8) with: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2020-18781","https://nvd.nist.gov/vuln/detail/CVE-2020-18781","audiofile","0.3.6","0.3.6","0.3.6","audiofile","2020A0000018781","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.21","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.40.1","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 +https://github.com/NixOS/nixpkgs/pull/84664" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","2.5.8","3.1.10","3.2.0","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2020-1420","https://osv.dev/OSV-2020-1420","libsass","3.6.5","3.6.5","3.6.5","libsass","2020A0000001420","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2020-862","https://osv.dev/OSV-2020-862","libsass","3.6.5","3.6.5","3.6.5","libsass","2020A0000000862","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2020-822","https://osv.dev/OSV-2020-822","jbig2dec","0.19","0.19","0.19","jbig2dec","2020A0000000822","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2020-521","https://osv.dev/OSV-2020-521","aspell","0.60.8","0.60.8","0.60.8","aspell","2020A0000000521","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.40.1","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14587","https://nvd.nist.gov/vuln/detail/CVE-2019-14587","edk2","202211","","","","2019A0000014587","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14586","https://nvd.nist.gov/vuln/detail/CVE-2019-14586","edk2","202211","","","","2019A0000014586","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14575","https://nvd.nist.gov/vuln/detail/CVE-2019-14575","edk2","202211","","","","2019A0000014575","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14563","https://nvd.nist.gov/vuln/detail/CVE-2019-14563","edk2","202211","","","","2019A0000014563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14562","https://nvd.nist.gov/vuln/detail/CVE-2019-14562","edk2","202211","","","","2019A0000014562","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14559","https://nvd.nist.gov/vuln/detail/CVE-2019-14559","edk2","202211","","","","2019A0000014559","True","NVD data issue: CPE entry does not
correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14553","https://nvd.nist.gov/vuln/detail/CVE-2019-14553","edk2","202211","","","","2019A0000014553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","8.0.4","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.16","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","1.16.0","","","","2019A0000006461","True","Not valid:
https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.40.1","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.40.1","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","8.0.4","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-13410","https://nvd.nist.gov/vuln/detail/CVE-2018-13410","zip","3.0","","","","2018A0000013410","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-7263","https://nvd.nist.gov/vuln/detail/CVE-2018-7263","libmad","0.15.1b","","","","2018A0000007263","True","Based on https://github.com/NixOS/nixpkgs/issues/57154, issue is fixed by https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-6553","https://nvd.nist.gov/vuln/detail/CVE-2018-6553","cups","2.4.6","","","","2018A0000006553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2017-5628","https://nvd.nist.gov/vuln/detail/CVE-2017-5628","mujs","1.3.3","","","","2017A0000005628","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2017-5627","https://nvd.nist.gov/vuln/detail/CVE-2017-5627","mujs","1.3.3","","","","2017A0000005627","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-10141","https://nvd.nist.gov/vuln/detail/CVE-2016-10141","mujs","1.3.3","","","","2016A0000010141","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-10133","https://nvd.nist.gov/vuln/detail/CVE-2016-10133","mujs","1.3.3","","","","2016A0000010133","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-10132","https://nvd.nist.gov/vuln/detail/CVE-2016-10132","mujs","1.3.3","","","","2016A0000010132","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-9294","https://nvd.nist.gov/vuln/detail/CVE-2016-9294","mujs","1.3.3","","","","2016A0000009294","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-9136","https://nvd.nist.gov/vuln/detail/CVE-2016-9136","mujs","1.3.3","","","","2016A0000009136","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-9109","https://nvd.nist.gov/vuln/detail/CVE-2016-9109","mujs","1.3.3","","","","2016A0000009109","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-9108","https://nvd.nist.gov/vuln/detail/CVE-2016-9108","mujs","1.3.3","","","","2016A0000009108","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-9017","https://nvd.nist.gov/vuln/detail/CVE-2016-9017","mujs","1.3.3","","","","2016A0000009017","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-7564","https://nvd.nist.gov/vuln/detail/CVE-2016-7564","mujs","1.3.3","","","","2016A0000007564","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-7563","https://nvd.nist.gov/vuln/detail/CVE-2016-7563","mujs","1.3.3","","","","2016A0000007563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-7506","https://nvd.nist.gov/vuln/detail/CVE-2016-7506","mujs","1.3.3","","","","2016A0000007506","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-7504","https://nvd.nist.gov/vuln/detail/CVE-2016-7504","mujs","1.3.3","","","","2016A0000007504","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","12.2.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","12.2.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","12.2.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","12.2.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","12.2.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","12.2.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","12.2.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","12.2.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.1","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","12.2.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","7.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2014-4860","https://nvd.nist.gov/vuln/detail/CVE-2014-4860","edk2","202211","","","","2014A0000004860","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2014-4859","https://nvd.nist.gov/vuln/detail/CVE-2014-4859","edk2","202211","","","","2014A0000004859","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.2.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-40360","https://nvd.nist.gov/vuln/detail/CVE-2023-40360","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000040360","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/251154"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.0","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6.
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862
+https://github.com/NixOS/nixpkgs/pull/130806
+https://github.com/NixOS/nixpkgs/pull/248027"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this.
This is just a test executable"".","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.0","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862
+https://github.com/NixOS/nixpkgs/pull/130806
+https://github.com/NixOS/nixpkgs/pull/247034
+https://github.com/NixOS/nixpkgs/pull/248027"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29404","https://nvd.nist.gov/vuln/detail/CVE-2023-29404","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029404","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28322","https://nvd.nist.gov/vuln/detail/CVE-2023-28322","curl","0.4.44","","","","2023A0000028322","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531
+https://github.com/NixOS/nixpkgs/pull/232535"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28321","https://nvd.nist.gov/vuln/detail/CVE-2023-28321","curl","0.4.44","","","","2023A0000028321","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531
+https://github.com/NixOS/nixpkgs/pull/232535"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28320","https://nvd.nist.gov/vuln/detail/CVE-2023-28320","curl","0.4.44","","","","2023A0000028320","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531
+https://github.com/NixOS/nixpkgs/pull/232535"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28319","https://nvd.nist.gov/vuln/detail/CVE-2023-28319","curl","0.4.44","","","","2023A0000028319","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","1.1.10","","","","2023A0000028115","False","","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24540","https://nvd.nist.gov/vuln/detail/CVE-2023-24540","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024540","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24539","https://nvd.nist.gov/vuln/detail/CVE-2023-24539","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024539","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24538","https://nvd.nist.gov/vuln/detail/CVE-2023-24538","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024538","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24537","https://nvd.nist.gov/vuln/detail/CVE-2023-24537","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024537","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3724","https://nvd.nist.gov/vuln/detail/CVE-2023-3724","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2023A0000003724","False","Issue is fixed in 5.6.2: https://www.wolfssl.com/docs/security-vulnerabilities/. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/239027
+https://github.com/NixOS/nixpkgs/pull/246451"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3603","https://nvd.nist.gov/vuln/detail/CVE-2023-3603","libssh","0.10.5","","","","2023A0000003603","True","Based on https://security-tracker.debian.org/tracker/CVE-2023-3603 and https://bugzilla.redhat.com/show_bug.cgi?id=2221791, vulnerable code is not present in 0.10.5 or any currently released version.","err_missing_repology_version",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62.
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.45","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-197","https://osv.dev/OSV-2023-197","p11-kit","0.25.0","0.25.0","0.25.0","p11-kit","2023A0000000197","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","7.3.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-48434","https://nvd.nist.gov/vuln/detail/CVE-2022-48434","ffmpeg","4.4.4","","","","2022A0000048434","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.3 https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-43552","https://nvd.nist.gov/vuln/detail/CVE-2022-43552","curl","0.4.44","","","","2022A0000043552","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/207158 +https://github.com/NixOS/nixpkgs/pull/207162 +https://github.com/NixOS/nixpkgs/pull/207165" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-43357","https://nvd.nist.gov/vuln/detail/CVE-2022-43357","sassc","3.6.2","3.6.2","3.6.2","sassc","2022A0000043357","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41725","https://nvd.nist.gov/vuln/detail/CVE-2022-41725","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041725","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41724","https://nvd.nist.gov/vuln/detail/CVE-2022-41724","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041724","True","See the 
discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41723","https://nvd.nist.gov/vuln/detail/CVE-2022-41723","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041723","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41722","https://nvd.nist.gov/vuln/detail/CVE-2022-41722","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041722","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41720","https://nvd.nist.gov/vuln/detail/CVE-2022-41720","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041720","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41717","https://nvd.nist.gov/vuln/detail/CVE-2022-41717","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041717","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41716","https://nvd.nist.gov/vuln/detail/CVE-2022-41716","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041716","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-41715","https://nvd.nist.gov/vuln/detail/CVE-2022-41715","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000041715","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.41.0","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-37416","https://nvd.nist.gov/vuln/detail/CVE-2022-37416","libmpeg2","0.5.1","","","","2022A0000037416","True","NVD data issue: concerns Android only.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.41.0","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.41.0","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.41.0","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36073","https://nvd.nist.gov/vuln/detail/CVE-2022-36073","rubygems","3.4.19","","","","2022A0000036073","True","Latest impacted version in 3.x is 3.0.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-35252","https://nvd.nist.gov/vuln/detail/CVE-2022-35252","curl","0.4.44","","","","2022A0000035252","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/189083 +https://github.com/NixOS/nixpkgs/pull/198730" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-32221","https://nvd.nist.gov/vuln/detail/CVE-2022-32221","curl","0.4.44","","","","2022A0000032221","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/198730" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-32206","https://nvd.nist.gov/vuln/detail/CVE-2022-32206","curl","0.4.44","","","","2022A0000032206","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/179314 +https://github.com/NixOS/nixpkgs/pull/180021" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.41.0","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.41.0","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.41.0","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-27782","https://nvd.nist.gov/vuln/detail/CVE-2022-27782","curl","0.4.44","","","","2022A0000027782","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-27781","https://nvd.nist.gov/vuln/detail/CVE-2022-27781","curl","0.4.44","","","","2022A0000027781","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-27776","https://nvd.nist.gov/vuln/detail/CVE-2022-27776","curl","0.4.44","","","","2022A0000027776","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/170654 +https://github.com/NixOS/nixpkgs/pull/170659" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-27664","https://nvd.nist.gov/vuln/detail/CVE-2022-27664","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000027664","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-26691","https://nvd.nist.gov/vuln/detail/CVE-2022-26691","cups","2.4.6","","","","2022A0000026691","True","Fixed in nixpkgs with PR: https://github.com/NixOS/nixpkgs/pull/174898.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-26592","https://nvd.nist.gov/vuln/detail/CVE-2022-26592","libsass","3.6.5","3.6.5","3.6.5","libsass","2022A0000026592","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3965","https://nvd.nist.gov/vuln/detail/CVE-2022-3965","ffmpeg","5.1.3","","","","2022A0000003965","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 5.1.x is merged in 5.1.3 https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","5.1.3","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","4.4.4","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3637","https://nvd.nist.gov/vuln/detail/CVE-2022-3637","bluez","5.66","","","","2022A0000003637","True","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3563","https://nvd.nist.gov/vuln/detail/CVE-2022-3563","bluez","5.66","","","","2022A0000003563","True","Upstream fix commit: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3341","https://nvd.nist.gov/vuln/detail/CVE-2022-3341","ffmpeg","4.4.4","","","","2022A0000003341","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.1","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3109","https://nvd.nist.gov/vuln/detail/CVE-2022-3109","ffmpeg","4.4.4","","","","2022A0000003109","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-2880","https://nvd.nist.gov/vuln/detail/CVE-2022-2880","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000002880","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-2879","https://nvd.nist.gov/vuln/detail/CVE-2022-2879","go","1.17.13-linux-amd64-bootstrap","","","","2022A0000002879","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-908","https://osv.dev/OSV-2022-908","bluez","5.66","5.66","5.69","bluez","2022A0000000908","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-896","https://osv.dev/OSV-2022-896","libsass","3.6.5","3.6.5","3.6.5","libsass","2022A0000000896","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-859","https://osv.dev/OSV-2022-859","bluez","5.66","5.66","5.69","bluez","2022A0000000859","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","8.0.4","8.0.4","8.1.0","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-530","https://osv.dev/OSV-2022-530","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000530","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-519","https://osv.dev/OSV-2022-519","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000519","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-462","https://osv.dev/OSV-2022-462","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000462","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","0.8.2","","","","2021A1632355200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-46312","https://nvd.nist.gov/vuln/detail/CVE-2021-46312","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046312","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-46310","https://nvd.nist.gov/vuln/detail/CVE-2021-46310","djvulibre","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046310","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-39205","https://nvd.nist.gov/vuln/detail/CVE-2021-39205","jitsi-meet","1.0.7322","","","","2021A0000039205","True","Does not impact the version in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33506","https://nvd.nist.gov/vuln/detail/CVE-2021-33506","jitsi-meet","1.0.7322","","","","2021A0000033506","True","Fixed in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. 
Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-26720","https://nvd.nist.gov/vuln/detail/CVE-2021-26720","avahi","0.8","","","","2021A0000026720","True","False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.41.0","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","8.0.4","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. 
Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-1157","https://osv.dev/OSV-2021-1157","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001157","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-1141","https://osv.dev/OSV-2021-1141","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001141","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-1110","https://osv.dev/OSV-2021-1110","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001110","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-1041","https://osv.dev/OSV-2021-1041","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001041","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-1024","https://osv.dev/OSV-2021-1024","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001024","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","8.0.4","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-802","https://osv.dev/OSV-2021-802","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000802","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-787","https://osv.dev/OSV-2021-787","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000787","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.11.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. 
Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-765","https://osv.dev/OSV-2021-765","espeak-ng","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000765","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-508","https://osv.dev/OSV-2021-508","libsass","3.6.5","3.6.5","3.6.5","libsass","2021A0000000508","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-35669","https://nvd.nist.gov/vuln/detail/CVE-2020-35669","http","0.2.9","0.3-0","0.4","lua:http","2020A0000035669","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-24490","https://nvd.nist.gov/vuln/detail/CVE-2020-24490","bluez","5.66","","","","2020A0000024490","True","Fixed in linux kernel (5.8) with: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-18781","https://nvd.nist.gov/vuln/detail/CVE-2020-18781","audiofile","0.3.6","0.3.6","0.3.6","audiofile","2020A0000018781","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.29","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': 
https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-8284","https://nvd.nist.gov/vuln/detail/CVE-2020-8284","curl","0.4.44","","","","2020A0000008284","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/106452" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.41.0","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 +https://github.com/NixOS/nixpkgs/pull/84664" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","2.5.8","3.1.10","3.2.0","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-1420","https://osv.dev/OSV-2020-1420","libsass","3.6.5","3.6.5","3.6.5","libsass","2020A0000001420","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-862","https://osv.dev/OSV-2020-862","libsass","3.6.5","3.6.5","3.6.5","libsass","2020A0000000862","False","","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-822","https://osv.dev/OSV-2020-822","jbig2dec","0.19","0.19","0.19","jbig2dec","2020A0000000822","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-521","https://osv.dev/OSV-2020-521","aspell","0.60.8","0.60.8","0.60.8","aspell","2020A0000000521","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.41.0","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-20503","https://nvd.nist.gov/vuln/detail/CVE-2019-20503","usrsctp","0.9.5.0","0.9.5.0","0.9.5.0","usrsctp","2019A0000020503","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/82874 +https://github.com/NixOS/nixpkgs/pull/82958" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14587","https://nvd.nist.gov/vuln/detail/CVE-2019-14587","edk2","202305","","","","2019A0000014587","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14586","https://nvd.nist.gov/vuln/detail/CVE-2019-14586","edk2","202305","","","","2019A0000014586","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14575","https://nvd.nist.gov/vuln/detail/CVE-2019-14575","edk2","202305","","","","2019A0000014575","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14563","https://nvd.nist.gov/vuln/detail/CVE-2019-14563","edk2","202305","","","","2019A0000014563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14562","https://nvd.nist.gov/vuln/detail/CVE-2019-14562","edk2","202305","","","","2019A0000014562","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14559","https://nvd.nist.gov/vuln/detail/CVE-2019-14559","edk2","202305","","","","2019A0000014559","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14553","https://nvd.nist.gov/vuln/detail/CVE-2019-14553","edk2","202305","","","","2019A0000014553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","8.0.4","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.18","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-5443","https://nvd.nist.gov/vuln/detail/CVE-2019-5443","curl","0.4.44","","","","2019A0000005443","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.41.0","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.41.0","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","8.0.4","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-13410","https://nvd.nist.gov/vuln/detail/CVE-2018-13410","zip","3.0","","","","2018A0000013410","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-7263","https://nvd.nist.gov/vuln/detail/CVE-2018-7263","libmad","0.15.1b","","","","2018A0000007263","True","Based on https://github.com/NixOS/nixpkgs/issues/57154, issue is fixed by https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-6553","https://nvd.nist.gov/vuln/detail/CVE-2018-6553","cups","2.4.6","","","","2018A0000006553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2017-8806","https://nvd.nist.gov/vuln/detail/CVE-2017-8806","postgresql","14.9","15.4","15.4","postgresql","2017A0000008806","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2017-5628","https://nvd.nist.gov/vuln/detail/CVE-2017-5628","mujs","1.3.3","","","","2017A0000005628","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2017-5627","https://nvd.nist.gov/vuln/detail/CVE-2017-5627","mujs","1.3.3","","","","2017A0000005627","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-10141","https://nvd.nist.gov/vuln/detail/CVE-2016-10141","mujs","1.3.3","","","","2016A0000010141","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-10133","https://nvd.nist.gov/vuln/detail/CVE-2016-10133","mujs","1.3.3","","","","2016A0000010133","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-10132","https://nvd.nist.gov/vuln/detail/CVE-2016-10132","mujs","1.3.3","","","","2016A0000010132","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-9294","https://nvd.nist.gov/vuln/detail/CVE-2016-9294","mujs","1.3.3","","","","2016A0000009294","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-9136","https://nvd.nist.gov/vuln/detail/CVE-2016-9136","mujs","1.3.3","","","","2016A0000009136","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-9109","https://nvd.nist.gov/vuln/detail/CVE-2016-9109","mujs","1.3.3","","","","2016A0000009109","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-9108","https://nvd.nist.gov/vuln/detail/CVE-2016-9108","mujs","1.3.3","","","","2016A0000009108","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-9017","https://nvd.nist.gov/vuln/detail/CVE-2016-9017","mujs","1.3.3","","","","2016A0000009017","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-7564","https://nvd.nist.gov/vuln/detail/CVE-2016-7564","mujs","1.3.3","","","","2016A0000007564","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-7563","https://nvd.nist.gov/vuln/detail/CVE-2016-7563","mujs","1.3.3","","","","2016A0000007563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-7506","https://nvd.nist.gov/vuln/detail/CVE-2016-7506","mujs","1.3.3","","","","2016A0000007506","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-7504","https://nvd.nist.gov/vuln/detail/CVE-2016-7504","mujs","1.3.3","","","","2016A0000007504","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","12.3.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","12.3.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","12.3.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","12.3.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","12.3.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","12.3.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","12.3.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","12.3.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.3","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","12.3.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","8.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2014-4860","https://nvd.nist.gov/vuln/detail/CVE-2014-4860","edk2","202305","","","","2014A0000004860","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2014-4859","https://nvd.nist.gov/vuln/detail/CVE-2014-4859","edk2","202305","","","","2014A0000004859","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.3.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-40360","https://nvd.nist.gov/vuln/detail/CVE-2023-40360","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000040360","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/251154" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable"".","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","1.1.10","","","","2023A0000028115","False","","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_not_available",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3724","https://nvd.nist.gov/vuln/detail/CVE-2023-3724","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2023A0000003724","False","Issue is fixed in 5.6.2: https://www.wolfssl.com/docs/security-vulnerabilities/. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/239027
+https://github.com/NixOS/nixpkgs/pull/246451"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f.
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.45","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-197","https://osv.dev/OSV-2023-197","p11-kit","0.25.0","0.25.0","0.25.0","p11-kit","2023A0000000197","False","","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","7.3.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range
https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.41.0","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.41.0","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.41.0","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.41.0","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.41.0","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.41.0","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.41.0","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version.
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.1","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","8.0.4","8.0.4","8.1.0","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream.
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream.
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream.
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue.
Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.41.0","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","8.0.4","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html.
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8.
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","8.0.4","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.11.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.41.0","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872
+https://github.com/NixOS/nixpkgs/pull/84664"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","2.5.8","3.1.10","3.2.0","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.41.0","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","8.0.4","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.18","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.41.0","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.41.0","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git.
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","8.0.4","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","12.3.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","12.3.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","12.3.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","12.3.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","12.3.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","12.3.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","12.3.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","12.3.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.3","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","12.3.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","8.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.3.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.69.0","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","5.36.0","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","5.36.0","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: 
https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. 
Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 +https://github.com/NixOS/nixpkgs/pull/251896" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 +https://github.com/NixOS/nixpkgs/pull/251896" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1876","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 +https://github.com/NixOS/nixpkgs/pull/251896" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: 
https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.40.1","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.40.1","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.40.1","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.40.1","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.40.1","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.40.1","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.40.1","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. 
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.0","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.40.1","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not 
git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.10.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. 
Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.40.1","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 +https://github.com/NixOS/nixpkgs/pull/84664" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.40.1","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.16","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.40.1","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.40.1","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.1","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-40360","https://nvd.nist.gov/vuln/detail/CVE-2023-40360","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000040360","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/251154" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. 
This is just a test executable"".","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","1.1.10","","","","2023A0000028115","False","","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. 
Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3724","https://nvd.nist.gov/vuln/detail/CVE-2023-3724","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2023A0000003724","False","Issue is fixed in 5.6.2: https://www.wolfssl.com/docs/security-vulnerabilities/. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/239027 +https://github.com/NixOS/nixpkgs/pull/246451" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. 
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.45","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.4","8.0.4","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-197","https://osv.dev/OSV-2023-197","p11-kit","0.25.0","0.25.0","0.25.0","p11-kit","2023A0000000197","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","7.3.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range 
https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.41.0","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.41.0","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.41.0","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.41.0","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.41.0","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.41.0","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.41.0","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. 
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.1","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","8.0.4","8.0.4","8.1.0","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.41.0","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","8.0.4","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","8.0.4","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.11.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.41.0","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 +https://github.com/NixOS/nixpkgs/pull/84664" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","2.5.8","3.1.10","3.2.0","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.41.0","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","8.0.4","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.18","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.41.0","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.41.0","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","8.0.4","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","12.3.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","12.3.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","12.3.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","12.3.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","12.3.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","12.3.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","12.3.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","12.3.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.3","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","12.3.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","8.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.3.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version",""
diff --git a/result/data.csv.license b/result/data.csv.license
new file mode 100644
index 0000000..fde5380
--- /dev/null
+++ b/result/data.csv.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
\ No newline at end of file
diff --git a/result/packages.riscv64-linux.microchip-icicle-kit-release.md b/result/packages.riscv64-linux.microchip-icicle-kit-release.md
new file mode 100644
index 0000000..1f24ad0
--- /dev/null
+++ b/result/packages.riscv64-linux.microchip-icicle-kit-release.md
@@ -0,0 +1,328 @@ + + +# Vulnerability Report + +This vulnerability report is generated for Ghaf target '`github:tiiuae/ghaf?ref=main#packages.riscv64-linux.microchip-icicle-kit-release`'. The tables on this page include known vulnerabilities impacting any buildtime or runtime dependencies of the given target. + +This report is automatically generated as specified on the [Vulnerability Scan](../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../manual_analysis.csv) file. + + +Reports +================= + +* [Vulnerabilities Fixed in Ghaf nixpkgs Upstream](#vulnerabilities-fixed-in-ghaf-nixpkgs-upstream) +* [Vulnerabilities Fixed in nix-unstable](#vulnerabilities-fixed-in-nix-unstable) +* [New Vulnerabilities Since Last Run](#new-vulnerabilities-since-last-run) +* [All Vulnerabilities Impacting Ghaf](#all-vulnerabilities-impacting-ghaf) +* [Whitelisted Vulnerabilities](#whitelisted-vulnerabilities) + +## Vulnerabilities Fixed in Ghaf nixpkgs Upstream + +Following table lists vulnerabilities that have been fixed in the nixpkgs channel the Ghaf target is currently pinned to, but the fixes have not been included in Ghaf. 
+ +Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/flake.lock) file to mitigate the following issues: + + +| vuln_id | package | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154)]* | +| [CVE-2023-37769](https://nvd.nist.gov/vuln/detail/CVE-2023-37769) | pixman | 0.42.2 | 0.42.2 | 0.42.2 | See: [link](https://gitlab.freedesktop.org/pixman/pixman/-/issues/76): "This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable". | +| [CVE-2023-28115](https://nvd.nist.gov/vuln/detail/CVE-2023-28115) | snappy | 1.1.10 | | | | +| [CVE-2023-4135](https://nvd.nist.gov/vuln/detail/CVE-2023-4135) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Fixed upstream in 8.1.0. | +| [CVE-2023-3724](https://nvd.nist.gov/vuln/detail/CVE-2023-3724) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Issue is fixed in 5.6.2: [link](https://www.wolfssl.com/docs/security-vulnerabilities/). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/239027). *[[PR](https://github.com/NixOS/nixpkgs/pull/239027), [PR](https://github.com/NixOS/nixpkgs/pull/246451)]* | +| [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | +| [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | +| [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). | +| [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). | +| [OSV-2023-390](https://osv.dev/OSV-2023-390) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Unclear if this is still valid. | +| [OSV-2023-197](https://osv.dev/OSV-2023-197) | p11-kit | 0.25.0 | 0.25.0 | 0.25.0 | | +| [OSV-2022-842](https://osv.dev/OSV-2022-842) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Unclear if this is still valid. | +| [OSV-2022-725](https://osv.dev/OSV-2022-725) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-608](https://osv.dev/OSV-2022-608) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-581](https://osv.dev/OSV-2022-581) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Unclear if this is still valid. | +| [OSV-2020-1610](https://osv.dev/OSV-2020-1610) | openexr | 2.5.8 | 3.1.10 | 3.2.0 | | +| [OSV-2020-438](https://osv.dev/OSV-2020-438) | capstone | 4.0.2 | 4.0.2 | 5.0.1 | | + + +## Vulnerabilities Fixed in nix-unstable + +Following table lists vulnerabilities that have been fixed in nixpgks nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. + +Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch. 
+ +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch: + + +| vuln_id | package | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | +| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | + + + +## New Vulnerabilities Since Last Run + +Following table lists vulnerabilities currently impacting the Ghaf target that have emerged since the last time this vulnerability report was generated. 
+ +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + +```No vulnerabilities``` + + +## All Vulnerabilities Impacting Ghaf + +Following table lists all vulnerabilities currently impacting the Ghaf target. + +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + + +| vuln_id | package | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|------------|------------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [GHSA-wrrj-h57r-vx9p](https://osv.dev/GHSA-wrrj-h57r-vx9p) | cargo | 1.71.1 | 0.4.9 | 0.4.9 | | +| [GHSA-w596-4wvx-j9j6](https://osv.dev/GHSA-w596-4wvx-j9j6) | py | 1.11.0 | 1.11.0 | 1.11.0 | | +| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154)]* | +| [CVE-2023-39742](https://nvd.nist.gov/vuln/detail/CVE-2023-39742) | giflib | 5.2.1 | 5.2.1 | 5.2.1 | | +| [CVE-2023-37769](https://nvd.nist.gov/vuln/detail/CVE-2023-37769) | pixman | 0.42.2 | 0.42.2 | 0.42.2 | See: [link](https://gitlab.freedesktop.org/pixman/pixman/-/issues/76): "This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable". | +| [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 3.6.2 | 3.6.2 | 3.7.1 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). 
| +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 4.13 | 4.13 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/233924)]* | +| [CVE-2023-28938](https://nvd.nist.gov/vuln/detail/CVE-2023-28938) | mdadm | 4.2 | 4.2 | 4.2 | | +| [CVE-2023-28736](https://nvd.nist.gov/vuln/detail/CVE-2023-28736) | mdadm | 4.2 | 4.2 | 4.2 | | +| [CVE-2023-28115](https://nvd.nist.gov/vuln/detail/CVE-2023-28115) | snappy | 1.1.10 | | | | +| [CVE-2023-4135](https://nvd.nist.gov/vuln/detail/CVE-2023-4135) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Fixed upstream in 8.1.0. | +| [CVE-2023-4016](https://nvd.nist.gov/vuln/detail/CVE-2023-4016) | procps | 3.3.17 | | | See: [link](https://gitlab.com/procps-ng/procps/-/issues/297). Notice: repology package name is procps-ng: [link](https://repology.org/project/procps-ng/versions). | +| [CVE-2023-3724](https://nvd.nist.gov/vuln/detail/CVE-2023-3724) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Issue is fixed in 5.6.2: [link](https://www.wolfssl.com/docs/security-vulnerabilities/). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/239027). *[[PR](https://github.com/NixOS/nixpkgs/pull/239027), [PR](https://github.com/NixOS/nixpkgs/pull/246451)]* | +| [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | +| [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). 
Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | +| [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). | +| [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). | +| [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | 5.45 | 5.45 | 5.45 | Unclear if this is still valid. | +| [OSV-2023-390](https://osv.dev/OSV-2023-390) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Unclear if this is still valid. | +| [OSV-2023-197](https://osv.dev/OSV-2023-197) | p11-kit | 0.25.0 | 0.25.0 | 0.25.0 | | +| [OSV-2022-842](https://osv.dev/OSV-2022-842) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Unclear if this is still valid. | +| [OSV-2022-725](https://osv.dev/OSV-2022-725) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-608](https://osv.dev/OSV-2022-608) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-581](https://osv.dev/OSV-2022-581) | qemu | 8.0.4 | 8.0.4 | 8.1.0 | Unclear if this is still valid. | +| [OSV-2022-193](https://osv.dev/OSV-2022-193) | w3m | 0.5.3+git2023012 | 0.5.3+git2023012 | 0.5.3+git2023012 | Unclear if this is still valid. 
| +| [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 2.41.0 | 2.41.0 | 2.42.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* | +| [OSV-2020-1610](https://osv.dev/OSV-2020-1610) | openexr | 2.5.8 | 3.1.10 | 3.2.0 | | +| [OSV-2020-438](https://osv.dev/OSV-2020-438) | capstone | 4.0.2 | 4.0.2 | 5.0.1 | | + + + +## Whitelisted Vulnerabilities + +Following table lists vulnerabilities that would otherwise have been included to the report, but were left out due to whitelisting. + +
+Whitelisted vulnerabilities +
+ +| vuln_id | package | version_local | comment | +|-----------------------------------------------------------------------|------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-31975](https://nvd.nist.gov/vuln/detail/CVE-2023-31975) | yasm | 1.3.0 | Memory leak in CLI tool, no security impact. | +| [CVE-2023-31974](https://nvd.nist.gov/vuln/detail/CVE-2023-31974) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31973](https://nvd.nist.gov/vuln/detail/CVE-2023-31973) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31972](https://nvd.nist.gov/vuln/detail/CVE-2023-31972) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31486](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | perl | 5.36.0-env | Fixed upstream with [link](https://github.com/chansen/p5-http-tiny/pull/153) and nixpkgs patched the issue already in 08/2022 with [link](https://github.com/NixOS/nixpkgs/pull/187480). | +| [CVE-2023-31486](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | perl | 5.36.0 | Fixed upstream with [link](https://github.com/chansen/p5-http-tiny/pull/153) and nixpkgs patched the issue already in 08/2022 with [link](https://github.com/NixOS/nixpkgs/pull/187480). | +| [CVE-2023-30402](https://nvd.nist.gov/vuln/detail/CVE-2023-30402) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-29406](https://nvd.nist.gov/vuln/detail/CVE-2023-29406) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2023-29405](https://nvd.nist.gov/vuln/detail/CVE-2023-29405) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29404](https://nvd.nist.gov/vuln/detail/CVE-2023-29404) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24538](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24537](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2023-24532](https://nvd.nist.gov/vuln/detail/CVE-2023-24532) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-3603](https://nvd.nist.gov/vuln/detail/CVE-2023-3603) | libssh | 0.10.5 | Based on [link](https://security-tracker.debian.org/tracker/CVE-2023-3603) and [link](https://bugzilla.redhat.com/show_bug.cgi?id=2221791), vulnerable code is not present in 0.10.5 or any currently released version. | +| [OSV-2023-137](https://osv.dev/OSV-2023-137) | harfbuzz | 7.3.0 | Based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2), the issue is fixed in range [link](https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc) all of which have been merged in 7.1.0. | +| [OSV-2023-137](https://osv.dev/OSV-2023-137) | harfbuzz | 7.2.0 | Based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2), the issue is fixed in range [link](https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc) all of which have been merged in 7.1.0. | +| [CVE-2022-48434](https://nvd.nist.gov/vuln/detail/CVE-2022-48434) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.3 [link](https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db). | +| [PYSEC-2022-42969](https://osv.dev/PYSEC-2022-42969) | py | 1.11.0 | Same as CVE-2022-42969. | +| [CVE-2022-42969](https://nvd.nist.gov/vuln/detail/CVE-2022-42969) | py | 1.11.0 | Disputed upstream: [link](https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565). | +| [CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41722](https://nvd.nist.gov/vuln/detail/CVE-2022-41722) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41720](https://nvd.nist.gov/vuln/detail/CVE-2022-41720) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41716](https://nvd.nist.gov/vuln/detail/CVE-2022-41716) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41715](https://nvd.nist.gov/vuln/detail/CVE-2022-41715) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-38663](https://nvd.nist.gov/vuln/detail/CVE-2022-38663) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-38663](https://nvd.nist.gov/vuln/detail/CVE-2022-38663) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-37416](https://nvd.nist.gov/vuln/detail/CVE-2022-37416) | libmpeg2 | 0.5.1 | NVD data issue: concerns Android only. | +| [CVE-2022-36884](https://nvd.nist.gov/vuln/detail/CVE-2022-36884) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36884](https://nvd.nist.gov/vuln/detail/CVE-2022-36884) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36883](https://nvd.nist.gov/vuln/detail/CVE-2022-36883) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36883](https://nvd.nist.gov/vuln/detail/CVE-2022-36883) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). 
| +| [CVE-2022-36882](https://nvd.nist.gov/vuln/detail/CVE-2022-36882) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36882](https://nvd.nist.gov/vuln/detail/CVE-2022-36882) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36073](https://nvd.nist.gov/vuln/detail/CVE-2022-36073) | rubygems | 3.4.19 | Latest impacted version in 3.x is 3.0.4. | +| [CVE-2022-36073](https://nvd.nist.gov/vuln/detail/CVE-2022-36073) | rubygems | 3.4.13 | Latest impacted version in 3.x is 3.0.4. | +| [CVE-2022-30949](https://nvd.nist.gov/vuln/detail/CVE-2022-30949) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30949](https://nvd.nist.gov/vuln/detail/CVE-2022-30949) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). 
| +| [CVE-2022-30948](https://nvd.nist.gov/vuln/detail/CVE-2022-30948) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30948](https://nvd.nist.gov/vuln/detail/CVE-2022-30948) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30947](https://nvd.nist.gov/vuln/detail/CVE-2022-30947) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30947](https://nvd.nist.gov/vuln/detail/CVE-2022-30947) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-28321](https://nvd.nist.gov/vuln/detail/CVE-2022-28321) | linux-pam | 1.5.2 | Only impacts SUSE-specific patch version. Notice: repology package name is pam: [link](https://repology.org/project/pam/versions). | +| [CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2022-26691](https://nvd.nist.gov/vuln/detail/CVE-2022-26691) | cups | 2.4.6 | Fixed in nixpkgs with PR: [link](https://github.com/NixOS/nixpkgs/pull/174898). | +| [MAL-2022-4301](https://osv.dev/MAL-2022-4301) | libidn2 | 2.3.4 | Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 [link](https://gitlab.com/libidn/libidn2). | +| [CVE-2022-3965](https://nvd.nist.gov/vuln/detail/CVE-2022-3965) | ffmpeg | 5.1.3 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 5.1.x is merged in 5.1.3 [link](https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257). | +| [CVE-2022-3964](https://nvd.nist.gov/vuln/detail/CVE-2022-3964) | ffmpeg | 5.1.3 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0). | +| [CVE-2022-3964](https://nvd.nist.gov/vuln/detail/CVE-2022-3964) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0). | +| [CVE-2022-3637](https://nvd.nist.gov/vuln/detail/CVE-2022-3637) | bluez | 5.66 | Upstream fix commit: [link](https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f) was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue. | +| [CVE-2022-3563](https://nvd.nist.gov/vuln/detail/CVE-2022-3563) | bluez | 5.66 | Upstream fix commit: [link](https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e) was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue. 
| +| [CVE-2022-3341](https://nvd.nist.gov/vuln/detail/CVE-2022-3341) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b). | +| [CVE-2022-3219](https://nvd.nist.gov/vuln/detail/CVE-2022-3219) | gnupg | 2.4.1 | Fix patch is not accepted upstream: [link](https://dev.gnupg.org/D556). | +| [CVE-2022-3219](https://nvd.nist.gov/vuln/detail/CVE-2022-3219) | gnupg | 2.4.0 | Fix patch is not accepted upstream: [link](https://dev.gnupg.org/D556). | +| [CVE-2022-3109](https://nvd.nist.gov/vuln/detail/CVE-2022-3109) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2). | +| [CVE-2022-2880](https://nvd.nist.gov/vuln/detail/CVE-2022-2880) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-2879](https://nvd.nist.gov/vuln/detail/CVE-2022-2879) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [OSV-2022-1193](https://osv.dev/OSV-2022-1193) | libarchive | 3.6.2 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3). | +| [OSV-2022-416](https://osv.dev/OSV-2022-416) | openjpeg | 2.5.0 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2). | +| [OSV-2022-183](https://osv.dev/OSV-2022-183) | binutils | 2.40 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2). | +| [GHSA-mc7w-4cjf-c973](https://osv.dev/GHSA-mc7w-4cjf-c973) | opencv | 4.7.0 | Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv [link](https://github.com/opencv/opencv). 
| +| [GHSA-6898-wx94-8jq8](https://osv.dev/GHSA-6898-wx94-8jq8) | libnotify | 0.8.2 | Incorrect package: Issue refers node-libnotify [link](https://github.com/mytrile/node-libnotify), whereas nixpkgs refers gnome-libnotify [link](https://gitlab.gnome.org/GNOME/libnotify). | +| [CVE-2021-39205](https://nvd.nist.gov/vuln/detail/CVE-2021-39205) | jitsi-meet | 1.0.7322 | Does not impact the version in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845). | +| [CVE-2021-39205](https://nvd.nist.gov/vuln/detail/CVE-2021-39205) | jitsi-meet | 1.0.6943 | Does not impact the version in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845). | +| [CVE-2021-33506](https://nvd.nist.gov/vuln/detail/CVE-2021-33506) | jitsi-meet | 1.0.7322 | Fixed in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135). | +| [CVE-2021-33506](https://nvd.nist.gov/vuln/detail/CVE-2021-33506) | jitsi-meet | 1.0.6943 | Fixed in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135). | +| [CVE-2021-33468](https://nvd.nist.gov/vuln/detail/CVE-2021-33468) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33467](https://nvd.nist.gov/vuln/detail/CVE-2021-33467) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33466](https://nvd.nist.gov/vuln/detail/CVE-2021-33466) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33465](https://nvd.nist.gov/vuln/detail/CVE-2021-33465) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. 
| +| [CVE-2021-33464](https://nvd.nist.gov/vuln/detail/CVE-2021-33464) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33463](https://nvd.nist.gov/vuln/detail/CVE-2021-33463) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33462](https://nvd.nist.gov/vuln/detail/CVE-2021-33462) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33461](https://nvd.nist.gov/vuln/detail/CVE-2021-33461) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33460](https://nvd.nist.gov/vuln/detail/CVE-2021-33460) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33459](https://nvd.nist.gov/vuln/detail/CVE-2021-33459) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33458](https://nvd.nist.gov/vuln/detail/CVE-2021-33458) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33457](https://nvd.nist.gov/vuln/detail/CVE-2021-33457) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33456](https://nvd.nist.gov/vuln/detail/CVE-2021-33456) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33455](https://nvd.nist.gov/vuln/detail/CVE-2021-33455) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. 
| +| [CVE-2021-33454](https://nvd.nist.gov/vuln/detail/CVE-2021-33454) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-30499](https://nvd.nist.gov/vuln/detail/CVE-2021-30499) | libcaca | 0.99.beta20 | NVD data issue: CPE entry does not correctly state the version numbers. Issue is fixed in v0.99.beta20: [link](https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20). | +| [CVE-2021-26945](https://nvd.nist.gov/vuln/detail/CVE-2021-26945) | openexr | 2.5.8 | Fix patch [link](https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e) modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8. | +| [CVE-2021-26720](https://nvd.nist.gov/vuln/detail/CVE-2021-26720) | avahi | 0.8 | False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives. | +| [CVE-2021-26260](https://nvd.nist.gov/vuln/detail/CVE-2021-26260) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d) which went to 2.5.5. | +| [CVE-2021-23215](https://nvd.nist.gov/vuln/detail/CVE-2021-23215) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d) which went to 2.5.5. | +| [CVE-2021-23169](https://nvd.nist.gov/vuln/detail/CVE-2021-23169) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. 
| +| [CVE-2021-21684](https://nvd.nist.gov/vuln/detail/CVE-2021-21684) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2021-21684](https://nvd.nist.gov/vuln/detail/CVE-2021-21684) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) | qemu | 8.0.4 | Upstream patch not merged: [link](https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html). No point fixing this in nixpkgs as long as it is not fixed upstream. | +| [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) | qemu | 8.0.2 | Upstream patch not merged: [link](https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html). No point fixing this in nixpkgs as long as it is not fixed upstream. | +| [CVE-2021-4336](https://nvd.nist.gov/vuln/detail/CVE-2021-4336) | ninja | 1.11.1 | Incorrect package: nixpkgs 'ninja' refers [link](https://github.com/ninja-build/ninja), not [link](https://github.com/ITRS-Group/monitor-ninja). | +| [CVE-2021-4217](https://nvd.nist.gov/vuln/detail/CVE-2021-4217) | unzip | 6.0 | Ignored by other distribution as 'no security impact', e.g. Debian: [link](https://security-tracker.debian.org/tracker/CVE-2021-4217). | +| [CVE-2021-3605](https://nvd.nist.gov/vuln/detail/CVE-2021-3605) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. | +| [CVE-2021-3598](https://nvd.nist.gov/vuln/detail/CVE-2021-3598) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. | +| [CVE-2021-3468](https://nvd.nist.gov/vuln/detail/CVE-2021-3468) | avahi | 0.8 | Fixed in nixpgs with [link](https://github.com/NixOS/nixpkgs/pull/195331). | +| [OSV-2021-820](https://osv.dev/OSV-2021-820) | qemu | 8.0.4 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2). | +| [OSV-2021-820](https://osv.dev/OSV-2021-820) | qemu | 8.0.2 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2). | +| [OSV-2021-777](https://osv.dev/OSV-2021-777) | libxml2 | 2.11.4 | Fixed by [link](https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325), which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | +| [OSV-2021-777](https://osv.dev/OSV-2021-777) | libxml2 | 2.10.4 | Fixed by [link](https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325), which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | +| [GHSA-f698-m2v9-5fh3](https://osv.dev/GHSA-f698-m2v9-5fh3) | opencv | 4.7.0 | Incorrect package: issue refers node-opencv [link](https://www.npmjs.com/package/opencv), whereas nixpkgs refers [link](https://github.com/opencv/opencv). | +| [CVE-2020-24490](https://nvd.nist.gov/vuln/detail/CVE-2020-24490) | bluez | 5.66 | Fixed in linux kernel (5.8) with: [link](https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e). 
| +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 1.0.29 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 1.0.21 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 1.0.20 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2019-1003010](https://nvd.nist.gov/vuln/detail/CVE-2019-1003010) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2019-1003010](https://nvd.nist.gov/vuln/detail/CVE-2019-1003010) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2019-20633](https://nvd.nist.gov/vuln/detail/CVE-2019-20633) | patch | 2.7.6 | Upstream patch is not merged: [link](https://savannah.gnu.org/bugs/index.php?56683). Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream. 
| +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 3.11.0 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 2.9.9 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 3.11.0 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. 
| +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 2.9.9 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14587](https://nvd.nist.gov/vuln/detail/CVE-2019-14587) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14587](https://nvd.nist.gov/vuln/detail/CVE-2019-14587) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14586](https://nvd.nist.gov/vuln/detail/CVE-2019-14586) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14586](https://nvd.nist.gov/vuln/detail/CVE-2019-14586) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14575](https://nvd.nist.gov/vuln/detail/CVE-2019-14575) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14575](https://nvd.nist.gov/vuln/detail/CVE-2019-14575) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14563](https://nvd.nist.gov/vuln/detail/CVE-2019-14563) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2019-14563](https://nvd.nist.gov/vuln/detail/CVE-2019-14563) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14562](https://nvd.nist.gov/vuln/detail/CVE-2019-14562) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14562](https://nvd.nist.gov/vuln/detail/CVE-2019-14562) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14559](https://nvd.nist.gov/vuln/detail/CVE-2019-14559) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14559](https://nvd.nist.gov/vuln/detail/CVE-2019-14559) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14553](https://nvd.nist.gov/vuln/detail/CVE-2019-14553) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14553](https://nvd.nist.gov/vuln/detail/CVE-2019-14553) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-12749](https://nvd.nist.gov/vuln/detail/CVE-2019-12749) | dbus | 1 | Fixed with [link](https://github.com/NixOS/nixpkgs/pull/63021) (dbus version '1' in nixpkgs currently refers 1.14.8). | +| [CVE-2019-12067](https://nvd.nist.gov/vuln/detail/CVE-2019-12067) | qemu | 8.0.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-12067](https://nvd.nist.gov/vuln/detail/CVE-2019-12067) | qemu | 8.0.2 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-6470](https://nvd.nist.gov/vuln/detail/CVE-2019-6470) | bind | 9.18.18 | Not valid: [link](https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606). 
| +| [CVE-2019-6470](https://nvd.nist.gov/vuln/detail/CVE-2019-6470) | bind | 9.18.16 | Not valid: [link](https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606). | +| [CVE-2019-6462](https://nvd.nist.gov/vuln/detail/CVE-2019-6462) | cairo | 1.16.0 | Not a valid: [link](https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129). | +| [CVE-2019-6461](https://nvd.nist.gov/vuln/detail/CVE-2019-6461) | cairo | 1.16.0 | Not valid: [link](https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129). | +| [CVE-2019-6293](https://nvd.nist.gov/vuln/detail/CVE-2019-6293) | flex | 2.6.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-1000182](https://nvd.nist.gov/vuln/detail/CVE-2018-1000182) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2018-1000182](https://nvd.nist.gov/vuln/detail/CVE-2018-1000182) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2018-1000110](https://nvd.nist.gov/vuln/detail/CVE-2018-1000110) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). 
| +| [CVE-2018-1000110](https://nvd.nist.gov/vuln/detail/CVE-2018-1000110) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2018-18438](https://nvd.nist.gov/vuln/detail/CVE-2018-18438) | qemu | 8.0.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-18438](https://nvd.nist.gov/vuln/detail/CVE-2018-18438) | qemu | 8.0.2 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-13410](https://nvd.nist.gov/vuln/detail/CVE-2018-13410) | zip | 3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-7263](https://nvd.nist.gov/vuln/detail/CVE-2018-7263) | libmad | 0.15.1b | Based on [link](https://github.com/NixOS/nixpkgs/issues/57154), issue is fixed by [link](https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed). | +| [CVE-2018-6553](https://nvd.nist.gov/vuln/detail/CVE-2018-6553) | cups | 2.4.6 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5628](https://nvd.nist.gov/vuln/detail/CVE-2017-5628) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5627](https://nvd.nist.gov/vuln/detail/CVE-2017-5627) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5436](https://nvd.nist.gov/vuln/detail/CVE-2017-5436) | graphite2 | 1.3.14 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-10141](https://nvd.nist.gov/vuln/detail/CVE-2016-10141) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-10133](https://nvd.nist.gov/vuln/detail/CVE-2016-10133) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-10132](https://nvd.nist.gov/vuln/detail/CVE-2016-10132) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9294](https://nvd.nist.gov/vuln/detail/CVE-2016-9294) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9136](https://nvd.nist.gov/vuln/detail/CVE-2016-9136) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9109](https://nvd.nist.gov/vuln/detail/CVE-2016-9109) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9108](https://nvd.nist.gov/vuln/detail/CVE-2016-9108) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9017](https://nvd.nist.gov/vuln/detail/CVE-2016-9017) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7564](https://nvd.nist.gov/vuln/detail/CVE-2016-7564) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7563](https://nvd.nist.gov/vuln/detail/CVE-2016-7563) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7506](https://nvd.nist.gov/vuln/detail/CVE-2016-7506) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7504](https://nvd.nist.gov/vuln/detail/CVE-2016-7504) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-6131](https://nvd.nist.gov/vuln/detail/CVE-2016-6131) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-6131](https://nvd.nist.gov/vuln/detail/CVE-2016-6131) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4493](https://nvd.nist.gov/vuln/detail/CVE-2016-4493) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4493](https://nvd.nist.gov/vuln/detail/CVE-2016-4493) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4492](https://nvd.nist.gov/vuln/detail/CVE-2016-4492) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4492](https://nvd.nist.gov/vuln/detail/CVE-2016-4492) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4491](https://nvd.nist.gov/vuln/detail/CVE-2016-4491) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4491](https://nvd.nist.gov/vuln/detail/CVE-2016-4491) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4490](https://nvd.nist.gov/vuln/detail/CVE-2016-4490) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4490](https://nvd.nist.gov/vuln/detail/CVE-2016-4490) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4489](https://nvd.nist.gov/vuln/detail/CVE-2016-4489) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4489](https://nvd.nist.gov/vuln/detail/CVE-2016-4489) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4488](https://nvd.nist.gov/vuln/detail/CVE-2016-4488) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-4488](https://nvd.nist.gov/vuln/detail/CVE-2016-4488) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4487](https://nvd.nist.gov/vuln/detail/CVE-2016-4487) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4487](https://nvd.nist.gov/vuln/detail/CVE-2016-4487) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2781](https://nvd.nist.gov/vuln/detail/CVE-2016-2781) | coreutils | 9.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2781](https://nvd.nist.gov/vuln/detail/CVE-2016-2781) | coreutils | 9.1 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2226](https://nvd.nist.gov/vuln/detail/CVE-2016-2226) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2226](https://nvd.nist.gov/vuln/detail/CVE-2016-2226) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2015-7313](https://nvd.nist.gov/vuln/detail/CVE-2015-7313) | libtiff | 4.5.1 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-9157](https://nvd.nist.gov/vuln/detail/CVE-2014-9157) | graphviz | 8.1.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-9157](https://nvd.nist.gov/vuln/detail/CVE-2014-9157) | graphviz | 7.1.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-4860](https://nvd.nist.gov/vuln/detail/CVE-2014-4860) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-4860](https://nvd.nist.gov/vuln/detail/CVE-2014-4860) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2014-4859](https://nvd.nist.gov/vuln/detail/CVE-2014-4859) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-4859](https://nvd.nist.gov/vuln/detail/CVE-2014-4859) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2012-3509](https://nvd.nist.gov/vuln/detail/CVE-2012-3509) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2012-3509](https://nvd.nist.gov/vuln/detail/CVE-2012-3509) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2010-4226](https://nvd.nist.gov/vuln/detail/CVE-2010-4226) | cpio | 2.14 | NVD data issue: concerns OpenSuSE, not cpio. | + +
diff --git a/result/packages.x86_64-linux.generic-x86_64-release.md b/result/packages.x86_64-linux.generic-x86_64-release.md new file mode 100644 index 0000000..cbe9e38 --- /dev/null +++ b/result/packages.x86_64-linux.generic-x86_64-release.md 
@@ -0,0 +1,373 @@ + + +# Vulnerability Report + +This vulnerability report is generated for Ghaf target '`github:tiiuae/ghaf?ref=main#packages.x86_64-linux.generic-x86_64-release`'. The tables on this page include known vulnerabilities impacting any buildtime or runtime dependencies of the given target. + +This report is automatically generated as specified on the [Vulnerability Scan](../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../manual_analysis.csv) file. + + +Reports +================= + +* [Vulnerabilities Fixed in Ghaf nixpkgs Upstream](#vulnerabilities-fixed-in-ghaf-nixpkgs-upstream) +* [Vulnerabilities Fixed in nix-unstable](#vulnerabilities-fixed-in-nix-unstable) +* [New Vulnerabilities Since Last Run](#new-vulnerabilities-since-last-run) +* [All Vulnerabilities Impacting Ghaf](#all-vulnerabilities-impacting-ghaf) +* [Whitelisted Vulnerabilities](#whitelisted-vulnerabilities) + +## Vulnerabilities Fixed in Ghaf nixpkgs Upstream + +Following table lists vulnerabilities that have been fixed in the nixpkgs channel the Ghaf target is currently pinned to, but the fixes have not been included in Ghaf. 
+ +Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/flake.lock) file to mitigate the following issues: + + +| vuln_id | package | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|-----------|------------------|----------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 1.20.6 | 1.21.0 | 1.21.0 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 1.17.13-linux-am | 1.21.0 | 1.21.0 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-38633](https://nvd.nist.gov/vuln/detail/CVE-2023-38633) | librsvg | 2.55.1 | 2.56.3 | 2.56.3 | Nixpkgs fix PR: [link](https://github.com/NixOS/nixpkgs/pull/246763). *[[PR](https://github.com/NixOS/nixpkgs/pull/246763), [PR](https://github.com/NixOS/nixpkgs/pull/246860)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 1.20.6 | 1.21.0 | 1.21.0 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 1.17.13-linux-am | 1.21.0 | 1.21.0 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) | openssl | 3.0.9 | 3.1.0 | 3.1.0 | openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/246579). *[[PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* | +| [CVE-2023-3724](https://nvd.nist.gov/vuln/detail/CVE-2023-3724) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Issue is fixed in 5.6.2: [link](https://www.wolfssl.com/docs/security-vulnerabilities/). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/239027). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/239027), [PR](https://github.com/NixOS/nixpkgs/pull/246451)]* | +| [OSV-2023-101](https://osv.dev/OSV-2023-101) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Fixed in qemu 8.0.4: [link](https://github.com/NixOS/nixpkgs/pull/248659). | +| [CVE-2021-32493](https://nvd.nist.gov/vuln/detail/CVE-2021-32493) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-32492](https://nvd.nist.gov/vuln/detail/CVE-2021-32492) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-32491](https://nvd.nist.gov/vuln/detail/CVE-2021-32491) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-32490](https://nvd.nist.gov/vuln/detail/CVE-2021-32490) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-3500](https://nvd.nist.gov/vuln/detail/CVE-2021-3500) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | + + +## Vulnerabilities Fixed in nix-unstable + +Following table lists vulnerabilities that have been fixed in nixpgks nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. + +Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch. 
+ +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch: + + +| vuln_id | package | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 379 | 384 | 384 | Requested backport for PR: [link](https://github.com/NixOS/nixpkgs/pull/244141). *[[PR](https://github.com/NixOS/nixpkgs/pull/244141)]* | +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0-env | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | +| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2022-0856](https://nvd.nist.gov/vuln/detail/CVE-2022-0856) | libcaca | 0.99.beta20 | 0.99.beta20 | | Not fixed upstream: [link](https://github.com/cacalabs/libcaca/issues/65). | +| [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | 4.7.0 | 4.7.0 | 4.8.0 | | + + + +## New Vulnerabilities Since Last Run + +Following table lists vulnerabilities currently impacting the Ghaf target that have emerged since the last time this vulnerability report was generated. + +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + +```No vulnerabilities``` + + +## All Vulnerabilities Impacting Ghaf + +Following table lists all vulnerabilities currently impacting the Ghaf target. 
+ +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + + +| vuln_id | package | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|------------|------------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [GHSA-wrrj-h57r-vx9p](https://osv.dev/GHSA-wrrj-h57r-vx9p) | cargo | 1.69.0 | 0.4.9 | 0.4.9 | | +| [GHSA-w596-4wvx-j9j6](https://osv.dev/GHSA-w596-4wvx-j9j6) | py | 1.11.0 | 1.11.0 | 1.11.0 | | +| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154)]* | +| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 379 | 384 | 384 | Requested backport for PR: [link](https://github.com/NixOS/nixpkgs/pull/244141). *[[PR](https://github.com/NixOS/nixpkgs/pull/244141)]* | +| [CVE-2023-39742](https://nvd.nist.gov/vuln/detail/CVE-2023-39742) | giflib | 5.2.1 | 5.2.1 | 5.2.1 | | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 1.20.6 | 1.21.0 | 1.21.0 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 1.17.13-linux-am | 1.21.0 | 1.21.0 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-38858](https://nvd.nist.gov/vuln/detail/CVE-2023-38858) | faad2 | 2.10.1 | 2.10.1 | 2.10.1 | | +| [CVE-2023-38857](https://nvd.nist.gov/vuln/detail/CVE-2023-38857) | faad2 | 2.10.1 | 2.10.1 | 2.10.1 | | +| [CVE-2023-38633](https://nvd.nist.gov/vuln/detail/CVE-2023-38633) | librsvg | 2.55.1 | 2.56.3 | 2.56.3 | Nixpkgs fix PR: [link](https://github.com/NixOS/nixpkgs/pull/246763). *[[PR](https://github.com/NixOS/nixpkgs/pull/246763), [PR](https://github.com/NixOS/nixpkgs/pull/246860)]* | +| [CVE-2023-37769](https://nvd.nist.gov/vuln/detail/CVE-2023-37769) | pixman | 0.42.2 | 0.42.2 | 0.42.2 | See: [link](https://gitlab.freedesktop.org/pixman/pixman/-/issues/76): "This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable". 
| +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0-env | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | +| [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 3.6.2 | 3.6.2 | 3.7.1 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 1.20.6 | 1.21.0 | 1.21.0 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 1.17.13-linux-am | 1.21.0 | 1.21.0 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/113862), [PR](https://github.com/NixOS/nixpkgs/pull/130806), [PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/248027)]* | +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 4.13 | 4.13 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/233924)]* | +| [CVE-2023-28938](https://nvd.nist.gov/vuln/detail/CVE-2023-28938) | mdadm | 4.2 | 4.2 | 4.2 | | +| [CVE-2023-28736](https://nvd.nist.gov/vuln/detail/CVE-2023-28736) | mdadm | 4.2 | 4.2 | 4.2 | | +| [CVE-2023-28115](https://nvd.nist.gov/vuln/detail/CVE-2023-28115) | snappy | 1.1.10 | | | | +| [CVE-2023-4135](https://nvd.nist.gov/vuln/detail/CVE-2023-4135) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Fixed upstream in 8.1.0. | +| [CVE-2023-4016](https://nvd.nist.gov/vuln/detail/CVE-2023-4016) | procps | 3.3.17 | | | See: [link](https://gitlab.com/procps-ng/procps/-/issues/297). Notice: repology package name is procps-ng: [link](https://repology.org/project/procps-ng/versions). | +| [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) | openssl | 3.0.9 | 3.1.0 | 3.1.0 | openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/246579). *[[PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* | +| [CVE-2023-3724](https://nvd.nist.gov/vuln/detail/CVE-2023-3724) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Issue is fixed in 5.6.2: [link](https://www.wolfssl.com/docs/security-vulnerabilities/). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/239027). *[[PR](https://github.com/NixOS/nixpkgs/pull/239027), [PR](https://github.com/NixOS/nixpkgs/pull/246451)]* | +| [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | +| [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). 
Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | +| [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). | +| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1876 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). | +| [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | 5.44 | 5.45 | 5.45 | Unclear if this is still valid. | +| [OSV-2023-390](https://osv.dev/OSV-2023-390) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Unclear if this is still valid. | +| [OSV-2023-101](https://osv.dev/OSV-2023-101) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Fixed in qemu 8.0.4: [link](https://github.com/NixOS/nixpkgs/pull/248659). 
| +| [CVE-2022-43357](https://nvd.nist.gov/vuln/detail/CVE-2022-43357) | sassc | 3.6.2 | 3.6.2 | 3.6.2 | | +| [CVE-2022-26592](https://nvd.nist.gov/vuln/detail/CVE-2022-26592) | libsass | 3.6.5 | 3.6.5 | 3.6.5 | | +| [OSV-2022-908](https://osv.dev/OSV-2022-908) | bluez | 5.66 | 5.66 | 5.69 | Unclear if this is still valid. | +| [OSV-2022-896](https://osv.dev/OSV-2022-896) | libsass | 3.6.5 | 3.6.5 | 3.6.5 | Unclear if this is still valid. | +| [OSV-2022-859](https://osv.dev/OSV-2022-859) | bluez | 5.66 | 5.66 | 5.69 | Unclear if this is still valid. | +| [CVE-2022-0856](https://nvd.nist.gov/vuln/detail/CVE-2022-0856) | libcaca | 0.99.beta20 | 0.99.beta20 | | Not fixed upstream: [link](https://github.com/cacalabs/libcaca/issues/65). | +| [OSV-2022-842](https://osv.dev/OSV-2022-842) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Unclear if this is still valid. | +| [OSV-2022-725](https://osv.dev/OSV-2022-725) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-608](https://osv.dev/OSV-2022-608) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-581](https://osv.dev/OSV-2022-581) | qemu | 8.0.2 | 8.0.4 | 8.1.0 | Unclear if this is still valid. | +| [OSV-2022-530](https://osv.dev/OSV-2022-530) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2022-519](https://osv.dev/OSV-2022-519) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2022-462](https://osv.dev/OSV-2022-462) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | 4.7.0 | 4.7.0 | 4.8.0 | | +| [OSV-2022-193](https://osv.dev/OSV-2022-193) | w3m | 0.5.3+git2023012 | 0.5.3+git2023012 | 0.5.3+git2023012 | Unclear if this is still valid. 
| +| [CVE-2021-46312](https://nvd.nist.gov/vuln/detail/CVE-2021-46312) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | | +| [CVE-2021-46310](https://nvd.nist.gov/vuln/detail/CVE-2021-46310) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | | +| [CVE-2021-32493](https://nvd.nist.gov/vuln/detail/CVE-2021-32493) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-32492](https://nvd.nist.gov/vuln/detail/CVE-2021-32492) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-32491](https://nvd.nist.gov/vuln/detail/CVE-2021-32491) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-32490](https://nvd.nist.gov/vuln/detail/CVE-2021-32490) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [CVE-2021-3500](https://nvd.nist.gov/vuln/detail/CVE-2021-3500) | djvulibre | 3.5.28 | 3.5.28 | 3.5.28 | Pending merge: [link](https://github.com/NixOS/nixpkgs/pull/246773). *[[PR](https://github.com/NixOS/nixpkgs/pull/246773)]* | +| [OSV-2021-1157](https://osv.dev/OSV-2021-1157) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-1141](https://osv.dev/OSV-2021-1141) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-1110](https://osv.dev/OSV-2021-1110) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-1041](https://osv.dev/OSV-2021-1041) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. 
| +| [OSV-2021-1024](https://osv.dev/OSV-2021-1024) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-802](https://osv.dev/OSV-2021-802) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-787](https://osv.dev/OSV-2021-787) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-765](https://osv.dev/OSV-2021-765) | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-508](https://osv.dev/OSV-2021-508) | libsass | 3.6.5 | 3.6.5 | 3.6.5 | Unclear if this is still valid. | +| [CVE-2020-18781](https://nvd.nist.gov/vuln/detail/CVE-2020-18781) | audiofile | 0.3.6 | 0.3.6 | 0.3.6 | | +| [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 2.40.1 | 2.41.0 | 2.42.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* | +| [OSV-2020-1610](https://osv.dev/OSV-2020-1610) | openexr | 2.5.8 | 3.1.10 | 3.2.0 | | +| [OSV-2020-1420](https://osv.dev/OSV-2020-1420) | libsass | 3.6.5 | 3.6.5 | 3.6.5 | | +| [OSV-2020-862](https://osv.dev/OSV-2020-862) | libsass | 3.6.5 | 3.6.5 | 3.6.5 | | +| [OSV-2020-822](https://osv.dev/OSV-2020-822) | jbig2dec | 0.19 | 0.19 | 0.19 | | +| [OSV-2020-521](https://osv.dev/OSV-2020-521) | aspell | 0.60.8 | 0.60.8 | 0.60.8 | | +| [OSV-2020-438](https://osv.dev/OSV-2020-438) | capstone | 4.0.2 | 4.0.2 | 5.0.1 | | + + + +## Whitelisted Vulnerabilities + +Following table lists vulnerabilities that would otherwise have been included to the report, but were left out due to whitelisting. + +
+Whitelisted vulnerabilities +
+ +| vuln_id | package | version_local | comment | +|-----------------------------------------------------------------------|------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-31975](https://nvd.nist.gov/vuln/detail/CVE-2023-31975) | yasm | 1.3.0 | Memory leak in CLI tool, no security impact. | +| [CVE-2023-31974](https://nvd.nist.gov/vuln/detail/CVE-2023-31974) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31973](https://nvd.nist.gov/vuln/detail/CVE-2023-31973) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31972](https://nvd.nist.gov/vuln/detail/CVE-2023-31972) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31486](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | perl | 5.36.0-env | Fixed upstream with [link](https://github.com/chansen/p5-http-tiny/pull/153) and nixpkgs patched the issue already in 08/2022 with [link](https://github.com/NixOS/nixpkgs/pull/187480). | +| [CVE-2023-31486](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | perl | 5.36.0 | Fixed upstream with [link](https://github.com/chansen/p5-http-tiny/pull/153) and nixpkgs patched the issue already in 08/2022 with [link](https://github.com/NixOS/nixpkgs/pull/187480). | +| [CVE-2023-30402](https://nvd.nist.gov/vuln/detail/CVE-2023-30402) | yasm | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-29406](https://nvd.nist.gov/vuln/detail/CVE-2023-29406) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2023-29405](https://nvd.nist.gov/vuln/detail/CVE-2023-29405) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29404](https://nvd.nist.gov/vuln/detail/CVE-2023-29404) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24538](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24537](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2023-24532](https://nvd.nist.gov/vuln/detail/CVE-2023-24532) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-3603](https://nvd.nist.gov/vuln/detail/CVE-2023-3603) | libssh | 0.10.5 | Based on [link](https://security-tracker.debian.org/tracker/CVE-2023-3603) and [link](https://bugzilla.redhat.com/show_bug.cgi?id=2221791), vulnerable code is not present in 0.10.5 or any currently released version. | +| [OSV-2023-137](https://osv.dev/OSV-2023-137) | harfbuzz | 7.3.0 | Based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2), the issue is fixed in range [link](https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc) all of which have been merged in 7.1.0. | +| [OSV-2023-137](https://osv.dev/OSV-2023-137) | harfbuzz | 7.2.0 | Based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2), the issue is fixed in range [link](https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc) all of which have been merged in 7.1.0. | +| [CVE-2022-48434](https://nvd.nist.gov/vuln/detail/CVE-2022-48434) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.3 [link](https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db). | +| [PYSEC-2022-42969](https://osv.dev/PYSEC-2022-42969) | py | 1.11.0 | Same as CVE-2022-42969. | +| [CVE-2022-42969](https://nvd.nist.gov/vuln/detail/CVE-2022-42969) | py | 1.11.0 | Disputed upstream: [link](https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565). | +| [CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41722](https://nvd.nist.gov/vuln/detail/CVE-2022-41722) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41720](https://nvd.nist.gov/vuln/detail/CVE-2022-41720) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41716](https://nvd.nist.gov/vuln/detail/CVE-2022-41716) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41715](https://nvd.nist.gov/vuln/detail/CVE-2022-41715) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-38663](https://nvd.nist.gov/vuln/detail/CVE-2022-38663) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-38663](https://nvd.nist.gov/vuln/detail/CVE-2022-38663) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-37416](https://nvd.nist.gov/vuln/detail/CVE-2022-37416) | libmpeg2 | 0.5.1 | NVD data issue: concerns Android only. | +| [CVE-2022-36884](https://nvd.nist.gov/vuln/detail/CVE-2022-36884) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36884](https://nvd.nist.gov/vuln/detail/CVE-2022-36884) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36883](https://nvd.nist.gov/vuln/detail/CVE-2022-36883) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36883](https://nvd.nist.gov/vuln/detail/CVE-2022-36883) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). 
| +| [CVE-2022-36882](https://nvd.nist.gov/vuln/detail/CVE-2022-36882) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36882](https://nvd.nist.gov/vuln/detail/CVE-2022-36882) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36073](https://nvd.nist.gov/vuln/detail/CVE-2022-36073) | rubygems | 3.4.19 | Latest impacted version in 3.x is 3.0.4. | +| [CVE-2022-36073](https://nvd.nist.gov/vuln/detail/CVE-2022-36073) | rubygems | 3.4.13 | Latest impacted version in 3.x is 3.0.4. | +| [CVE-2022-30949](https://nvd.nist.gov/vuln/detail/CVE-2022-30949) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30949](https://nvd.nist.gov/vuln/detail/CVE-2022-30949) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). 
| +| [CVE-2022-30948](https://nvd.nist.gov/vuln/detail/CVE-2022-30948) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30948](https://nvd.nist.gov/vuln/detail/CVE-2022-30948) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30947](https://nvd.nist.gov/vuln/detail/CVE-2022-30947) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30947](https://nvd.nist.gov/vuln/detail/CVE-2022-30947) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-28321](https://nvd.nist.gov/vuln/detail/CVE-2022-28321) | linux-pam | 1.5.2 | Only impacts SUSE-specific patch version. Notice: repology package name is pam: [link](https://repology.org/project/pam/versions). | +| [CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2022-26691](https://nvd.nist.gov/vuln/detail/CVE-2022-26691) | cups | 2.4.6 | Fixed in nixpkgs with PR: [link](https://github.com/NixOS/nixpkgs/pull/174898). | +| [MAL-2022-4301](https://osv.dev/MAL-2022-4301) | libidn2 | 2.3.4 | Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 [link](https://gitlab.com/libidn/libidn2). | +| [CVE-2022-3965](https://nvd.nist.gov/vuln/detail/CVE-2022-3965) | ffmpeg | 5.1.3 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 5.1.x is merged in 5.1.3 [link](https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257). | +| [CVE-2022-3964](https://nvd.nist.gov/vuln/detail/CVE-2022-3964) | ffmpeg | 5.1.3 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0). | +| [CVE-2022-3964](https://nvd.nist.gov/vuln/detail/CVE-2022-3964) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0). | +| [CVE-2022-3637](https://nvd.nist.gov/vuln/detail/CVE-2022-3637) | bluez | 5.66 | Upstream fix commit: [link](https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f) was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue. | +| [CVE-2022-3563](https://nvd.nist.gov/vuln/detail/CVE-2022-3563) | bluez | 5.66 | Upstream fix commit: [link](https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e) was merged to release 5.65, so this issue is fixed in 5.66. NVD data issue. 
| +| [CVE-2022-3341](https://nvd.nist.gov/vuln/detail/CVE-2022-3341) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b). | +| [CVE-2022-3219](https://nvd.nist.gov/vuln/detail/CVE-2022-3219) | gnupg | 2.4.1 | Fix patch is not accepted upstream: [link](https://dev.gnupg.org/D556). | +| [CVE-2022-3219](https://nvd.nist.gov/vuln/detail/CVE-2022-3219) | gnupg | 2.4.0 | Fix patch is not accepted upstream: [link](https://dev.gnupg.org/D556). | +| [CVE-2022-3109](https://nvd.nist.gov/vuln/detail/CVE-2022-3109) | ffmpeg | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2). | +| [CVE-2022-2880](https://nvd.nist.gov/vuln/detail/CVE-2022-2880) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-2879](https://nvd.nist.gov/vuln/detail/CVE-2022-2879) | go | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [OSV-2022-1193](https://osv.dev/OSV-2022-1193) | libarchive | 3.6.2 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3). | +| [OSV-2022-416](https://osv.dev/OSV-2022-416) | openjpeg | 2.5.0 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2). | +| [OSV-2022-183](https://osv.dev/OSV-2022-183) | binutils | 2.40 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2). | +| [GHSA-mc7w-4cjf-c973](https://osv.dev/GHSA-mc7w-4cjf-c973) | opencv | 4.7.0 | Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv [link](https://github.com/opencv/opencv). 
| +| [GHSA-6898-wx94-8jq8](https://osv.dev/GHSA-6898-wx94-8jq8) | libnotify | 0.8.2 | Incorrect package: Issue refers node-libnotify [link](https://github.com/mytrile/node-libnotify), whereas nixpkgs refers gnome-libnotify [link](https://gitlab.gnome.org/GNOME/libnotify). | +| [CVE-2021-39205](https://nvd.nist.gov/vuln/detail/CVE-2021-39205) | jitsi-meet | 1.0.7322 | Does not impact the version in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845). | +| [CVE-2021-39205](https://nvd.nist.gov/vuln/detail/CVE-2021-39205) | jitsi-meet | 1.0.6943 | Does not impact the version in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845). | +| [CVE-2021-33506](https://nvd.nist.gov/vuln/detail/CVE-2021-33506) | jitsi-meet | 1.0.7322 | Fixed in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135). | +| [CVE-2021-33506](https://nvd.nist.gov/vuln/detail/CVE-2021-33506) | jitsi-meet | 1.0.6943 | Fixed in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135). | +| [CVE-2021-33468](https://nvd.nist.gov/vuln/detail/CVE-2021-33468) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33467](https://nvd.nist.gov/vuln/detail/CVE-2021-33467) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33466](https://nvd.nist.gov/vuln/detail/CVE-2021-33466) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33465](https://nvd.nist.gov/vuln/detail/CVE-2021-33465) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. 
| +| [CVE-2021-33464](https://nvd.nist.gov/vuln/detail/CVE-2021-33464) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33463](https://nvd.nist.gov/vuln/detail/CVE-2021-33463) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33462](https://nvd.nist.gov/vuln/detail/CVE-2021-33462) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33461](https://nvd.nist.gov/vuln/detail/CVE-2021-33461) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33460](https://nvd.nist.gov/vuln/detail/CVE-2021-33460) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33459](https://nvd.nist.gov/vuln/detail/CVE-2021-33459) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33458](https://nvd.nist.gov/vuln/detail/CVE-2021-33458) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33457](https://nvd.nist.gov/vuln/detail/CVE-2021-33457) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33456](https://nvd.nist.gov/vuln/detail/CVE-2021-33456) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33455](https://nvd.nist.gov/vuln/detail/CVE-2021-33455) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. 
| +| [CVE-2021-33454](https://nvd.nist.gov/vuln/detail/CVE-2021-33454) | yasm | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-30499](https://nvd.nist.gov/vuln/detail/CVE-2021-30499) | libcaca | 0.99.beta20 | NVD data issue: CPE entry does not correctly state the version numbers. Issue is fixed in v0.99.beta20: [link](https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20). | +| [CVE-2021-26945](https://nvd.nist.gov/vuln/detail/CVE-2021-26945) | openexr | 2.5.8 | Fix patch [link](https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e) modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8. | +| [CVE-2021-26720](https://nvd.nist.gov/vuln/detail/CVE-2021-26720) | avahi | 0.8 | False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives. | +| [CVE-2021-26260](https://nvd.nist.gov/vuln/detail/CVE-2021-26260) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d) which went to 2.5.5. | +| [CVE-2021-23215](https://nvd.nist.gov/vuln/detail/CVE-2021-23215) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d) which went to 2.5.5. | +| [CVE-2021-23169](https://nvd.nist.gov/vuln/detail/CVE-2021-23169) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. 
| +| [CVE-2021-21684](https://nvd.nist.gov/vuln/detail/CVE-2021-21684) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2021-21684](https://nvd.nist.gov/vuln/detail/CVE-2021-21684) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) | qemu | 8.0.4 | Upstream patch not merged: [link](https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html). No point fixing this in nixpkgs as long as it is not fixed upstream. | +| [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) | qemu | 8.0.2 | Upstream patch not merged: [link](https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html). No point fixing this in nixpkgs as long as it is not fixed upstream. | +| [CVE-2021-4336](https://nvd.nist.gov/vuln/detail/CVE-2021-4336) | ninja | 1.11.1 | Incorrect package: nixpkgs 'ninja' refers [link](https://github.com/ninja-build/ninja), not [link](https://github.com/ITRS-Group/monitor-ninja). | +| [CVE-2021-4217](https://nvd.nist.gov/vuln/detail/CVE-2021-4217) | unzip | 6.0 | Ignored by other distribution as 'no security impact', e.g. Debian: [link](https://security-tracker.debian.org/tracker/CVE-2021-4217). | +| [CVE-2021-3605](https://nvd.nist.gov/vuln/detail/CVE-2021-3605) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. | +| [CVE-2021-3598](https://nvd.nist.gov/vuln/detail/CVE-2021-3598) | openexr | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. | +| [CVE-2021-3468](https://nvd.nist.gov/vuln/detail/CVE-2021-3468) | avahi | 0.8 | Fixed in nixpgs with [link](https://github.com/NixOS/nixpkgs/pull/195331). | +| [OSV-2021-820](https://osv.dev/OSV-2021-820) | qemu | 8.0.4 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2). | +| [OSV-2021-820](https://osv.dev/OSV-2021-820) | qemu | 8.0.2 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2). | +| [OSV-2021-777](https://osv.dev/OSV-2021-777) | libxml2 | 2.11.4 | Fixed by [link](https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325), which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | +| [OSV-2021-777](https://osv.dev/OSV-2021-777) | libxml2 | 2.10.4 | Fixed by [link](https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325), which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | +| [GHSA-f698-m2v9-5fh3](https://osv.dev/GHSA-f698-m2v9-5fh3) | opencv | 4.7.0 | Incorrect package: issue refers node-opencv [link](https://www.npmjs.com/package/opencv), whereas nixpkgs refers [link](https://github.com/opencv/opencv). | +| [CVE-2020-24490](https://nvd.nist.gov/vuln/detail/CVE-2020-24490) | bluez | 5.66 | Fixed in linux kernel (5.8) with: [link](https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e). 
| +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 1.0.29 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 1.0.21 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 1.0.20 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2019-1003010](https://nvd.nist.gov/vuln/detail/CVE-2019-1003010) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2019-1003010](https://nvd.nist.gov/vuln/detail/CVE-2019-1003010) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2019-20633](https://nvd.nist.gov/vuln/detail/CVE-2019-20633) | patch | 2.7.6 | Upstream patch is not merged: [link](https://savannah.gnu.org/bugs/index.php?56683). Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream. 
| +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 3.11.0 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 2.9.9 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 3.11.0 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. 
| +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 2.9.9 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14587](https://nvd.nist.gov/vuln/detail/CVE-2019-14587) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14587](https://nvd.nist.gov/vuln/detail/CVE-2019-14587) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14586](https://nvd.nist.gov/vuln/detail/CVE-2019-14586) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14586](https://nvd.nist.gov/vuln/detail/CVE-2019-14586) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14575](https://nvd.nist.gov/vuln/detail/CVE-2019-14575) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14575](https://nvd.nist.gov/vuln/detail/CVE-2019-14575) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14563](https://nvd.nist.gov/vuln/detail/CVE-2019-14563) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2019-14563](https://nvd.nist.gov/vuln/detail/CVE-2019-14563) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14562](https://nvd.nist.gov/vuln/detail/CVE-2019-14562) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14562](https://nvd.nist.gov/vuln/detail/CVE-2019-14562) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14559](https://nvd.nist.gov/vuln/detail/CVE-2019-14559) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14559](https://nvd.nist.gov/vuln/detail/CVE-2019-14559) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14553](https://nvd.nist.gov/vuln/detail/CVE-2019-14553) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14553](https://nvd.nist.gov/vuln/detail/CVE-2019-14553) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-12749](https://nvd.nist.gov/vuln/detail/CVE-2019-12749) | dbus | 1 | Fixed with [link](https://github.com/NixOS/nixpkgs/pull/63021) (dbus version '1' in nixpkgs currently refers 1.14.8). | +| [CVE-2019-12067](https://nvd.nist.gov/vuln/detail/CVE-2019-12067) | qemu | 8.0.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-12067](https://nvd.nist.gov/vuln/detail/CVE-2019-12067) | qemu | 8.0.2 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-6470](https://nvd.nist.gov/vuln/detail/CVE-2019-6470) | bind | 9.18.18 | Not valid: [link](https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606). 
| +| [CVE-2019-6470](https://nvd.nist.gov/vuln/detail/CVE-2019-6470) | bind | 9.18.16 | Not valid: [link](https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606). | +| [CVE-2019-6462](https://nvd.nist.gov/vuln/detail/CVE-2019-6462) | cairo | 1.16.0 | Not a valid: [link](https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129). | +| [CVE-2019-6461](https://nvd.nist.gov/vuln/detail/CVE-2019-6461) | cairo | 1.16.0 | Not valid: [link](https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129). | +| [CVE-2019-6293](https://nvd.nist.gov/vuln/detail/CVE-2019-6293) | flex | 2.6.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-1000182](https://nvd.nist.gov/vuln/detail/CVE-2018-1000182) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2018-1000182](https://nvd.nist.gov/vuln/detail/CVE-2018-1000182) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2018-1000110](https://nvd.nist.gov/vuln/detail/CVE-2018-1000110) | git | 2.41.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). 
| +| [CVE-2018-1000110](https://nvd.nist.gov/vuln/detail/CVE-2018-1000110) | git | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2018-18438](https://nvd.nist.gov/vuln/detail/CVE-2018-18438) | qemu | 8.0.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-18438](https://nvd.nist.gov/vuln/detail/CVE-2018-18438) | qemu | 8.0.2 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-13410](https://nvd.nist.gov/vuln/detail/CVE-2018-13410) | zip | 3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-7263](https://nvd.nist.gov/vuln/detail/CVE-2018-7263) | libmad | 0.15.1b | Based on [link](https://github.com/NixOS/nixpkgs/issues/57154), issue is fixed by [link](https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed). | +| [CVE-2018-6553](https://nvd.nist.gov/vuln/detail/CVE-2018-6553) | cups | 2.4.6 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5628](https://nvd.nist.gov/vuln/detail/CVE-2017-5628) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5627](https://nvd.nist.gov/vuln/detail/CVE-2017-5627) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5436](https://nvd.nist.gov/vuln/detail/CVE-2017-5436) | graphite2 | 1.3.14 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-10141](https://nvd.nist.gov/vuln/detail/CVE-2016-10141) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-10133](https://nvd.nist.gov/vuln/detail/CVE-2016-10133) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-10132](https://nvd.nist.gov/vuln/detail/CVE-2016-10132) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9294](https://nvd.nist.gov/vuln/detail/CVE-2016-9294) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9136](https://nvd.nist.gov/vuln/detail/CVE-2016-9136) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9109](https://nvd.nist.gov/vuln/detail/CVE-2016-9109) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9108](https://nvd.nist.gov/vuln/detail/CVE-2016-9108) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9017](https://nvd.nist.gov/vuln/detail/CVE-2016-9017) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7564](https://nvd.nist.gov/vuln/detail/CVE-2016-7564) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7563](https://nvd.nist.gov/vuln/detail/CVE-2016-7563) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7506](https://nvd.nist.gov/vuln/detail/CVE-2016-7506) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7504](https://nvd.nist.gov/vuln/detail/CVE-2016-7504) | mujs | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-6131](https://nvd.nist.gov/vuln/detail/CVE-2016-6131) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-6131](https://nvd.nist.gov/vuln/detail/CVE-2016-6131) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4493](https://nvd.nist.gov/vuln/detail/CVE-2016-4493) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4493](https://nvd.nist.gov/vuln/detail/CVE-2016-4493) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4492](https://nvd.nist.gov/vuln/detail/CVE-2016-4492) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4492](https://nvd.nist.gov/vuln/detail/CVE-2016-4492) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4491](https://nvd.nist.gov/vuln/detail/CVE-2016-4491) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4491](https://nvd.nist.gov/vuln/detail/CVE-2016-4491) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4490](https://nvd.nist.gov/vuln/detail/CVE-2016-4490) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4490](https://nvd.nist.gov/vuln/detail/CVE-2016-4490) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4489](https://nvd.nist.gov/vuln/detail/CVE-2016-4489) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4489](https://nvd.nist.gov/vuln/detail/CVE-2016-4489) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4488](https://nvd.nist.gov/vuln/detail/CVE-2016-4488) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-4488](https://nvd.nist.gov/vuln/detail/CVE-2016-4488) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4487](https://nvd.nist.gov/vuln/detail/CVE-2016-4487) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4487](https://nvd.nist.gov/vuln/detail/CVE-2016-4487) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2781](https://nvd.nist.gov/vuln/detail/CVE-2016-2781) | coreutils | 9.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2781](https://nvd.nist.gov/vuln/detail/CVE-2016-2781) | coreutils | 9.1 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2226](https://nvd.nist.gov/vuln/detail/CVE-2016-2226) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2226](https://nvd.nist.gov/vuln/detail/CVE-2016-2226) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2015-7313](https://nvd.nist.gov/vuln/detail/CVE-2015-7313) | libtiff | 4.5.1 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-9157](https://nvd.nist.gov/vuln/detail/CVE-2014-9157) | graphviz | 8.1.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-9157](https://nvd.nist.gov/vuln/detail/CVE-2014-9157) | graphviz | 7.1.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-4860](https://nvd.nist.gov/vuln/detail/CVE-2014-4860) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-4860](https://nvd.nist.gov/vuln/detail/CVE-2014-4860) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2014-4859](https://nvd.nist.gov/vuln/detail/CVE-2014-4859) | edk2 | 202305 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-4859](https://nvd.nist.gov/vuln/detail/CVE-2014-4859) | edk2 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2012-3509](https://nvd.nist.gov/vuln/detail/CVE-2012-3509) | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2012-3509](https://nvd.nist.gov/vuln/detail/CVE-2012-3509) | libiberty | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2010-4226](https://nvd.nist.gov/vuln/detail/CVE-2010-4226) | cpio | 2.14 | NVD data issue: concerns OpenSuSE, not cpio. | + +
diff --git a/sbomnix.nix b/sbomnix.nix
new file mode 100644
index 0000000..833e296
--- /dev/null
+++ b/sbomnix.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+builtins.fetchGit {
+ url = "https://github.com/tiiuae/sbomnix.git";
+ rev = "7cd25846d2de69ff1c4fa6a798f05ee190636cc0";
+}
diff --git a/setup.py b/setup.py
new file mode 100644
index 0000000..2a815aa
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# pylint: disable=invalid-name, import-error, missing-function-docstring
+
+""" setup.py for setuptools """
+
+import os.path
+import setuptools
+
+
+def project_path(*names):
+ return os.path.join(os.path.dirname(__file__), *names)
+
+
+with open(project_path("VERSION"), encoding="utf-8") as f:
+ version = f.read().strip()
+
+requires = [
+ "colorlog",
+ "gitpython",
+ "pandas",
+ "tabulate",
+ "wheel",
+]
+
+setuptools.setup(
+ name="ghafscan",
+ version=version,
+ description="Run and summarize vulnerability scans",
+ author="TII",
+ author_email="henri.rosten@unikie.com",
+ python_requires=">=3.8",
+ install_requires=requires,
+ license="Apache-2.0",
+ classifiers=[ # See:https://pypi.org/classifiers/
+ "Development Status :: 3 - Alpha",
+ "License :: OSI Approved :: Apache Software License",
+ "Operating System :: POSIX :: Linux",
+ "Programming Language :: Python :: 3 :: Only",
+ ],
+ # packages=["ghafscan"],
+ packages=setuptools.find_namespace_packages(where="src"),
+ package_dir={"": "src"},
+ package_data={"ghafscan.templates": ["*.md"]},
+ entry_points={
+ "console_scripts": [
+ "ghafscan = ghafscan.main:main",
+ ]
+ },
+)
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..f2984f1
--- /dev/null
+++ b/shell.nix
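Review bot: `builtins.fetchGit` is given `url` and `rev` but no `ref`, and as far as I recall Nix only resolves a bare `rev` if that commit is reachable from the repository's default branch; a pinned commit that lives on another branch, or that later drops off the default branch's history after a rebase, then fails to fetch. Pinning the scanner dependency to a full commit id is the right supply-chain choice here (the commit hash fixes the content, so no separate output hash is needed), so the fix is just to make the fetch deterministic with `ref = "<branch containing the commit>";` next to `rev`, or `allRefs = true;` if the branch is not known.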
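Review bot: `"wheel"` in `requires` turns a build-time tool into a runtime dependency of ghafscan; nothing in the package code added by this commit imports it, so drop it from `install_requires` (it belongs with the build backend requirements). The remaining four entries carry no version bounds, which is acceptable for `install_requires` only if the pinned set in `requirements.txt` is what CI and the Nix shell actually install — worth confirming, since a vulnerability-scanning tool's own dependency set should be reproducible. The commented-out `# packages=["ghafscan"],` line is dead now that `find_namespace_packages(where="src")` is used and can be deleted.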
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ pkgs ? import {},
+ pythonPackages ? pkgs.python3Packages,
+}:
+pkgs.mkShell rec {
+ name = "ghafscan-dev-shell";
+ sbomnix = import ./sbomnix.nix;
+ vulnxscan = import "${sbomnix}/scripts/vulnxscan/vulnxscan.nix" {pkgs = pkgs;};
+ csvdiff_nix = import ./csvdiff.nix;
+ csvdiff = import "${csvdiff_nix}/csvdiff/default.nix" {pkgs = pkgs;};
+ buildInputs = [
+ pkgs.nix
+ pkgs.reuse
+ vulnxscan
+ csvdiff
+ pythonPackages.black
+ pythonPackages.colorlog
+ pythonPackages.gitpython
+ pythonPackages.pandas
+ pythonPackages.pycodestyle
+ pythonPackages.pylint
+ pythonPackages.pytest
+ pythonPackages.tabulate
+ pythonPackages.venvShellHook
+ ];
+ venvDir = "venv";
+ postShellHook = ''
+ export PYTHONPATH="$PWD/src:$PYTHONPATH"
+
+ # https://github.com/NixOS/nix/issues/1009:
+ export TMPDIR="/tmp"
+
+ # Enter python development environment
+ make install-dev
+ '';
+}
diff --git a/src/ghafscan/__init__.py b/src/ghafscan/__init__.py
new file mode 100644
index 0000000..5cc74e1
--- /dev/null
+++ b/src/ghafscan/__init__.py
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
diff --git a/src/ghafscan/main.py b/src/ghafscan/main.py
new file mode 100755
index 0000000..c9f6b3f
--- /dev/null
+++ b/src/ghafscan/main.py
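Review bot: `postShellHook` runs `make install-dev` unconditionally on every shell entry; if that target pip-installs into `venvDir` (the Makefile is not in this hunk), each `nix-shell` invocation reaches out to PyPI, so the development environment is only as reproducible as `requirements.txt` and is not pinned by Nix at all. Consider making the install a one-off step, for example guarded on a marker file inside `venvDir`, or documenting it as an explicit `make` target rather than a side effect of entering the shell. `export TMPDIR="/tmp"` silently overrides whatever the user's session set; the linked issue justifies it, but a one-line comment stating what breaks without it would help the next reader. Minor: `{pkgs = pkgs;}` on the two `import` lines can be `{inherit pkgs;}`.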
@@ -0,0 +1,554 @@ +#!/usr/bin/env python3 + +# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII) +# +# SPDX-License-Identifier: Apache-2.0 + +# pylint: disable=invalid-name, too-many-instance-attributes +# pylint: disable=too-many-statements, too-many-locals + +""" Run and summarize vulnerability scans for flake targets """ + +import os +import sys +import re +import argparse +import logging +import subprocess +import tempfile +import shutil +import difflib +import csv +from pathlib import Path + +import git +import pandas as pd +from colorlog import ColoredFormatter, default_log_colors +from tabulate import tabulate + + +################################################################################ + +LOG_SPAM = logging.DEBUG - 1 +LOG = logging.getLogger(os.path.abspath(__file__)) + +################################################################################ + + +def _getargs(): + """Parse command line arguments""" + desc = "Run and summarize vulnerability scans for Ghaf flake targets." + epil = ( + "Example: ghafscan --flakeref=github:tiiuae/ghaf?ref=main " + "--target=packages.x86_64-linux.generic-x86_64-release" + ) + parser = argparse.ArgumentParser(description=desc, epilog=epil) + helps = ( + "Flake reference to specify the location of the flake target. " + "For more details, see: " + "https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-flake" + "#flake-references." + ) + parser.add_argument("-f", "--flakeref", required=True, help=helps) + helps = "Target flake output, repeat to scan many outputs." + parser.add_argument( + "-t", "--target", required=True, action="append", help=helps, nargs="+" + ) + helps = "Path to output directory (default=./result)." + parser.add_argument("-o", "--outdir", help=helps, default="./result", type=Path) + helps = ( + "Path to whitelist file. Vulnerabilities that match any whitelisted " + "entries will not be included to the console output and are annotated " + "accordingly in the output csv. 
See more details in the vulnxscan " + "README.md." + ) + parser.add_argument("-w", "--whitelist", help=helps, type=Path) + helps = "Set the debug verbosity level between 0-3 (default: --verbose=1)" + parser.add_argument("--verbose", help=helps, type=int, default=1) + return parser.parse_args() + + +################################################################################ + + +# Utils + + +def _set_log_verbosity(verbosity=1): + """Set logging verbosity""" + log_levels = [logging.NOTSET, logging.INFO, logging.DEBUG, LOG_SPAM] + verbosity = min(len(log_levels) - 1, max(verbosity, 0)) + _init_logging(verbosity) + + +def _init_logging(verbosity=1): + """Initialize logging""" + if verbosity == 0: + level = logging.NOTSET + elif verbosity == 1: + level = logging.INFO + elif verbosity == 2: + level = logging.DEBUG + else: + level = LOG_SPAM + if level <= logging.DEBUG: + logformat = ( + "%(log_color)s%(levelname)-8s%(reset)s " + "%(filename)s:%(funcName)s():%(lineno)d " + "%(message)s" + ) + else: + logformat = "%(log_color)s%(levelname)-8s%(reset)s %(message)s" + logging.addLevelName(LOG_SPAM, "SPAM") + default_log_colors["INFO"] = "fg_bold_white" + default_log_colors["DEBUG"] = "fg_bold_white" + default_log_colors["SPAM"] = "fg_bold_white" + formatter = ColoredFormatter(logformat, log_colors=default_log_colors) + if LOG.hasHandlers() and len(LOG.handlers) > 0: + stream = LOG.handlers[0] + else: + stream = logging.StreamHandler() + stream.setFormatter(formatter) + if not LOG.hasHandlers(): + LOG.addHandler(stream) + LOG.setLevel(level) + + +def exit_unless_command_exists(name): + """Check if `name` is an executable in PATH""" + name_is_in_path = shutil.which(name) is not None + if not name_is_in_path: + LOG.fatal("command '%s' is not in PATH", name) + sys.exit(1) + + +def exec_cmd(cmd, raise_on_error=True, return_error=False, loglevel=logging.DEBUG): + """Run shell command cmd""" + command_str = " ".join(cmd) + LOG.log(loglevel, "Running: %s", command_str) + try: + 
ret = subprocess.run(cmd, capture_output=True, encoding="utf-8", check=True) + return ret + except subprocess.CalledProcessError as error: + LOG.debug( + "Error running shell command:\n cmd: '%s'\n stdout: %s\n stderr: %s", + command_str, + error.stdout, + error.stderr, + ) + if raise_on_error: + raise error + if return_error: + return error + return None + + +def df_from_csv_file(name): + """Read csv file into dataframe""" + LOG.debug("Reading: %s", name) + if not Path(name).exists(): + # Return empty dataframe if path isn't valid + return pd.DataFrame() + try: + df = pd.read_csv(name, keep_default_na=False, dtype=str) + df.reset_index(drop=True, inplace=True) + return df + except pd.errors.ParserError: + LOG.fatal("Not a csv file: '%s'", name) + sys.exit(1) + + +def df_to_csv_file(df, name, loglevel=logging.INFO): + """Write dataframe to csv file""" + df.to_csv( + path_or_buf=name, quoting=csv.QUOTE_ALL, sep=",", index=False, encoding="utf-8" + ) + LOG.log(loglevel, "Wrote: %s", name) + + +def df_log(df, loglevel, tablefmt="presto"): + """Log dataframe with given loglevel and tablefmt""" + if LOG.level <= loglevel: + if df.empty: + return + df = df.fillna("") + table = tabulate( + df, headers="keys", tablefmt=tablefmt, stralign="left", showindex=False + ) + LOG.log(loglevel, "\n%s\n", table) + + +def filediff(file1, file2): + """Return unified diff between `file1` and `file2` as a string""" + f1 = Path(file1) + f2 = Path(file2) + if not f1.exists(): + LOG.error("Diff failed: '%s' does not exist", str(f1)) + return "" + if not f2.exists(): + LOG.error("Diff failed: '%s' does not exist", str(f2)) + return "" + f1_lines = f1.read_text(encoding="utf-8").splitlines() + f2_lines = f2.read_text(encoding="utf-8").splitlines() + diff = difflib.unified_diff(f1_lines, f2_lines, fromfile=file1, tofile=file2) + return "\n".join(diff).strip(" \n\t") + + +################################################################################ + + +class FlakeScanner: + """Scan and 
report nix flake target vulnerabilities""" + + def __init__(self, flakeref): + self.df_scan = None + self.flakeref = flakeref + LOG.info("Scanning '%s'", flakeref) + self.tmpdir = Path(tempfile.mkdtemp()) + LOG.debug("Using tmpdir: %s", self.tmpdir) + self.repodir = self.tmpdir / "repo" + self.repodir.mkdir(parents=True, exist_ok=True) + self._nix_clone_flakeref(flakeref) + self.repo = git.Repo(self.repodir.as_posix()) + LOG.info("Target repo HEAD at '%s'", self.repo.rev_parse("HEAD")) + self.lockfile = None + self.lockfile_bak = None + self.flakefile = None + self.flakefile_bak = None + self._init_flakefiles() + + def __del__(self): + if self.tmpdir: + LOG.debug("Removing tmpdir: %s", self.tmpdir) + shutil.rmtree(self.tmpdir) + + def _nix_clone_flakeref(self, flakeref): + cmd = f"nix flake clone {flakeref} --dest {self.repodir}" + exec_cmd(cmd.split()) + + def _init_flakefiles(self): + # Backup the original flake.lock + self.lockfile = self.repodir / "flake.lock" + if not self.lockfile.exists(): + LOG.fatal("Missing flake.lock: %s", self.lockfile.resolve()) + sys.exit(1) + self.lockfile_bak = self.tmpdir / "flake.lock" + shutil.copy(self.lockfile, self.lockfile_bak) + LOG.debug("%s:\n%s", self.lockfile, self.lockfile.read_text()) + # Backup the original flake.nix + self.flakefile = self.repodir / "flake.nix" + if not self.flakefile.exists(): + LOG.fatal("Missing flake.nix: %s", self.flakefile.resolve()) + sys.exit(1) + self.flakefile_bak = self.tmpdir / "flake.nix" + shutil.copy(self.flakefile, self.flakefile_bak) + + def scan_target(self, target, buildtime=True, nixprs=False, whitelist=None): + """Scan given flake output target""" + LOG.info("Scanning flake output '%s'", target) + # Build the vulnxscan command. Note: '--nixprs' takes a long time + # due to github rate limits. 
If the execution time becomes a problem, + # consider dropping the '--nixprs' + out = self.tmpdir / "vulnxscan.csv" + cmd_vulnxscan = f"vulnxscan.py --triage --out={out}" + if buildtime: + cmd_vulnxscan += " --buildtime" + if nixprs: + cmd_vulnxscan += " --nixprs" + if whitelist: + cmd_vulnxscan += f" --whitelist={whitelist}" + # First scan: + # Before lockfile update + LOG.info("Scanning current vulnerabilities") + self._read_scan_results(cmd_vulnxscan, target, "current") + # Second scan: + # Update lockfile to get latest updates from the pinned channel + self._update_repo_lock() + LOG.info("Scanning vulnerabilities after lockfile update") + self._read_scan_results(cmd_vulnxscan, target, "lock_updated") + # Third scan: + # Update lockfile to get latest updates from nixos-unstable + self._update_repo_lock(nixpkgs_url="github:NixOS/nixpkgs/nixos-unstable") + LOG.info("Scanning vulnerabilities after updating from nixos-unstable") + self._read_scan_results(cmd_vulnxscan, target, "nix_unstable") + + def report(self, outdir): + """Report scan results to console and `outdir`""" + outdir.mkdir(parents=True, exist_ok=True) + rawout = outdir / "data.csv" + df_ref = None + if rawout.exists(): + df_ref = df_from_csv_file(rawout.as_posix()) + df_targets = self.df_scan[["flakeref", "target"]].drop_duplicates() + newstr = "" + for scan_target in df_targets.itertuples(): + flakeref = scan_target.flakeref + target = scan_target.target + target_path = self._report_target(outdir, flakeref, target, df_ref) + relative_target_path = os.path.relpath(target_path, outdir) + newstr += f"* [Vulnerability Report: '{target}']({relative_target_path})\n" + template = _data_file("templates/ghaf_landing.md") + if not template.exists(): + LOG.fatal("Missing landing template '%s'", template.resolve().as_posix()) + sys.exit(1) + marker = "TARGET_REPORTS" + LOG.debug(marker) + landing_str = template.read_text(encoding="utf-8") + landing_str = landing_str.replace(marker, newstr) + readme_target = 
outdir / "README.md" + readme_target.write_text(landing_str) + df_to_csv_file(self.df_scan, rawout.as_posix()) + + def _report_target(self, outdir, flakeref, target, df_ref): + LOG.debug("%s#%s", flakeref, target) + template = _data_file("templates/ghaf_target.md") + if not template.exists(): + LOG.fatal("Missing report template '%s'", template.resolve().as_posix()) + sys.exit(1) + target_report = outdir / f"{target}.md" + report_str = template.read_text(encoding="utf-8") + df = self.df_scan.copy() + df_target = df[(df["target"] == target) & (df["flakeref"] == flakeref)] + if "whitelist" in df_target.columns: + df_target = df_target[df_target["whitelist"] == "False"] + if df_ref is not None: + df = df_ref + df_ref = df[(df["target"] == target) & (df["flakeref"] == flakeref)] + if "whitelist" in df_ref.columns: + df_ref = df_ref[df_ref["whitelist"] == "False"] + marker = "TARGET_NAME" + LOG.debug(marker) + newstr = f"{flakeref}#{target}" + report_str = report_str.replace(marker, newstr) + marker = "FIXED_IN_NIXPKGS" + LOG.debug(marker) + df = self._diff_scans(df_target, "current", "lock_updated") + newstr = self._df_to_report_tbl(df) + report_str = report_str.replace(marker, newstr) + marker = "FIXED_IN_NIX_UNSTABLE" + LOG.debug(marker) + df = self._diff_scans(df_target, "lock_updated", "nix_unstable") + newstr = self._df_to_report_tbl(df) + report_str = report_str.replace(marker, newstr) + marker = "NEW_SINCE_LAST_RUN" + LOG.debug(marker) + if df_ref is None or df_ref.empty: + newstr = self._df_to_report_tbl(pd.DataFrame()) + else: + df = df_target + df_left = df[df["pintype"] == "current"] + csv_left = self.tmpdir / "left.csv" + df_to_csv_file(df_left, csv_left, logging.DEBUG) + df = df_ref + df_right = df[df["pintype"] == "current"] + csv_right = self.tmpdir / "right.csv" + df_to_csv_file(df_right, csv_right, logging.DEBUG) + df = self._csvdiff(csv_left, csv_right) + newstr = self._df_to_report_tbl(df) + report_str = report_str.replace(marker, newstr) + marker = 
"CURRENT_VULNS" + LOG.debug(marker) + df = df_target + df = df[df["pintype"] == "current"] + newstr = self._df_to_report_tbl(df) + report_str = report_str.replace(marker, newstr) + marker = "ONLY_WHITELISTED" + LOG.debug(marker) + newstr = "```No whitelisted vulnerabilities```" + df = self.df_scan.copy() + if "whitelist" in df.columns: + df = df[df["whitelist"] != "False"] + newstr = self._df_to_report_tbl(df, up_ver=False) + report_str = report_str.replace(marker, newstr) + # Write the target report + target_report.write_text(report_str) + return target_report + + def _diff_scans(self, df, left_pin, right_pin): + LOG.debug("'%s' diff '%s'", left_pin, right_pin) + df_left = df[df["pintype"] == left_pin] + tmp_left_csv = self.tmpdir / "left.csv" + df_to_csv_file(df_left, tmp_left_csv, logging.DEBUG) + df_right = df[df["pintype"] == right_pin] + tmp_right_csv = self.tmpdir / "right.csv" + df_to_csv_file(df_right, tmp_right_csv, logging.DEBUG) + return self._csvdiff(tmp_left_csv, tmp_right_csv) + + def _csvdiff(self, csv_left, csv_right): + LOG.debug("") + out = self.tmpdir / "csvdiff.csv" + uids = "vuln_id,package" + if not csv_left.exists(): + return pd.DataFrame() + if not csv_right.exists(): + return pd.DataFrame() + left = csv_left.resolve().as_posix() + right = csv_right.resolve().as_posix() + cmd = ["csvdiff", left, right, f"--cols={uids}", f"--out={out}"] + exec_cmd(cmd) + df = df_from_csv_file(out).astype(str) + return df[df["diff"].str.contains("left_only")] + + def _df_to_report_tbl(self, df, up_ver=True): + LOG.debug("") + if df.empty: + return "```No vulnerabilities```" + # Sort by the following columns + sort_cols = ["sortcol", "package", "version_local", "vuln_id"] + if not set(sort_cols).issubset(df.columns): + return "\n```Error: missing required columns```\n" + df = df.sort_values(by=sort_cols, ascending=False) + # Truncate version strings + df["version_local"] = df["version_local"].str.slice(0, 16) + # Report table will have the following columns + 
report_cols = ["vuln_id", "package", "version_local"] + # Optionally add the following upstream versions + if up_ver and "version_nixpkgs" in df: + ver_rename = "nix_unstable" + report_cols.append(ver_rename) + df[ver_rename] = df["version_nixpkgs"].str.slice(0, 16) + if up_ver and "version_upstream" in df: + ver_rename = "upstream" + report_cols.append(ver_rename) + df[ver_rename] = df["version_upstream"].str.slice(0, 16) + # Add the 'comment' column + df["comment"] = df.apply(_reformat_comment, axis=1) + report_cols.append("comment") + # Convert vuln_id to a hyperlink + df["vuln_id"] = df.apply(_reformat_vuln_id, axis=1) + # Add PR search links + if "nixpkgs_pr" in df.columns: + df["comment"] = df.apply(_reformat_pr_search, axis=1) + # Select only the report_cols + df = df[report_cols] + df = df.drop_duplicates(keep="first") + # Format dataframe to markdown table + table = tabulate( + df, headers="keys", tablefmt="github", stralign="left", showindex=False + ) + return f"\n{table}\n" + + def _evaluate_target_drv(self, target): + cmd = f"nix eval {str(self.repodir)}#{target}.drvPath" + ret = exec_cmd(cmd.split()) + drv_path = Path(str(ret.stdout).strip('"\n\t ')) + LOG.info("Target '%s' evaluates to derivation: %s", target, drv_path) + return drv_path + + def _update_repo_lock(self, nixpkgs_url=None): + LOG.info("Updating: %s", self.lockfile) + # Reset possible earlier changes to the flake.nix and lockfile + shutil.copy(self.lockfile_bak, self.lockfile) + shutil.copy(self.flakefile_bak, self.flakefile) + if nixpkgs_url: + # Update the nixpkgs.url reference in flake.nix + flake_text = self.flakefile.read_text() + # Match e.g. 
'nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";' + pattern = r"(nixpkgs\.url *= *)[^;]+" + repl = rf'\1"{nixpkgs_url}"' + # Replace pattern with repl in flake_text + flake_text_new = re.sub(pattern, repl, flake_text) + self.flakefile.write_text(flake_text_new) + diffstr = filediff(str(self.flakefile_bak), str(self.flakefile)) + if not diffstr: + LOG.warning( + "Replacing nixpkgs.url in flake.nix did not result any changes, " + "maybe it's already pinned to '%s'?", + nixpkgs_url, + ) + LOG.debug("%s contents:\n%s", self.flakefile, flake_text) + # Update the lockfile + cmd = f"nix flake lock {str(self.repodir)} --update-input nixpkgs" + exec_cmd(cmd.split()) + diffstr = filediff(str(self.lockfile_bak), str(self.lockfile)) + if diffstr: + LOG.info("Updated lockfile:\n%s", diffstr) + + def _read_scan_results(self, cmd, target, pintype): + out_triage = self.tmpdir / "vulnxscan.triage.csv" + shutil.rmtree(out_triage, ignore_errors=True) + drv_path = self._evaluate_target_drv(target) + cmd = f"{cmd} {str(drv_path)}" + ret = exec_cmd(cmd.split()) + LOG.debug("vulnxscan.py ==>\n\n%s\n\n<== vulnxscan.py\n", ret.stderr) + if not out_triage.exists(): + LOG.warning("vulnxscan triage output not found: %s", out_triage) + return + df = df_from_csv_file(out_triage.as_posix()) + # Add the following columns to the beginning of df + df.insert(0, "pintype", pintype) + df.insert(0, "flakeref", self.flakeref) + df.insert(0, "target", target) + self.df_scan = pd.concat([self.df_scan, df], ignore_index=True) + + +################################################################################ + +# Helpers + + +def _reformat_vuln_id(row): + if not row.vuln_id or not row.url: + return "" + # Return vuln_id as markdown hyperlink that points links to row.url + return f"[{row.vuln_id}]({row.url})" + + +def _reformat_comment(row): + if not hasattr(row, "whitelist_comment") or not row.whitelist_comment: + return "" + comment = str(row.whitelist_comment) + # Replace urls in the comment entry 
with markdown hyperlinks + pattern = r"(https?://\S+\w/?)" + comment_mod = re.sub(pattern, r"[link](\1)", comment) + return comment_mod + + +def _reformat_pr_search(row): + if not hasattr(row, "nixpkgs_pr") or not row.nixpkgs_pr: + if hasattr(row, "comment"): + return row.comment + return "" + # Replace urls in nixpkgs_pr entry with markdown hyperlinks + pattern = r"(https?://\S+\w/?)" + pr_search = re.sub(pattern, r"[PR](\1)", row.nixpkgs_pr) + pr_search = " ".join(pr_search.split()) + if pr_search: + pr_search = f" *[{', '.join(pr_search.split(' '))}]*" + if row.comment: + pr_search = f"{row.comment} {pr_search}" + return pr_search + + +def _data_file(fname): + """Return the path to a data file.""" + return Path(os.path.join(os.path.split(__file__)[0], fname)) + + +################################################################################ + +# Main + + +def main(): + """main entry point""" + args = _getargs() + _set_log_verbosity(args.verbose) + # Fail early if the following commands are not in PATH + exit_unless_command_exists("nix") + exit_unless_command_exists("vulnxscan.py") + exit_unless_command_exists("csvdiff") + scanner = FlakeScanner(args.flakeref) + whitelist = args.whitelist + if whitelist is not None and not whitelist.exists(): + LOG.warning("Ignoring inaccessible whitelist: %s", whitelist.as_posix()) + whitelist = None + for target in args.target: + scanner.scan_target(target[0], nixprs=True, whitelist=whitelist) + scanner.report(args.outdir) + + +if __name__ == "__main__": + main() + +################################################################################ diff --git a/src/ghafscan/templates/ghaf_landing.md b/src/ghafscan/templates/ghaf_landing.md new file mode 100644 index 0000000..bd8259e --- /dev/null +++ b/src/ghafscan/templates/ghaf_landing.md @@ -0,0 +1,11 @@ + + +# Ghaf Vulnerability Reports + +See the following links for detailled Ghaf vulnerability reports: + +TARGET_REPORTS 
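Review bot: In `_read_scan_results`, `shutil.rmtree(out_triage, ignore_errors=True)` is applied to a regular file, so it fails with NotADirectoryError that is then ignored and the previous scan's `vulnxscan.triage.csv` is never removed; if a later scan does not write a new triage file, the stale results from the previous pin are read and attributed to the new `pintype` instead of hitting the warning branch. Replace it with `out_triage.unlink(missing_ok=True)` (setup.py requires Python >= 3.8, so `missing_ok` is available). In `_getargs`, `--target` combines `action="append"` with `nargs="+"`, which yields a list of lists, and `main` only passes `target[0]` on, so `-t a b` silently drops `b`; drop `nargs` or flatten the list before the loop. In `_report_target`, the `ONLY_WHITELISTED` table is built from `self.df_scan.copy()` rather than from the rows matching this target and flakeref, and when no `whitelist` column exists every scanned row ends up listed as whitelisted; the "No whitelisted vulnerabilities" assignment just above it is overwritten unconditionally and is dead code.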
diff --git a/src/ghafscan/templates/ghaf_target.md b/src/ghafscan/templates/ghaf_target.md
new file mode 100644
index 0000000..96af48a
--- /dev/null
+++ b/src/ghafscan/templates/ghaf_target.md
@@ -0,0 +1,68 @@ + + +# Vulnerability Report + +This vulnerability report is generated for Ghaf target '`TARGET_NAME`'. The tables on this page include known vulnerabilities impacting any buildtime or runtime dependencies of the given target. + +This report is automatically generated as specified on the [Vulnerability Scan](../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../manual_analysis.csv) file. + + +Reports +================= + +* [Vulnerabilities Fixed in Ghaf nixpkgs Upstream](#vulnerabilities-fixed-in-ghaf-nixpkgs-upstream) +* [Vulnerabilities Fixed in nix-unstable](#vulnerabilities-fixed-in-nix-unstable) +* [New Vulnerabilities Since Last Run](#new-vulnerabilities-since-last-run) +* [All Vulnerabilities Impacting Ghaf](#all-vulnerabilities-impacting-ghaf) +* [Whitelisted Vulnerabilities](#whitelisted-vulnerabilities) + +## Vulnerabilities Fixed in Ghaf nixpkgs Upstream + +Following table lists vulnerabilities that have been fixed in the nixpkgs channel the Ghaf target is currently pinned to, but the fixes have not been included in Ghaf. + +Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/flake.lock) file to mitigate the following issues: + +FIXED_IN_NIXPKGS + +## Vulnerabilities Fixed in nix-unstable + +Following table lists vulnerabilities that have been fixed in nixpgks nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. + +Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch. 
+ +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch: + +FIXED_IN_NIX_UNSTABLE + + +## New Vulnerabilities Since Last Run + +Following table lists vulnerabilities currently impacting the Ghaf target that have emerged since the last time this vulnerability report was generated. + +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + +NEW_SINCE_LAST_RUN + + +## All Vulnerabilities Impacting Ghaf + +Following table lists all vulnerabilities currently impacting the Ghaf target. + +Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + +CURRENT_VULNS + + +## Whitelisted Vulnerabilities + +Following table lists vulnerabilities that would otherwise have been included to the report, but were left out due to whitelisting. + +
+Whitelisted vulnerabilities +
+ONLY_WHITELISTED +
diff --git a/tests/test_ghafscan.py b/tests/test_ghafscan.py
new file mode 100644
index 0000000..6fb28b3
--- /dev/null
+++ b/tests/test_ghafscan.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+# SPDX-FileCopyrightText: 2022-2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# pylint: disable=invalid-name, global-statement, redefined-outer-name
+# pylint: disable=protected-access
+
+""" Tests for ghafscan """
+
+import os
+import subprocess
+import shutil
+from pathlib import Path
+import pytest
+
+from ghafscan.main import FlakeScanner
+
+################################################################################
+
+MYDIR = Path(os.path.dirname(os.path.realpath(__file__)))
+TEST_WORK_DIR = None
+REPOROOT = MYDIR / ".."
+GHAFSCAN = REPOROOT / "src" / "ghafscan" / "main.py"
+
+################################################################################
+
+
+@pytest.fixture(scope="session")
+def test_work_dir(tmp_path_factory):
+ """Fixture for session-scope tempdir"""
+ tempdir = tmp_path_factory.mktemp("test_ghafscan")
+ return Path(tempdir)
+
+
+@pytest.fixture(autouse=True)
+def set_up_test_data(test_work_dir):
+ """Fixture to set up the test data"""
+ print("setup")
+ global TEST_WORK_DIR
+ TEST_WORK_DIR = test_work_dir
+ TEST_WORK_DIR.mkdir(parents=True, exist_ok=True)
+ print(f"using TEST_WORK_DIR: {TEST_WORK_DIR}")
+ os.chdir(TEST_WORK_DIR)
+ yield "resource"
+ print("clean up")
+ shutil.rmtree(TEST_WORK_DIR)
+
+
+################################################################################
+
+
+def test_ghafscan_help():
+ """Test ghafscan command line argument: '-h'"""
+ cmd = [GHAFSCAN, "-h"]
+ assert subprocess.run(cmd, check=True).returncode == 0
+
+
+def test_ghafscan_basic():
+ """Basic tests for GhafScanner"""
+ scanner = FlakeScanner("github:tiiuae/ghaf?ref=main")
+ scanner.scan_target("formatter.x86_64-linux", buildtime=False)
+ test_work_dir = Path(TEST_WORK_DIR)
+ scanner.report(test_work_dir)
+ readme = test_work_dir / "README.md"
+ assert readme.exists()
+ assert readme.stat().st_size != 0
+
+
+################################################################################
+
+
+if __name__ == "__main__":
+ pytest.main([__file__])
+
+
+################################################################################
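Review bot: `test_ghafscan_basic` clones `github:tiiuae/ghaf?ref=main` over the network and runs `nix`, `vulnxscan.py` and `csvdiff` from PATH with no skip guard, so on any machine without network access or those tools the test fails rather than skips. A guard such as `@pytest.mark.skipif(shutil.which("vulnxscan.py") is None, reason="vulnxscan.py not in PATH")` would keep the suite runnable outside the nix shell. The `set_up_test_data` fixture calls `os.chdir(TEST_WORK_DIR)` and then removes that directory on teardown, leaving the process in a deleted working directory after the last test; change back first, e.g. `os.chdir(MYDIR)` before `shutil.rmtree(TEST_WORK_DIR)`. The `global TEST_WORK_DIR` round-trip is also unnecessary, since `test_ghafscan_basic` can take the `test_work_dir` fixture as a parameter directly.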