CVE checker return false positives
(address . bug-guix@gnu.org)
Hello,
The CVE checker of “guix lint” returns false positives:
?????
? LANGUAGE=C guix lint git 2>&1
????
? gnu/packages/version-control.scm:149:2: git@2.25.1: probably
vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110,
CVE-2018-1000182
?
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12:
git@2.25.1: can be upgraded to 2.25.2
?
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11:
git@2.25.1: source not archived on Software Heritage
?????
• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier
[…]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”
Also note the missing / on the first line and it output on `stderr'
instead of `stdout'.
[CVE-2020-2136] https://nvd.nist.gov/vuln/detail/CVE-2020-2136
[CVE-2019-1003010] https://nvd.nist.gov/vuln/detail/CVE-2019-1003010
[CVE-2018-1000110] https://nvd.nist.gov/vuln/detail/CVE-2018-1000110
[CVE-2018-1000182] https://nvd.nist.gov/vuln/detail/CVE-2018-1000182
Brice.