GNU bug report logs - #40142
(guix cve) discards configuration "vendor", leading to false positives

Previous Next

Package: guix;

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Fri, 20 Mar 2020 09:11:02 UTC

Severity: normal

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Brice Waegeneire <brice <at> waegenei.re>
To: bug-guix <at> gnu.org
Subject: CVE checker return false positives
Date: Fri, 20 Mar 2020 09:10:31 +0000

Hello,

The CVE checker of “guix lint” returns false positives:
┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git <at> 2.25.1: probably 
vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, 
CVE-2018-1000182
│ 
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12: 
git <at> 2.25.1: can be upgraded to 2.25.2
│ 
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11: 
git <at> 2.25.1: source not archived on Software Heritage
└────


• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier
  […]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

Also note the missing / on the first line and it output on `stderr'
instead of `stdout'.

[CVE-2020-2136] <https://nvd.nist.gov/vuln/detail/CVE-2020-2136>

[CVE-2019-1003010] <https://nvd.nist.gov/vuln/detail/CVE-2019-1003010>

[CVE-2018-1000110] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000110>

[CVE-2018-1000182] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000182>

Brice.
This bug report was last modified 5 years and 163 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.