From: Brice Waegeneire
Subject: bug#40142: CVE checker return false positives
Date: Fri, 20 Mar 2020 09:10:31 +0000
Message-ID: <0bb3b7878b37095b4ed7fa49aee5936f@waegenei.re>
List-Id: Bug reports for GNU Guix
To: 40142@debbugs.gnu.org

Hello,

The CVE checker of “guix lint” returns false positives:

┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git@2.25.1: probably vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, CVE-2018-1000182
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12: git@2.25.1: can be upgraded to 2.25.2
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11: git@2.25.1: source not archived on Software Heritage
└────

• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

Also note the missing / on the first line, and that it outputs on `stderr' instead of `stdout'.

[CVE-2020-2136]
[CVE-2019-1003010]
[CVE-2018-1000110]
[CVE-2018-1000182]

Brice.
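The four CVEs listed above all describe the Jenkins Git Plugin, whose CPE product field is also "git". The following is an added example, not code from Guix or from the reporter: it reproduces the false positive with a name-only matcher over a constructed CVE feed, and shows the vendor-aware check that avoids it. The CPE strings, the vendor names "git-scm" and "jenkins", the version bounds and the placeholder "CVE-0000-0001" entry are all assumptions made for the illustration, not data taken from NVD or from the Guix lint implementation.

```python
"""Name-only versus vendor-aware CPE matching (added example, not Guix code).

The sample feed below is constructed for this example; the CPE strings and
version bounds are assumptions, not NVD data.  "CVE-0000-0001" is a placeholder
standing in for a real git-scm:git advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str     # "*" means any version in the matched range
    target_sw: str   # "*" means any platform; "jenkins" means a Jenkins plugin


def parse_cpe23(s: str) -> Cpe:
    """Parse a CPE 2.3 formatted string (assumed 13 colon-separated fields)."""
    # cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
    parts = s.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {s}")
    return Cpe(vendor=parts[3], product=parts[4], version=parts[5], target_sw=parts[10])


# Constructed sample feed: (CVE id, CPE of the affected product, last affected version).
SAMPLE_FEED = [
    ("CVE-2020-2136",    "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "4.2.0"),
    ("CVE-2019-1003010", "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "3.9.1"),
    ("CVE-2018-1000110", "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "3.7.0"),
    ("CVE-2018-1000182", "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "3.9.0"),
    ("CVE-0000-0001",    "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",       "2.24.0"),  # placeholder
]


def version_tuple(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. "2.25.1" -> (2, 25, 1)."""
    return tuple(int(x) for x in v.split("."))


def affected(pkg_version: str, end_including: str) -> bool:
    return version_tuple(pkg_version) <= version_tuple(end_including)


def naive_matches(package: str, version: str) -> list:
    """Name-only matching: any CPE whose product field equals the package name
    is treated as the same software.  This reproduces the report: git 2.25.1 is
    "below" Jenkins Git Plugin 4.2.0, so all four plugin CVEs are flagged."""
    hits = []
    for cve, cpe_s, end in SAMPLE_FEED:
        cpe = parse_cpe23(cpe_s)
        if cpe.product == package and affected(version, end):
            hits.append(cve)
    return hits


def strict_matches(package: str, version: str, vendor: str, target_sw: str = "*") -> list:
    """Vendor-aware matching: require vendor and product to agree, and reject a
    CPE whose target_sw names a platform the package is not built for."""
    hits = []
    for cve, cpe_s, end in SAMPLE_FEED:
        cpe = parse_cpe23(cpe_s)
        if cpe.product != package or cpe.vendor != vendor:
            continue
        if cpe.target_sw not in ("*", "-", target_sw):
            continue
        if affected(version, end):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    print("name-only, git@2.25.1:   ", naive_matches("git", "2.25.1"))
    print("vendor-aware, git@2.25.1:", strict_matches("git", "2.25.1", "git-scm"))
    print("vendor-aware, git@2.23.0:", strict_matches("git", "2.23.0", "git-scm"))
```

The name-only matcher returns exactly the four Jenkins CVEs from the report for git@2.25.1, because a plain version comparison against "4.2.0" succeeds for an unrelated product. Keying the lookup on vendor and product (and treating a non-wildcard target_sw such as "jenkins" as a platform constraint) drops them while still reporting the placeholder git-scm entry for an older git.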