Automatic vulnerability report update
henrirosten authored and github-actions[bot] committed Nov 19, 2023
1 parent 55931d2 commit 1280298
Showing 7 changed files with 105 additions and 55 deletions.
8 changes: 8 additions & 0 deletions reports/ghaf-23.06/data.csv
Expand Up @@ -12,6 +12,10 @@
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-45853","https://nvd.nist.gov/vuln/detail/CVE-2023-45853","zlib","9.8","1.2.13","1.3","1.3","zlib","2023A0000045853","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/262722
https://github.com/NixOS/nixpkgs/pull/263083"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-45322","https://nvd.nist.gov/vuln/detail/CVE-2023-45322","libxml2","6.5","2.10.4","2.11.5","2.12.0","libxml2","2023A0000045322","False","","fix_update_to_version_upstream",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.20.4","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.20.4","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-44488","https://nvd.nist.gov/vuln/detail/CVE-2023-44488","libvpx","7.5","1.13.0","1.13.1","1.13.1","libvpx","2023A0000044488","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/258295
https://github.com/NixOS/nixpkgs/pull/258350
https://github.com/NixOS/nixpkgs/pull/259881
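Review bot: the four new go rows carry the verdict `err_not_vulnerable_based_on_repology` while the same rows list nix_unstable at 1.21.3 and upstream at 1.21.4, so the "not vulnerable" claim rests on a Repology comparison that the version columns in the row do not support; these rows need a manual verdict recorded in the whitelist fields (currently `"False",""`) through manual_analysis.csv, otherwise the `err_` classification will reappear on every automated run. The nixpkgs PR column is also empty for all four, unlike the zlib and libvpx rows around them, so nobody picking this up has a pointer to in-flight work; if no PR exists yet, say so in the comment field rather than leaving the cell blank.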
Expand Down Expand Up @@ -434,6 +438,10 @@ https://github.com/NixOS/nixpkgs/pull/84664"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-45853","https://nvd.nist.gov/vuln/detail/CVE-2023-45853","zlib","9.8","1.2.13","1.3","1.3","zlib","2023A0000045853","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/262722
https://github.com/NixOS/nixpkgs/pull/263083"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-45322","https://nvd.nist.gov/vuln/detail/CVE-2023-45322","libxml2","6.5","2.10.4","2.11.5","2.12.0","libxml2","2023A0000045322","False","","fix_update_to_version_upstream",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.20.8","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.20.8","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","nghttp2","7.5","1.51.0","1.57.0","1.58.0","nghttp2","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329
https://github.com/NixOS/nixpkgs/pull/262022
https://github.com/NixOS/nixpkgs/pull/262713
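Review bot: in the lock_updated rows version_local for the go package moves from 1.20.4 to 1.20.8, yet every other field, including the `err_not_vulnerable_based_on_repology` verdict and the empty PR column, is a verbatim copy of the current rows, which suggests the verdict was carried over rather than re-evaluated against 1.20.8. Since nix_unstable (1.21.3) is still below upstream (1.21.4) in both states, updating the lock does not clear these rows; the report should state that explicitly, ideally by recording the first fixed version once it is known, so the question of a 1.20.x backport can be tracked instead of rediscovered.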
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,14 @@ Following table lists vulnerabilities currently impacting the Ghaf target that h

Consider [whitelisting](../../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs:

```No vulnerabilities```

| vuln_id | package | severity | version_local | nix_unstable | upstream | comment |
|-------------------------------------------------------------------|-----------|------------|------------------|----------------|------------|-----------|
| [CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283) | go | 7.5 | 1.20.4 | 1.21.3 | 1.21.4 | |
| [CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283) | go | 7.5 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | |
| [CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45284) | go | 5.3 | 1.20.4 | 1.21.3 | 1.21.4 | |
| [CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45284) | go | 5.3 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | |



## All Vulnerabilities Impacting Ghaf
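Review bot: the version_local column truncates `1.17.13-linux-amd64-bootstrap` to `1.17.13-linux-am`, dropping the `-bootstrap` suffix that is the only thing distinguishing the two rows per CVE, so a reader of the markdown cannot tell why CVE-2023-45283 and CVE-2023-45284 each appear twice. Widen the column or stop truncating cell contents in the report generator; the CSV in the same commit carries the full string. Separately, replacing the "No vulnerabilities" placeholder with the table leaves three blank lines before the next heading; drop the extra ones.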
Expand Down Expand Up @@ -144,6 +151,8 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base
| [CVE-2023-4733](https://nvd.nist.gov/vuln/detail/CVE-2023-4733) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2112 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* |
| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2112 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* |
| [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 7.8 | 8.0.0 | 8.1.2 | 8.1.2 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). |
| [CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283) | go | 7.5 | 1.20.4 | 1.21.3 | 1.21.4 | |
| [CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283) | go | 7.5 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | |
| [CVE-2023-44488](https://nvd.nist.gov/vuln/detail/CVE-2023-44488) | libvpx | 7.5 | 1.13.0 | 1.13.1 | 1.13.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258295), [PR](https://github.com/NixOS/nixpkgs/pull/258350), [PR](https://github.com/NixOS/nixpkgs/pull/259881), [PR](https://github.com/NixOS/nixpkgs/pull/260189)]* |
| [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | nghttp2 | 7.5 | 1.51.0 | 1.57.0 | 1.58.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/262022), [PR](https://github.com/NixOS/nixpkgs/pull/262713), [PR](https://github.com/NixOS/nixpkgs/pull/262718), [PR](https://github.com/NixOS/nixpkgs/pull/262738)]* |
| [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | go | 7.5 | 1.20.4 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/262022), [PR](https://github.com/NixOS/nixpkgs/pull/262713), [PR](https://github.com/NixOS/nixpkgs/pull/262718), [PR](https://github.com/NixOS/nixpkgs/pull/262738)]* |
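Review bot: the comment column for the two new CVE-2023-45283 go rows is empty, while the CSV behind this table classifies them as `err_not_vulnerable_based_on_repology`; the markdown is what people read, so the classification, or at least a note that the verdict is pending manual analysis, should be surfaced here the way the qemu and vim rows carry their "Revisit when..." and "Backport..." comments. Note also that the CVE-2023-44487 go row two lines below lists exactly the same five nixpkgs PRs as the nghttp2 row, so the PR column appears to be keyed on the CVE id rather than the package; do not read an empty PR cell on the new go rows as evidence that no fix is in flight.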
Expand Down Expand Up @@ -222,6 +231,8 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base
| [CVE-2021-3933](https://nvd.nist.gov/vuln/detail/CVE-2021-3933) | openexr | 5.5 | 2.5.8 | 3.2.0 | 3.2.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/234754), [PR](https://github.com/NixOS/nixpkgs/pull/236043), [PR](https://github.com/NixOS/nixpkgs/pull/238270), [PR](https://github.com/NixOS/nixpkgs/pull/254764), [PR](https://github.com/NixOS/nixpkgs/pull/258729)]* |
| [CVE-2020-18781](https://nvd.nist.gov/vuln/detail/CVE-2020-18781) | audiofile | 5.5 | 0.3.6 | 0.3.6 | 0.3.6 | |
| [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 5.4 | 2.40.1 | 2.42.0 | 2.42.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* |
| [CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45284) | go | 5.3 | 1.20.4 | 1.21.3 | 1.21.4 | |
| [CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45284) | go | 5.3 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | |
| [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 5.3 | 3.6.2 | 3.7.2 | 3.7.2 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). *[[PR](https://github.com/NixOS/nixpkgs/pull/244713), [PR](https://github.com/NixOS/nixpkgs/pull/256930)]* |
| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.20.4 | 1.21.3 | 1.21.4 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266382)]* |
| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266382)]* |
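Review bot: the `1.17.13-linux-am` row for CVE-2023-45284, like the one for CVE-2023-29409 directly below it, is the go bootstrap toolchain (full name `1.17.13-linux-amd64-bootstrap` in the CSV), whose name indicates it exists to compile the go package rather than ship in the target; as a result every go CVE is counted twice in this report. If manual analysis confirms the bootstrap derivation is build-time only, whitelist it once in manual_analysis.csv so it stops inflating both this table and the whitelist-candidates table above. The insertion point (after CVE-2020-2136 at 5.4, before CVE-2023-30571 at 5.3) shows the table is sorted by severity and then by newest CVE id, which is fine but deserves a sentence in the report header.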
8 changes: 8 additions & 0 deletions reports/ghaf-23.09/data.csv
Expand Up @@ -10,6 +10,10 @@
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45853","https://nvd.nist.gov/vuln/detail/CVE-2023-45853","zlib","9.8","1.2.13","1.3","1.3","zlib","2023A0000045853","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/262722
https://github.com/NixOS/nixpkgs/pull/263083"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45322","https://nvd.nist.gov/vuln/detail/CVE-2023-45322","libxml2","6.5","2.10.4","2.11.5","2.12.0","libxml2","2023A0000045322","False","","fix_update_to_version_upstream",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.20.7","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.20.7","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-44488","https://nvd.nist.gov/vuln/detail/CVE-2023-44488","libvpx","7.5","1.13.0","1.13.1","1.13.1","libvpx","2023A0000044488","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/258295
https://github.com/NixOS/nixpkgs/pull/258350
https://github.com/NixOS/nixpkgs/pull/259881
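Review bot: these go rows are identical to the ghaf-23.06 rows earlier in this diff except for version_local (1.20.7 here, 1.20.4 there), and the `err_not_vulnerable_based_on_repology` verdict is the same in both, so the classification appears to be driven by the nix_unstable/upstream pair (1.21.3/1.21.4) rather than by the version actually built for the target. That deserves a caveat in the report: a 1.20.x backport landing in the ghaf-23.09 lock would not change these rows until nixpkgs unstable reaches the upstream version, and conversely a row disappearing only tells you nixpkgs moved, not that the target was rebuilt with the fix.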
Expand Down Expand Up @@ -362,6 +366,10 @@ https://github.com/NixOS/nixpkgs/pull/84664"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45853","https://nvd.nist.gov/vuln/detail/CVE-2023-45853","zlib","9.8","1.2.13","1.3","1.3","zlib","2023A0000045853","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/262722
https://github.com/NixOS/nixpkgs/pull/263083"
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45322","https://nvd.nist.gov/vuln/detail/CVE-2023-45322","libxml2","6.5","2.10.4","2.11.5","2.12.0","libxml2","2023A0000045322","False","","fix_update_to_version_upstream",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.20.8","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45284","https://nvd.nist.gov/vuln/detail/CVE-2023-45284","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045284","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.20.8","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45283","https://nvd.nist.gov/vuln/detail/CVE-2023-45283","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000045283","False","","err_not_vulnerable_based_on_repology",""
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","nghttp2","7.5","1.51.0","1.57.0","1.58.0","nghttp2","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329
https://github.com/NixOS/nixpkgs/pull/262022
https://github.com/NixOS/nixpkgs/pull/262713