Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports CVE-2022-26691 in cups.
This is a false positive, because this issue was fixed in version 2.4.2 and we are already on version 2.4.7.
The reason this triggered is because there are multiple version ranges: cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:* Up to (excluding) 499.4 and cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:* Up to (excluding) 2.4.2.
Perhaps we should keep a list of CPEs to explicitly ignore somewhere and add cpe:2.3:a:apple:cups to it? Nix-Security-WG/nix-local-security-scanner#2
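
An added illustration of the false positive and the proposed ignore list, not code from nix-local-security-scanner or from the issue author. It assumes the scanner matches on product name only and compares dotted numeric versions; the function names and the shape of the ignore list are hypothetical.

```python
# Added illustration; not code from nix-local-security-scanner.
# The two entries are the CPE ranges quoted in the issue for CVE-2022-26691.
CVE_MATCHES = [
    {"criteria": "cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:*", "versionEndExcluding": "499.4"},
    {"criteria": "cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.2"},
]

# Hypothetical ignore list keyed by CPE prefix (part:vendor:product).
IGNORED_CPE_PREFIXES = frozenset({"cpe:2.3:a:apple:cups"})


def version_key(version):
    """Compare dotted versions component-wise (assumes numeric parts only)."""
    return tuple(int(part) for part in version.split("."))


def cpe_prefix(criteria):
    """Return 'cpe:2.3:<part>:<vendor>:<product>' from a CPE 2.3 string."""
    return ":".join(criteria.split(":")[:5])


def matching_entries(product, version, matches, ignored=frozenset()):
    """Return the CPE criteria that flag (product, version) as affected.

    Assumption: matching is on product name only, because the package has
    no vendor attached. That is what lets the apple:cups range, which uses
    a different version scheme, apply to openprinting cups 2.4.7.
    """
    hits = []
    for entry in matches:
        criteria = entry["criteria"]
        if cpe_prefix(criteria) in ignored:
            continue  # explicitly ignored vendor:product pair
        if criteria.split(":")[4] != product:
            continue
        if version_key(version) < version_key(entry["versionEndExcluding"]):
            hits.append(criteria)
    return hits


if __name__ == "__main__":
    print("no ignore list:  ", matching_entries("cups", "2.4.7", CVE_MATCHES))
    print("with ignore list:", matching_entries("cups", "2.4.7", CVE_MATCHES, IGNORED_CPE_PREFIXES))
    print("cups 2.4.1:      ", matching_entries("cups", "2.4.1", CVE_MATCHES, IGNORED_CPE_PREFIXES))
```

With the ignore list in place, cups 2.4.7 is no longer flagged, while a version below 2.4.2 is still reported through the openprinting range.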