Nix-Security-WG / nix-local-security-scanner

Reports on which security advisories may be relevant for a given system or derivation
MIT License

False positive: CVE-2023-3576 in libtiff #36

Closed raboof closed 11 months ago

raboof commented 11 months ago

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/736a64d37eaddec5f6621f067782f2cbc8e40a73, it reports CVE-2023-3576 in libtiff.

The problem is the version range in the CVE is wrong: it says all versions are affected, while in fact this issue was fixed in 4.5.1.

The best way to solve this issue would probably be to ingest the NVD feed, as https://nvd.nist.gov/vuln/detail/CVE-2023-3576 correctly has the version range as 'affected up to 4.5.1' Nix-Security-WG/nix-local-security-scanner#47.

GHSA does not have this improved data yet at the time of writing this issue (https://github.com/advisories/GHSA-qfgr-f5j7-2xxf).

raboof commented 11 months ago

Verified this advisory is now filtered out based on version range.
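The false positive above comes down to how an advisory's affected range is represented and compared against an installed version. The following is an added example, not code from nix-local-security-scanner or from the commenter, that models the two records the issue contrasts: a stale range with no upper bound (so every libtiff version matches) and an NVD-style range that ends at the 4.5.1 fix release. The `AffectedRange` shape, the `end_excluding` naming and the sample records are assumptions made for this example; only the CVE id and the 4.5.1 fix version come from the issue.

```python
"""
Version-range filtering for advisory matching (added example, not the
scanner's own code). Shows why an advisory whose range has no upper
bound is reported for every version, while a range bounded at the fix
release is filtered out for the fixed version and later.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple: '4.5.1' -> (4, 5, 1).
    A trailing non-numeric suffix in a component ('1rc2') is dropped so
    that comparison never raises; a fully non-numeric component counts as 0."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; '4.5' equals '4.5.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass(frozen=True)
class AffectedRange:
    """Assumed shape for an affected interval, modelled on NVD's CPE match
    fields: start is inclusive, end_excluding is the first fixed version.
    None on either side means that side is unbounded."""
    package: str
    start_including: Optional[str] = None
    end_excluding: Optional[str] = None

    def contains(self, version: str) -> bool:
        if self.start_including is not None and cmp_versions(version, self.start_including) < 0:
            return False
        if self.end_excluding is not None and cmp_versions(version, self.end_excluding) >= 0:
            return False
        return True


def is_relevant(package: str, version: str, ranges: Iterable[AffectedRange]) -> bool:
    """True if any range of the advisory covers this package at this version."""
    return any(r.package == package and r.contains(version) for r in ranges)


def report(packages: Iterable[Tuple[str, str]],
           advisories: Dict[str, List[AffectedRange]]) -> Dict[str, List[str]]:
    """Map each advisory id to the package-version pairs it applies to,
    omitting advisories that match nothing (the scanner's 'filtered out' case)."""
    hits: Dict[str, List[str]] = {}
    for adv_id, ranges in advisories.items():
        for name, version in packages:
            if is_relevant(name, version, ranges):
                hits.setdefault(adv_id, []).append(f"{name}-{version}")
    return hits


# Constructed sample records for CVE-2023-3576 (the CVE id and the 4.5.1 fix
# version are from the issue; the record shapes are this example's own).
STALE_CVE_2023_3576 = [AffectedRange("libtiff")]                        # "all versions affected"
NVD_CVE_2023_3576 = [AffectedRange("libtiff", end_excluding="4.5.1")]   # fixed in 4.5.1

if __name__ == "__main__":
    installed = [("libtiff", "4.5.1"), ("libtiff", "4.4.0")]
    print("stale data:", report(installed, {"CVE-2023-3576": STALE_CVE_2023_3576}))
    print("NVD data:  ", report(installed, {"CVE-2023-3576": NVD_CVE_2023_3576}))
```

With the stale record both installed versions are reported; with the bounded record only libtiff-4.4.0 is, and the 4.5.1 build drops out exactly as the verification comment describes. The comparator pads shorter versions with zeros so that `4.5` and `4.5.0` compare equal, which matters when one data source omits a trailing patch component.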