Nix-Security-WG / nix-local-security-scanner

Reports on which security advisories may be relevant for a given system or derivation
MIT License

False positive: CVE-2023-3164 in gawk #41

Closed raboof closed 11 months ago

raboof commented 11 months ago

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/e3e8d9a880e10e07a6942ee00e86294b5eb548fa, it reports CVE-2023-4156 in gawk.

The problem is the version range in the CVE is wrong: the version range says '5.1.1 is not affected', which strictly speaking means 5.2.2 should still be considered affected.

The best way to solve this issue would probably be to ingest the NVD feed, as https://nvd.nist.gov/vuln/detail/CVE-2023-3164 correctly has the version range as 'affected up to 5.1.1' (see Nix-Security-WG/nix-local-security-scanner#47).

GHSA does not have this improved data yet at the time of writing this issue (https://github.com/advisories/GHSA-2x8c-h7r9-r6m6)
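An added illustration of the version-range point in this issue (example code written for this page, not code from nix-local-security-scanner or from any advisory database): an OSV-style range matcher run against a constructed system containing gawk 5.2.2. The GHSA encoding is modelled as an open-ended range with a single version marked unaffected, and the NVD encoding as a range with `last_affected` 5.1.1; both are assumptions about how the data would be ingested, as the issue does not show the raw advisory records. The first form matches 5.2.2, the second filters it out, which is the false positive described above.

```python
"""Added example: how advisory version ranges decide whether an installed
package version is reported. Not the scanner's own code; the advisory
records below are constructed to mirror the issue text."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, List, Dict


def parse_version(text: str) -> tuple:
    """Split a dotted version into integers; non-numeric pieces become 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1, padding with zeros so '5.2' equals '5.2.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


@dataclass(frozen=True)
class VersionRange:
    """OSV-style range: affected from `introduced` until `fixed` (exclusive)
    or `last_affected` (inclusive). `unaffected` lists single versions that
    are explicitly carved out; used here to model a record that only says
    '5.1.1 is not affected' (assumed encoding, see lead-in)."""
    introduced: str = "0"
    fixed: Optional[str] = None
    last_affected: Optional[str] = None
    unaffected: FrozenSet[str] = frozenset()


def in_range(version: str, rng: VersionRange) -> bool:
    if any(compare(version, u) == 0 for u in rng.unaffected):
        return False
    if compare(version, rng.introduced) < 0:
        return False
    if rng.fixed is not None and compare(version, rng.fixed) >= 0:
        return False
    if rng.last_affected is not None and compare(version, rng.last_affected) > 0:
        return False
    # No upper bound at all: every version from `introduced` onward matches.
    return True


@dataclass(frozen=True)
class Advisory:
    ident: str
    package: str
    ranges: Tuple[VersionRange, ...]


def matching_advisories(installed: Dict[str, str],
                        advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Report (package, version, advisory id) for every advisory whose
    package name matches and whose ranges contain the installed version."""
    hits = []
    for name, version in installed.items():
        for adv in advisories:
            if adv.package == name and any(in_range(version, r) for r in adv.ranges):
                hits.append((name, version, adv.ident))
    return hits


# Constructed records. The GHSA form only states that 5.1.1 is unaffected,
# leaving the range open-ended; the NVD form bounds it at 5.1.1 inclusive.
GHSA_AS_INGESTED = Advisory("GHSA-2x8c-h7r9-r6m6", "gawk",
                            (VersionRange(unaffected=frozenset({"5.1.1"})),))
NVD_AS_INGESTED = Advisory("CVE-2023-3164", "gawk",
                           (VersionRange(last_affected="5.1.1"),))

# Constructed system closure: the test case in the issue has gawk 5.2.2.
SYSTEM = {"gawk": "5.2.2"}


if __name__ == "__main__":
    print("GHSA data:", matching_advisories(SYSTEM, [GHSA_AS_INGESTED]))
    print("NVD data: ", matching_advisories(SYSTEM, [NVD_AS_INGESTED]))
```

Running it shows the GHSA-shaped record producing a hit for gawk 5.2.2 and the NVD-shaped record producing none. The practical check for a scanner is the one in `in_range`: a range with neither `fixed` nor `last_affected` matches every future version, so such records should be either bounded from a second source or flagged as low-confidence rather than reported as definite matches.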

raboof commented 11 months ago

Verified this advisory is now filtered out based on version range.