In WordPress, `vuls report -ignore-unfixed' can't report fixed pkgs .

[shigechika]

What did you do? (required. The issue will be closed when not provided.)

% vuls scan wp-vuls
% vuls report -format-full-text -ignore-unfixed
 : Nothing
% vuls report -format-full-text
wp-vuls (centos7.9.2009)
============================
Total: 2 (Critical:1 High:1 Medium:0 Low:0 ?:0)
2/2 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 9 WordPress pkgs

+----------------+---------------------------------------------------------------------------------------------------+
| CVE-2021-44223 | FIXED                                                                                             |
+----------------+---------------------------------------------------------------------------------------------------+
| Max Score      | 9.8 CRITICAL (nvd)                                                                                |
| nvd            | 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL                                         |
| nvd            | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH                                                               |
| Summary        | WordPress before 5.8 lacks support for the Update URI plugin header. This makes                   |
|                | it easier for remote attackers to execute arbitrary code via a supply-chain                       |
|                | attack against WordPress installations that use any plugin for which the slug                     |
|                | satisfies the naming constraints of the WordPress.org Plugin Directory but is                     |
|                | not yet present in that directory.                                                                |
| Primary Src    | https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/ |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-44223                                                   |
| WordPress      | core-5.7.4, FixedIn: 5.8                                                                          |
| Confidence     | 100 / WpScanMatch                                                                                 |
| CWE            | NVD-CWE-Other:  (nvd)                                                                             |
| CWE            | https://cwe.mitre.org/data/definitions/NVD-CWE-Other.html                                         |
| nvd            | https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/               |
+----------------+---------------------------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2021-20865 | FIXED                                                                            |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 7.5 HIGH (nvd)                                                                   |
| nvd            | 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N HIGH                            |
| jvn            | 4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MEDIUM                          |
| nvd            | 5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N MEDIUM                                            |
| jvn            | 4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N MEDIUM                                            |
| Summary        | WordPress 用プラグイン Advanced Custom Fields における複数の認証欠如の脆弱性     |
|                | Delicious Brains が提供する WordPress 用プラグイン Advanced                      |
|                | Custom Fields には、次に挙げる複数の認証欠如の脆弱性が存在します。               |
|                | ・データベース閲覧に関わる認証の欠如 (CWE-862) - CVE-2021-20865                  |
|                | ・ユーザ一覧取得に関わる認証の欠如 (CWE-862) - CVE-2021-20866                    |
|                | ・フィールドグループ移動に関わる認証の欠如 (CWE-862) - CVE-2021-20867            |
|                | この脆弱性情報は、情報セキュリティ早期警戒パートナーシップに基づき下記の方が     |
|                | IPA に報告し、JPCERT/CC が開発者との調整を行いました。 報告者:                   |
|                | 株式会社イエラエセキュリティ 山崎 啓太郎 氏                                      |
| Primary Src    | https://www.advancedcustomfields.com/                                            |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-20865                                  |
| Primary Src    | https://jvndb.jvn.jp/ja/contents/2021/JVNDB-2021-000109.html                     |
| WordPress      | advanced-custom-fields-5.9.6, Update: available, FixedIn: 5.11, active           |
| WordPress      | advanced-custom-fields-pro-5.9.6, Update: available, FixedIn: 5.11, active       |
| Confidence     | 100 / WpScanMatch                                                                |
| Confidence     | 100 / WpScanMatch                                                                |
| CWE            | [CWE/SANS Top6]  CWE-862: 認証の欠如(CWE-862) (nvd)                              |
| CWE            | http://jvndb.jvn.jp/ja/cwe/CWE-862.html                                          |
| SANS/CWE Top25 | https://www.sans.org/top25-software-errors/                                      |
+----------------+----------------------------------------------------------------------------------+

What did you expect to happen?

reporting fixed pkgs

What happened instead?

• Current Output

Please re-run the command using -debug and provide the output below.

Steps to reproduce the behaviour

Configuration (MUST fill this out):

• Go version (go version):

go version go1.16.3 linux/amd64

• Go environment (go env):

• Vuls environment:

vuls-v0.19.0-build-20211217_102841_2b7294a

• config.toml:

• command:

[MaineK00n]

I think the reason is that fixed/unfixed is not taken into account from WpPackageFixStats here. https://github.com/future-architect/vuls/blob/2b7294a50454eb49b762e3825a85ee1aedea1ba2/models/vulninfos.go#L67-L86