nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.
BSD 3-Clause "New" or "Revised" License

what to do around frequent false positives (might be a case of me needing to learn to triage better with nix) #81

Open 06kellyjac opened 3 years ago

06kellyjac commented 3 years ago

vulnix thinks my drv uses JetBrains Hub when the drv holds https://github.com/tektoncd/hub

This is also the case for other dependencies collected by gomod2nix

λ vulnix ./result
22 derivations with active advisories

------------------------------------------------------------------------
bash-4.4-p23

/nix/store/ay54nhnk1md3ygj8s877d6n3721l2dyz-bash-4.4-p23.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-18276    7.8

# ...

------------------------------------------------------------------------
hub-0ae1afc

/nix/store/ni50vpsf4kclcbd8d6flk127nh8mx8pb-hub-0ae1afc.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-36209    9.8
https://nvd.nist.gov/vuln/detail/CVE-2020-11691    7.5
https://nvd.nist.gov/vuln/detail/CVE-2021-31901    7.5
https://nvd.nist.gov/vuln/detail/CVE-2019-12847    7.2
https://nvd.nist.gov/vuln/detail/CVE-2021-25759    6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-37540    6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-25757    6.1
https://nvd.nist.gov/vuln/detail/CVE-2021-37541    6.1
https://nvd.nist.gov/vuln/detail/CVE-2019-14955    5.3
https://nvd.nist.gov/vuln/detail/CVE-2019-18360    5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-25760    5.3

# ...

------------------------------------------------------------------------
util-linux-2.36.2

/nix/store/2c9ab725kccddpjlxb5r8s1hxzbrjdqq-util-linux-2.36.2.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-37600    5.5

λ nix why-depends /nix/store/xkfmhy8za4jhlzk0iav0mm52wd2s4lji-vendor-env.drv /nix/store/ni50vpsf4kclcbd8d6flk127nh8mx8pb-hub-0ae1afc.drv
└───github.com/tektoncd/hub/api -> /nix/store/3qa9ymxypdd5xv0jvxk4f4b9d83mv0py-hub-0ae1afc/api
    → /nix/store/3qa9ymxypdd5xv0jvxk4f4b9d83mv0py-hub-0ae1afc
/nix/store/gmsm2cwync8nsnpqnwq6sg3nwfrqfwjl-vendor-env

λ ls -l /nix/store/gmsm2cwync8nsnpqnwq6sg3nwfrqfwjl-vendor-env/github.com/tektoncd/hub
lrwxrwxrwx root root 59 B Thu Jan  1 01:00:01 1970  api ⇒ /nix/store/3qa9ymxypdd5xv0jvxk4f4b9d83mv0py-hub-0ae1afc/api

Is there anything vulnix can do, or should gomod2nix just change the drv names? Or both?


I also have a buildGoModule-based build.

vulnix thinks it uses a vulnerable w3m during build, but I can't find it.

λ vulnix ./result
16 derivations with active advisories

------------------------------------------------------------------------
bash-4.4-p23

/nix/store/ay54nhnk1md3ygj8s877d6n3721l2dyz-bash-4.4-p23.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-18276    7.8

------------------------------------------------------------------------
binutils-2.35.1

/nix/store/z4sfszir1p0077xw55bki07yjshymcs9-binutils-2.35.1.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-20294    7.8
https://nvd.nist.gov/vuln/detail/CVE-2021-3487     6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-20284    5.5

# ...

------------------------------------------------------------------------
w3m-0.5.3+git20190105

/nix/store/h0j15nrdh0y9yng5ylg3qm1427j9ky1y-w3m-0.5.3+git20190105.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2016-9422     8.8
# ...
https://nvd.nist.gov/vuln/detail/CVE-2016-9633     6.5

λ nix why-depends ./result /nix/store/h0j15nrdh0y9yng5ylg3qm1427j9ky1y-w3m-0.5.3+git20190105.drv
this path will be fetched (0.73 MiB download, 1.69 MiB unpacked):
  /nix/store/hvq53cdwdbmkd26y5qh0lgwgzy3sbqfi-w3m-0.5.3+git20190105
'/nix/store/ly9bhnp0lmc7n76ks0vgarildp49pwy9-tkn-utils-0.0.1' does not depend on '/nix/store/hvq53cdwdbmkd26y5qh0lgwgzy3sbqfi-w3m-0.5.3+git20190105'

# done a manual search too
nix show-derivation ./result -r | bat -l json
RaitoBezarius commented 2 years ago

I am indeed encountering similar issues with, e.g., shellcheck being mistaken for the unofficial shellcheck extension for VS Code.
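A triage whitelist for the three name collisions reported in this thread (tektoncd/hub, the build-time-only w3m, and shellcheck), written here as an added example; it is not code from the issue or from the vulnix project. It assumes vulnix's TOML whitelist format as documented in its README (sections named `[pname]` or `["pname-version"]` with optional `cve`, `until`, `comment` and `issue_url` keys) and the `-w FILE` option; the `until` date is a constructed value.

```toml
# Added triage whitelist for the false positives discussed in this issue.
# Format assumed from the vulnix README: [pname] matches every version,
# ["pname-version"] matches one pinned version. Run with:
#   vulnix -w whitelist.toml ./result

# gomod2nix vendors github.com/tektoncd/hub as "hub-0ae1afc"; the bare
# pname "hub" collides with the CPE product name of JetBrains Hub.
# Scope the exception to the exact pinned version rather than [hub], so a
# version bump (or an advisory for a different "hub") surfaces again, and
# list the misattributed CVE ids explicitly instead of silencing all of them.
["hub-0ae1afc"]
cve = [
  "CVE-2021-36209", "CVE-2020-11691", "CVE-2021-31901", "CVE-2019-12847",
  "CVE-2021-25759", "CVE-2021-37540", "CVE-2021-25757", "CVE-2021-37541",
  "CVE-2019-14955", "CVE-2019-18360", "CVE-2021-25760",
]
comment = "Name collision: this is github.com/tektoncd/hub, not JetBrains Hub."
issue_url = "https://github.com/nix-community/vulnix/issues/81"

# w3m is only reachable through the build-time closure; `nix why-depends
# ./result ...` above shows the runtime output does not depend on it.
# Time-box the exception so it is re-examined, not forgotten.
["w3m-0.5.3+git20190105"]
until = "2022-01-31"   # constructed example date
comment = "Build-time only; not present in the shipped output (see why-depends)."

# shellcheck vs. the unofficial VS Code extension of the same name.
# Without a `cve` list this section hides every advisory for the pname,
# so keep the `until` short and add the ids once they have been confirmed.
[shellcheck]
until = "2022-01-31"   # constructed example date
comment = "CPE matches the VS Code extension, not koalaman/shellcheck."
```

Pinning by exact version and dating each entry keeps an exception from quietly covering a later build that really is affected.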