Hello,
The CVE checker of “guix lint” returns false positives:
┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git@2.25.1: probably
vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110,
CVE-2018-1000182
│
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12:
git@2.25.1: can be upgraded to 2.25.2
│
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11:
git@2.25.1: source not archived on Software Heritage
└────
• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier
[…]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”
Also note the missing / on the first line and it output on `stderr'
instead of `stdout'.
[CVE-2020-2136] <https://nvd.nist.gov/vuln/detail/CVE-2020-2136>
[CVE-2019-1003010] <https://nvd.nist.gov/vuln/detail/CVE-2019-1003010>
[CVE-2018-1000110] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000110>
[CVE-2018-1000182] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000182>
Brice.
