You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Backfilling patch resolves annotations in homebrew-core so brew vulns can suppress CVEs already fixed by a shipped patch. Follows discussion #6869 and the demo in Homebrew/homebrew-core#285534.
Each annotation removes one real false positive from scan output, so we drive from the scanner rather than a heuristic sweep: a sample of 59 upstream-commit patches found zero CVE references (core patches are mostly build fixes), and grepping for CVE strings would mislabel outstanding CVEs as patched.
For each reported CVE: real and unpatched → leave it; fixed by a shipped patch → add resolves "CVE-..." to the patch in homebrew-core in a syntax-only PR.
Re-run and confirm it suppresses; link before/after in the PR.
resolves "CVE-X" means this shipped patch fixes CVE-X in the bottle — not an outstanding/unfixed CVE, a version-bump fix, or an ENV mitigation.
Query OSV for formulae without GitHub/GitLab/Codeberg source URLs #93 (issue) — forge coverage. All six current annotations sit on unsupported forges (SourceForge/GNU/etc.), so none can be validated until this lands. Formulae on GitHub/GitLab/Codeberg with a tagged release are queryable without it.
avahi, openslp, sylpheed, opentsdb, dpkg mention a CVE in source, but it's version rationale or an ENV mitigation, not a patch fix. Listed so we don't re-check them.
Working set
Per-patch inventory (798 formulae, 1,183 patches: formula, source kind, current resolves status) attached for reference. The scanner output is what drives which patches get annotated.
Backfilling patch
resolvesannotations in homebrew-core sobrew vulnscan suppress CVEs already fixed by a shipped patch. Follows discussion #6869 and the demo in Homebrew/homebrew-core#285534.Each annotation removes one real false positive from scan output, so we drive from the scanner rather than a heuristic sweep: a sample of 59 upstream-commit patches found zero CVE references (core patches are mostly build fixes), and grepping for CVE strings would mislabel outstanding CVEs as patched.
Process
brew vulnsover core on the suppression branch (Suppress vulnerabilities resolved by formula patches #92).resolves "CVE-..."to the patch in homebrew-core in a syntax-only PR.resolves "CVE-X"means this shipped patch fixes CVE-X in the bottle — not an outstanding/unfixed CVE, a version-bump fix, or an ENV mitigation.Dependencies
Already annotated
libquicktime, innoextract (explicit
resolves); glibc, unzip, zip, lrzsz (filename-inferred).Checked, not candidates
avahi,openslp,sylpheed,opentsdb,dpkgmention a CVE in source, but it's version rationale or an ENV mitigation, not a patch fix. Listed so we don't re-check them.Working set
Per-patch inventory (798 formulae, 1,183 patches: formula, source kind, current
resolvesstatus) attached for reference. The scanner output is what drives which patches get annotated.patch-inventory.csv