Skip to content

Tracking: annotate homebrew-core patches with resolves (CVE suppression) #95

Description

@p-linnane

Backfilling patch resolves annotations in homebrew-core so brew vulns can suppress CVEs already fixed by a shipped patch. Follows discussion #6869 and the demo in Homebrew/homebrew-core#285534.

Each annotation removes one real false positive from scan output, so we drive from the scanner rather than a heuristic sweep: a sample of 59 upstream-commit patches found zero CVE references (core patches are mostly build fixes), and grepping for CVE strings would mislabel outstanding CVEs as patched.

Process

  1. Run brew vulns over core on the suppression branch (Suppress vulnerabilities resolved by formula patches #92).
  2. For each reported CVE: real and unpatched → leave it; fixed by a shipped patch → add resolves "CVE-..." to the patch in homebrew-core in a syntax-only PR.
  3. Re-run and confirm it suppresses; link before/after in the PR.

resolves "CVE-X" means this shipped patch fixes CVE-X in the bottle — not an outstanding/unfixed CVE, a version-bump fix, or an ENV mitigation.

Dependencies

Already annotated

libquicktime, innoextract (explicit resolves); glibc, unzip, zip, lrzsz (filename-inferred).

Checked, not candidates

avahi, openslp, sylpheed, opentsdb, dpkg mention a CVE in source, but it's version rationale or an ENV mitigation, not a patch fix. Listed so we don't re-check them.

Working set

Per-patch inventory (798 formulae, 1,183 patches: formula, source kind, current resolves status) attached for reference. The scanner output is what drives which patches get annotated.

patch-inventory.csv

Metadata

Metadata

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions