[Chore] resolve "perpetually open" CVEs for PHP and FPM #14050
Comments
None of those CVEs were assigned by the PHP CNA, and so we don't have control over them. One is not even a security issue and is disputed, and the last one also isn't considered a security issue as it would require a user to knowingly trigger an overflow on their own local machine.
@nielsdos the idea is to reach out to somebody who can close them then. This way, PHP is perpetually "on the list" and shows up whenever anyone does a CVE-based scan; fixing this is in PHP's best interest.
There isn't anything that can be done here about it, I'm afraid.
It seems the correct procedure is what's outlined in this document: the PHP Foundation or PHP CNA would start a dispute with the CVE owner CNA. https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf
Thank you for bringing this up. Let me check what we can do and get back to you.
Stas is already looking into it.
Description
Using a security vulnerability scanner like https://github.com/anchore/grype will yield some (false positive?) perpetually open CVEs for PHP and FPM, namely:
Since, with the exception of the last one, these are all ancient, it's possible to mark them as false positives, but projects like Node try to keep their open CVEs up to date to reflect the actual status and now show up on these and similar scanners, resulting in churn across the entire community.
Is there a way to deal with these and have them marked as resolved, invalid, etc.?
PHP Version
PHP 8.3.6
Operating System
No response
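Until the records themselves are disputed through the CVE process, the only local option the issue mentions is marking the matches as false positives in the scanner. As an added example (not part of this issue and not the grype project's own configuration), this is what a scoped grype ignore file for that looks like. The CVE identifiers are placeholders because the issue text does not list them, and the package names `php` and `php-fpm` are an assumption: the actual name depends on how the distribution packages PHP (Debian, for instance, uses versioned names such as `php8.3-fpm`).

```yaml
# .grype.yaml -- added example, not taken from the issue or from grype's own docs.
# Each rule suppresses one disputed record and is scoped to one package so that
# a genuinely new PHP finding is not silenced by accident.
ignore:
  # Placeholder id: substitute the first ancient, PHP-CNA-unassigned record from the issue.
  # Upstream does not consider this a vulnerability; the record is disputed at the CNA level.
  - vulnerability: CVE-YYYY-NNNNN
    package:
      name: php          # assumed package name; adjust to the distro's naming
  # Placeholder id: the record that requires a user to overflow their own local machine.
  - vulnerability: CVE-YYYY-MMMMM
    package:
      name: php-fpm      # assumed package name; adjust to the distro's naming
```

grype reads `.grype.yaml` from the working directory (or the path given with `--config`). Suppressed findings are not dropped silently: with `-o json` they are still emitted under a separate `ignoredMatches` list, which is what makes this approach auditable when the ignore file is committed alongside the scanned project and revisited once the upstream dispute is resolved.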