[Chore] resolve "perpetually open" CVEs for PHP and FPM #14050

Open
dkarlovi opened this issue Apr 26, 2024 · 7 comments

Comments

@dkarlovi

Description

Using a security vulnerability scanner like https://github.com/anchore/grype will yield some (false positive?) perpetually open CVEs for PHP and FPM, namely:

CVE-2007-2728
CVE-2007-3205
CVE-2007-4596
CVE-2015-3211
CVE-2022-4900

Since with the exception of the last one, these are all ancient, it's possible to mark them as false positives, but projects like Node try to keep their open CVEs up to date to reflect the actual status and now show up on these and similar scanners, resulting in churn across the entire community.

Is there a way to deal with these and have them marked as resolved, invalid, etc?

PHP Version

PHP 8.3.6

Operating System

No response
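As an added example (not the reporter's own configuration, nor anything from the PHP or grype projects), this is what the "mark them as false positives" workaround from the description looks like as a grype ignore rule file, with the justification written next to each ID so the suppression stays reviewable while the dispute route discussed below is pursued. The `.grype.yaml` location and the package name `php` are assumptions about how grype names the PHP binary in a given image.

```yaml
# .grype.yaml (constructed example, placed in the directory grype is run from)
# Each rule suppresses one of the five IDs from the issue for the PHP package only,
# so the same CVE would still be reported if it matched a different component.
ignore:
  # CVE-2007-* entries: not assigned by the PHP CNA (per the thread), ancient,
  # and treated here as false positives against a current PHP release.
  - vulnerability: CVE-2007-2728
    package:
      name: php          # assumed package name for the PHP binary
  - vulnerability: CVE-2007-3205
    package:
      name: php
  - vulnerability: CVE-2007-4596
    package:
      name: php
  - vulnerability: CVE-2015-3211
    package:
      name: php
  # CVE-2022-4900: the thread states it requires a user to knowingly trigger an
  # overflow on their own local machine, so it is not treated as a security issue.
  - vulnerability: CVE-2022-4900
    package:
      name: php
```

Findings matched by these rules are dropped from the default output, so keep the file under version control so the reasoning travels with the image build.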

@nielsdos (Member)

None of those CVEs were assigned by the PHP CNA, and so we don't have control over them. One is not even a security issue and is disputed, and the last one also isn't considered a security issue as it would require a user to knowingly trigger an overflow on their own local machine.

@dkarlovi (Author)

@nielsdos the idea is to reach out to somebody who can close them then. This way, PHP is perpetually "on the list" and shows up whenever anyone does a CVE-based scan; fixing this is in PHP's best interest.

@bukka (Member)

bukka commented Apr 28, 2024

There isn't anything that can be done here about it I'm afraid.

@dkarlovi (Author)

It seems the correct procedure is what's outlined in this document: the PHP Foundation or PHP CNA would start a dispute with the CVE owner CNA.

https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf

@javiereguiluz (Contributor)

I agree with @dkarlovi. This (unfairly) hurts the PHP project's reputation. Maybe Roman (@pronskiy) from the PHP Foundation can look into this and start a dispute over these CVEs (or assign this task to somewhere else in the Foundation?). Thanks!

@pronskiy

pronskiy commented May 3, 2024

Thank you for bringing this up. Let me check what we can do and get back to you.

@bukka (Member)

bukka commented May 3, 2024

Stas is already looking into it.
