Open
Labels: cmake (Build system in general and CMake in particular), packaging
Description
An automated security scan of 15.0.1, run while upgrading our toolchain to 15.0.1, complained about the following dependencies.
The relevant requirement files are:
- third-party/benchmark/requirements.txt
  - numpy==1.19.4: CVE-2021-41495, CVE-2021-41496
  - pandas==1.1.5: CVE-2020-13091
  - scipy==1.5.4: CVE-2018-1999024
- llvm/utils/git/requirements.txt
  - gitpython==3.1.26: Sonatype CWE 1333
  - pyjwt==2.3.0: CVE-2022-29217
- mlir/utils/vscode/package-lock.json
  - minimatch:3.0.4: Sonatype CWE 1333
- flang/examples/FlangOmpReport/requirements.txt
  - ruamel.yaml==0.17.16: CVE-2019-20478; this actually looks like a false positive in the scanner; the used version should no longer be impacted
From my understanding, none of those dependencies affect the security of the built LLVM libraries/tools. I would still appreciate it if we could update those libraries to their latest versions, so next time around I will not need security exemptions to use LLVM.