<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/57907>57907</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Security vulnerabilities in LLVM's transitive dependencies
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          vogelsgesang
      </td>
    </tr>
</table>

<pre>
    An automated security scan of 15.0.1, run while upgrading our toolchain to 15.0.1, complained about the following dependencies:

<img width="710" alt="Screenshot 2022-09-22 at 19 14 11" src="https://user-images.githubusercontent.com/6820896/191810391-d9782960-4dbd-4d3c-9521-598fe588de94.png">

The relevant requirement files are:
* third-party/benchmark/requirements.txt
   * numpy==1.19.4 [CVE-2021-41495](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41495), [CVE-2021-41496](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41496)
   * pandas==1.1.5 [CVE-2020-13091](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13091)
   * scipy==1.5.4 [CVE-2018-1999024](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1999024)
* llvm/utils/git/requirements.txt
   * gitpython==3.1.26 [Sonatype CWE 1333](https://cwe.mitre.org/data/definitions/1333.html)
   * pyjwt==2.3.0 [CVE-2022-29217](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29217)
* mlir/utils/vscode/package-lock.json
   * minimatch:3.0.4 [Sonatype CWE 1333](https://cwe.mitre.org/data/definitions/1333.html)
* flang/examples/FlangOmpReport/requirements.txt
   * ruamel.yaml==0.17.16 [CVE-2019-20478](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20478); this actually looks like a false positive in the scanner; the used version should no longer be impacted
   
From my understanding, none of those dependencies affect the security of the built LLVM libraries/tools. I would still appreciate it if we could update those libraries to their latest versions, so next time around I will not need security exceptions to use LLVM.
</pre>
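<p>The report above is a name-and-version match of pinned files against an advisory feed, and the ruamel.yaml entry shows the caveat a practitioner wants covered: a scanner that matches on package name alone flags a pin that is already past the fixed version. The following is an added example, not code from the issue or from the LLVM project. It parses exact pins from <code>requirements.txt</code> and from a <code>package-lock.json</code> and checks each against an advisory's affected range rather than just its name. The advisory identifiers and version ranges are constructed for illustration and do not reproduce real NVD data; the sample requirement files mirror the pins listed in the issue.</p>

```python
"""Range-aware audit of pinned Python and npm dependencies.

Added example; not part of the LLVM issue or project. The advisory table and
the sample files below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    ecosystem: str            # "pypi" or "npm"
    package: str
    advisory_id: str          # constructed identifier, not a real CVE
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None if unfixed


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.19.4' -> (1, 19, 4, 0). Simplification: numeric dot-separated
    releases only; pre-release and local tags are ignored."""
    parts = []
    for piece in v.split(".")[:4]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, str]:
    """Collect exact '==' pins from a requirements.txt; comments, blank lines
    and non-exact specifiers are skipped. Names are lower-cased for lookup."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def _walk(deps: dict, out: Dict[str, str]) -> None:
    # lockfileVersion 1 nests transitive dependencies under each entry
    for name, meta in deps.items():
        if "version" in meta:
            out[name] = meta["version"]
        _walk(meta.get("dependencies", {}), out)


def parse_package_lock(text: str) -> Dict[str, str]:
    """Return {name: version} for the 'dependencies' tree (lockfileVersion 1)
    and the flat 'packages' map (lockfileVersion 2/3) of a package-lock.json."""
    lock = json.loads(text)
    pins: Dict[str, str] = {}
    _walk(lock.get("dependencies", {}), pins)
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" in path and "version" in meta:
            pins[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    return pins


def affected(version: str, adv: Advisory) -> bool:
    """True if introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def audit(pins: Dict[str, str], ecosystem: str,
          advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Range-aware check: (package, version, advisory_id) for each pin that
    actually falls inside an advisory's affected range."""
    hits = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if adv.ecosystem == ecosystem and version is not None and affected(version, adv):
            hits.append((adv.package, version, adv.advisory_id))
    return hits


def name_only_matches(pins: Dict[str, str], ecosystem: str,
                      advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """What a naive scanner reports: any pinned package that has an advisory,
    regardless of version. This is where the false positive comes from."""
    return [(a.package, pins[a.package.lower()], a.advisory_id)
            for a in advisories
            if a.ecosystem == ecosystem and a.package.lower() in pins]


# Constructed advisory data: identifiers and ranges are illustrative only.
ADVISORIES = [
    Advisory("pypi", "numpy", "ADV-0001", "0", "1.22.0"),
    Advisory("pypi", "pyjwt", "ADV-0002", "1.5.0", "2.4.0"),
    Advisory("pypi", "ruamel.yaml", "ADV-0003", "0", "0.16.8"),  # pin below is past the fix
    Advisory("npm", "minimatch", "ADV-0004", "0", "3.0.5"),
]

# Constructed sample inputs mirroring the pins listed in the issue.
BENCHMARK_REQS = "numpy==1.19.4\npandas==1.1.5\nscipy==1.5.4\n"
GIT_REQS = "gitpython==3.1.26\npyjwt==2.3.0  # comment is ignored\n"
FLANG_REQS = "ruamel.yaml==0.17.16\n"
PACKAGE_LOCK = json.dumps({
    "name": "sample-extension", "lockfileVersion": 1,
    "dependencies": {
        "glob": {"version": "7.1.6",
                 "dependencies": {"minimatch": {"version": "3.0.4"}}},
    },
})


def run_demo():
    """Audit all sample files; returns (pypi_hits, npm_hits)."""
    pins: Dict[str, str] = {}
    for text in (BENCHMARK_REQS, GIT_REQS, FLANG_REQS):
        pins.update(parse_requirements(text))
    return (audit(pins, "pypi", ADVISORIES),
            audit(parse_package_lock(PACKAGE_LOCK), "npm", ADVISORIES))


if __name__ == "__main__":
    py_hits, npm_hits = run_demo()
    print("range-aware pypi hits:", py_hits)
    print("range-aware npm hits:", npm_hits)
    print("name-only flang matches:",
          name_only_matches(parse_requirements(FLANG_REQS), "pypi", ADVISORIES))
```

<p>With the constructed ranges, <code>audit</code> reports numpy and pyjwt from the Python pins and minimatch from the lock file, while <code>ruamel.yaml==0.17.16</code> is dropped because it sits above the advisory's fixed version; <code>name_only_matches</code> on the same file still reports it, which is the kind of false positive the issue notes. The version comparison is deliberately simplified to numeric releases; a production check should use a PEP 440 implementation for PyPI and semver for npm.</p>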
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJy1VsFu4zgM_RrnQtiwrNixDjl0Oi0wwCwW2C5mz7JFJ5rKkleSk-bvl3Ka1jtzmEsHMCxZEsnHR4p059Rlf2dBztGNMqKCgP3sdbxA6KUFNwCri7JgoGjVHmCeDl6qNHOzh-ic6Y9SW5rdDvZunAwtkS7ZuTlCPCIMzhh3TmIKJ7QKba8xZOXnrLx7ffN7PR7grFU8ZvxzVlU7VtIbpInX76feI9pwdBGqsqryUuRpOwITwLbAWDodfH89fYxxChm_y6pHeuaAPtejPGAoDjoe5y6t9M5GtLEgyHSmaauyFQ3NmGAtK7lguRK7thJNmW9Vp-jF-1zUFctr0Q5Yt61CsS0meyCDGX9Y-_M3ee3R4EnaSJN_Z-1xJGMwaIMBpMcE7ipQ3RFJ2qt8kj5eCEBH_BxH6Z9pvpINRXyJVxkASGJ2HqdLcph_ZgUTxRay-tP9t4ecGGL5lm1FndVER5voeGPjjF1hT6qwOsTi4E60dNJ4TsNsLA0Ko9Qm48v3F0Xaf9BZiay6_8lW8xtsNcnW2uVJWiXDm89FvYJR5oyXgn0ojJvOH2CEXr8zX6-JZ23OhBBltf1IHCutNyQJhjGnlLtz1CbQSLn9q5ShI9MlHp29gudEYdUk9E_OyniZEO7_eQDGOX-H_36R-jMWo44eC-cPCa6MckE9aKujdjahSMLFMY7mp9hdvp_j1W5V8KJcha7KK1Gx3YeG7qZzTdhotF8Rdgq9U0iTSfbPVB5y4_rn4nsgetbAR_KO6mNPpemOcF_D_TsJS0YHI1NlecQXSSUV08HHtPTnOP2Fk_O_DLWf5YimuEhSvJBO9XlXsGaVq1RDy-2u_dBMvekkX_inVNmo3PVxlsZcwDj3HMDoZwQJgzQBYXKBiDghpDZCVTM1Hov-KotAhVrBCX0groCq_2wUWEeK7AE9dCQ2Uuyodb27vkwevRthvMBM3caHSFVDJzbvSdhiamx0B8j6uh-BHAbsrx3rrQ8uJxG6WZsIX79--4PQd156vQQkdcBQwBc4L8ACpZUBOU0ee039FPQAZ4TUSudJpYWr1TcVqXGSeu3B0G6IN09DQhocWHwhPHokurwjV5KlZMJSF7S47tf40uM4LRmVlBJtC9oN7lnT8LZpy5pv1J4rwYXcRB0N7p9uwimE6GWnDYWCUFEoknBW7UiZl_Y1QmuyNrM3-__n-rWzvrbT18qUhnzy7jsRS586hHkhrt6Jcrc57hlH0SPjaqgVbyqxHQbRIatq3inJm2FjZIcm7CllKUk3ep_udSkqutd8y6qi23Zd2zQ7xAY568tsW-JIeVkkw-nObfx-wdDNh0CbhtI5vG_KEPSBiLzppx-ho_P7kzuQUfpboOu2WTDvF8D_AfCt15g">