<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/64417>64417</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Security vulnerabilities in 17.0.0-rc1
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          vogelsgesang
      </td>
    </tr>
</table>

<pre>
An automated security scan of 17.0.0-rc1 complained about the following dependencies

<img width="666" alt="Screenshot 2023-08-04 at 13 45 08" src="https://github.com/llvm/llvm-project/assets/6820896/11664951-6a24-4c12-99b2-1b67c4c3ac8d">

<img width="660" alt="Screenshot 2023-08-04 at 13 46 06" src="https://github.com/llvm/llvm-project/assets/6820896/16b31029-4d7d-4543-ad9a-5428a1d48e2c">


The relevant requirement files are:

* llvm/utils/git/requirements.txt
  * certifi==2023.5.7 [CVE-2023-37920](https://nvd.nist.gov/vuln/detail/CVE-2023-37920); [Security advisory](https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7)
  * requests==2.28.1 [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681)
* mlir/utils/vscode/package-lock.json
  * minimatch:3.0.4 [Sonatype CWE 1333](https://cwe.mitre.org/data/definitions/1333.html)
  * semver:7.3.7 [CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883)
* third-party/benchmark/requirements.txt
  * numpy==1.19.4 [CVE-2021-41495](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41495), [CVE-2021-41496](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41496)
  * pandas==1.1.5 [CVE-2020-13091](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13091)
  * scipy==1.5.4 [CVE-2018-1999024](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1999024)
* flang/examples/FlangOmpReport/requirements.txt
  * ruamel.yaml==0.17.16 [CVE-2019-20478](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20478); this actually looks like a false positive in the scanner; the used version should no longer be impacted, but I guess upgrading to the latest version `0.17.32` can't hurt

(Previously reported in https://github.com/llvm/llvm-project/issues/57907#issuecomment-1665478426; splitting this off as a separate issue as requested on [Discourse](https://discourse.llvm.org/t/llvm-17-0-0-rc1-tagged/72404/9?u=avogelsgesang))
</pre>
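As an added example (not part of the issue or of the LLVM project), a small Python check of the kind such a scanner performs: it parses `==` pins from a requirements file and compares each against an advisory list, reporting separately any pin that already sits at or above the first fixed version, which is the false-positive situation the ruamel.yaml entry describes. The requirements text and the advisory table are constructed for illustration; the "fixed in" versions are placeholders, not a statement of the real fix versions for these CVEs.

```python
import re

# Constructed sample requirements file (pins mirror the ones named in the issue).
REQUIREMENTS_TXT = """\
# sample requirements.txt
certifi==2023.5.7
requests==2.28.1
ruamel.yaml==0.17.16
"""

# Constructed advisory table: package -> [(advisory id, first fixed version)].
# Fixed versions are placeholders chosen to show both outcomes of the check.
ADVISORIES = {
    "certifi": [("CVE-2023-37920", "2023.7.22")],
    "requests": [("CVE-2023-32681", "2.31.0")],
    "ruamel.yaml": [("CVE-2019-20478", "0.16.0")],  # pin 0.17.16 is already past it
}

# Only exact pins are handled; ranges, extras and markers are ignored on purpose.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def parse_version(v):
    """'2023.5.7' -> (2023, 5, 7); non-numeric segments (e.g. 'rc1') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def version_lt(a, b):
    """Compare two dotted versions, padding the shorter with zeros (1.0 == 1.0.0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_pins(text):
    """Return {package_name_lowercase: pinned_version} from requirements text."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def audit(pins, advisories):
    """Split hits into (still_vulnerable, already_fixed) lists of (pkg, ver, id)."""
    vulnerable, already_fixed = [], []
    for pkg, ver in pins.items():
        for adv_id, fixed_in in advisories.get(pkg, []):
            bucket = vulnerable if version_lt(ver, fixed_in) else already_fixed
            bucket.append((pkg, ver, adv_id))
    return vulnerable, already_fixed
```

Running `audit(parse_pins(REQUIREMENTS_TXT), ADVISORIES)` lists certifi and requests as still affected and ruamel.yaml as already past the (placeholder) fix, so a scanner matching on advisory id alone would over-report the last one.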