[cfe-dev] Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210

Alex L via cfe-dev cfe-dev at lists.llvm.org
Mon Aug 26 10:40:49 PDT 2019


Hi,

The `clang-tidy-vs` Visual Studio plugin in clang-tools-extra contains a
security vulnerability in the YamlDotNet package [1]. GitHub flags the code
in clang-tools-extra as a high-priority security vulnerability. If you're
an admin of a custom fork of the llvm-project monorepo on GitHub, you get a
banner every time you open the GitHub webpage for the repo, and an
additional weekly email about this high-priority vulnerability.

I've emailed Zachary, who originally added the plugin, about this issue, and
also filed a bug report on llvm.org [2]. From what I gathered so far, I
don't think Zachary works on llvm-project anymore. Would there be anyone
else who'd be interested in updating the plugin to address the
vulnerability? If not, would it be reasonable to remove this plugin from
llvm-project entirely?

Thanks,
Alex

[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-1000210
[2]: https://bugs.llvm.org/show_bug.cgi?id=41791