Viewing CVEs For Your Active Guix Profile And System
Someone in #guix IRC gave me this helpful command for listing CVEs for your active Guix profile and system:
Things were a little more complicated for me because I use inferiors, so some installed packages are not in the current guix pull. I had to add some grep calls to exclude those packages from the list:
Most of these are Medium level CVEs. It looks like a lot of vulnerabilities, but things are not so clear when you start actually reading the CVEs. Many of them have notes similar to "this CVE has been modified and is awaiting re-analysis" or "it is highly unlikely that this vulnerability would ever be exposed in any real use of the application" or "third parties dispute the significance of this issue". The CVE shown attached to openssl, at a quick glance, appears to be more of a vulnerability in the Ruby module that uses openssl.
Yes, I find one must carefully read the CVEs before blindly taking action when I work with Android kernels.