From afc8879d24e14907f90030685c224c4cb816df48 Mon Sep 17 00:00:00 2001
From: Luna Nova
Date: Sun, 2 Nov 2025 10:55:03 -0800
Subject: [PATCH] whisper: set knownVulnerabilities due to dated vendored libraries

whisper vendors libraries acof, aelf, deflate, bzip2, zlib that haven't been updated in 6-8 years
---
 pkgs/by-name/wh/whisper/package.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkgs/by-name/wh/whisper/package.nix b/pkgs/by-name/wh/whisper/package.nix
index 9ce1836b25d3..ae12ed7140d3 100644
--- a/pkgs/by-name/wh/whisper/package.nix
+++ b/pkgs/by-name/wh/whisper/package.nix
@@ -51,6 +51,15 @@ stdenv.mkDerivation rec {
     broken = stdenv.hostPlatform.isDarwin;
     description = "Short read sequence mapper";
     license = licenses.gpl3;
+    # vendored libraries acof, aelf, deflate, bzip2, zlib
+    # https://github.com/refresh-bio/Whisper/issues/18
+    knownVulnerabilities = [
+      # src/libs/libz.a from 2017
+      "CVE-2018-25032"
+      "CVE-2022-37434"
+      # src/libs/libbzip2.lib
+      "CVE-2019-12900"
+    ];
     homepage = "https://github.com/refresh-bio/whisper";
     maintainers = with maintainers; [ jbedo ];
     platforms = platforms.x86_64;
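Review bot: The added `knownVulnerabilities` list covers only two of the five vendored libraries named in the comment above it (zlib and bzip2), so acof, aelf and deflate are called out as stale but carry no entry, and a reader or a tool consuming this attribute could take the three CVEs as the package's complete exposure. The leading comment should state that explicitly, e.g. `# Non-exhaustive: only the bundled zlib and bzip2 have assigned CVE IDs; acof, aelf and deflate are equally dated (upstream issue #18)`. The three identifiers themselves match the libraries they are filed under (CVE-2018-25032 and CVE-2022-37434 are zlib deflate/inflate memory-corruption bugs fixed in 1.2.12 and 1.2.13, CVE-2019-12900 is the bzip2 BZ2_decompress out-of-bounds write), so the entries look correct as far as they go. Marking the derivation insecure is a stopgap; if the build can be pointed at nixpkgs' own `zlib` and `bzip2` instead of the static `src/libs/libz.a` and `src/libs/libbzip2.lib` (the build phase is not visible here, so this may not be straightforward), the two documented issues would be removed rather than merely flagged. The enclosing `meta` attrset starts before and ends after this hunk.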