Bug 665120 - dev-util/pkgcheck-0.5.4 false positives in TreeVulnerabilitiesReport
Summary: dev-util/pkgcheck-0.5.4 false positives in TreeVulnerabilitiesReport
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Tim Harder
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-02 18:56 UTC by Ulrich Müller
Modified: 2018-09-15 11:59 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Ulrich Müller gentoo-dev 2018-09-02 18:56:40 UTC
$ pkgcheck --checks=TreeVulnerabilitiesReport app-editors/emacs

app-editors/emacs
  VulnerablePackage: version 18.59-r12: vulnerable via glsa(201801-07) ( ( ver-rev < 23.4-r16 || ver-rev < 24.5-r4 || ver-rev < 25.2-r1 ) ), keywords: amd64, x86
  VulnerablePackage: version 23.4-r18: vulnerable via glsa(201801-07) ( ( ver-rev < 23.4-r16 || ver-rev < 24.5-r4 || ver-rev < 25.2-r1 ) ), keywords: alpha, amd64, amd64-fbsd, amd64-linux, arm, hppa, ia64, mips, ppc, ppc-macos, ppc64, sh, sparc, x86, x86-fbsd, x86-linux, x86-macos
  VulnerablePackage: version 24.3-r8: vulnerable via glsa(201801-07) ( ( ver-rev < 23.4-r16 || ver-rev < 24.5-r4 || ver-rev < 25.2-r1 ) ), keywords: 
  VulnerablePackage: version 24.5-r5: vulnerable via glsa(201801-07) ( ( ver-rev < 23.4-r16 || ver-rev < 24.5-r4 || ver-rev < 25.2-r1 ) ), keywords: alpha, amd64, amd64-fbsd, amd64-linux, arm, hppa, ia64, mips, ppc, ppc-macos, ppc64, sh, sparc, x64-macos, x86, x86-fbsd, x86-linux, x86-macos
  VulnerablePackage: version 24.5-r7: vulnerable via glsa(201801-07) ( ( ver-rev < 23.4-r16 || ver-rev < 24.5-r4 || ver-rev < 25.2-r1 ) ), keywords: alpha, amd64, amd64-fbsd, amd64-linux, arm, hppa, ia64, mips, ppc, ppc-macos, ppc64, sh, sparc, x64-macos, x86, x86-fbsd, x86-linux, x86-macos


All of the above are false positives. glsa-201801-07.xml actually contains this information about affected versions:

  <affected>
    <package name="app-editors/emacs" auto="yes" arch="*">
      <unaffected range="ge" slot="23">23.4-r16</unaffected>
      <unaffected range="ge" slot="24">24.5-r4</unaffected>
      <unaffected range="ge" slot="25">25.2-r1</unaffected>
      <vulnerable range="lt" slot="23">23.4-r16</vulnerable>
      <vulnerable range="lt" slot="24">24.5-r4</vulnerable>
      <vulnerable range="lt" slot="25">25.2-r1</vulnerable>
    </package>
  </affected>

None of which matches any of the versions in the pkgcheck output (nor any version in the tree).
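To make the reported mismatch concrete, here is an added example (editor's code, not pkgcheck's or pkgcore's) that parses the `<affected>` block quoted above and evaluates the emacs versions two ways: once by OR-ing every `<vulnerable>` range together regardless of slot, which reproduces the `ver-rev < 23.4-r16 || ver-rev < 24.5-r4 || ver-rev < 25.2-r1` expression in the pkgcheck output, and once slot-aware, where a range only applies to versions in its own slot and a matching `<unaffected>` range for that slot overrides. The slot assignments in the sample (emacs slots by major version), the hypothetical version 25.1 added as a true positive, and the simplified version parser (numeric components plus an optional `-rN` revision only) are assumptions of this example, not taken from the bug.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <affected> block quoted in the bug report, wrapped
# in a minimal <glsa> root so it parses stand-alone.
GLSA_XML = """<glsa id="201801-07">
<affected>
  <package name="app-editors/emacs" auto="yes" arch="*">
    <unaffected range="ge" slot="23">23.4-r16</unaffected>
    <unaffected range="ge" slot="24">24.5-r4</unaffected>
    <unaffected range="ge" slot="25">25.2-r1</unaffected>
    <vulnerable range="lt" slot="23">23.4-r16</vulnerable>
    <vulnerable range="lt" slot="24">24.5-r4</vulnerable>
    <vulnerable range="lt" slot="25">25.2-r1</vulnerable>
  </package>
</affected>
</glsa>"""

# Constructed sample: versions from the bug report with the slot their
# ebuilds use (assumption: emacs slots by major version), plus one
# hypothetical slot-25 version below the fixed version as a true positive.
TREE_VERSIONS = [
    ("18.59-r12", "18"),
    ("23.4-r18", "23"),
    ("24.5-r5", "24"),
    ("24.5-r7", "24"),
    ("25.1", "25"),
]

OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def parse_version(ver):
    """Split '24.5-r7' into ((24, 5), 7) so tuples compare in version order.

    Simplified on purpose: dotted numeric components and an optional -rN
    revision only; letter suffixes and _pre/_p/_rc parts are not handled."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return nums, rev


def parse_ranges(xml_text, atom):
    """Return ([(op, slot, bound)...] vulnerable, [...] unaffected) for one package."""
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        if pkg.get("name") != atom:
            continue
        def rows(tag):
            return [(r.get("range"), r.get("slot"), parse_version(r.text.strip()))
                    for r in pkg.findall(tag)]
        return rows("vulnerable"), rows("unaffected")
    return [], []


def is_vulnerable_ignoring_slot(ver, ranges):
    """Slot-blind check: any <vulnerable> range matches, whatever its slot.
    This is the behaviour the pkgcheck-0.5.4 output above shows."""
    v = parse_version(ver)
    vuln, _unaff = ranges
    return any(OPS[op](v, bound) for op, _slot, bound in vuln)


def is_vulnerable(ver, slot, ranges):
    """Slot-aware check: a range applies only to its own slot (a range without
    a slot attribute applies to all slots), and an applicable <unaffected>
    range overrides any <vulnerable> match."""
    v = parse_version(ver)
    vuln, unaff = ranges

    def applies(range_slot):
        return range_slot is None or range_slot == slot

    if any(applies(s) and OPS[op](v, b) for op, s, b in unaff):
        return False
    return any(applies(s) and OPS[op](v, b) for op, s, b in vuln)


def report(xml_text=GLSA_XML, atom="app-editors/emacs", versions=TREE_VERSIONS):
    """Map each version to (slot-blind verdict, slot-aware verdict)."""
    ranges = parse_ranges(xml_text, atom)
    return {ver: (is_vulnerable_ignoring_slot(ver, ranges),
                  is_vulnerable(ver, slot, ranges))
            for ver, slot in versions}


if __name__ == "__main__":
    for ver, (blind, aware) in report().items():
        print(f"{ver:10} slot-blind: {str(blind):5} slot-aware: {aware}")
```

Running it shows every version in the tree flagged by the slot-blind check (all are below 25.2-r1), while the slot-aware check clears 18.59-r12 (no ranges for slot 18) and the 23.4 and 24.5 revisions (each at or above its slot's `<unaffected>` bound), and still flags the hypothetical 25.1.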
Comment 1 Tim Harder gentoo-dev 2018-09-15 11:59:31 UTC
Fixed in https://github.com/pkgcore/pkgcore/commit/f3bd1bce.