Add osv-scanner.toml, ignoring some non-exploitable vulns

3 files changed, 96 insertions, 0 deletions

diff --git a/gui/scripts/osv-scanner.toml b/gui/scripts/osv-scanner.toml
new file mode 100644
index 0000000000..ec390ea1d3
--- /dev/null
+++ b/gui/scripts/osv-scanner.toml
@@ -0,0 +1,43 @@
+# See repository root `osv-scanner.toml` for instructions and rules for this file.
+
+# Pillow arbitrary code execution
+[[IgnoredVulns]]
+id = "CVE-2023-50447" # GHSA-3f63-hfp8-52jq
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow buffer overflow
+[[IgnoredVulns]]
+id = "CVE-2024-28219" # GHSA-44wm-f244-xhp3
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow DoS
+[[IgnoredVulns]]
+id = "CVE-2023-44271" # GHSA-8ghj-p4vj-mr35
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# libwebp: OOB write in BuildHuffmanTable
+[[IgnoredVulns]]
+id = "CVE-2023-5129" # GHSA-j7hp-h8jx-5ppr
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863)
+[[IgnoredVulns]]
+id = "PYSEC-2023-175"
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863)
+[[IgnoredVulns]]
+id = "GHSA-56pw-mpj4-fxww"
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow vulnerable to Data Amplification attack.
+[[IgnoredVulns]]
+id = "CVE-2022-45198" # GHSA-m2vv-5vj5-2hm7
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000000..0349695942
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,52 @@
+# List of ignored known vulnerabilities
+#
+# A vulnerability should only be ignored if it cannot be upgraded to a fixed version, or if
+# upgrading it has significant other downsides.
+#
+# Every ignored vulnerability entry must have an `ignoreUntil`.
+# * It is not allowed to ignore a vulnerability indefinitely.
+# * The default should be to ignore a vulnerability for three months.
+# * A vulnerability can be ignored for up to a year at most (Use extremely sparsely).
+# * If anything above three months is used, write a short comment about why this ignore is longer.
+#
+# Try to use the "original" identifier as `id`. This means the identifier used by the original
+# vulnerability database it originates from. These are usually listed as "Aliases" on osv.dev.
+# Feel free to add more identifiers as comments after the `id`.
+#
+# In the `reason` field explain why this vulnerability does not affect us,
+# and why we can't change to an unaffected version.
+#
+# Write a comment above each entry specifying what dependency it is about and what type of
+# vulnerability it is. The other fields do not convey this.
+#
+# Remove the ignore as soon as we upgrade or otherwise get rid of the vulnerable dependency from
+# our product.
+#
+# When an `ignoreUntil` expire and start yielding errors on a previously ignored issue, follow
+# these steps:
+# 1. Try to upgrade away from the vulnerable versions and get rid of the ignore.
+# 2. Update any outdated info in this ignore.
+# 3. Bump the `ignoreUntil` following the same rules as when initially adding an ignore entry.
+
+# Example entry:
+#
+# ```
+# # libbaz remote code execution in get_date() function
+# [[IgnoredVulns]]
+# id = "CVE-2020-12345" # GHSA-abcd-efgh-1234
+# ignoreUntil = 2024-12-05 # Ignored for six months at a time. Unlikely to be fixed, but also unlikely to be an issue for us.
+# reason = """
+# The vulnerable code path is currently not triggered by us or our dependencies.
+# `renderer-helper` currently depend on this version of libbaz, preventing us from upgrading to a fixed version.
+# """
+# ```
+
+# KyberSlash timing attack against Kyber PQ KEM
+[[IgnoredVulns]]
+id = "RUSTSEC-2023-0079"
+ignoreUntil = 2024-12-05 # Ignored for six months at a time. This class of timing based attacks are not exploitable in our protocol design
+reason = """
+KyberSlash is not exploitable in our usage of it:
+https://mullvad.net/en/blog/mullvads-usage-of-kyber-is-not-affected-by-kyberslash
+And no patched version is available.
+"""
diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml
new file mode 100644
index 0000000000..5df7b8d3b9
--- /dev/null
+++ b/test/osv-scanner.toml
@@ -0,0 +1 @@
+# See repository root `osv-scanner.toml` for instructions and rules for this file.