diff options
| author | David Göransson <david.goransson@mullvad.net> | 2024-08-06 16:27:25 +0200 |
|---|---|---|
| committer | David Göransson <david.goransson@mullvad.net> | 2024-08-06 16:27:25 +0200 |
| commit | 0a9158eb70ebe7cdbbdc8ac643800cd635cf33f1 (patch) | |
| tree | 44ee1767f92eaba57b9704da67f9cf2a8e4e4329 /android | |
| parent | d4f4669931690531e0ee3d3c1f239b5ffd30619b (diff) | |
| parent | 759aba1a3413977965431a3c6d3dfed76f9af9e3 (diff) | |
| download | mullvadvpn-0a9158eb70ebe7cdbbdc8ac643800cd635cf33f1.tar.xz mullvadvpn-0a9158eb70ebe7cdbbdc8ac643800cd635cf33f1.zip | |
Merge branch 'osv-scanner-netty-droid-1222'
Diffstat (limited to 'android')
| -rw-r--r-- | android/gradle/osv-scanner.toml | 67 |
1 files changed, 31 insertions, 36 deletions
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml index 25ca2747a1..07d829b468 100644 --- a/android/gradle/osv-scanner.toml +++ b/android/gradle/osv-scanner.toml @@ -1,89 +1,84 @@ # See repository root `osv-scanner.toml` for instructions and rules for this file. # -# Temporarily ignoring all reported android vulnerabilites with a one month deadline -# since we plan to examine the vulnerabilites and bootstrap this file with proper -# ignore reasons (or address by bumping dependencies). -# -# Also worth mentioning that we're already using the OWASP Dependency-Check tool -# for the android code base as of before. +# The OWASP Dependency-Check tool is also used for vulnerability scanning. [[IgnoredVulns]] id = "CVE-2022-45868" # GHSA-22wj-vf5f-wrvj -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "Used by the dependency-check tool and not the app directly." [[IgnoredVulns]] id = "CVE-2023-3635" # GHSA-w33c-445m-f8w7 -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "We do not use gzip when using okio." [[IgnoredVulns]] id = "CVE-2024-29025" # GHSA-5jpm-x58v-624v -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "We do not use netty for http communication." [[IgnoredVulns]] id = "CVE-2023-44487" # GHSA-xpw8-rcwv-8f8p -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "No impact on this app since it uses UDS rather than HTTP2." [[IgnoredVulns]] id = "CVE-2023-34462" # GHSA-6mjq-h674-j845 -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "We do not use netty for http communication." [[IgnoredVulns]] id = "CVE-2024-26308" # GHSA-4265-ccf5-phj5 -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "Apache commons compress is used by lint and not the app directly." [[IgnoredVulns]] id = "CVE-2024-25710" # GHSA-4g9r-vxhx-9pgx -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "Apache commons compress is used by lint and not the app directly." [[IgnoredVulns]] id = "CVE-2020-13956" # GHSA-7r82-7xv7-xcpj -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "Apache http client is used by lint and not the app directly." [[IgnoredVulns]] id = "CVE-2023-51775" # GHSA-6qvw-249j-h44c -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-09-02 +reason = "Used by the gradle bundler, will be fixed by upgrading the android gradle plugin." [[IgnoredVulns]] id = "CVE-2023-31582" # GHSA-7g24-qg88-p43q -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-09-02 +reason = "Used by the gradle bundler, will be fixed by upgrading the android gradle plugin." [[IgnoredVulns]] id = "GHSA-jgvc-jfgh-rjvv" -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-09-02 +reason = "Used by the gradle bundler, will be fixed by upgrading the android gradle plugin." [[IgnoredVulns]] id = "CVE-2022-24329" # GHSA-2qp4-g3q3-f92w -ignoreUntil = 2024-08-02 -reason = "See top comment" +ignoreUntil = 2024-11-02 +reason = "This CVE only affect Multiplatform Gradle Projects, which this project is not." [[PackageOverrides]] name = "org.bouncycastle:bcprov-jdk15on" ecosystem = "Maven" ignore = true -effectiveUntil = 2024-08-02 -reason = "See top comment" +effectiveUntil = 2024-11-02 +reason = "Used by lint and the dependency-check tool and not the app directly." [[PackageOverrides]] name = "org.bouncycastle:bcprov-jdk18on" ecosystem = "Maven" ignore = true -effectiveUntil = 2024-08-02 -reason = "See top comment" +effectiveUntil = 2024-11-02 +reason = "Used by lint and the dependency-check tool and not the app directly." [[PackageOverrides]] name = "org.bouncycastle:bcpkix-jdk18on" ecosystem = "Maven" ignore = true -effectiveUntil = 2024-08-02 -reason = "See top comment" +effectiveUntil = 2024-11-02 +reason = "Used by lint and the dependency-check tool and not the app directly." |