diff options
| author | Jonatan Rhodin <jonatan.rhodin@mullvad.net> | 2024-11-18 15:42:45 +0100 |
|---|---|---|
| committer | Jonatan Rhodin <jonatan.rhodin@mullvad.net> | 2024-11-20 10:35:59 +0100 |
| commit | 6bbce692b46f264b4d7322436cad7261e418d21d (patch) | |
| tree | 74875f6d19437a1b2adcc6a76ea5b7ac590fa242 /android | |
| parent | 746b94d8981316f633a81c3b57e88b5b6f3117f0 (diff) | |
| download | mullvadvpn-6bbce692b46f264b4d7322436cad7261e418d21d.tar.xz mullvadvpn-6bbce692b46f264b4d7322436cad7261e418d21d.zip | |
Clarify osv-scanner ignores
Diffstat (limited to 'android')
| -rw-r--r-- | android/gradle/osv-scanner.toml | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml index 7ca55275dc..44f4c9b645 100644 --- a/android/gradle/osv-scanner.toml +++ b/android/gradle/osv-scanner.toml @@ -2,21 +2,25 @@ # # The OWASP Dependency-Check tool is also used for vulnerability scanning. +# h2database: Cleartext Storage of Sensitive Information [[IgnoredVulns]] id = "CVE-2022-45868" # GHSA-22wj-vf5f-wrvj ignoreUntil = 2025-02-02 reason = "Used by the dependency-check tool and not the app directly." +# okio: Signed to Unsigned Conversion Error vulnerability [[IgnoredVulns]] id = "CVE-2023-3635" # GHSA-w33c-445m-f8w7 ignoreUntil = 2025-02-02 reason = "We do not use gzip when using okio." +# netty: HttpPostRequestDecoder can OOM [[IgnoredVulns]] id = "CVE-2024-29025" # GHSA-5jpm-x58v-624v ignoreUntil = 2025-02-02 reason = "We do not use netty for http communication." +# netty: Vulnerable to HTTP/2 Rapid Reset Attack [[IgnoredVulns]] id = "CVE-2023-44487" # GHSA-xpw8-rcwv-8f8p ignoreUntil = 2025-02-02 @@ -28,46 +32,56 @@ id = "GHSA-xpw8-rcwv-8f8p" ignoreUntil = 2025-02-02 reason = "No impact on this app since it uses UDS rather than HTTP2." +# netty: SniHandler 16MB allocation [[IgnoredVulns]] id = "CVE-2023-34462" # GHSA-6mjq-h674-j845 ignoreUntil = 2025-02-02 reason = "We do not use netty for http communication." +# apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file [[IgnoredVulns]] id = "CVE-2024-26308" # GHSA-4265-ccf5-phj5 ignoreUntil = 2025-02-02 reason = "Apache commons compress is used by lint and not the app directly." +# apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file [[IgnoredVulns]] id = "CVE-2024-25710" # GHSA-4g9r-vxhx-9pgx ignoreUntil = 2025-02-02 reason = "Apache commons compress is used by lint and not the app directly." +# apache httpclient: Cross-site scripting [[IgnoredVulns]] id = "CVE-2020-13956" # GHSA-7r82-7xv7-xcpj ignoreUntil = 2025-02-02 reason = "Apache http client is used by lint and not the app directly." +# kotlin: Improper Locking [[IgnoredVulns]] id = "CVE-2022-24329" # GHSA-2qp4-g3q3-f92w ignoreUntil = 2025-02-02 reason = "This CVE only affect Multiplatform Gradle Projects, which this project is not." +# protobuf-java: Has potential Denial of Service issue [[IgnoredVulns]] id = "CVE-2024-7254" # GHSA-735f-pc8j-v9w8 ignoreUntil = 2025-02-02 reason = "Should not be applicable since client and server are always in sync and we are only communicating locally over UDS." +# apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader [[IgnoredVulns]] id = "CVE-2024-47554" # GHSA-78wr-2p64-hpwj ignoreUntil = 2025-02-02 reason = "No impact since the app doesn't process externally crafted XML." +# netty: Denial of Service attack on windows app [[IgnoredVulns]] id = "CVE-2024-47535" # GHSA-xq3w-v528-46rv ignoreUntil = 2025-02-13 reason = "Only impacting Windows." +# Several vulns related to bouncy castle that is only being used by the dependency check tool. +# These are not used directly in the app. [[PackageOverrides]] name = "org.bouncycastle:bcprov-jdk15on" ecosystem = "Maven" |