diff options
| author | Jonatan Rhodin <jonatan.rhodin@mullvad.net> | 2025-02-03 14:53:54 +0100 |
|---|---|---|
| committer | Jonatan Rhodin <jonatan.rhodin@mullvad.net> | 2025-02-03 14:53:54 +0100 |
| commit | dbede06aed67d892de7fe495a3d4ac87dcecb83e (patch) | |
| tree | 67b2a16801092c44500b4aa47d03f1e976fef42c /android | |
| parent | f4c02852da9edc4d2ba72a9f01ec2f761ca9edaf (diff) | |
| parent | 73d8513678520fe0edd171e3b4f35930c5d105de (diff) | |
| download | mullvadvpn-dbede06aed67d892de7fe495a3d4ac87dcecb83e.tar.xz mullvadvpn-dbede06aed67d892de7fe495a3d4ac87dcecb83e.zip | |
Merge branch 'move-dates-forward'
Diffstat (limited to 'android')
| -rw-r--r-- | android/config/dependency-check-suppression.xml | 2 | ||||
| -rw-r--r-- | android/gradle/osv-scanner.toml | 51 |
2 files changed, 12 insertions, 41 deletions
diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml index 88020e381b..6fa39f3249 100644 --- a/android/config/dependency-check-suppression.xml +++ b/android/config/dependency-check-suppression.xml @@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> - <suppress until="2025-02-01Z"> + <suppress until="2025-05-01Z"> <notes><![CDATA[ This CVE only affect Multiplatform Gradle Projects, which this project is not. https://nvd.nist.gov/vuln/detail/CVE-2022-24329 diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml index 44f4c9b645..0b3df29516 100644 --- a/android/gradle/osv-scanner.toml +++ b/android/gradle/osv-scanner.toml @@ -5,73 +5,67 @@ # h2database: Cleartext Storage of Sensitive Information [[IgnoredVulns]] id = "CVE-2022-45868" # GHSA-22wj-vf5f-wrvj -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "Used by the dependency-check tool and not the app directly." -# okio: Signed to Unsigned Conversion Error vulnerability -[[IgnoredVulns]] -id = "CVE-2023-3635" # GHSA-w33c-445m-f8w7 -ignoreUntil = 2025-02-02 -reason = "We do not use gzip when using okio." - # netty: HttpPostRequestDecoder can OOM [[IgnoredVulns]] id = "CVE-2024-29025" # GHSA-5jpm-x58v-624v -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "We do not use netty for http communication." # netty: Vulnerable to HTTP/2 Rapid Reset Attack [[IgnoredVulns]] id = "CVE-2023-44487" # GHSA-xpw8-rcwv-8f8p -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "No impact on this app since it uses UDS rather than HTTP2." # Same as the vuln above, but it seems like osv scanner does not always make the connection. [[IgnoredVulns]] id = "GHSA-xpw8-rcwv-8f8p" -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "No impact on this app since it uses UDS rather than HTTP2." # netty: SniHandler 16MB allocation [[IgnoredVulns]] id = "CVE-2023-34462" # GHSA-6mjq-h674-j845 -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "We do not use netty for http communication." # apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file [[IgnoredVulns]] id = "CVE-2024-26308" # GHSA-4265-ccf5-phj5 -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "Apache commons compress is used by lint and not the app directly." # apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file [[IgnoredVulns]] id = "CVE-2024-25710" # GHSA-4g9r-vxhx-9pgx -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "Apache commons compress is used by lint and not the app directly." # apache httpclient: Cross-site scripting [[IgnoredVulns]] id = "CVE-2020-13956" # GHSA-7r82-7xv7-xcpj -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "Apache http client is used by lint and not the app directly." # kotlin: Improper Locking [[IgnoredVulns]] id = "CVE-2022-24329" # GHSA-2qp4-g3q3-f92w -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "This CVE only affect Multiplatform Gradle Projects, which this project is not." # protobuf-java: Has potential Denial of Service issue [[IgnoredVulns]] id = "CVE-2024-7254" # GHSA-735f-pc8j-v9w8 -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "Should not be applicable since client and server are always in sync and we are only communicating locally over UDS." # apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader [[IgnoredVulns]] id = "CVE-2024-47554" # GHSA-78wr-2p64-hpwj -ignoreUntil = 2025-02-02 +ignoreUntil = 2025-05-02 reason = "No impact since the app doesn't process externally crafted XML." # netty: Denial of Service attack on windows app @@ -79,26 +73,3 @@ reason = "No impact since the app doesn't process externally crafted XML." id = "CVE-2024-47535" # GHSA-xq3w-v528-46rv ignoreUntil = 2025-02-13 reason = "Only impacting Windows." - -# Several vulns related to bouncy castle that is only being used by the dependency check tool. -# These are not used directly in the app. -[[PackageOverrides]] -name = "org.bouncycastle:bcprov-jdk15on" -ecosystem = "Maven" -ignore = true -effectiveUntil = 2025-02-02 -reason = "Used by lint and the dependency-check tool and not the app directly." - -[[PackageOverrides]] -name = "org.bouncycastle:bcprov-jdk18on" -ecosystem = "Maven" -ignore = true -effectiveUntil = 2025-02-02 -reason = "Used by lint and the dependency-check tool and not the app directly." - -[[PackageOverrides]] -name = "org.bouncycastle:bcpkix-jdk18on" -ecosystem = "Maven" -ignore = true -effectiveUntil = 2025-02-02 -reason = "Used by lint and the dependency-check tool and not the app directly." |