diff options
| author | Linus Färnstrand <linus@mullvad.net> | 2024-07-09 07:56:33 +0200 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2024-07-09 07:56:33 +0200 |
| commit | 1529a389fd4a472f42ff8e3ec49c25c0c8fd4a73 (patch) | |
| tree | dc57f6ab8dfd274f52a8d5ce60515002ba865e08 /gui | |
| parent | d726e19cf93d15d0bf6734afb28e0794bacda72c (diff) | |
| parent | ac832d3146ab25b621dd9dc95a154eded918b774 (diff) | |
| download | mullvadvpn-1529a389fd4a472f42ff8e3ec49c25c0c8fd4a73.tar.xz mullvadvpn-1529a389fd4a472f42ff8e3ec49c25c0c8fd4a73.zip | |
Merge branch 'integrate-osv-scanner-into-ci-des-706'
Diffstat (limited to 'gui')
| -rw-r--r-- | gui/osv-scanner.toml | 26 | ||||
| -rw-r--r-- | gui/scripts/osv-scanner.toml | 43 |
2 files changed, 69 insertions, 0 deletions
diff --git a/gui/osv-scanner.toml b/gui/osv-scanner.toml new file mode 100644 index 0000000000..cef97fe2d8 --- /dev/null +++ b/gui/osv-scanner.toml @@ -0,0 +1,26 @@ +# See repository root `osv-scanner.toml` for instructions and rules for this file. + +# @grpc/grpc-js: There are two separate code paths in which memory can be allocated per message in +# excess of the grpc.max_receive_message_length channel option +[[IgnoredVulns]] +id = "CVE-2024-37168" # GHSA-7v5v-9h63-cj86 +ignoreUntil = 2024-09-05 +reason = "This component only receives gRPC messages from the trusted mullvad-daemon" + +# yargs-parser Vulnerable to Prototype Pollution +[[IgnoredVulns]] +id = "CVE-2020-7608" # GHSA-p9pc-299p-vxgp +ignoreUntil = 2024-09-05 +reason = "This package is only used to parse commands run by either us or trusted libraries" + +# PostCSS line return parsing error +[[IgnoredVulns]] +id = "CVE-2023-44270" # GHSA-7fh5-64p2-3v2j +ignoreUntil = 2024-09-05 +reason = "This project does not use PostCSS to parse untrusted CSS" + +# braces: Uncontrolled resource consumption +[[IgnoredVulns]] +id = "CVE-2024-4068" # GHSA-grv7-fg5c-xmjg +ignoreUntil = 2024-09-05 +reason = "This package is only used to match paths from either us or trusted libraries" diff --git a/gui/scripts/osv-scanner.toml b/gui/scripts/osv-scanner.toml new file mode 100644 index 0000000000..ec390ea1d3 --- /dev/null +++ b/gui/scripts/osv-scanner.toml @@ -0,0 +1,43 @@ +# See repository root `osv-scanner.toml` for instructions and rules for this file. + +# Pillow arbitrary code execution +[[IgnoredVulns]] +id = "CVE-2023-50447" # GHSA-3f63-hfp8-52jq +ignoreUntil = 2024-09-05 +reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" + +# Pillow buffer overflow +[[IgnoredVulns]] +id = "CVE-2024-28219" # GHSA-44wm-f244-xhp3 +ignoreUntil = 2024-09-05 +reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" + +# Pillow DoS +[[IgnoredVulns]] +id = "CVE-2023-44271" # GHSA-8ghj-p4vj-mr35 +ignoreUntil = 2024-09-05 +reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" + +# libwebp: OOB write in BuildHuffmanTable +[[IgnoredVulns]] +id = "CVE-2023-5129" # GHSA-j7hp-h8jx-5ppr +ignoreUntil = 2024-09-05 +reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" + +# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863) +[[IgnoredVulns]] +id = "PYSEC-2023-175" +ignoreUntil = 2024-09-05 +reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" + +# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863) +[[IgnoredVulns]] +id = "GHSA-56pw-mpj4-fxww" +ignoreUntil = 2024-09-05 +reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" + +# Pillow vulnerable to Data Amplification attack. +[[IgnoredVulns]] +id = "CVE-2022-45198" # GHSA-m2vv-5vj5-2hm7 +ignoreUntil = 2024-09-05 +reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" |
