summaryrefslogtreecommitdiffhomepage
path: root/gui
diff options
context:
space:
mode:
Diffstat (limited to 'gui')
-rw-r--r--gui/osv-scanner.toml26
-rw-r--r--gui/scripts/osv-scanner.toml43
2 files changed, 69 insertions, 0 deletions
diff --git a/gui/osv-scanner.toml b/gui/osv-scanner.toml
new file mode 100644
index 0000000000..cef97fe2d8
--- /dev/null
+++ b/gui/osv-scanner.toml
@@ -0,0 +1,26 @@
+# See repository root `osv-scanner.toml` for instructions and rules for this file.
+
+# @grpc/grpc-js: There are two separate code paths in which memory can be allocated per message in
+# excess of the grpc.max_receive_message_length channel option
+[[IgnoredVulns]]
+id = "CVE-2024-37168" # GHSA-7v5v-9h63-cj86
+ignoreUntil = 2024-09-05
+reason = "This component only receives gRPC messages from the trusted mullvad-daemon"
+
+# yargs-parser Vulnerable to Prototype Pollution
+[[IgnoredVulns]]
+id = "CVE-2020-7608" # GHSA-p9pc-299p-vxgp
+ignoreUntil = 2024-09-05
+reason = "This package is only used to parse commands run by either us or trusted libraries"
+
+# PostCSS line return parsing error
+[[IgnoredVulns]]
+id = "CVE-2023-44270" # GHSA-7fh5-64p2-3v2j
+ignoreUntil = 2024-09-05
+reason = "This project does not use PostCSS to parse untrusted CSS"
+
+# braces: Uncontrolled resource consumption
+[[IgnoredVulns]]
+id = "CVE-2024-4068" # GHSA-grv7-fg5c-xmjg
+ignoreUntil = 2024-09-05
+reason = "This package is only used to match paths from either us or trusted libraries"
diff --git a/gui/scripts/osv-scanner.toml b/gui/scripts/osv-scanner.toml
new file mode 100644
index 0000000000..ec390ea1d3
--- /dev/null
+++ b/gui/scripts/osv-scanner.toml
@@ -0,0 +1,43 @@
+# See repository root `osv-scanner.toml` for instructions and rules for this file.
+
+# Pillow arbitrary code execution
+[[IgnoredVulns]]
+id = "CVE-2023-50447" # GHSA-3f63-hfp8-52jq
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow buffer overflow
+[[IgnoredVulns]]
+id = "CVE-2024-28219" # GHSA-44wm-f244-xhp3
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow DoS
+[[IgnoredVulns]]
+id = "CVE-2023-44271" # GHSA-8ghj-p4vj-mr35
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# libwebp: OOB write in BuildHuffmanTable
+[[IgnoredVulns]]
+id = "CVE-2023-5129" # GHSA-j7hp-h8jx-5ppr
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863)
+[[IgnoredVulns]]
+id = "PYSEC-2023-175"
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863)
+[[IgnoredVulns]]
+id = "GHSA-56pw-mpj4-fxww"
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"
+
+# Pillow vulnerable to Data Amplification attack.
+[[IgnoredVulns]]
+id = "CVE-2022-45198" # GHSA-m2vv-5vj5-2hm7
+ignoreUntil = 2024-09-05
+reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade"