summaryrefslogtreecommitdiffhomepage
path: root/android/gradle/osv-scanner.toml
blob: 44f4c9b64587ffeeb829fc22ba4eece37166bbdf (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# See repository root `osv-scanner.toml` for instructions and rules for this file.
#
# The OWASP Dependency-Check tool is also used for vulnerability scanning.

# h2database: Cleartext Storage of Sensitive Information
[[IgnoredVulns]]
id = "CVE-2022-45868" # GHSA-22wj-vf5f-wrvj
ignoreUntil = 2025-02-02
reason = "Used by the dependency-check tool and not the app directly."

# okio: Signed to Unsigned Conversion Error vulnerability
[[IgnoredVulns]]
id = "CVE-2023-3635" # GHSA-w33c-445m-f8w7
ignoreUntil = 2025-02-02
reason = "We do not use gzip when using okio."

# netty: HttpPostRequestDecoder can OOM
[[IgnoredVulns]]
id = "CVE-2024-29025" # GHSA-5jpm-x58v-624v
ignoreUntil = 2025-02-02
reason = "We do not use netty for http communication."

# netty: Vulnerable to HTTP/2 Rapid Reset Attack
[[IgnoredVulns]]
id = "CVE-2023-44487" # GHSA-xpw8-rcwv-8f8p
ignoreUntil = 2025-02-02
reason = "No impact on this app since it uses UDS rather than HTTP2."

# Same as the vuln above, but it seems like osv scanner does not always make the connection.
[[IgnoredVulns]]
id = "GHSA-xpw8-rcwv-8f8p"
ignoreUntil = 2025-02-02
reason = "No impact on this app since it uses UDS rather than HTTP2."

# netty: SniHandler 16MB allocation
[[IgnoredVulns]]
id = "CVE-2023-34462" # GHSA-6mjq-h674-j845
ignoreUntil = 2025-02-02
reason = "We do not use netty for http communication."

# apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
[[IgnoredVulns]]
id = "CVE-2024-26308" # GHSA-4265-ccf5-phj5
ignoreUntil = 2025-02-02
reason = "Apache commons compress is used by lint and not the app directly."

# apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
[[IgnoredVulns]]
id = "CVE-2024-25710" # GHSA-4g9r-vxhx-9pgx
ignoreUntil = 2025-02-02
reason = "Apache commons compress is used by lint and not the app directly."

# apache httpclient: Cross-site scripting
[[IgnoredVulns]]
id = "CVE-2020-13956" # GHSA-7r82-7xv7-xcpj
ignoreUntil = 2025-02-02
reason = "Apache http client is used by lint and not the app directly."

# kotlin: Improper Locking
[[IgnoredVulns]]
id = "CVE-2022-24329" # GHSA-2qp4-g3q3-f92w
ignoreUntil = 2025-02-02
reason = "This CVE only affect Multiplatform Gradle Projects, which this project is not."

# protobuf-java: Has potential Denial of Service issue
[[IgnoredVulns]]
id = "CVE-2024-7254" # GHSA-735f-pc8j-v9w8
ignoreUntil = 2025-02-02
reason = "Should not be applicable since client and server are always in sync and we are only communicating locally over UDS."

# apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader
[[IgnoredVulns]]
id = "CVE-2024-47554" # GHSA-78wr-2p64-hpwj
ignoreUntil = 2025-02-02
reason = "No impact since the app doesn't process externally crafted XML."

# netty: Denial of Service attack on windows app
[[IgnoredVulns]]
id = "CVE-2024-47535" # GHSA-xq3w-v528-46rv
ignoreUntil = 2025-02-13
reason = "Only impacting Windows."

# Several vulns related to bouncy castle that is only being used by the dependency check tool.
# These are not used directly in the app.
[[PackageOverrides]]
name = "org.bouncycastle:bcprov-jdk15on"
ecosystem = "Maven"
ignore = true
effectiveUntil = 2025-02-02
reason = "Used by lint and the dependency-check tool and not the app directly."

[[PackageOverrides]]
name = "org.bouncycastle:bcprov-jdk18on"
ecosystem = "Maven"
ignore = true
effectiveUntil = 2025-02-02
reason = "Used by lint and the dependency-check tool and not the app directly."

[[PackageOverrides]]
name = "org.bouncycastle:bcpkix-jdk18on"
ecosystem = "Maven"
ignore = true
effectiveUntil = 2025-02-02
reason = "Used by lint and the dependency-check tool and not the app directly."