# OSV Scanner configuration — suppressed vulnerabilities
#
# Scorecard's osv-scanner auto-discovers this file by name (must be
# `osv-scanner.toml`, NOT `.osv-scanner.toml` or `.osv-scanner-config.toml`).
#
# Only add entries here when ONE of the following holds:
# 1. The vulnerability has a fix available upstream AND we already pin it, OR
# 2. No fix exists upstream, the code path is not reachable, AND an issue is
#    open to track re-evaluation when constraints change (the pyopenssl
#    entries below show the expected shape of such a `reason`).
#
# Every entry below carries only an advisory `id` and a `reason` — no package
# name or version constraint — so a suppression stays in force for whatever
# version the scanner resolves. A "fixed in our locked version" entry therefore
# also hides the finding if a manifest is ever downgraded or a second manifest
# pins an older release. Consider `ignoreUntil = <date>` on entries that should
# expire, and at each re-audit check whether the Werkzeug/Flask entries are
# still needed at all: if the scanner reads the lockfile, a fixed advisory
# should presumably not be reported in the first place (TODO confirm which
# manifest triggers them).
#
# Re-audit this file on every dependency bump.
# ── nltk — REMOVED from core deps (v0.74.0+) ────────────────────────────────
# nltk was pinned as a transitive dep of `safety`, which was replaced by pip-audit.
# agent-bom never imports nltk. Removed to eliminate 3+ unfixable CVEs from Docker images.
# No entries are kept for nltk: the package is gone, so nothing needs suppressing.
# ── Werkzeug — FIXED in 3.1.6 (our locked version) ──────────────────────────
# Criterion 1 entries. Each `reason` records the upstream fix version and the
# locked version so a downgrade below the fix version is visible on re-audit.
[[IgnoredVulns]]
id = "GHSA-29vq-49wr-vm6x"
reason = "werkzeug safe_join Windows — fixed in 3.1.6, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-2g68-c3qc-8985"
reason = "werkzeug debugger RCE — fixed in 3.0.3, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-87hc-h4r5-73f7"
reason = "werkzeug safe_join compound extensions — fixed in 3.1.5, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-f9vj-2wh5-fj8j"
reason = "werkzeug safe_join Windows — fixed in 3.0.6, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-hgf8-39gv-g3f2"
reason = "werkzeug safe_join Windows device — fixed in 3.1.4, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-hrfv-mqp8-q5rw"
reason = "werkzeug multipart DoS — fixed in 3.0.1, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-px8h-6qxv-m22q"
reason = "werkzeug nameless cookies — fixed in 2.2.3, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-q34m-jh98-gwm2"
reason = "werkzeug form resource exhaustion — fixed in 3.0.6, our locked version is 3.1.6"
[[IgnoredVulns]]
id = "GHSA-xg9f-g7g7-2323"
reason = "werkzeug multipart high resource — fixed in 2.2.3, our locked version is 3.1.6"
# PYSEC ids are aliases of GHSA entries above; osv-scanner matches on the exact
# id, so both identifiers have to be listed for the same advisory to stay quiet.
[[IgnoredVulns]]
id = "PYSEC-2023-221"
reason = "werkzeug alias (GHSA-hrfv-mqp8-q5rw) — fixed in 3.1.6"
[[IgnoredVulns]]
id = "PYSEC-2023-57"
reason = "werkzeug alias (GHSA-px8h-6qxv-m22q) — fixed in 3.1.6"
[[IgnoredVulns]]
id = "PYSEC-2023-58"
reason = "werkzeug alias (GHSA-xg9f-g7g7-2323) — fixed in 3.1.6"
# ── Flask — FIXED in 3.1.3 (our locked version) ─────────────────────────────
# Criterion 1 entries, same convention as the Werkzeug block.
[[IgnoredVulns]]
id = "GHSA-68rp-wp8r-4726"
reason = "Flask Vary:Cookie low-severity — fixed in 3.1.1, our locked version is 3.1.3"
[[IgnoredVulns]]
id = "GHSA-m2qf-hxjv-5gpq"
reason = "Flask session cookie disclosure — fixed in 2.3.8, our locked version is 3.1.3"
[[IgnoredVulns]]
id = "PYSEC-2023-62"
reason = "Flask alias (GHSA-m2qf-hxjv-5gpq) — fixed in 3.1.3"
# ── pyopenssl — blocked by snowflake-connector-python <26.0.0 cap ────────────
# Criterion 2 entries: the fix exists upstream but cannot be taken until the
# snowflake-connector-python cap moves. These are the only genuinely open
# suppressions in this file and should be re-checked first on every bump.
# NOTE(review): "does not use the affected code paths" names no pyopenssl API,
# so the claim cannot be re-verified from this file alone — TODO record the
# affected function(s) and where it was confirmed they are not called.
[[IgnoredVulns]]
id = "GHSA-5pwr-322w-8jr4"
reason = """
pyopenssl vulnerability (fixed in pyopenssl>=26.0.0).
BLOCKER: snowflake-connector-python requires pyopenssl<26.0.0.
NOT DIRECTLY EXPLOITABLE: agent-bom does not use the affected code paths.
Tracked: https://github.com/msaad00/agent-bom/issues/930
"""
[[IgnoredVulns]]
id = "GHSA-vp96-hxj8-p424"
reason = """
pyopenssl vulnerability (fixed in pyopenssl>=26.0.0).
BLOCKER: snowflake-connector-python requires pyopenssl<26.0.0.
NOT DIRECTLY EXPLOITABLE: agent-bom does not use the affected code paths.
Tracked: https://github.com/msaad00/agent-bom/issues/930
"""