-
Notifications
You must be signed in to change notification settings - Fork 354
/
osv-scanner.toml
69 lines (69 loc) · 3.5 KB
/
osv-scanner.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# List of ignored known vulnerabilities
#
# Keep this file in sync with deny.toml
#
# When osv-scanner reports a vulnerability, evaluate if the vulnerability affects the security
# of our app. If it does, escalate the issue and discuss in the team and with tech leadership.
# If the vulnerability does *not* affect the security of the app, there are three ways to fix it.
# Here they are listed in priority order:
#
# 1. Try to upgrade the dependency to a version that does not have the vulnerability.
# If possible and does not come with too many other downsides, this is always recommended.
# 2. If upgrading is not feasible and the vulnerability does not affect the security of our app,
# it can be ignored with an `IgnoredVulns` entry. See below for rules.
# 3. If one package has very many vulnerabilities or a constant stream of new vulnerabilities
# found, and they are never a threat to our app's security, the entire package can be ignored
# with a `PackageOverrides` entry. See below for rules. This should be avoided if feasible.
#
# Every ignored vulnerability/package entry must have an end date. It is not allowed to ignore
# vulnerabilies indefinitely. This means specifying an `ignoreUntil` for `IgnoredVulns` entries
# and `effectiveUntil` for `PackageOverrides` entries.
# * The default should be to ignore a vulnerability for three months.
# * A vulnerability can be ignored for up to a year at most (Use extremely sparsely).
# * If anything above three months is used, write a short comment about why this ignore is longer.
#
# Every entry must have a `reason` field that explains why this vulnerability does not affect us,
# and why we can't/decided not to change to an unaffected version.
#
# Try to use the "original" identifier as `id` in `IgnoredVulns`. This means the identifier used
# by the original vulnerability database it originates from.
# These are usually listed as "Aliases" on osv.dev.
# Feel free to add more identifiers as comments after the `id`.
#
# Write a comment above each entry specifying what dependency it is about and what type of
# vulnerability it is. The other fields do not convey this.
#
# Remove the ignore as soon as we upgrade or otherwise get rid of the vulnerable dependency from
# our product.
#
# When an `ignoreUntil`/`effectiveUntil` expire and start yielding errors on a previously ignored
# issue, follow these steps:
# 1. Try to upgrade away from the vulnerable versions and get rid of the ignore.
# 2. Update any outdated info in this ignore.
# 3. Bump the `ignoreUntil` following the same rules as when initially adding an ignore entry.
#
# Example `IgnoredVulns` entry:
#
# ```
# # libbaz remote code execution in get_date() function
# [[IgnoredVulns]]
# id = "CVE-2020-12345" # GHSA-abcd-efgh-1234
# ignoreUntil = 2024-12-05 # Ignored for six months at a time. Unlikely to be fixed, but also unlikely to be an issue for us.
# reason = """
# The vulnerable code path is currently not triggered by us or our dependencies.
# `renderer-helper` currently depend on this version of libbaz, preventing us from upgrading to a fixed version.
# """
# ```
#
# Example `PackageOverrides` entry:
#
# ```
# # Entire package ignored since there is a constant stream of newly found regular expression attacks.
# # All of these attacks rely on the input being malicious. We only use this package in our trusted
# # build environment with trusted inputs.
# [[PackageOverrides]]
# name = "rexml"
# ignore = true
# effectiveUntil = 2024-11-02
# reason = "The XML payload is generated by Apple tooling which we trust"
# ```