chore(security): add osv-scanner findings for markdown & pyjwt (#11256)
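--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,30 @@
+# osv-scanner per-vulnerability ignore list.
+#
+# Each [[IgnoredVulns]] entry must include a `reason` explaining why the
+# finding is accepted and an `ignoreUntil` date so the suppression auto-expires
+# and gets re-evaluated. See https://github.com/google/osv-scanner for the
+# config schema.
+
+[[IgnoredVulns]]
+id = "PYSEC-2025-183"
+ignoreUntil = 2026-08-20T00:00:00Z
+reason = """
+CVE-2025-45768 is disputed by the pyjwt maintainers. The advisory describes
+weak encryption, but the underlying issue is that callers may pick a short
+HMAC secret — key-length enforcement is the application's responsibility, not
+a defect in the library. We are on pyjwt 2.12.1 (latest at pin time) and
+enforce key strength in our own auth code, so this advisory does not apply.
+Re-evaluate when a non-disputed advisory or upstream fix lands.
+"""
+
+[[IgnoredVulns]]
+id = "PYSEC-2026-89"
+ignoreUntil = 2026-08-20T00:00:00Z
+reason = """
+False positive caused by a malformed PYSEC record. The equivalent GitHub
+Security Advisory (GHSA-5wmx-573v-2qwq) for CVE-2025-69534 declares the issue
+fixed in markdown 3.8.1. We are on markdown==3.10.2 (latest release, includes
+the fix), but the PYSEC entry's range is [{introduced: "0"}, {}] with no
+closing "fixed" event, so osv-scanner flags every version. There is no newer
+release to upgrade to. Re-evaluate once the PYSEC record is corrected upstream.
+"""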
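Review bot: The PYSEC-2025-183 suppression rests on "enforce key strength in our own auth code" but names no module or check, so whoever re-evaluates it on 2026-08-20 has nothing concrete to verify and the suppression is likely to be re-approved on trust. Add a pointer into the reason text, e.g. `Enforced in: <module/function where the HMAC secret length is validated>` (placeholder, fill in the real location), so the claim can be checked against the code when the ignore expires. The header comment says each entry "must include" a reason and ignoreUntil, but osv-scanner does not enforce that; if the intent is a hard rule, consider wording it as a repository convention (`# Repo convention: ... (not enforced by osv-scanner)`) or adding a CI check that rejects entries missing either field. Both entries expire on the same date, which is fine, but note that once `ignoreUntil` passes the findings reappear in CI, so a calendar reminder for the re-evaluation step described in each reason would avoid an unexpected red build.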