mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
Remove some stale CVE entries from .grype.yaml
Our security scans no longer pick up some CVEs we have ignored in the past, so we can safely remove them now.
This commit is contained in:
Alex Pyrgiotis
parent
141c1e8a23
commit
08f03b4bb4
1 changed files with 0 additions and 40 deletions
40
.grype.yaml
40
.grype.yaml
|
|
@ -2,46 +2,6 @@
|
||||||
# latest release of Dangerzone, and offer our analysis.
|
# latest release of Dangerzone, and offer our analysis.
|
||||||
|
|
||||||
ignore:
|
ignore:
|
||||||
# CVE-2023-7104
|
|
||||||
# =============
|
|
||||||
#
|
|
||||||
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104
|
|
||||||
# Verdict: Dangerzone is not affected. The rationale is the following:
|
|
||||||
#
|
|
||||||
# 1. This CVE affects malicious/corrupted SQLite DBs.
|
|
||||||
# 2. Databases can be loaded either via LibreOffice Calc or Base. Files for
|
|
||||||
# the latter are not a valid input to Dangerzone.
|
|
||||||
# 3. Based on the LibreOffice Calc guide [1], users can only refer to
|
|
||||||
# external databases, not embed them in a spreadsheet.
|
|
||||||
# 4. The actual CVSS score for this vulnerability is High, according to
|
|
||||||
# NIST, not Critical.
|
|
||||||
#
|
|
||||||
# [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf:
|
|
||||||
#
|
|
||||||
# > The possible data sources for the pivot table are a Calc spreadsheet
|
|
||||||
# > or an external data source that is registered in LibreOffice. [...]
|
|
||||||
# > A registered data source is a connection to data held in a database
|
|
||||||
# > outside of LibreOffice.
|
|
||||||
- vulnerability: CVE-2023-7104
|
|
||||||
# CVE-2024-5535
|
|
||||||
# =============
|
|
||||||
#
|
|
||||||
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5535
|
|
||||||
# Verdict: Dangerzone is not affected. The rationale is the following:
|
|
||||||
#
|
|
||||||
# 1. This CVE affects applications that make network calls. The Dangerzone
|
|
||||||
# container does not perform any such calls, and has no access to the
|
|
||||||
# internet.
|
|
||||||
# 2. The OpenSSL devs have marked this issue as low severity [1].
|
|
||||||
#
|
|
||||||
# [1]: From https://www.openssl.org/news/secadv/20240627.txt:
|
|
||||||
#
|
|
||||||
# > This issue has been assessed as Low severity because applications are
|
|
||||||
# > most likely to be vulnerable if they are using NPN instead of ALPN -
|
|
||||||
# > but NPN is not widely used. It also requires an application
|
|
||||||
# > configuration or programming error. Finally, this issue would not
|
|
||||||
# > typically be under attacker control making active exploitation
|
|
||||||
# > unlikely.
|
|
||||||
- vulnerability: CVE-2024-5535
|
- vulnerability: CVE-2024-5535
|
||||||
# CVE-2024-5171
|
# CVE-2024-5171
|
||||||
# =============
|
# =============
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue