almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Remove some stale CVE entries from .grype.yaml

Browse source 
Our security scans no longer pick up some CVEs we have ignored in the
past, so we can safely remove them now.
This commit is contained in:
Alex Pyrgiotis 2024-08-08 20:56:51 +03:00
parent 141c1e8a23
commit 08f03b4bb4
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
1 changed files with 0 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
.grype.yaml
View file

@ -2,46 +2,6 @@
# latest release of Dangerzone, and offer our analysis.
ignore:
# CVE-2023-7104
# =============
#
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# 1. This CVE affects malicious/corrupted SQLite DBs.
# 2. Databases can be loaded either via LibreOffice Calc or Base. Files for
# the latter are not a valid input to Dangerzone.
# 3. Based on the LibreOffice Calc guide [1], users can only refer to
# external databases, not embed them in a spreadsheet.
# 4. The actual CVSS score for this vulnerability is High, according to
# NIST, not Critical.
#
# [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf:
#
# > The possible data sources for the pivot table are a Calc spreadsheet
# > or an external data source that is registered in LibreOffice. [...]
# > A registered data source is a connection to data held in a database
# > outside of LibreOffice.
- vulnerability: CVE-2023-7104
# CVE-2024-5535
# =============
#
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5535
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# 1. This CVE affects applications that make network calls. The Dangerzone
# container does not perform any such calls, and has no access to the
# internet.
# 2. The OpenSSL devs have marked this issue as low severity [1].
#
# [1]: From https://www.openssl.org/news/secadv/20240627.txt:
#
# > This issue has been assessed as Low severity because applications are
# > most likely to be vulnerable if they are using NPN instead of ALPN -
# > but NPN is not widely used. It also requires an application
# > configuration or programming error. Finally, this issue would not
# > typically be under attacker control making active exploitation
# > unlikely.
- vulnerability: CVE-2024-5535
# CVE-2024-5171
# =============