From a6755080ad6528c7a0a48b618288e1393bfb90c6 Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Tue, 9 Jan 2024 20:25:17 +0200 Subject: [PATCH] Ignore CVE-2023-7104 from our security scans Our security scans for the released container image have flagged CVE-2023-7104. Our assessment is that this CVE doesn't affect Dangerzone, mainly because our understanding is that attackers cannot embed SQLite dbs within LibreOffice spreadsheets. --- .grype.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index 962edfd..1e2f93f 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -2,3 +2,24 @@ # latest release of Dangerzone, and offer our analysis. ignore: + # CVE-2023-7104 + # ============= + # + # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104 + # Verdict: Dangerzone is not affected. The rationale is the following: + # + # 1. This CVE affects malicious/corrupted SQLite DBs. + # 2. Databases can be loaded either via LibreOffice Calc or Base. Files for + # the latter are not a valid input to Dangerzone. + # 3. Based on the LibreOffice Calc guide [1], users can only refer to + # external databases, not embed them in a spreadsheet. + # 4. The actual CVSS score for this vulnerability is High, according to + # NIST, not Critical. + # + # [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf: + # + # > The possible data sources for the pivot table are a Calc spreadsheet + # > or an external data source that is registered in LibreOffice. [...] + # > A registered data source is a connection to data held in a database + # > outside of LibreOffice. + - vulnerability: CVE-2023-7104
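Review bot: The new `- vulnerability: CVE-2023-7104` entry at the end of the hunk is unscoped, so it suppresses every match for this CVE in any package and in any future image, while the rationale above it argues only about how LibreOffice Calc consumes SQLite data; consider narrowing the rule with a `package:` block (grype ignore rules accept a package `name`) to the package the scan actually flagged, so a second package carrying the same CVE still surfaces. Two points in the rationale also deserve tightening: point 3 states that "users can only refer to external databases, not embed them in a spreadsheet", but the quoted Calc guide passage describes the data sources of a pivot table specifically, so either cite the general data-source section of the guide or scope the claim to pivot tables; and point 4 (CVSS High rather than Critical) concerns severity, not exploitability, and does not support a "not affected" verdict, so it reads better as context than as a numbered reason.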