forked from aehrc/pathling
-
Notifications
You must be signed in to change notification settings - Fork 1
/
.trivyignore
66 lines (55 loc) · 2.58 KB
/
.trivyignore
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# These vulnerabilities relate to a problem within apache-commons-compress that cause it to be
# vulnerable to a denial of service attack when faced with a specially-crafted archive.
# We have assessed these as low risk in the context of Pathling, as files are only ever read from a
# configured white-list of locations that are trusted by the administrators of the server.
CVE-2021-35515
CVE-2021-35516
CVE-2021-35517
CVE-2021-36090
CVE-2021-35515
CVE-2021-35516
CVE-2021-35517
CVE-2021-36090
# This vulnerability makes it possible to craft a denial of service attack through crafted input to
# the code which handles Parquet files.
# We have assessed this as low risk in the context of Pathling, as files are only ever read from a
# configured white-list of locations that are trusted by the administrators of the server.
CVE-2020-36518
# This vulnerability makes it possible for an attacker participating in a HTTP session to cause an
# OOM error.
# We have assessed this as low risk in the context of Pathling, as this only applies to the AWS
# client and is also mitigated by the white-list of trusted data sources.
CVE-2020-25644
# This vulnerability affects openssl, which is not a dependency is not exposed through any of the
# interfaces to our application.
CVE-2022-2068
# This vulnerability relates to Jetty, which is used by Wiremock within the test suite. It is not a
# dependency of any of the run-time code.
CVE-2022-2191
# These vulnerabilities relate to a problem where deeply nested arrays within JSON can be crafted to
# cause resource exhaustion.
# We have assessed these as low risk in the context of Pathling, as it only affects libraries which
# communicate with trusted sources, and the consequences are not critical.
CVE-2022-42003
CVE-2022-42004
# These vulnerabilities relate to libdb, libpcre and zlib1g, and have been assessed as low risk in
# the context of our implementation.
CVE-2019-8457
CVE-2019-8457
CVE-2022-1587
CVE-2022-37434
CVE-2022-1586
# This vulnerability relates to deserialization of untrusted data within spring-web, which is not
# relevant to Pathling.
CVE-2016-1000027
# This vulnerability relates to Freetype, which is not a dependency of Pathling.
CVE-2022-27404
# This vulnerability relates to YAML deserialization - Pathling does not deserialize untrusted
# sources of YAML data.
CVE-2022-1471
# This vulnerability relates to YAML deserialization - Pathling does not deserialize untrusted
# sources of YAML data.
CVE-2022-1471
# This vulnerability relates to privilege management using spark-submit, which is outside of the
# scope of this solution.
CVE-2023-22946