From dad981e570798b11ed82089ce6df09c28cfb4cc6 Mon Sep 17 00:00:00 2001
From: Serhii Korchynskyi
Date: Tue, 13 Dec 2022 10:57:07 +0100
Subject: [PATCH] Add ort (#45)

---
 .ort.yml | 77 ++++++++++++++++++++++++++++++++-----------------------
 README.md | 3 +++
 2 files changed, 48 insertions(+), 32 deletions(-)

diff --git a/.ort.yml b/.ort.yml
index 3af702e7..886694e0 100644
--- a/.ort.yml
+++ b/.ort.yml
@@ -16,48 +16,61 @@ curations:
 packages:
 - id: "PyPI::pytest-cov:4.0.0"
 curations:
- comment: "Add correct license"
- concluded_license: MIT
+ comment: "Proper license is defined in package repository https://pypi.org/project/pytest-cov/"
+ concluded_license: "MIT"
 - id: "PyPI::coverage:6.5.0"
 curations:
- comment: "Add correct license"
- concluded_license: Apache-2.0
- - id: "PyPI::grpcio:1.49.1"
+ comment: "Proper license is defined in package repository https://pypi.org/project/coverage/"
+ concluded_license: "Apache-2.0"
+ - id: "PyPI::gitdb:4.0.10"
 curations:
- comment: "Add correct license"
- concluded_license: Apache-2.0
- - id: "PyPI::identify:2.5.6"
+ comment: "Proper license is defined in package repository https://pypi.org/project/gitdb/"
+ concluded_license: "BSD-3-Clause"
+ - id: "PyPI::grpcio:1.48.2"
 curations:
- comment: "Add correct license"
- concluded_license: MIT
- - id: "PyPI::setuptools:65.5.0"
+ comment: "Proper license is defined in package repository https://pypi.org/project/grpcio/"
+ concluded_license: "Apache-2.0"
+ - id: "PyPI::identify:2.5.9"
 curations:
- comment: "Add correct license"
- concluded_license: MIT
+ comment: "Proper license is defined in package repository https://pypi.org/project/identify/"
+ concluded_license: "MIT"
+ - id: "PyPI::setuptools:65.6.3"
+ curations:
+ comment: "Proper license is defined in package repository https://pypi.org/project/setuptools/"
+ concluded_license: "MIT"
+ - id : "PyPI::filelock:3.8.2"
+ curations:
+ comment: "Proper license is defined in package repository https://pypi.org/project/filelock/"
+ concluded_license: "Unlicense"
+ - id : "PIP::sdv-requirements:0.7.2"
+ curations:
+ comment: "Bosch maintained component"
+ concluded_license: "Apache-2.0"
+
 resolutions:
 vulnerabilities:
- - id: "CVE-2018-20225"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
- - id: "CVE-2022-1941"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
- - id: "CVE-2022-3171"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
 - id: "CVE-2022-42969"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
+ reason: "INEFFECTIVE_VULNERABILITY"
+ comment: "Vulnerability only applicable for SVN projects. Requires a change to be made by a third party https://github.com/pytest-dev/py/issues/287"
 - id: "CVE-2018-20225"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
+ reason: "MITIGATED_VULNERABILITY"
+ comment: "Mitigating control: avoiding use of the --extra-index-url parameter for pip"
 - id: "CVE-2019-20907"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
+ reason: "INVALID_MATCH_VULNERABILITY"
+ comment: "Only applicable for python version <=3.8.3 or <3.9.0-b5 python 3.10 in use"
 - id: "CVE-2019-20916"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
+ reason: "INVALID_MATCH_VULNERABILITY"
+ comment: "pip < 19.2 is affected pip in use 22.3.1"
 - id: "sonatype-2012-0071"
- reason: CANT_FIX_VULNERABILITY
- comment: "Requires a change to be made by a third party that is not responsive."
+ reason: "INVALID_MATCH_VULNERABILITY"
+ comment: "only relevan for python 2.7 python 3.10 in use"
+ - id: "sonatype-2022-6046"
+ reason: "INVALID_MATCH_VULNERABILITY"
+ comment: "affected wheel < 0.38.4 wheel = 0.38.4 in use"
+ - id: " CVE-2022-33124"
+ reason: "CANT_FIX_VULNERABILITY"
+ comment: "aiohttp consider this vulnerability as false possitive. No prove that issue leads to DoS attack. 
Requires a change to be made by a third party"
+ - id: "CVE-2020-11023"
+ reason: "INEFFECTIVE_VULNERABILITY"
+ comment: "No evidences that pkg:pypi/deprecation@2.1.0 is affected. mainly jquery package is affected"
diff --git a/README.md b/README.md
index 090307c5..e5e26daf 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,9 @@
 [![CI workflow](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/ci.yaml/badge.svg)](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/ci.yaml)
 [![License: Apache](https://img.shields.io/badge/License-Apache-yellow.svg)](http://www.apache.org/licenses/LICENSE-2.0)
+[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
+[![Imports: isort](https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat&labelColor=ef8336)](https://pycqa.github.io/isort/)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
 The `Vehicle App SDK` reduces the effort required to implement Vehicle Apps by using the Velocitas development model for the Python programming language. To create a Vehicle App, please use our [Vehicle App Template](https://github.com/eclipse-velocitas/vehicle-app-python-template) which uses this sdk.
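Review bot: The new vulnerability resolution `- id: " CVE-2022-33124"` carries a leading space inside the quoted id, and since ORT matches a resolution's `id` against the reported vulnerability id (as a regular expression, as far as I recall), this entry will most likely never match and the aiohttp finding keeps being reported as unresolved; it should read `- id: "CVE-2022-33124"`. The two new curation entries `- id : "PyPI::filelock:3.8.2"` and `- id : "PIP::sdv-requirements:0.7.2"` put a space before the colon, which still parses as the key `id` but differs from every other entry in the file and trips yamllint's `colons` rule. Several of the INVALID_MATCH_VULNERABILITY comments justify the resolution only by the version currently pinned ("pip in use 22.3.1", "wheel = 0.38.4 in use"), and because a resolution is keyed by vulnerability id alone rather than by package version, it silently stays in force if a later dependency bump moves back into the affected range, so I would add above `vulnerabilities:` the comment `# Resolutions match by vulnerability id only: re-validate version-based rationales on every dependency bump`. The `curations:` mapping this hunk edits begins before the hunk.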