Skip to content

Commit

Permalink
dependencies: allowlist CVE-2020-8277 to prevent false positives. (#1…
Browse files Browse the repository at this point in the history
…4228)

The CVE scanner is alerting on CVE-2020-8277 despite the c-ares
upgrade in #14213, since the CVE applies to nodejs (and http-parser)
rather than c-ares.

Signed-off-by: Harvey Tuch <htuch@google.com>
  • Loading branch information
htuch authored Dec 1, 2020
1 parent 2dc72a9 commit ae7d841
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions tools/dependency/cve_scan.py
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,9 @@
'CVE-2020-8252',
# Fixed via the nghttp2 1.41.0 bump in Envoy 8b6ea4.
'CVE-2020-11080',
# Node.js issue rooted in a c-ares bug. Does not appear to affect
# http-parser or our use of c-ares, c-ares has been bumped regardless.
'CVE-2020-8277',
])

# Subset of CVE fields that are useful below.
Expand Down

0 comments on commit ae7d841

Please sign in to comment.