From ae7d84132858d831286a6b079fab8271faa451f5 Mon Sep 17 00:00:00 2001 From: htuch Date: Tue, 1 Dec 2020 13:23:07 -0500 Subject: [PATCH] dependencies: allowlist CVE-2020-8277 to prevent false positives. (#14228) The CVE scanner is alerting on CVE-2020-8277 despite the c-ares upgrade in #14213, since the CVE applies to nodejs (and http-parser) rather than c-ares. Signed-off-by: Harvey Tuch --- tools/dependency/cve_scan.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/dependency/cve_scan.py b/tools/dependency/cve_scan.py index 97aab18224fc..3279f4855e5f 100755 --- a/tools/dependency/cve_scan.py +++ b/tools/dependency/cve_scan.py @@ -34,6 +34,9 @@ 'CVE-2020-8252', # Fixed via the nghttp2 1.41.0 bump in Envoy 8b6ea4. 'CVE-2020-11080', + # Node.js issue rooted in a c-ares bug. Does not appear to affect + # http-parser or our use of c-ares, c-ares has been bumped regardless. + 'CVE-2020-8277', ]) # Subset of CVE fields that are useful below.
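Review bot: the new comment on the allowlist entry for 'CVE-2020-8277' contradicts the commit message and should be reconciled before this lands. The commit message says the CVE "applies to nodejs (and http-parser) rather than c-ares", while the inline comment says it is a "Node.js issue rooted in a c-ares bug" that "does not appear to affect http-parser". Since the comment is what future readers of the allowlist will see, it should state one consistent justification: which component the CVE actually applies to, and why Envoy's use of c-ares is not exposed. The neighbouring entries also follow a convention of citing the fixing change (e.g. "Fixed via the nghttp2 1.41.0 bump in Envoy 8b6ea4"), so this entry should likewise reference the c-ares bump in #14213 and the resulting c-ares version rather than the vague "c-ares has been bumped regardless", so that the exclusion can be audited or removed later if the scanner's matching is corrected. "Does not appear to affect" is also weaker than the other entries' wording; if the allowlisting rests on an analysis of the affected code path, state that conclusion directly.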