From e0afade42dc2d34d1d417886bf9c83298dfdd37b Mon Sep 17 00:00:00 2001
From: Michael Zalimeni
Date: Tue, 20 Feb 2024 13:10:47 -0500
Subject: [PATCH] security: add scan triage for CVE-2024-25620 (helm/v3)

Triage this scan result as `consul-k8s` should not be directly impacted and it is medium severity. Follow-up ticket filed for remediation. Also improve formatting of scan config since this change will be backported.
---
 .release/security-scan.hcl | 31 ++++++++++++++++++++-----------
 scan.hcl | 4 ++++
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 518aaa6156..52877c1805 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -13,19 +13,28 @@ # See `security-scanner` docs or run with `--help` for scan target syntax. container { - dependencies = true - alpine_secdb = true + dependencies = true + alpine_secdb = true - secrets { - all = true - } + secrets { + all = true + } } binary { - go_modules = true - osv = true + go_modules = true + osv = true - secrets { - all = true - } -} \ No newline at end of file + secrets { + all = true + } + + triage { + suppress { + vulnerabilites = [ + # NET-8174 (2024-02-20): Chart YAML path traversal (not impacted) + "GHSA-v53g-5gjp-272r", # alias CVE-2024-25620 + ] + } + } +}
diff --git a/scan.hcl b/scan.hcl
index 5716c1ce2e..3d5baf68db 100644
--- a/scan.hcl
+++ b/scan.hcl
@@ -31,6 +31,10 @@ repository {
 "acceptance/*",
 "hack/*",
 ]
+vulnerabilites = [
+# NET-8174 (2024-02-20): Chart YAML path traversal (not impacted)
+"GHSA-v53g-5gjp-272r", # alias CVE-2024-25620
+]
 }
 }
 }
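Review bot: Both new `vulnerabilites` suppression entries (the `triage { suppress { ... } }` block added under `binary` in `.release/security-scan.hcl`, and the list added in `scan.hcl`) are open-ended: nothing in the entry records when the suppression should be lifted, so it can silently outlive the helm/v3 remediation the commit message says is tracked in NET-8174. The comment should name the removal condition, e.g. `# NET-8174 (2024-02-20): Chart YAML path traversal (not impacted); remove once helm/v3 is bumped past the advisory's fixed release`, so whoever closes the ticket also drops the suppression. The key is spelled `vulnerabilites` in both files; if that matches the scanner's own schema it is fine, but if the scanner tolerates unknown keys a misspelling would leave the finding unsuppressed rather than erroring, so this is worth confirming against the `security-scanner` docs referenced in the first hunk's context line. The enclosing `repository` block in `scan.hcl` starts outside the hunk.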