-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy path.grype.yml
33 lines (29 loc) · 1.4 KB
/
.grype.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
fail-on-severity: "medium"
# List of vulnerabilities to ignore for the anchore scan
# https://github.com/anchore/grype#specifying-matches-to-ignore
# More info can be found in the docs/infra/vulnerability-management.md file
# Please add safelists in the following format to make it easier when checking
# Package/module name: URL to vulnerability for checking updates
# Versions: URL to the version history
# Dependencies: Name of any other packages or modules that are dependent on this version
# Link to the dependencies for ease of checking for updates
# Issue: Why there is a finding and why this is here or not been removed
# Last checked: Date last checked in scans
# - vulnerability: The-CVE-or-vuln-id # Remove comment at start of line
ignore:
# These settings ignore any findings that fall into these categories
- fix-state: not-fixed
- fix-state: wont-fix
- fix-state: unknown
# https://github.com/HHS/simpler-grants-gov/issues/2582
- vulnerability: CVE-2024-34158
- vulnerability: CVE-2024-34156
- vulnerability: CVE-2024-34155
# Issue due to crypto package pulled in by GitHub CLI
# Will be fixed in next GitHub CLI release
# Last Checked: Dec 19th, 2024
- vulnerability: GHSA-v778-237x-gjrc
- vulnerability: GHSA-w32m-9786-jp63
# Issue with asyncio library in Python, should be fixed
# in 3.13.2 (early February 2025)
- vulnerability: CVE-2024-12254