safety: ignore irrelevant Jinja CVE

safety started to complain about CVE-2019-8341 in jinja.
The validity of the CVE is widely disputed, and in any case it is not
exploitable here, so add it to the ignored list.
Rohan McGovern 2024-07-22 13:06:39 +10:00
parent 4fa8f8a1d9
commit 2879de67b9

.safety-policy.yml Normal file

@ -0,0 +1,15 @@
security:
ignore-cvss-severity-below: 4
ignore-vulnerabilities:
70612:
# CVE-2019-8341, jinja2:
#
# In summary, the CVE says that it is unsafe to use untrusted
# user input as Jinja template sources as arbitrary code execution
# is possible. This should be obvious, so unsurprisingly Jinja
# maintainers and various third-parties reject/dispute the CVE,
# including Red Hat in https://bugzilla.redhat.com/show_bug.cgi?id=1677653
#
reason: >-
Not exploitable: user input is not used in any Jinja template sources
continue-on-vulnerability-error: False
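Review bot: the `ignore-cvss-severity-below: 4` line changes more than the commit message describes: it silently suppresses every finding with a CVSS score under 4.0, not just the disputed jinja2 CVE, so the exemption for vulnerability 70612 is no longer the only thing this policy hides. Either set it to 0 so only the explicitly listed ID is ignored, or call the blanket threshold out in the commit message. Also consider adding an `expires: 'YYYY-MM-DD'` entry under `70612:` next to `reason:`, so the "not exploitable" judgement is re-checked on a schedule rather than left permanently in place if a later change does start rendering templates from user-controlled input.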