forked from OWASP/threat-dragon
.trivyignore
# ignoring these vulnerabilities in zlib,
# no updated zlib package is available to us, so these are unlikely to be fixed by a rebuild
CVE-2018-25032
CVE-2022-37434
# https://avd.aquasec.com/nvd/2022/cve-2022-24999/
# qs before 6.10.3, as used in Express before 4.17.3 and other products,
# allows attackers to cause a Node process hang for an Express application
# The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3,
# and 6.2.4, so Express 4.17.3 (whose release notes list deps: qs@6.9.7)
# is not vulnerable.
CVE-2022-24999
# https://avd.aquasec.com/nvd/cve-2022-25881
# http-cache-semantics prior to 4.1.1
# vulnerable to Regular Expression Denial of Service
# by inspection, this vulnerability is not exploitable here
CVE-2022-25881
# https://avd.aquasec.com/nvd/cve-2023-28155
# request version prior to 2.88.2
# this vulnerability is for the build system, not run time, so ignore
CVE-2023-28155
# https://avd.aquasec.com/nvd/cve-2022-25883
# semver prior to version 7.5.2 vulnerable to Regular Expression DoS
# not applicable to Threat Dragon
CVE-2022-25883
# https://avd.aquasec.com/nvd/cve-2023-26136
# tough-cookie prior to version 4.1.3 has prototype pollution in cookie memstore
# not applicable to Threat Dragon as no cookies used
CVE-2023-26136
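A file like this is a list of accepted risks, and accepted risks rot: the justification above an entry stops being true when the code changes, and nobody revisits it. Trivy's `.trivyignore` format lets an entry carry an expiry (`CVE-2022-25881 exp:2024-06-30`), after which the finding is reported again. The linter below is an added example, not part of Threat Dragon or of Trivy; it parses the file format (comments, blank lines, one id per line with an optional `exp:` suffix), requires a justification comment directly above every entry (this script's own policy, not a Trivy rule), and reports expired, duplicated and malformed entries. The id regex covering CVE and GHSA shapes and the sample input, built from a few of the entries above plus a deliberately bad tail, are constructed for the example.

```python
"""Lint a Trivy .trivyignore file.

Added example, not code from OWASP Threat Dragon or Trivy. Entry syntax follows
the documented Trivy format: one vulnerability id per line, optionally followed
by `exp:YYYY-MM-DD`, with `#` comments. The rule that every entry needs a
justification comment directly above it is this script's own policy (assumption).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Id shapes we expect Trivy to emit (CVE and GHSA); extend if a scan reports
# other advisory ids. Assumption for this example.
ID_RE = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})$")
EXP_RE = re.compile(r"^exp:(\d{4}-\d{2}-\d{2})$")


@dataclass
class Entry:
    line_no: int
    vuln_id: str
    expires: Optional[date]
    justification: list[str] = field(default_factory=list)


@dataclass
class Report:
    entries: list[Entry] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)


def lint(text: str, today: Optional[str] = None) -> Report:
    """Parse `text` and return its entries plus policy violations.

    `today` is an ISO date used for expiry checks (defaults to the real date).
    """
    now = date.fromisoformat(today) if today else date.today()
    report = Report()
    pending: list[str] = []      # justification comment lines gathered so far
    prev_was_entry = False       # consecutive ids share one justification block
    seen: set[str] = set()

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            pending, prev_was_entry = [], False   # a blank line ends the block
            continue
        if line.startswith("#"):
            if prev_was_entry:
                pending = []                      # a new comment block begins
            pending.append(line.lstrip("#").strip())
            prev_was_entry = False
            continue

        vuln_id, *rest = line.split()
        if not ID_RE.match(vuln_id):
            report.problems.append(f"line {n}: unrecognised vulnerability id {vuln_id!r}")
        if vuln_id in seen:
            report.problems.append(f"line {n}: duplicate entry {vuln_id}")
        seen.add(vuln_id)

        expires: Optional[date] = None
        for tok in rest:
            m = EXP_RE.match(tok)
            if not m:
                report.problems.append(f"line {n}: unexpected token {tok!r} after {vuln_id}")
                continue
            try:
                expires = date.fromisoformat(m.group(1))
            except ValueError:
                report.problems.append(f"line {n}: bad expiry date {m.group(1)!r}")
        if expires is not None and expires < now:
            report.problems.append(
                f"line {n}: suppression of {vuln_id} expired on {expires.isoformat()}")
        if not pending:
            report.problems.append(f"line {n}: {vuln_id} has no justification comment above it")

        report.entries.append(Entry(n, vuln_id, expires, list(pending)))
        prev_was_entry = True
    return report


# Constructed sample: a few entries from the file above, then a blank-separated
# tail with an unjustified, duplicated and expired suppression.
SAMPLE_TRIVYIGNORE = """\
# ignoring these vulnerabilities in zlib,
# there are no updates to zlib and so these are unlikely to be fixed
CVE-2018-25032
CVE-2022-37434
# https://avd.aquasec.com/nvd/cve-2022-25881
# http-cache-semantics prior to 4.1.1: ReDoS, not reachable here
CVE-2022-25881 exp:2024-06-30

CVE-2022-25883
CVE-2018-25032 exp:2099-01-01
"""

if __name__ == "__main__":
    result = lint(SAMPLE_TRIVYIGNORE, today="2025-01-01")
    for problem in result.problems:
        print(problem)
    raise SystemExit(1 if result.problems else 0)
```

Run it in CI before `trivy fs --ignorefile .trivyignore .` so that a suppression cannot be added without a reason and cannot outlive the date someone committed to revisiting it. Consecutive ids under one comment are treated as sharing that justification, which matches how the zlib pair above is written.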