.grype.yaml
# Grype configuration for vulnerability scanning
# See: https://github.com/anchore/grype#configuration
ignore:
  # GHSA-7h2j-956f-4vf2: @isaacs/brace-expansion DoS vulnerability
  # Disclosed: 2026-02-03, fix available in brace-expansion@5.0.1
  # npm CLI hasn't released a patched version yet (latest is 11.8.0)
  # Risk: DoS only (not RCE), requires untrusted input to brace expansion
  # Toolkit exposure: Low - not processing arbitrary user input
  # Tracking: https://github.com/npm/cli/issues/8958
  # TODO: Remove this ignore once npm releases a version with the fix
  - vulnerability: GHSA-7h2j-956f-4vf2
  # wasmtime 35.0.0 critical vulnerability (transitive via polkadot-sdk polkadot-stable2509)
  # sc-executor-wasmtime pins wasmtime; cannot be bumped without upgrading polkadot-sdk
  # After checking the advisory description: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w
  # > This vulnerability has a few ingredients, all of which must be met, for this situation to occur and bypass the sandbox restrictions:
  # > This miscompiled shape of load only occurs on 64-bit WebAssembly linear memories, or when Config::wasm_memory64 is enabled. 32-bit WebAssembly is not affected.
  # > Spectre mitigations or signals-based-traps must be disabled. When spectre mitigations are enabled then the offending shape of load is not generated. When signals-based-traps are disabled then spectre mitigations are also automatically disabled.
  #
  # I've confirmed that this does not affect the node/polkadot-sdk
  # - We're using wasm 32-bit memory, not 64
  # - No spectre config — Spectre mitigations stay at the default (enabled)
  # - No signals_based_traps config — stays at default (enabled)
  # TODO: Remove this ignore after upgrading to a polkadot-sdk version using wasmtime >= 36.0.7
  - vulnerability: GHSA-jhxm-h53p-jm7w # Critical: wasmtime 35.0.0, fixed in 36.0.7
  # wasmtime 35.0.0 critical vulnerability
  # Only applies when using the non-default Winch compiler - we use cranelift
  # More info: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83
  # TODO: Remove this ignore after upgrading to a polkadot-sdk version using wasmtime >= 36.0.7
  - vulnerability: GHSA-xx5w-cvp6-jv83 # Critical: wasmtime 35.0.0, fixed in 36.0.7
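Each ignore above carries a "TODO: remove after upgrading" note that depends on someone remembering to revisit the file. The following script is an added example, not part of this repository, that turns those notes into a CI check: it reads a `grype -o json --show-suppressed` report and flags any configured ignore that no longer suppresses a finding, which is the signal that the upgrade landed and the risk acceptance should be retired. It assumes the report shape grype emits for suppressed matches (`ignoredMatches` entries with `appliedIgnoreRules`); the report below is constructed, not real scanner output.

```python
"""Flag .grype.yaml ignore rules that no longer suppress any finding."""
import json

# The three rules declared in .grype.yaml, hard-coded here so the script has no
# third-party YAML dependency.
IGNORE_RULES = [
    "GHSA-7h2j-956f-4vf2",
    "GHSA-jhxm-h53p-jm7w",
    "GHSA-xx5w-cvp6-jv83",
]

# Constructed grype JSON report (assumed shape: suppressed findings appear under
# `ignoredMatches`, each listing the rule that hit it under `appliedIgnoreRules`).
# In this scenario wasmtime has already been upgraded, so only the npm advisory
# is still being suppressed; the two wasmtime rules have become stale.
SAMPLE_REPORT = json.dumps({
    "matches": [],
    "ignoredMatches": [
        {
            "vulnerability": {"id": "GHSA-7h2j-956f-4vf2"},
            "artifact": {"name": "@isaacs/brace-expansion", "version": "5.0.0"},
            "appliedIgnoreRules": [{"vulnerability": "GHSA-7h2j-956f-4vf2"}],
        }
    ],
})


def applied_rule_ids(report_json):
    """Return the set of vulnerability ids whose ignore rule suppressed a match."""
    report = json.loads(report_json)
    applied = set()
    for match in report.get("ignoredMatches", []):
        for rule in match.get("appliedIgnoreRules", []):
            if "vulnerability" in rule:
                applied.add(rule["vulnerability"])
    return applied


def stale_rules(rules, report_json):
    """Configured ignores that suppressed nothing: candidates for removal."""
    return sorted(set(rules) - applied_rule_ids(report_json))


if __name__ == "__main__":
    stale = stale_rules(IGNORE_RULES, SAMPLE_REPORT)
    for vuln_id in stale:
        print(f"stale ignore: {vuln_id} matches no finding; remove it from .grype.yaml")
    raise SystemExit(1 if stale else 0)
```

In a pipeline, replace `SAMPLE_REPORT` with the JSON from a real `grype ... -o json --show-suppressed` run; a non-zero exit then blocks merges until the stale ignore is deleted.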