From 70cdb2eb9666088c1313ac0d61836dcd3959199d Mon Sep 17 00:00:00 2001 From: Oskar Date: Thu, 15 Aug 2024 16:55:15 +0200 Subject: [PATCH] Suppress elliptic CVEs --- gui/osv-scanner.toml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/gui/osv-scanner.toml b/gui/osv-scanner.toml index cef97fe2d879..968158fa7c1c 100644 --- a/gui/osv-scanner.toml +++ b/gui/osv-scanner.toml @@ -24,3 +24,21 @@ reason = "This project does not use PostCSS to parse untrusted CSS" id = "CVE-2024-4068" # GHSA-grv7-fg5c-xmjg ignoreUntil = 2024-09-05 reason = "This package is only used to match paths from either us or trusted libraries" + +# elliptic: Elliptic allows BER-encoded signatures +[[IgnoredVulns]] +id = "CVE-2024-42461" # GHSA-49q7-c7j4-3p7m +ignoreUntil = 2024-10-15 +reason = "We don't utilize the signing features in browserify" + +# elliptic: Elliptic's ECDSA missing check for whether leading bit of r and s is zero +[[IgnoredVulns]] +id = "CVE-2024-42460" # GHSA-977x-g7h5-7qgw +ignoreUntil = 2024-10-15 +reason = "We don't utilize the signing features in browserify" + +# elliptic: Elliptic's EDDSA missing signature length check +[[IgnoredVulns]] +id = "CVE-2024-42459" # GHSA-f7q4-pwc6-w24p +ignoreUntil = 2024-10-15 +reason = "We don't utilize the signing features in browserify"