Merge branch 'clarify-osv-scanner-ignores-droid-1539'

mullvad · Nov 20, 2024 · 8e8c679 · 8e8c679
2 parents 746b94d + 6bbce69
commit 8e8c679
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml
@@ -2,21 +2,25 @@
 #
 # The OWASP Dependency-Check tool is also used for vulnerability scanning.
 
+# h2database: Cleartext Storage of Sensitive Information
 [[IgnoredVulns]]
 id = "CVE-2022-45868" # GHSA-22wj-vf5f-wrvj
 ignoreUntil = 2025-02-02
 reason = "Used by the dependency-check tool and not the app directly."
 
+# okio: Signed to Unsigned Conversion Error vulnerability
 [[IgnoredVulns]]
 id = "CVE-2023-3635" # GHSA-w33c-445m-f8w7
 ignoreUntil = 2025-02-02
 reason = "We do not use gzip when using okio."
 
+# netty: HttpPostRequestDecoder can OOM
 [[IgnoredVulns]]
 id = "CVE-2024-29025" # GHSA-5jpm-x58v-624v
 ignoreUntil = 2025-02-02
 reason = "We do not use netty for http communication."
 
+# netty: Vulnerable to HTTP/2 Rapid Reset Attack
 [[IgnoredVulns]]
 id = "CVE-2023-44487" # GHSA-xpw8-rcwv-8f8p
 ignoreUntil = 2025-02-02
@@ -28,46 +32,56 @@ id = "GHSA-xpw8-rcwv-8f8p"
 ignoreUntil = 2025-02-02
 reason = "No impact on this app since it uses UDS rather than HTTP2."
 
+# netty: SniHandler 16MB allocation
 [[IgnoredVulns]]
 id = "CVE-2023-34462" # GHSA-6mjq-h674-j845
 ignoreUntil = 2025-02-02
 reason = "We do not use netty for http communication."
 
+# apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
 [[IgnoredVulns]]
 id = "CVE-2024-26308" # GHSA-4265-ccf5-phj5
 ignoreUntil = 2025-02-02
 reason = "Apache commons compress is used by lint and not the app directly."
 
+# apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
 [[IgnoredVulns]]
 id = "CVE-2024-25710" # GHSA-4g9r-vxhx-9pgx
 ignoreUntil = 2025-02-02
 reason = "Apache commons compress is used by lint and not the app directly."
 
+# apache httpclient: Cross-site scripting
 [[IgnoredVulns]]
 id = "CVE-2020-13956" # GHSA-7r82-7xv7-xcpj
 ignoreUntil = 2025-02-02
 reason = "Apache http client is used by lint and not the app directly."
 
+# kotlin: Improper Locking
 [[IgnoredVulns]]
 id = "CVE-2022-24329" # GHSA-2qp4-g3q3-f92w
 ignoreUntil = 2025-02-02
 reason = "This CVE only affect Multiplatform Gradle Projects, which this project is not."
 
+# protobuf-java: Has potential Denial of Service issue
 [[IgnoredVulns]]
 id = "CVE-2024-7254" # GHSA-735f-pc8j-v9w8
 ignoreUntil = 2025-02-02
 reason = "Should not be applicable since client and server are always in sync and we are only communicating locally over UDS."
 
+# apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader
 [[IgnoredVulns]]
 id = "CVE-2024-47554" # GHSA-78wr-2p64-hpwj
 ignoreUntil = 2025-02-02
 reason = "No impact since the app doesn't process externally crafted XML."
 
+# netty: Denial of Service attack on windows app
 [[IgnoredVulns]]
 id = "CVE-2024-47535" # GHSA-xq3w-v528-46rv
 ignoreUntil = 2025-02-13
 reason = "Only impacting Windows."
 
+# Several vulns related to bouncy castle that is only being used by the dependency check tool.
+# These are not used directly in the app.
 [[PackageOverrides]]
 name = "org.bouncycastle:bcprov-jdk15on"
 ecosystem = "Maven"