Update Snyk exclusions 2025-01 #889

Merged
merged 4 commits into from
Jan 28, 2025
5 changes: 0 additions & 5 deletions connect/.snyk
Expand Up @@ -2,9 +2,4 @@
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-GOLANG-GITHUBCOMJACKCPGXV4-7416900:
- '*':
reason: 'Reported upstream in https://github.com/rstudio/connect/issues/27482'
expires: 2024-07-31T00:00:00.000Z
created: 2024-07-03T13:49:12.040Z
patch: {}
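Review bot: after this removal the `ignore:` key in connect/.snyk has no entries, so it parses as a null value while the next line uses an explicit empty map (`patch: {}`). Writing `ignore: {}` would keep the two keys consistent and make it obvious the list is intentionally empty. The dropped exclusion had expired on 2024-07-31, so it is also worth recording in the PR whether the pgx finding is resolved in the image or will now surface in scans.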
20 changes: 14 additions & 6 deletions package-manager/.snyk
Expand Up @@ -2,11 +2,19 @@
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-GOLANG-GITHUBCOMJACKCPGXV4-7416900:
SNYK-GOLANG-GOLANGORGXNETHTML-8535262:
- '*':
reason: >-
Reported upstream in
https://github.com/rstudio/package-manager/issues/13981
expires: 2024-10-01T00:00:00.000Z
created: 2024-07-03T14:03:16.019Z
reason: Patch will be ingested in next release
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:05:55.359Z
SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBING-8602520:
- '*':
reason: Patch will be ingested in next release
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:08:04.773Z
SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611:
- '*':
reason: Patch will be ingested in next release
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:08:19.247Z
patch: {}
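Review bot: the three new entries all give the reason `Patch will be ingested in next release` with no upstream issue link or target version, whereas the entry they replace pointed at a specific upstream issue. Naming the release (or linking the tracking issue) in each `reason` would let whoever revisits these at the 2025-03-31 expiry confirm the fix landed instead of simply extending the date.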
21 changes: 10 additions & 11 deletions r-session-complete/.snyk
Expand Up @@ -2,19 +2,18 @@
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
SNYK-JS-SEMVER-3247795:
- '*':
reason: >-
Reported upstream in
https://github.com/rstudio/rstudio-pro/issues/6529
expires: 2024-08-31T00:00:00.000Z
created: 2024-07-02T20:33:30.847Z
SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
Awaiting upstream patch in jupyterlab, but exploit should not be
reachable.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:42:36.788Z
SNYK-JS-WS-7266574:
- '*':
reason: >-
Confirmed fixed upstream in
https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
ingested in Workbench 2024.08.0 (expected within 1 week).
expires: 2024-08-07T00:00:00.000Z
created: 2024-07-31T17:46:24.852Z
Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
package component affected.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:58:55.561Z
patch: {}
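Review bot: the `reason` for SNYK-JS-SEMVER-3247795 says the exploit `should not be reachable`, which is a hedge without a stated basis. Add a sentence on why (which jupyterlab usage was checked) or link the upstream jupyterlab issue being awaited, so the exception can be re-evaluated at expiry.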
26 changes: 10 additions & 16 deletions workbench-for-google-cloud-workstations/.snyk
Expand Up @@ -2,24 +2,18 @@
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
SNYK-JS-SEMVER-3247795:
- '*':
reason: >-
Reported upstream in
https://github.com/rstudio/rstudio-pro/issues/6529
expires: 2024-08-31T00:00:00.000Z
created: 2024-07-02T20:33:30.847Z
SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
Awaiting upstream patch in jupyterlab, but exploit should not be
reachable.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:42:36.788Z
SNYK-JS-WS-7266574:
- '*':
reason: >-
Confirmed fixed upstream in
https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
ingested in Workbench 2024.08.0 (expected within 1 week).
expires: 2024-08-07T00:00:00.000Z
created: 2024-07-31T17:46:24.852Z
SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285:
- '*':
reason: Vulnerability in Google Cloud SDK.
expires: 2024-09-01T00:00:00.000Z
created: 2024-07-31T19:45:25.728Z
Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
package component affected.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:58:55.561Z
patch: {}
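Review bot: the SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285 ignore (reason `Vulnerability in Google Cloud SDK.`) is dropped here with no replacement, and nothing in the hunk says the SDK in this image now carries the fix. Please confirm the finding no longer appears for this image; if it does, it needs a renewed, dated exclusion like the two jupyterlab ones.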
12 changes: 12 additions & 0 deletions workbench-session-init/.snyk
@@ -0,0 +1,12 @@
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-JS-BODYPARSER-7926860:
- '*':
reason: >-
Patched upstream in Positron by upgrading express to 4.19.2. Will be
ingested next Workbench release.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T02:04:47.267Z
patch: {}
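Review bot: the ignored ID is a body-parser finding, but the `reason` justifies it with an express version (`upgrading express to 4.19.2`). State the body-parser version that express release pulls in, so the fix can be checked against the advisory, and name the Workbench release instead of `next Workbench release`.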
19 changes: 19 additions & 0 deletions workbench-session/.snyk
@@ -0,0 +1,19 @@
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-JS-SEMVER-3247795:
- '*':
reason: >-
Awaiting upstream patch in jupyterlab, but exploit should not be
reachable.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:42:36.788Z
SNYK-JS-WS-7266574:
- '*':
reason: >-
Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
package component affected.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:58:55.561Z
patch: {}
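Review bot: both entries in this new file use the `'*'` path, which suppresses the finding on every dependency path, while both reasons are specific to jupyterlab. If semver or ws is also pulled in by another package in this image, that path is silenced too; scoping the path to the jupyterlab dependency chain would keep the exclusion as narrow as its justification.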
21 changes: 10 additions & 11 deletions workbench/.snyk
Expand Up @@ -2,19 +2,18 @@
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
SNYK-JS-SEMVER-3247795:
- '*':
reason: >-
Reported upstream in
https://github.com/rstudio/rstudio-pro/issues/6529
expires: 2024-08-31T00:00:00.000Z
created: 2024-07-02T20:33:30.847Z
SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
Awaiting upstream patch in jupyterlab, but exploit should not be
reachable.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:42:36.788Z
SNYK-JS-WS-7266574:
- '*':
reason: >-
Confirmed fixed upstream in
https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
ingested in Workbench 2024.08.0 (expected within 1 week).
expires: 2024-08-07T00:00:00.000Z
created: 2024-07-31T17:46:24.852Z
Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
package component affected.
expires: 2025-03-31T00:00:00.000Z
created: 2025-01-24T01:58:55.561Z
patch: {}
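Review bot: the SNYK-JS-WS-7266574 `reason` says Jupyterlab is not using `the package component affected` but does not say which component that is, and the product name is cased differently from the semver entry (`jupyterlab` vs `Jupyterlab`). Naming the affected ws feature makes the claim checkable. The same two entries, with identical `created` timestamps, are also repeated in three other .snyk files in this PR, so any wording change should be applied to all of them.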