cvescan: Exclude fails by version #18731
Conversation
Signed-off-by: Ryan Northey <[email protected]>
Switch away from deprecated
grrr coverage.... I'll kick
I'm tempted to think that the Node.js bug is not related to the HTTP parser, and can probably be added to the exclude list
tools/dependency/cve_scan.py
@@ -80,6 +80,15 @@ | |||
# Tracking issue to fix versioning: | |||
# https://github.com/envoyproxy/envoy/issues/18354 | |||
'CVE-2021-38153', | |||
# Excluded by version |
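Review bot: The new section header `# Excluded by version` on its own does not say why these entries are excluded, unlike the preceding `CVE-2021-38153` entry, which carries a reason and a tracking-issue link. Suggest expanding it along the lines of "# False positives: cvescan cannot accurately compute the version of this dependency" and, since the preceding exclusion was added for the same reason, folding it into this block under one comment so the file does not carry two near-duplicate explanations.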
Can you leave a slightly more verbose message, i.e. "These are false positives triggered by the inability of cvescan to accurately compute version" or something like that? Thanks. Otherwise LGTM.
Yep, I have improved the message, and merged the immediately preceding exclusion, which was added for the same reason and had a ~duplicating message.
Signed-off-by: Ryan Northey <[email protected]>
@htuch shall I add the Node.js CVE (posted in PR comment) to the exclusions?
Reading https://bugzilla.redhat.com/show_bug.cgi?id=1988394, I think the Node.js issue is on their side, rather than nghttp2, so we should allowlist that one.
I'll add it in this PR now...
Signed-off-by: Ryan Northey <[email protected]>
Commit Message:
Additional Description:
This doesn't fix the CVE scanner, but does exclude some errors/warnings that have already been updated.
We still have this one here: https://dev.azure.com/cncf/envoy/_build/results?buildId=92610&view=logs&j=12f1170f-54f2-53f3-20dd-22fc7dff55f9&t=9c939e41-62c2-5605-5e05-fc3554afc9f5&l=116
IIRC the proposed solution to that one is to replace the parser altogether.
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]