.safety-policy.yml

security:
  ignore-cvss-severity-below: 4
  ignore-cvss-unknown-severity: False
  ignore-vulnerabilities:
    65213:
      # CVE-2023-6129, pyopenssl>=22.0.0,
      # POLY1305 MAC issue on PowerPC CPUs
      reason: >-
        Vulnerability is specific to PPC architecture, which is not
        used or relevant for this service.
      expires: "2025-04-04"
    67599:
      # CVE-2018-20225, pip:
      #
      # ** DISPUTED ** An issue was discovered in pip (all versions) because
      # it installs the version with the highest version number, even if the
      # user had intended to obtain a private package from a private index.
      # This only affects use of the --extra-index-url option, and
      # exploitation requires that the package does not already exist in the
      # public index (and thus the attacker can put the package there with
      # an arbitrary version number). NOTE: it has been reported that this
      # is intended functionality and the user is responsible for using
      # --extra-index-url securely.
      #
      reason: >-
        Not exploitable: all dependencies exist on the public index.
    70612:
      # CVE-2019-8341, jinja2:
      #
      # In summary, the CVE says that it is unsafe to use untrusted
      # user input as Jinja template sources as arbitrary code execution
      # is possible. This should be obvious, so unsurprisingly Jinja
      # maintainers and various third-parties reject/dispute the CVE,
      # including Red Hat in https://bugzilla.redhat.com/show_bug.cgi?id=1677653
      #
      reason: >-
        Not exploitable: user input is not used in any Jinja template sources
  continue-on-vulnerability-error: False