VAULT-35615 security(scanner): suppress CVE-2025-46394 (#30350)

An upstream CVE in busybox is tripping the security scanner:
https://github.com/hashicorp/crt-workflows-common/actions/runs/14623987904/job/41031896870#step:9:16

Since the fix requires a new Alpine release, we can't do much except
suppress it until a release ships with BusyBox >= 1.38.

We’re already rolling on the latest Alpine 3 so we ought to get the fix
as soon as it’s released and available, but this will unbreak the
pipeline until then.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Ryan Cragun 2025-04-23 13:43:33 -06:00 committed by GitHub
parent 87c08a0af3
commit 9859b06401
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 32 additions and 32 deletions


@ -1,27 +1,25 @@
# Copyright (c) HashiCorp, Inc. # Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1 # SPDX-License-Identifier: BUSL-1.1
container {
dependencies = true
alpine_secdb = true
secrets = true
}
binary { binary {
secrets = false secrets = false
go_modules = true go_modules = false
go_stdlib = true osv = true
osv = true oss_index = true
oss_index = true nvd = false
nvd = false }
# Triage items that are _safe_ to ignore here. Note that this list should be container {
# periodically cleaned up to remove items that are no longer found by the scanner. dependencies = true
triage { alpine_security = true
suppress { secrets = true
vulnerabilities = [
"GO-2022-0635", // github.com/aws/aws-sdk-go@v1.55.5 triage {
] suppress {
} vulnerabilities = [
} "CVE-2025-46394", // We can't do anything about this until a new Alpine container with busybox 1.38 is available.
"GO-2022-0635", // github.com/aws/aws-sdk-go@v1.x
]
}
}
} }
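Review bot: The new `binary` block sets `go_modules = false` and drops `go_stdlib` altogether, which narrows what the binary scan covers, while the description only mentions the CVE suppression. If those settings went away because the scanner's config schema changed (the `alpine_secdb` → `alpine_security` rename suggests an update), a one-line comment saying so would stop the next reader from restoring them; otherwise they look worth keeping. The suppression entry also has no expiry or owner; I would extend its comment to name the trigger and the ticket, e.g. `"CVE-2025-46394", // busybox; remove once the Alpine base image ships busybox >= 1.38 (VAULT-35615)`. As far as the rendered diff shows, the old side's reminder that the triage list should be periodically cleaned up is not carried over to the new `triage` block; it is worth keeping above `suppress {`.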


@ -3,18 +3,20 @@
repository { repository {
go_modules = true go_modules = true
osv = true osv = true
secrets {
all = true
}
dependabot { dependabot {
required = true required = true
check_config = true check_config = true
} }
plugin "codeql" {
languages = ["go"]
}
plugin "semgrep" { plugin "semgrep" {
use_git_ignore = true use_git_ignore = true
exclude = ["vendor"] exclude = ["vendor"]
config = [ config = [
"tools/semgrep/ci", "tools/semgrep/ci",
"p/r2c-security-audit", "p/r2c-security-audit",
@ -24,8 +26,8 @@ repository {
] ]
exclude_rule = ["generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var"] exclude_rule = ["generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var"]
} }
plugin "codeql" { secrets {
languages = ["go"] all = true
} }
} }