coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
99c488d4d540c7fea3500b864199683a0437a356
gatehouse-api/.trivyignore
T
sangnn 99c488d4d5
Push -> develop / Build Docker images (push) Successful in 1m10s
Details
Push -> develop / Deploy (push) Successful in 21s
Details
Push -> develop / Notify on result (push) Successful in 0s
Details
security: upgrade some package versions
2026-06-23 03:24:12 +00:00

21 lines
1.1 KiB
Plaintext
Raw Blame History

# Accepted vulnerabilities — reviewed, justified, and tracked.
# Format: one CVE/GHSA ID per line. Re-evaluate each at the review date below.
#
# ---------------------------------------------------------------------------
# cryptography is pinned to 43.0.3 because sshkey-tools 0.11.3 (SSH CA cert
# signing) requires cryptography <44. The two findings below are only fixed in
# cryptography >=44/48, which we cannot adopt until sshkey-tools relaxes its pin.
#
# Reviewed: 2026-06-23 | Next review: 2026-09-23
# Action to remove: bump sshkey-tools to a release allowing cryptography>=48,
# then set cryptography>=48.0.1 and delete these lines.
# ---------------------------------------------------------------------------
# SECT (binary-field) curve subgroup attack. Not reachable: Gatehouse uses only
# RSA / NIST P-256 / Ed25519 (JWT, x509, SSH CA). No SECT curves anywhere.
CVE-2026-26007
# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
GHSA-537c-gmf6-5ccf
Reference in New Issue View Git Blame Copy Permalink