spiff-arena/spiffworkflow-backend/.snyk

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
  # in case snyk wants werkzeug v3, in the future:
  # we cannot upgrade werkzeug because it breaks connexion
  # and we can't upgrade connexion because it downgrades werkzeug.
  # this means we cannot satisfy the snyk requiement to upgrade werkzeug to v3.
  # we have a ticket to workaround it:
  #   https://github.com/sartography/spiff-arena/issues/592
  # SNYK-PYTHON-CRYPTOGRAPHY-6050294:
  #   - '*':
  #       reason: No current resolution
  #       expires: 2024-12-15T19:52:08.948Z
  #       created: 2023-11-15T19:52:08.954Z
  SNYK-PYTHON-GUNICORN-6615672:
    - '*':
        reason: No current resolution
        expires: 2024-05-16T14:21:10.348Z
        created: 2024-04-16T14:21:10.357Z
  SNYK-PYTHON-CRYPTOGRAPHY-6592767:
    - '*':
        reason: No current resolution
        expires: 2024-05-16T14:21:30.321Z
        created: 2024-04-16T14:21:30.331Z
  SNYK-PYTHON-FLASKCORS-6670412:
    - '*':
        reason: no fix available
        expires: 2024-11-01T00:00:00.000Z
        created: 2024-05-02T17:22:47.098Z

patch: {}

# when running snyk ignore to ignore issues with "snyk code test"
# make sure to EXCLUDE the id option. Otherwise a bad file is created.
#
# Works:
#   snyk ignore --file-path=src/spiffworkflow_backend/routes/debug_controller.py
#
# Des not work:
#   snyk ignore --file-path=src/spiffworkflow_backend/routes/debug_controller.py --id=whatever
#
# a single vulnerability cannot be ignored for "snyk code test". Only whole files can be ingored.
exclude:
  global:
    - src/spiffworkflow_backend/routes/debug_controller.py
ignore issue for which ticket has been filed 2023-05-03 14:49:32 +00:00			`# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.`
			`version: v1.25.0`
			`# ignores vulnerabilities until expiry date; change duration by modifying expiry date`
upgraded cryptography to satisfy snyk and added ignore for werkzeug issue since we cannot do anything about it now w/ burnettk 2023-10-26 15:28:37 +00:00			`ignore:`
reset to page 1 when status changes to fix #765 (#769) * reset to page 1 when status changes to fix #765 w/ jasquat * upgrade connexion and werkzeug to fix snyk w/ jasquat * fix all security issues like a boss w/ jasquat * whoops, still no resolution for cryptography w/ jasquat --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-28 16:58:54 +00:00			`# in case snyk wants werkzeug v3, in the future:`
upgraded cryptography to satisfy snyk and added ignore for werkzeug issue since we cannot do anything about it now w/ burnettk 2023-10-26 15:28:37 +00:00			`# we cannot upgrade werkzeug because it breaks connexion`
			`# and we can't upgrade connexion because it downgrades werkzeug.`
			`# this means we cannot satisfy the snyk requiement to upgrade werkzeug to v3.`
ignore this for a month and hope that we get a resolution on the internet during this time 2023-11-15 19:54:03 +00:00			`# we have a ticket to workaround it:`
upgraded cryptography to satisfy snyk and added ignore for werkzeug issue since we cannot do anything about it now w/ burnettk 2023-10-26 15:28:37 +00:00			`# https://github.com/sartography/spiff-arena/issues/592`
update cryptography 2024-02-01 19:02:49 +00:00			`# SNYK-PYTHON-CRYPTOGRAPHY-6050294:`
			`# - '*':`
			`# reason: No current resolution`
			`# expires: 2024-12-15T19:52:08.948Z`
			`# created: 2023-11-15T19:52:08.954Z`
fixed and ignored unfixable synk issues 2024-04-16 14:22:57 +00:00			`SNYK-PYTHON-GUNICORN-6615672:`
			`- '*':`
			`reason: No current resolution`
			`expires: 2024-05-16T14:21:10.348Z`
			`created: 2024-04-16T14:21:10.357Z`
			`SNYK-PYTHON-CRYPTOGRAPHY-6592767:`
			`- '*':`
			`reason: No current resolution`
			`expires: 2024-05-16T14:21:30.321Z`
			`created: 2024-04-16T14:21:30.331Z`
ignore flask cors issue with no fix 2024-05-02 17:24:37 +00:00			`SNYK-PYTHON-FLASKCORS-6670412:`
			`- '*':`
			`reason: no fix available`
			`expires: 2024-11-01T00:00:00.000Z`
			`created: 2024-05-02T17:22:47.098Z`
ignore this for a month and hope that we get a resolution on the internet during this time 2023-11-15 19:54:03 +00:00
ignore issue for which ticket has been filed 2023-05-03 14:49:32 +00:00			`patch: {}`
Feature/docker CVE issues (#558) * updated Dockerfile to try to remove security vulnerabilities w/ burnettk * we require curl for health checks w/ burnettk * try to scan docker image in ci * use Dockerfile from backend w/ burnettk * continue-on-error w/ burnettk * attempt to elevate permissions of snyk w/ burnettk * added snyk security github workflow w/ burnettk * fixed location of constraints w/ burnettk * add in or true for snyk tests w/ burnettk * sent the snyk token w/ burnettk * specify the directory for the sarif file w/ burnettk * updated spiffworkflow-connector-command for snyk issue w/ burnettk * updated sql statements sanitize input * ignore issues for debug_controller and check frontend with snyk w/ burnettk * updated babel and electron for snyk w/ burnettk * some more updates to fix vulnerabilities w/ burnettk * prune repeated deps for frontend builds since * uncomment ci code so it runs again and use node for frontend base image w/ burnettk * fixed backend image name w/ burnettk * pyl w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-10-19 18:22:52 +00:00
			`# when running snyk ignore to ignore issues with "snyk code test"`
			`# make sure to EXCLUDE the id option. Otherwise a bad file is created.`
			`#`
			`# Works:`
			`# snyk ignore --file-path=src/spiffworkflow_backend/routes/debug_controller.py`
			`#`
			`# Des not work:`
			`# snyk ignore --file-path=src/spiffworkflow_backend/routes/debug_controller.py --id=whatever`
			`#`
			`# a single vulnerability cannot be ignored for "snyk code test". Only whole files can be ingored.`
			`exclude:`
			`global:`
			`- src/spiffworkflow_backend/routes/debug_controller.py`