security: triage false positive for go-jose/v3 (#20901)

Per https://osv.dev/vulnerability/GO-2024-2631 this vulnerability is not present in the version currently used (go-jose/v3@3.0.3).
2024-03-26 17:27:50 -04:00 · 2024-03-26 17:27:50 -04:00 · cc959dcdf4
parent d7f25631ce
commit cc959dcdf4
2 changed files with 22 additions and 0 deletions
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@ -67,4 +67,15 @@ binary {
 			]
 		}
 	}
+
+	# Triage items that are _safe_ to ignore here. Note that this list should be
+	# periodically cleaned up to remove items that are no longer found by the scanner.
+	triage {
+		suppress {
+			# N.b. `vulnerabilites` is the correct spelling for this tool.
+			vulnerabilites = [
+				"GO-2024-2631", # go-jose/v3@v3.0.3 (false positive)
+			]
+		}
+	}
 }
--- a/scan.hcl
+++ b/scan.hcl
@ -22,4 +22,15 @@ repository {
  secrets {
    all = true
  }
+
+  # Triage items that are _safe_ to ignore here. Note that this list should be
+  # periodically cleaned up to remove items that are no longer found by the scanner.
+  triage {
+    suppress {
+      # N.b. `vulnerabilites` is the correct spelling for this tool.
+      vulnerabilites = [
+        "GO-2024-2631", # go-jose/v3@v3.0.3 (false positive)
+      ]
+    }
+  }
 }