fix: ignore overstated CVE-2024-11053

CVE-2024-11053 https://curl.se/docs/CVE-2024-11053.html (severity Low) was published on Dec 11, 2024 and began failing CI builds on open-core on Dec 13, 2024 when it appeared in `grype` as a critical vulnerability. Add a `.grype.yaml` file to ignore this CVE as apparently overstated by grype.
Unstructured-IO · Dec 16, 2024 · 19cb487 · 19cb487
1 parent 3b718ec
commit 19cb487
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -398,3 +398,4 @@ jobs:
           image: "unstructured:dev"
           severity-cutoff: critical
           only-fixed: true
+          output-format: table
diff --git a/.grype.yaml b/.grype.yaml
@@ -0,0 +1,2 @@
+ignore:
+  - vulnerability: CVE-2024-11053
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,4 @@
-## 0.16.12-dev0
+## 0.16.12-dev1
 
 ### Enhancements
 
@@ -8,6 +8,9 @@
 
 ### Fixes
 
+- **Adjust severity of CVE-2024-11053.** The severity of CVE-2024-11053 has apparently been
+  overstated as critical in `grype` where it is stated as low in the CVE itself, ignoring for now.
+
 ## 0.16.11
 
 ### Enhancements

diff --git a/unstructured/__version__.py b/unstructured/__version__.py
@@ -1 +1 @@
-__version__ = "0.16.12-dev0"  # pragma: no cover
+__version__ = "0.16.12-dev1"  # pragma: no cover
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		__version__ = "0.16.12-dev0" # pragma: no cover
		__version__ = "0.16.12-dev1" # pragma: no cover