-
Notifications
You must be signed in to change notification settings - Fork 201
/
Copy path.bundler-audit.yml
35 lines (31 loc) · 1.43 KB
/
.bundler-audit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# Configure bundle-audit
# Identify dependencies that have CVE entries but
# are not exploitable vulnerabilities in our application.
ignore:
# Ignore these vulnerabilities in jquery-ui-rails.
# This client-side JavaScript library
# never receives untrusted data. Also, we never use position(), and
# thus we never use its "of" parameter that's vulnerable to XSS, and we don't
# use DatePicker.
- CVE-2021-41182
- CVE-2021-41183
- CVE-2021-41184
- CVE-2022-31160
# A vulnerability has been identified in Bootstrap that exposes users
# to Cross-Site Scripting (XSS) attacks. The issue is present in the
# carousel component, where the data-slide and data-slide-to attributes
# can be exploited through the href attribute of an tag due to inadequate
# sanitization.
# However, we never use the carousel component, and we strictly restrict
# the HTML text the user is allowed to insert, so it's not exploitable
# in our use. More information:
# https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
# https://nvd.nist.gov/vuln/detail/CVE-2024-6484
- CVE-2024-6484
# At one time we ignored CVE-2015-9284 (omniauth), because we mitigated this with a
# third-party countermeasure (omniauth-rails_csrf_protection) in:
# https://github.com/coreinfrastructure/best-practices-badge/pull/1298
# This is no longer necessary, so we removed that.
# vuln in the carousel component of bootstrap
# component not used
- CVE-2024-6484