-
Notifications
You must be signed in to change notification settings - Fork 4.7k
/
.trivyignore
28 lines (27 loc) · 999 Bytes
/
.trivyignore
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# TensorFlow 2.3.3 vulnerabilities
#
# Vulnerabilities are fixed in 2.4, but we can not upgrade; it contains
# breaking changes. We are targeting 2.5
#
# https://github.com/RasaHQ/rasa/issues/7619
#
# tensorflow 2.3.3: Segfault in tf.quantization.quantize_and_dequantize
CVE-2020-15265
# tensorflow 2.3.3: Float cast overflow undefined behavior
CVE-2020-15266
# Python websockets 8.0.2
#
# The aaugustin websockets library before 9.1 for Python has an
# Observable Timing Discrepancy on servers when HTTP Basic Authentication
# is enabled with basic_auth_protocol_factory(credentials=...).
# An attacker may be able to guess a password via a timing attack.
#
# We need to update websockets to version 9.1 to fix CVE-2021-33880 when
# we drop support for Python 3.6.
#
# We can't do this right now because websockets 9.1 requires sanic >= 21
# which requires dropping support for python 3.6.
#
# https://github.com/RasaHQ/rasa/issues/9167
# https://github.com/RasaHQ/rasa/issues/9315
CVE-2021-33880