This repository was archived by the owner on Mar 19, 2024. It is now read-only.

Disable NVD scanning temporarily#213

Merged
nathancoleman merged 1 commit into main from disable-nvd-scan on Jun 8, 2022

Conversation

@nathancoleman nathancoleman commented Jun 8, 2022

CVE-2020-29509 and CVE-2020-29511 do not currently have a fix available and are used only in test code.

```
$ go mod why encoding/xml
# encoding/xml
github.com/hashicorp/consul-api-gateway/internal/testing
math/big
math/big.test
encoding/xml
```

The long-term plan is an allow-list to ignore particular CVEs that don't have a functional impact on the product that we're shipping; however, that allow list doesn't currently exist. ProdSec has an outstanding issue for addressing this.

At the recommendation of ProdSec, I'm disabling NVD scanning on our binary similar to other repos that have encountered the same issue. There will be follow-up work to set this back to true once the long-term solution is in place.

Changes proposed in this PR:

Set nvd=false in our release scanning config

How I've tested this PR:

Discussed change with ProdSec and mirrored other repos having the same issues

How I expect reviewers to test this PR:

Check into the links above to verify my paper trail

Checklist:

  • Tests added
  • CHANGELOG entry added

    Run make changelog-entry for guidance in authoring a changelog entry, and
    commit the resulting file, which should have a name matching your PR number.
    Entries should use imperative present tense (e.g. Add support for...)
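The `go mod why` chain quoted above is the evidence that encoding/xml is only reached through a test binary (`math/big.test`). The following is an added example, not code from this PR or the consul-api-gateway project: it parses `go mod why` output and flags packages whose shortest import path passes through a test binary, which is the kind of triage a per-CVE allow-list would want to record. The second and third packages in the sample input are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod why` output. The encoding/xml chain is the
// one quoted in the PR; the other two packages are invented for illustration.
const sampleWhy = `# encoding/xml
github.com/hashicorp/consul-api-gateway/internal/testing
math/big
math/big.test
encoding/xml
# golang.org/x/net/html
github.com/example/app/server
golang.org/x/net/html
# example.com/unused
(main module does not need package example.com/unused)
`

// ParseWhy maps each "# pkg" header to the import chain printed beneath it.
// An empty chain means the main module does not need the package at all.
func ParseWhy(out string) map[string][]string {
	chains := map[string][]string{}
	var cur string
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case strings.HasPrefix(line, "# "):
			cur = strings.TrimPrefix(line, "# ")
			chains[cur] = nil
		case strings.HasPrefix(line, "("): // "(main module does not need package ...)"
		default:
			chains[cur] = append(chains[cur], line)
		}
	}
	return chains
}

// ViaTestBinary reports whether the chain passes through a test binary; go
// prints the test variant of a package as "pkg.test". Because `go mod why`
// shows only a shortest path, this is a triage hint that the dependency is
// test-only, not proof that no production import path exists.
func ViaTestBinary(chain []string) bool {
	for _, hop := range chain {
		if strings.HasSuffix(hop, ".test") {
			return true
		}
	}
	return false
}

func main() {
	for pkg, chain := range ParseWhy(sampleWhy) {
		fmt.Printf("%-24s needed=%-5v testOnly=%v\n", pkg, len(chain) > 0, ViaTestBinary(chain))
	}
}
```

A vulnerable package that is genuinely test-only is still reported by the scanner because the scanner inspects the module graph, not the linked binary; the allow-list the PR describes is what would carry this triage verdict forward.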

CVE-2020-29509 and CVE-2020-29511 do not currently have a fix available and are used in test code. The long-term plan is an allow-list to ignore particular CVEs that don't have a functional impact on the product that we're shipping; however, that allow list doesn't currently exist.

At the recommendation of ProdSec, I'm disabling NVD scanning on our binary similar to other repos that have encountered the same two CVEs:
https://github.com/search?q=org%3Ahashicorp+Turn+nvd+security+scanning+off+temporarily&type=issues
@nathancoleman nathancoleman added the pr/no-changelog Skip the CI check that requires a changelog entry label Jun 8, 2022
@nathancoleman nathancoleman marked this pull request as ready for review June 8, 2022 15:37
@nathancoleman nathancoleman requested review from a team, modrake and sarahethompson June 8, 2022 15:37
@nathancoleman (Member, Author) commented:

This is a follow-up to #206

@nathancoleman nathancoleman merged commit 01549fc into main Jun 8, 2022
@nathancoleman nathancoleman deleted the disable-nvd-scan branch June 8, 2022 16:58
nathancoleman added a commit that referenced this pull request Jun 9, 2022
nathancoleman added a commit that referenced this pull request Jun 9, 2022