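# Audit Python dependencies for known vulnerabilities (pip-audit).
# Fails the run if any non-whitelisted CVE is found.
name: Security audit

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]

# Least privilege for the default GITHUB_TOKEN: the audit job only needs to
# read the repository (checkout); nothing here writes to GitHub.
permissions:
  contents: read

jobs:
  # Deduplicates runs: a push that already produced a successful run with the
  # same content (e.g. a PR branch that is also pushed) is skipped.
  pre_job:
    runs-on: ubuntu-latest
    # skip-duplicate-actions lists (and can cancel) other workflow runs, which
    # needs the actions scope. Job-level permissions replace the workflow-level
    # set entirely, so contents: read is repeated here.
    permissions:
      actions: write
      contents: read
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
    steps:
      - id: skip_check
        uses: fkirc/skip-duplicate-actions@v3.4.0
        with:
          skip_after_successful_duplicate: "true"
          same_content_newer: "true"

  audit:
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'
    name: pip-audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Install the full dependency closure (optional requirement files plus the
      # package's own extras) so the audit sees what actually gets deployed.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip setuptools
          if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
          if [ -f requirements-customizations.txt ]; then pip install -r requirements-customizations.txt; fi
          python -m pip install -e ".[satosa,docs]"
      # NOTE(review): pip-audit itself is installed unpinned, so the audit tool
      # floats between runs; pin it once a version has been validated here.
      - name: Install pip-audit
        run: pip install pip-audit
      # CVE-2024-23342 (ecdsa): Minerva timing side-channel. No upstream fix;
      # python-ecdsa considers side-channel attacks out of scope. Whitelisted
      # per pymdoccbor/docs; risk accepted.
      - name: Audit dependencies for vulnerabilities
        run: |
          echo ""
          echo "##############################################################################"
          echo "# CVE-2024-23342 (ecdsa) whitelisted: Minerva timing side-channel.           #"
          echo "# No fix in python-ecdsa (side-channel out of scope). Risk accepted.          #"
          echo "##############################################################################"
          echo ""
          # Record the whitelist rationale in the job summary BEFORE the audit
          # runs: the step executes under bash -e, so anything placed after a
          # failing pip-audit never runs and the summary would be missing on
          # exactly the runs a reviewer needs to read.
          {
            echo ""
            echo "### CVE-2024-23342 (ecdsa) whitelisted"
            echo "**CVE-2024-23342** (ecdsa): Minerva timing side-channel. There is **no upstream fix**; python-ecdsa considers side-channel attacks out of scope. Whitelisted per pymdoccbor documentation — **risk is accepted**."
          } >> "$GITHUB_STEP_SUMMARY"
          # Any finding other than the whitelisted CVE fails this step (and the run).
          pip-audit --desc --ignore-vuln CVE-2024-23342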