From 232c3c52d50126ec1c43f12e7a25ca535b9fa101 Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Thu, 23 Jan 2025 18:11:32 -0700
Subject: [PATCH 1/3] Add exceptions for PPM

---
 package-manager/.snyk | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/package-manager/.snyk b/package-manager/.snyk
index e550808be..5f61b6b1a 100644
--- a/package-manager/.snyk
+++ b/package-manager/.snyk
@@ -2,11 +2,19 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
- SNYK-GOLANG-GITHUBCOMJACKCPGXV4-7416900:
+ SNYK-GOLANG-GOLANGORGXNETHTML-8535262:
 - '*':
- reason: >-
- Reported upstream in
- https://github.com/rstudio/package-manager/issues/13981
- expires: 2024-10-01T00:00:00.000Z
- created: 2024-07-03T14:03:16.019Z
+ reason: Patch will be ingested in next release
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:05:55.359Z
+ SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBING-8602520:
+ - '*':
+ reason: Patch will be ingested in next release
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:08:04.773Z
+ SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611:
+ - '*':
+ reason: Patch will be ingested in next release
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:08:19.247Z
 patch: {}

From a035f5db343760b706c108bc8b0b83a02065b152 Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Thu, 23 Jan 2025 18:30:17 -0700
Subject: [PATCH 2/3] Remove exceptions for connect (no vulnerabilities detected)

---
 connect/.snyk | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/connect/.snyk b/connect/.snyk
index 76241fea7..2b62034f9 100644
--- a/connect/.snyk
+++ b/connect/.snyk
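Review bot: All three new ignores in package-manager/.snyk carry the same one-line reason, `Patch will be ingested in next release`, with no tracking reference, whereas the entry this hunk removes linked its upstream issue. An ignore is an accepted risk for a fixed window, so each reason should say where the fix is tracked and whether the affected code path is reachable from this image, e.g. `reason: 'Fix tracked in <PLACEHOLDER tracking-issue link>; affected API not reachable from the PPM binary'`, so the entry can be re-judged when it expires on 2025-03-31. This applies to all three SNYK-GOLANG-* entries in the hunk.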
@@ -2,9 +2,4 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
- SNYK-GOLANG-GITHUBCOMJACKCPGXV4-7416900:
- - '*':
- reason: 'Reported upstream in https://github.com/rstudio/connect/issues/27482'
- expires: 2024-07-31T00:00:00.000Z
- created: 2024-07-03T13:49:12.040Z
 patch: {}

From 9c7d1bed6293c7271b439884d8288fe4e4eb2c6a Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Thu, 23 Jan 2025 19:07:08 -0700
Subject: [PATCH 3/3] Update exceptions for Workbench-related images

---
 r-session-complete/.snyk | 21 +++++++--------
 workbench-for-google-cloud-workstations/.snyk | 26 +++++++------------
 workbench-session-init/.snyk | 12 +++++++++
 workbench-session/.snyk | 19 ++++++++++++++
 workbench/.snyk | 21 +++++++--------
 5 files changed, 61 insertions(+), 38 deletions(-)
 create mode 100644 workbench-session-init/.snyk
 create mode 100644 workbench-session/.snyk

diff --git a/r-session-complete/.snyk b/r-session-complete/.snyk
index 909ad99a1..fdda7d7ef 100644
--- a/r-session-complete/.snyk
+++ b/r-session-complete/.snyk
@@ -2,19 +2,18 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
- SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
+ SNYK-JS-SEMVER-3247795:
 - '*':
 reason: >-
- Reported upstream in
- https://github.com/rstudio/rstudio-pro/issues/6529
- expires: 2024-08-31T00:00:00.000Z
- created: 2024-07-02T20:33:30.847Z
- SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
+ Awaiting upstream patch in jupyterlab, but exploit should not be
+ reachable.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:42:36.788Z
+ SNYK-JS-WS-7266574:
 - '*':
 reason: >-
- Confirmed fixed upstream in
- https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
- ingested in Workbench 2024.08.0 (expected within 1 week).
- expires: 2024-08-07T00:00:00.000Z
- created: 2024-07-31T17:46:24.852Z
+ Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+ package component affected.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:58:55.561Z
 patch: {}

diff --git a/workbench-for-google-cloud-workstations/.snyk b/workbench-for-google-cloud-workstations/.snyk
index 557b169de..fdda7d7ef 100644
--- a/workbench-for-google-cloud-workstations/.snyk
+++ b/workbench-for-google-cloud-workstations/.snyk
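Review bot: The reason for SNYK-JS-SEMVER-3247795 asserts `exploit should not be reachable` without naming which package pulls semver in or why the vulnerable input never reaches it, so a reviewer cannot check the claim or notice when it stops holding; the same applies to the `not using the package component affected` wording on SNYK-JS-WS-7266574. A reason of the form `Awaiting upstream jupyterlab fix (<PLACEHOLDER tracking-issue link>); only reached via <PLACEHOLDER dependency path>, which is not exposed to user-controlled version strings in this image` would carry the evidence instead of the assertion. Both entries also use the path wildcard `'*'`, which suppresses the finding for every dependency path, including one a future image change introduces; if the scanner reports the jupyterlab path, scoping the ignore to it is safer. These two entries are repeated verbatim (blob fdda7d7ef) in workbench-for-google-cloud-workstations/.snyk, workbench-session/.snyk and workbench/.snyk, so the same wording change applies there and keeping the four copies in sync will be a maintenance concern.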
@@ -2,24 +2,18 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
- SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
+ SNYK-JS-SEMVER-3247795:
 - '*':
 reason: >-
- Reported upstream in
- https://github.com/rstudio/rstudio-pro/issues/6529
- expires: 2024-08-31T00:00:00.000Z
- created: 2024-07-02T20:33:30.847Z
- SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
+ Awaiting upstream patch in jupyterlab, but exploit should not be
+ reachable.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:42:36.788Z
+ SNYK-JS-WS-7266574:
 - '*':
 reason: >-
- Confirmed fixed upstream in
- https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
- ingested in Workbench 2024.08.0 (expected within 1 week).
- expires: 2024-08-07T00:00:00.000Z
- created: 2024-07-31T17:46:24.852Z
- SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285:
- - '*':
- reason: Vulnerability in Google Cloud SDK.
- expires: 2024-09-01T00:00:00.000Z
- created: 2024-07-31T19:45:25.728Z
+ Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+ package component affected.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:58:55.561Z
 patch: {}

diff --git a/workbench-session-init/.snyk b/workbench-session-init/.snyk
new file mode 100644
index 000000000..031720219
--- /dev/null
+++ b/workbench-session-init/.snyk
@@ -0,0 +1,12 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ SNYK-JS-BODYPARSER-7926860:
+ - '*':
+ reason: >-
+ Patched upstream in Positron by upgrading express to 4.19.2. Will be
+ ingested next Workbench release.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T02:04:47.267Z
+patch: {}

diff --git a/workbench-session/.snyk b/workbench-session/.snyk
new file mode 100644
index 000000000..fdda7d7ef
--- /dev/null
+++ b/workbench-session/.snyk
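Review bot: Besides the jupyterlab entries, this hunk silently drops SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285 (`Vulnerability in Google Cloud SDK.`) from workbench-for-google-cloud-workstations/.snyk, and neither the hunk nor the commit subject says whether the x/net/http2 finding was resolved or merely let lapse at its 2024-09-01 expiry. If it is still reported against the bundled SDK the scan will start failing on this image; if it was fixed by an SDK update, that is worth one line in the commit message such as `x/net http2 finding no longer reported after SDK update` so the removal is traceable. Worth confirming with a current scan before merging.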
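Review bot: The reason for SNYK-JS-BODYPARSER-7926860 in the new workbench-session-init/.snyk justifies the ignore with `upgrading express to 4.19.2`, but the advisory is against body-parser, and the express release named here should be checked against the advisory's fixed-in range; to my recollection the body-parser fix arrived in a later express line, in which case the premise of the ignore is wrong and the finding is still live. The reason should cite the advisory's fixed version and the Positron change, e.g. `reason: Fixed upstream in Positron via express carrying body-parser >= <PLACEHOLDER fixed version from advisory> (<PLACEHOLDER Positron PR link>); ingested in next Workbench release.` As with the other Workbench files, the `'*'` path wildcard suppresses the finding for any future dependency path as well, so scoping it to the reported path is preferable if the scanner provides one.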
@@ -0,0 +1,19 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ SNYK-JS-SEMVER-3247795:
+ - '*':
+ reason: >-
+ Awaiting upstream patch in jupyterlab, but exploit should not be
+ reachable.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:42:36.788Z
+ SNYK-JS-WS-7266574:
+ - '*':
+ reason: >-
+ Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+ package component affected.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:58:55.561Z
+patch: {}

diff --git a/workbench/.snyk b/workbench/.snyk
index 909ad99a1..fdda7d7ef 100644
--- a/workbench/.snyk
+++ b/workbench/.snyk
@@ -2,19 +2,18 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
- SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
+ SNYK-JS-SEMVER-3247795:
 - '*':
 reason: >-
- Reported upstream in
- https://github.com/rstudio/rstudio-pro/issues/6529
- expires: 2024-08-31T00:00:00.000Z
- created: 2024-07-02T20:33:30.847Z
- SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
+ Awaiting upstream patch in jupyterlab, but exploit should not be
+ reachable.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:42:36.788Z
+ SNYK-JS-WS-7266574:
 - '*':
 reason: >-
- Confirmed fixed upstream in
- https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
- ingested in Workbench 2024.08.0 (expected within 1 week).
- expires: 2024-08-07T00:00:00.000Z
- created: 2024-07-31T17:46:24.852Z
+ Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+ package component affected.
+ expires: 2025-03-31T00:00:00.000Z
+ created: 2025-01-24T01:58:55.561Z
 patch: {}