From 09ffe87fbbc868d2a5f5605bb6fed76338da6bbf Mon Sep 17 00:00:00 2001
From: Greyson LaLonde
Date: Wed, 20 May 2026 21:40:30 +0800
Subject: [PATCH] ci: ignore pip-audit findings without published fixes

Adds joblib, markdown, nltk, onnx, pyjwt, torch and transformers advisories that have no fixed version available (or are disputed) to the pip-audit ignore list. Rationale recorded next to each ID.
---
 .github/workflows/vulnerability-scan.yml | 36 ++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 878310544..cc677f156 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -47,10 +47,42 @@ jobs:
 run: |
 uv run pip-audit --desc --aliases --skip-editable --format json --output pip-audit-report.json \
 --ignore-vuln CVE-2026-3219 \
- --ignore-vuln GHSA-r374-rxx8-8654
+ --ignore-vuln GHSA-r374-rxx8-8654 \
+ --ignore-vuln PYSEC-2024-277 \
+ --ignore-vuln PYSEC-2026-89 \
+ --ignore-vuln PYSEC-2026-97 \
+ --ignore-vuln PYSEC-2025-148 \
+ --ignore-vuln PYSEC-2025-183 \
+ --ignore-vuln PYSEC-2025-189 \
+ --ignore-vuln PYSEC-2025-190 \
+ --ignore-vuln PYSEC-2025-191 \
+ --ignore-vuln PYSEC-2025-192 \
+ --ignore-vuln PYSEC-2025-193 \
+ --ignore-vuln PYSEC-2025-194 \
+ --ignore-vuln PYSEC-2025-195 \
+ --ignore-vuln PYSEC-2025-196 \
+ --ignore-vuln PYSEC-2025-197 \
+ --ignore-vuln PYSEC-2025-210 \
+ --ignore-vuln PYSEC-2026-139 \
+ --ignore-vuln PYSEC-2025-211 \
+ --ignore-vuln PYSEC-2025-212 \
+ --ignore-vuln PYSEC-2025-213 \
+ --ignore-vuln PYSEC-2025-214 \
+ --ignore-vuln PYSEC-2025-215 \
+ --ignore-vuln PYSEC-2025-216 \
+ --ignore-vuln PYSEC-2025-217 \
+ --ignore-vuln PYSEC-2025-218
 # Ignored CVEs:
- # CVE-2026-3219 - pip 26.0.1 (GHSA-58qw-9mgm-455v): no fix available, archive handling issue
+ # CVE-2026-3219 - pip 26.0.1 (GHSA-58qw-9mgm-455v): no fix available, archive handling issue
 # GHSA-r374-rxx8-8654 - paramiko 4.0.0 (SHA-1 in rsakey.py): no fix available; transitive via composio-core
+ # PYSEC-2024-277 - joblib 1.5.3: disputed; NumpyArrayWrapper only used with trusted caches
+ # PYSEC-2026-89 - markdown 3.10.2: DoS via malformed HTML; fix 3.8.1 — already past, advisory range is stale
+ # PYSEC-2026-97 - nltk 3.9.4: arbitrary file read in filestring(); no fix available
+ # PYSEC-2025-148 - onnx 1.21.0: path traversal in save_external_data; no fix available
+ # PYSEC-2025-183 - pyjwt 2.12.1: disputed weak-encryption claim; key length is application-chosen
+ # PYSEC-2025-189..197 - torch 2.11.0: memory-corruption/DoS in functions only reachable via untrusted models; no fix available
+ # PYSEC-2025-210, PYSEC-2026-139 - torch 2.11.0: profiler/deserialization issues; no fix available
+ # PYSEC-2025-211..218 - transformers 5.5.4: deserialization/code injection via malicious model checkpoints; no fix available
 continue-on-error: true
 - name: Display results
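Review bot: The 24 new `--ignore-vuln` entries are unconditional and undated, so pip-audit will keep suppressing each ID after a fixed release is published, and nothing in the hunk prompts a re-check. Several rationales are reachability claims rather than fix status (joblib "only used with trusted caches", torch "only reachable via untrusted models", transformers "malicious model checkpoints"); they hold only while the project never loads third-party caches or checkpoints, which the visible lines do not enforce. I would add a review marker to the comment block, e.g. `# Re-evaluate by <REVIEW-DATE>: drop any ID whose package now has a fixed release`, and list the range entries (`PYSEC-2025-189..197`, `PYSEC-2025-211..218`) one ID per line so a search for a single ID finds its rationale. The PYSEC-2026-89 comment says the installed markdown 3.10.2 is already past the 3.8.1 fix; that looks like stale advisory data, and it is better tracked with a link to the upstream report than with a permanent ignore.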