feat: block releases on HIGH/CRITICAL OSV advisories with override support

The release workflow's OSV scan previously used continue-on-error: true,
so HIGH/CRITICAL advisories were noted but never blocked the release.

- scripts/osv-release-gate.py: parses osv-result.json, classifies by
  CVSS score or database severity, blocks on HIGH/CRITICAL unless the
  advisory ID appears in .github/osv-overrides.json with a valid expiry.
- .github/osv-overrides.json: empty allowlist for explicit overrides;
  each entry requires id, severity, rationale, owner, and expiry date.
- .github/workflows/release.yml: added "Gate on HIGH/CRITICAL" step
  between OSV scan and summary generation.
- docs/SECURITY.md: updated release-scan section to document the gate
  and override mechanism.

Author: SysAdminDoc

.github/osv-overrides.json

@@ -0,0 +1,5 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "_comment": "Explicit overrides for OSV advisories that should not block the release. Each entry must document why the advisory does not apply or is accepted.",
+  "overrides": []
+}

.github/workflows/release.yml

@@ -117,9 +117,8 @@ jobs:
         run: ./gradlew :app:lintDebug
 
       # ROADMAP matrix #9 + #44 — capture OSV scan status into the release body so each
-      # tag carries a dated "OSV scan: ..." appendix. `continue-on-error: true` ensures
-      # the release still ships if OSV reports something — the result is recorded either
-      # way so users can reason about how stale / clean the dep tree was on release day.
+      # tag carries a dated "OSV scan: ..." appendix. HIGH/CRITICAL advisories block
+      # the release unless explicitly overridden in .github/osv-overrides.json.
       # See `docs/SECURITY.md` for the policy.
       - name: Generate Gradle dependency tree for OSV scan
         run: ./gradlew :app:dependencies --configuration releaseRuntimeClasspath > gradle-deps.txt
@@ -150,6 +149,9 @@ jobs:
           echo "osv-exit=$osv_exit" >> "$GITHUB_OUTPUT"
           set -e
 
+      - name: Gate on HIGH/CRITICAL advisories
+        run: python3 scripts/osv-release-gate.py
+
       - name: Summarise OSV result into release appendix
         run: |
           scan_date=$(date -u +"%Y-%m-%d")

docs/SECURITY.md

@@ -114,9 +114,13 @@ and appended to the GitHub Release body. The result is reproducible — anyone c
 locally against the source tree at the matching tag and expect the same advisory set, modulo CVEs disclosed after the
 release date.
 
-If the release-time scan finds a HIGH or CRITICAL vulnerability the workflow does **not** silently swallow it; the
-step is `continue-on-error: true` so the release proceeds, but the failure is recorded in the release body and
-visible at a glance.
+If the release-time scan finds a HIGH or CRITICAL advisory, `scripts/osv-release-gate.py` blocks the release. The
+gate parses `osv-result.json`, classifies each finding by CVSS score or database severity, and exits non-zero for any
+unoverridden HIGH/CRITICAL match. LOW and MEDIUM findings are summarized but non-blocking.
+
+To override a blocking advisory (e.g. not reachable, awaiting upstream fix), add an entry to `.github/osv-overrides.json`
+with the advisory `id`, `severity`, `rationale`, `owner`, and `expiry` (YYYY-MM-DD). Expired overrides are ignored and
+produce a CI warning. The override file is committed and auditable.
 
 ### Provenance attestation (`.github/workflows/release.yml`)
 

scripts/osv-release-gate.py

@@ -0,0 +1,144 @@
+#!/usr/bin/env python3
+"""
+scripts/osv-release-gate.py
+
+Release-time OSV severity gate. Parses osv-result.json and fails if any
+HIGH or CRITICAL advisory is present that is not explicitly overridden in
+.github/osv-overrides.json.
+
+Exit codes:
+  0 — no blocking findings (clean, or all high/critical overridden)
+  1 — at least one high/critical advisory is not overridden; release blocked
+  2 — osv-result.json missing or unparseable (scan did not complete)
+
+Override file format (.github/osv-overrides.json):
+{
+  "overrides": [
+    {
+      "id": "GHSA-xxxx-yyyy-zzzz",
+      "severity": "HIGH",
+      "rationale": "Not reachable: SwiftFloris never calls the affected API.",
+      "owner": "matt_parker@outlook.com",
+      "expiry": "2026-09-01"
+    }
+  ]
+}
+"""
+
+import json
+import sys
+from datetime import date
+from pathlib import Path
+
+OSV_RESULT = Path("osv-result.json")
+OVERRIDES_FILE = Path(".github/osv-overrides.json")
+
+BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}
+
+
+def load_overrides():
+    if not OVERRIDES_FILE.exists():
+        return {}
+    data = json.loads(OVERRIDES_FILE.read_text())
+    today = date.today().isoformat()
+    active = {}
+    for entry in data.get("overrides", []):
+        advisory_id = entry.get("id", "")
+        expiry = entry.get("expiry", "")
+        if expiry and expiry < today:
+            print(f"::warning::OSV override expired: {advisory_id} (expiry {expiry})")
+            continue
+        if not all(entry.get(k) for k in ("id", "severity", "rationale", "owner")):
+            print(f"::warning::OSV override missing required fields: {entry}")
+            continue
+        active[advisory_id] = entry
+    return active
+
+
+def extract_severity(vuln):
+    for sv in vuln.get("severity", []):
+        score_str = sv.get("score", "")
+        if "CVSS" in sv.get("type", ""):
+            try:
+                score = float(score_str.split("/")[0].split(":")[-1])
+            except (ValueError, IndexError):
+                continue
+            if score >= 9.0:
+                return "CRITICAL"
+            if score >= 7.0:
+                return "HIGH"
+            if score >= 4.0:
+                return "MEDIUM"
+            return "LOW"
+    db_severity = vuln.get("database_specific", {}).get("severity", "").upper()
+    if db_severity in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
+        return db_severity
+    return "UNKNOWN"
+
+
+def main():
+    if not OSV_RESULT.exists() or OSV_RESULT.stat().st_size == 0:
+        print("::warning::osv-result.json missing or empty — scan did not complete.")
+        sys.exit(2)
+
+    try:
+        data = json.loads(OSV_RESULT.read_text())
+    except json.JSONDecodeError as e:
+        print(f"::error::osv-result.json is not valid JSON: {e}")
+        sys.exit(2)
+
+    overrides = load_overrides()
+
+    blocking = []
+    non_blocking = []
+
+    for result in data.get("results", []):
+        for pkg in result.get("packages", []):
+            pkg_name = pkg.get("package", {}).get("name", "unknown")
+            for vuln in pkg.get("vulnerabilities", []):
+                vuln_id = vuln.get("id", "unknown")
+                severity = extract_severity(vuln)
+                summary = vuln.get("summary", "")[:120]
+                aliases = vuln.get("aliases", [])
+
+                all_ids = {vuln_id} | set(aliases)
+                overridden = any(aid in overrides for aid in all_ids)
+
+                entry = {
+                    "id": vuln_id,
+                    "severity": severity,
+                    "package": pkg_name,
+                    "summary": summary,
+                    "overridden": overridden,
+                }
+
+                if severity in BLOCKING_SEVERITIES and not overridden:
+                    blocking.append(entry)
+                else:
+                    non_blocking.append(entry)
+
+    if non_blocking:
+        print(f"Non-blocking findings ({len(non_blocking)}):")
+        for e in non_blocking:
+            status = " [overridden]" if e["overridden"] else ""
+            print(f"  {e['severity']:8s} {e['id']} ({e['package']}){status}")
+
+    if blocking:
+        print(f"\n::error::Release blocked by {len(blocking)} HIGH/CRITICAL advisory(ies):")
+        for e in blocking:
+            print(f"  {e['severity']:8s} {e['id']} ({e['package']}): {e['summary']}")
+        print(
+            "\nTo override, add entries to .github/osv-overrides.json with:"
+            "\n  id, severity, rationale, owner, expiry (YYYY-MM-DD)"
+        )
+        sys.exit(1)
+
+    total = len(blocking) + len(non_blocking)
+    if total == 0:
+        print("OSV release gate: PASS (0 advisories)")
+    else:
+        print(f"OSV release gate: PASS ({total} advisory(ies), none blocking)")
+
+
+if __name__ == "__main__":
+    main()