-
Notifications
You must be signed in to change notification settings - Fork 41
Expand file tree
/
Copy pathosv-scanner.toml
More file actions
94 lines (81 loc) · 3.6 KB
/
Copy pathosv-scanner.toml
File metadata and controls
94 lines (81 loc) · 3.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# OSV-Scanner suppressions for the databricks-jdbc security gate.
#
# Each entry suppresses a CVE that is a documented CPE / ecosystem false
# positive against an artifact we ship. Every entry has a justification.
#
# Trade-off worth noting (reviewer pointed this out): [[IgnoredVulns]]
# entries are CVE-id global -- they ignore the CVE across all packages
# OSV reports it against, not just the artifact we have in mind. The
# alternative ([[PackageOverrides]] with `vulnerability.ignore = true`)
# is per-package but blanket-ignores ALL vulnerabilities on that
# package, which is much worse. OSV-Scanner v2.3.8 does NOT support an
# intersection ("this CVE on this package only"); the config struct at
# internal/config/config.go has no per-CVE field on PackageOverrides.
#
# Net effect: if a future Maven dep ever legitimately picks up one of
# the CVE IDs below, it will be silently suppressed here. The
# mitigation is that these are all ecosystem-mismatched CVEs (the Go /
# Python / R / C_glib binding of a library, not the Java binding), so a
# legitimate Java affectation would itself be a notable advisory event
# we'd want to revisit -- which would make us re-read these entries
# anyway. Acceptable risk for now.
#
# See google.github.io/osv-scanner/configuration/ for the schema.
# --- Apache Arrow ---
# Both Arrow CVEs come from the same pattern: an advisory scoped to
# Arrow C++ or Arrow R, matched against the Java arrow-* artifacts via
# the shared "apache:arrow" identifier. Java Arrow is unaffected.
[[IgnoredVulns]]
id = "CVE-2026-25087"
reason = """
Use-After-Free in Apache Arrow C++ IPC file reader (variadic buffers).
Does not affect the Java Arrow libraries (arrow-memory-core,
arrow-vector, etc.) which are pure Java with no native C++ code.
"""
[[IgnoredVulns]]
id = "CVE-2024-52338"
reason = """
Deserialization vulnerability in the Apache Arrow R package on CRAN
(R 4.0.0 - 16.1.0, fixed in R 17.0.0). Apache advisory explicitly
states it does not affect other Arrow implementations or bindings.
Driver ships Java Arrow 18.3.0 -- wrong ecosystem and outside version
range. See https://www.openwall.com/lists/oss-security/2024/11/28/3
"""
# --- gRPC ---
[[IgnoredVulns]]
id = "CVE-2026-33186"
reason = """
gRPC-Go server authorization bypass (google.golang.org/grpc, fixed in
1.79.3). The Java gRPC libraries are a separate codebase with
independent release lines. The JDBC driver is also a gRPC client only
-- it does not run a gRPC server, so even the underlying flaw would be
unreachable.
"""
# --- protobuf-java ---
[[IgnoredVulns]]
id = "CVE-2026-0994"
reason = """
Vulnerability in pip protobuf (Python) json_format.ParseDict().
Advisory record lists only the pip module as affected; no Java fix
exists because Java isn't affected.
"""
# --- libthrift (non-Java bindings) ---
# Several CVEs in the May 2026 Apache Thrift batch are scoped to
# non-Java bindings. Remaining libthrift CVEs whose binding is
# unspecified or known to affect Java are NOT suppressed and will be
# cleared by a follow-up bump to libthrift 0.23.0.
[[IgnoredVulns]]
id = "CVE-2025-48431"
reason = "libthrift C_glib (invalid free). Not Java. CPE namespace collision."
[[IgnoredVulns]]
id = "CVE-2026-41602"
reason = "libthrift Go TFramedTransport. Not Java. CPE namespace collision."
[[IgnoredVulns]]
id = "CVE-2026-41636"
reason = "libthrift Node.js skip() recursion. Not Java. CPE namespace collision."
[[IgnoredVulns]]
id = "CVE-2026-43868"
reason = "libthrift Rust memory allocation excess size. Not Java. CPE namespace collision."
[[IgnoredVulns]]
id = "CVE-2026-43870"
reason = "libthrift Node.js web_server.js multi-vuln. Not Java. CPE namespace collision."