#practicalli
2024-03-02
practicalli-johnny 13:03:19

Practicalli Project Templates commit (updated to a targeted approach for specific CVEs) • https://github.com/practicalli/project-templates/commit/27a7e328153aacd59c923869bf0ed958630e7ff3

I've added REPOSITORY_TRIVY_DISABLE_ERRORS: true # Errors only as warnings in the .github/config/megalinter.yaml
https://github.com/practicalli/project-templates/commit/caf2e3b7157b7384fcfbcd8c9e37dbeecabf6d7e

Added a trivyignore file to the GitHub configuration for workflows, instructing Trivy to ignore specific CVE reports, specifically CVE-2024-22871.

Due to the CVE-2024-22871 report that uses deserialisation in a way that goes against the warning in the Clojure documentation, the Trivy reports are now warnings.

According to https://clojurians.slack.com/archives/C03S1KBA2/p1709276646647669?thread_ts=1707205549.345089&cid=C03S1KBA2, the CVE-2024-22871 report can be ignored/suppressed and treated as a reminder not to deserialise data from sources that are not trusted (should such a reminder not be already completely obvious).