From e5bf509442ce0d78bb3828f8645a060549f02c16 Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Fri, 27 Mar 2026 07:05:01 -0400
Subject: [PATCH 1/2] fix(ci): centralize OSV vulnerability ignores in org-wide config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add osv-scanner.toml at repo root with org-wide vulnerability ignores for CVEs with no upstream fix (pygments, nltk, requests). Update _osv-scan.yml to fetch this central config when repos don't have a local osv-scanner.toml — local configs take precedence for overrides. This eliminates the need for per-directory osv-scanner.toml files in individual repos (closes JacobPEvans/nix-ai#344 approach). (claude)
---
.github/workflows/_osv-scan.yml | 14 +++++++++++++-
osv-scanner.toml | 33 +++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+), 1 deletion(-)
create mode 100644 osv-scanner.toml
diff --git a/.github/workflows/_osv-scan.yml b/.github/workflows/_osv-scan.yml
index 8119b30..dba004d 100644
--- a/.github/workflows/_osv-scan.yml
+++ b/.github/workflows/_osv-scan.yml
@@ -22,11 +22,23 @@ jobs:
 steps:
 - uses: actions/checkout@v6
- - name: Check for config file
+ - name: Fetch central OSV config
+ if: hashFiles('osv-scanner.toml') == ''
+ uses: actions/checkout@v6
+ with:
+ repository: ${{ github.repository_owner }}/.github
+ path: .central-config
+ sparse-checkout: osv-scanner.toml
+ sparse-checkout-cone-mode: false
+
+ - name: Apply config (local overrides central)
 id: config
 run: |
 if [ -f osv-scanner.toml ]; then
 echo "args=--config=osv-scanner.toml" >> "$GITHUB_OUTPUT"
+ elif [ -f .central-config/osv-scanner.toml ]; then
+ cp .central-config/osv-scanner.toml osv-scanner.toml
+ echo "args=--config=osv-scanner.toml" >> "$GITHUB_OUTPUT"
 else
 echo "args=" >> "$GITHUB_OUTPUT"
 fi
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000..efd4b4a
--- /dev/null
+++ b/osv-scanner.toml
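Review bot: The new `Fetch central OSV config` step checks out `${{ github.repository_owner }}/.github` with no `ref`, so the suppression list applied to every consuming repo is whatever is on that repo's default branch at run time; a change there silently alters scan results org-wide with nothing visible in the consuming repo's history. Pin it (`ref: <tag-or-sha placeholder>`) or, at minimum, make the applied suppressions visible in the job log by printing the file in the `Apply config` step, e.g. `echo "::group::applied osv-scanner.toml"; cat osv-scanner.toml; echo "::endgroup::"` before the output is written. That same checkout leaves the workflow token in `.central-config/.git/config` for the rest of the job although nothing later needs it, so `persist-credentials: false` on it is a cheap reduction. The enclosing `steps:` list continues outside the hunk.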
@@ -0,0 +1,33 @@
+# Org-wide OSV vulnerability ignores
+#
+# Central config inherited by all repos via _osv-scan.yml.
+# Only add entries here when NO fix is available upstream.
+# Remove entries promptly when upstream patches land.
+#
+# Repos can override with a local osv-scanner.toml (takes precedence).
+
+# pygments 2.19.2 — Low severity (3.3), ReDoS in AdlLexer
+# No patched version available upstream
+[[IgnoredVulns]]
+id = "GHSA-5239-wwwm-4pmq"
+reason = "pygments 2.19.2 is the latest version; no fix available upstream"
+
+# nltk 3.9.3 — High severity (7.5), no patched version for this CVE
+[[IgnoredVulns]]
+id = "GHSA-jm6w-m3j8-898g"
+reason = "nltk 3.9.3 has no fix for this CVE"
+
+# nltk 3.9.3 — Medium severity (5.1), no patched version available
+[[IgnoredVulns]]
+id = "GHSA-rf74-v2fm-23pw"
+reason = "nltk 3.9.3 has no fix available upstream"
+
+# nltk 3.9.3 — Medium severity (6.1), fix available in 3.9.4
+[[IgnoredVulns]]
+id = "GHSA-gfwx-w7gr-fvh7"
+reason = "nltk upgrade to 3.9.4 pending Renovate PR"
+
+# requests 2.32.5 — Medium severity (4.4), fix available in 2.33.0
+[[IgnoredVulns]]
+id = "GHSA-gc5v-m9x4-r6x2"
+reason = "requests upgrade to 2.33.0 pending Renovate PR"
From e5811a6237a173cfed5ce9d29bdb64bdc5cd194a Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Fri, 27 Mar 2026 08:45:45 -0400
Subject: [PATCH 2/2] fix: align header policy text with fix-pending ignores
Update comment to acknowledge that some ignores are for CVEs with available fixes that are pending Renovate upgrade rollout. (claude)
---
osv-scanner.toml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/osv-scanner.toml b/osv-scanner.toml
index efd4b4a..ac52245 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
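Review bot: The two entries whose own comments say a fix already exists (`GHSA-gfwx-w7gr-fvh7`, nltk 3.9.4; `GHSA-gc5v-m9x4-r6x2`, requests 2.33.0) are suppressed with no expiry, so if the pending Renovate upgrade stalls the finding stays hidden in every repo with nothing to bring it back. osv-scanner's `[[IgnoredVulns]]` entries accept an optional expiry date; adding `ignoreUntil = 2026-XX-XX  # placeholder: date the upgrade is expected to land` to those two entries makes the scan fail again after that date and forces a decision instead of relying on "remove promptly". Each ignore is keyed only by advisory id, so it keeps suppressing the finding in any repo at any package version, including after the advisory is later updated with a patched release; a bounded expiry is what limits that exposure.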
@@ -1,8 +1,9 @@
 # Org-wide OSV vulnerability ignores
 #
 # Central config inherited by all repos via _osv-scan.yml.
-# Only add entries here when NO fix is available upstream.
-# Remove entries promptly when upstream patches land.
+# Only add entries here for vulns that cannot be immediately fixed
+# (e.g., no upstream patch yet, or upgrade blocked/pending Renovate rollout).
+# Remove entries promptly when upgrades land.
 #
 # Repos can override with a local osv-scanner.toml (takes precedence).