Skip to content
Closed
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions test/security/data/ecr_scan_allowlist/ray/framework_allowlist.json
Original file line number Diff line number Diff line change
Expand Up @@ -78,5 +78,20 @@
"vulnerability_id": "CVE-2026-54275",
"reason": "aiohttp 3.13.5 bundled inside ray/_private/runtime_env/agent/thirdparty_files/, cannot patch without upstream ray release",
"review_by": "2026-09-29"
},
{
"vulnerability_id": "CVE-2026-57516",
"reason": "ray[serve]==2.55.1 exact pin (autorelease-managed core contract); fix in ray 2.56.0 needs a Ray version bump",
"review_by": "2027-01-02"
},
{
"vulnerability_id": "CVE-2026-54277",
"reason": "aiohttp 3.13.5 bundled inside ray/_private/runtime_env/agent/thirdparty_files/, cannot patch without upstream ray release",
"review_by": "2026-10-04"
},
{
"vulnerability_id": "RUSTSEC-2026-0195",
"reason": "quick-xml 0.39.2 vendored in the uv binary; fix (0.41.0) not shipped in any stable uv release (latest 0.11.26 still ships 0.39.2)",
"review_by": "2026-10-04"
}
]
Loading