Draft
6 changes: 6 additions & 0 deletions .ort.yml
@@ -54,6 +54,12 @@ resolutions:
reason: "SCANNER_ISSUE"
comment: >-
This file contains test data. Contained licenses do not apply to the OSS Review Toolkit.
vulnerabilities:
- id: "CVE-2024-6763"
reason: "INEFFECTIVE_VULNERABILITY"
comment: >-
The vulnerable package 'Maven:org.eclipse.jetty:jetty-http:11.0.26' is introduced as a transitive dependency of 'Maven:org.wiremock:wiremock:3.13.2'
which is a package exclusively used for testing and thus is neither distributed nor exploitable in a deployment.

Member
Is it possible to set up excludes such that this is not queried in the first place? (e.g. scope excludes?)

Member Author
I needed this for a demo to show how resolved vulnerabilities look in the ORT Server:

image

So this was not really meant for review, which is why I made it a draft.

Member Author
Thinking about this again, while it's correct that the vulnerability could also be "configured away" by creating a scope exclude for all test scopes and running the advisor with skipExcluded = true, I wonder whether that's what we want, as it would suppress any vulnerability in a test dependency. But maybe our aspiration for our own code base is to even go through vulnerabilities in test dependencies and resolve them on a case by case basis?

In a way, the question boils down to which "distribution type" we'd like to assume / apply when running ORT on ORT. This is probably something we could discuss in a meeting.
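
The scope-exclude alternative discussed in the comment above, written out as an added example; it is not part of this PR and not the project's own `.ort.yml`. It assumes a Gradle-style project whose test scopes all start with `test` (e.g. `testCompileClasspath`, `testRuntimeClasspath`), and it assumes that `skipExcluded` defaults to false, so the advisor keeps querying excluded packages unless the option is set. The advisor option is ORT tool configuration (`config.yml`), separate from the repository configuration (`.ort.yml`):

```yaml
# --- .ort.yml (repository configuration), added example ---
# Exclude every scope whose name starts with "test".
# Assumption: Gradle-style scope names such as testCompileClasspath.
excludes:
  scopes:
    - pattern: "test.*"
      reason: "TEST_DEPENDENCY_OF"
      comment: "Test-only dependencies are neither distributed nor deployed."

# --- config.yml (ORT tool configuration), added example ---
# Without this the advisor still queries packages that only appear in
# excluded scopes (assumption: skipExcluded defaults to false).
ort:
  advisor:
    skipExcluded: true
```

The trade-off is the one the comment names: the scope exclude removes every vulnerability in test scopes from advisor results at once, whereas the per-CVE resolution in the diff above keeps each finding visible and records a justification for it individually.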

curations:
license_findings:
- path: "README.md"
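Review bot: The resolution is keyed only on `id: "CVE-2024-6763"`, so it resolves that CVE for every package that reports it, while the comment justifies it solely for the jetty-http copy pulled in through wiremock's test scope. If jetty-http ever enters a non-test scope, for example via another dependency, the finding stays silently resolved under a justification that no longer holds; either say so in the comment so the entry is revisited on dependency changes, or pair it with a scope exclude for test scopes as raised in the thread. The pinned versions `jetty-http:11.0.26` and `wiremock:3.13.2` in the comment will also go stale on the next dependency bump, so consider describing the dependency path without exact versions.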