lerkolabs/uptop
1
1
Fork 0
Code Issues 17 Pull Requests Actions Packages Projects 2 Releases 4 Wiki Activity
Files
9ee5908af5e6c1fb10e35f45a727465b782c1520
uptop/.grype.yaml
T
lerko 37bf443e29
CI / test (pull_request) Successful in 1m44s
Details
CI / lint (pull_request) Successful in 1m11s
Details
CI / vulncheck (pull_request) Successful in 51s
Details
Release Binaries / release (push) Successful in 2m9s
Details
Release Docker / docker (push) Successful in 10m18s
Details
fix(release): suppress wish GHSA alias in grype, fold rc tags into launch notes 
The existing .grype.yaml ignore listed the wish SCP traversal only by CVE
id; grype's db now matches it as GHSA-xjvp-7243-rg9h and ignores are
exact-id, so the rc.2 scan gate tripped on an already-triaged finding.
List both ids. Vulnerable SCP middleware is never compiled in; real fix
is the charm v2 stack migration (#126).

cliff.toml ignore_tags folds rc tags into the next real release so
v0.1.0's notes cover full history instead of commits-since-rc.2.
2026-06-12 17:02:55 -04:00

12 lines
658 B
YAML
Raw Blame History

ignore:
# SCP path traversal in charmbracelet/wish — same flaw, two ids: grype has
# matched it as CVE-2026-41589 and as GHSA-xjvp-7243-rg9h depending on db
# version, and ignore matching is exact-id, so both stay listed.
# We only import wish/bubbletea for the SSH TUI server — the vulnerable
# scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in
# (govulncheck reachability agrees). No fix for wish v1; v2
# (charm.land/wish/v2 >= 2.0.1) requires the bubbletea-v2 stack migration,
# tracked in issue #126. Remove both entries when that lands.
- vulnerability: CVE-2026-41589
- vulnerability: GHSA-xjvp-7243-rg9h
Reference in New Issue View Git Blame Copy Permalink