.snyk

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
# To format the date now and in 3 months:
#   date -u +"%Y-%m-%dT%H:%M:%SZ"
#   date -d 'now + 3 month' -u +"%Y-%m-%dT%H:%M:%SZ"
ignore:
  SNYK-PYTHON-PYOPENSSL-6149520:
    - '*':
        reason: |
          Issue fixed by Red Hat
          See: https://access.redhat.com/errata/RHSA-2024:2447
        created: 2024-04-24T15:02:32.471Z
  SNYK-PYTHON-PYOPENSSL-6592766:
    - '*':
        reason: SSL_OP_NO_TICKET option isn't enabled
        created: 2024-04-24T15:02:32.471Z
  SNYK-PYTHON-PYOPENSSL-6157250:
    - '*':
        reason: |
          No OpenSSL refresh available yet due to low severity;
          see https://www.openssl.org/news/secadv/20240115.txt
          Issue fixed by Red Hat
          See: https://access.redhat.com/errata/RHSA-2024:2447
        created: 2024-04-24T15:02:32.471Z
  SNYK-PYTHON-JOBLIB-6913425:
    - '*':
        reason: |
          ansible-wisdom-service doesn't currently use the
          vulnerable component 'joblib.numpy_pickle::NumpyArrayWrapper'
          We don't use joblib internally and the severity of the issue is challenged
          by the lib maintainer because NumpyArrayWrapper is not a public class.
          See: https://github.com/joblib/joblib/issues/1582#issuecomment-2120517671
        expires: 2024-10-24T15:02:32.468Z
        created: 2024-04-24T15:02:32.471Z
  SNYK-PYTHON-CRYPTOGRAPHY-6913422:
    - '*':
        reason: |
          No DSA key validation is done at our level and TLS is handle
          by OpenShift
        expires: 2024-08-21T12:19:22Z
        created: 2024-05-21T12:19:22Z
  SNYK-PYTHON-CRYPTOGRAPHY-7161587:
    - '*':
        reason: |
          There is no fix yet and it will later as an UBI update
          See: https://access.redhat.com/security/cve/CVE-2024-4741
        expires: 2024-06-29T19:26:28Z
        created: 2024-05-29T19:26:28Z
  SNYK-PYTHON-PYOPENSSL-7161590:
    - '*':
        reason: |
          There is no fix yet and it will later as an UBI update
          See: https://access.redhat.com/security/cve/CVE-2024-4741
        expires: 2024-06-29T19:26:28Z
        created: 2024-05-29T19:26:28Z
  SNYK-PYTHON-LANGCHAIN-7217837:
    - '*':
        reason: We don't use the Web Research Retriever
        created: 2024-06-07T16:15:54Z
  SNYK-PYTHON-LANGCHAINCOMMUNITY-7217836:
    - '*':
        reason: |
          We are not using SitemapLoader
        expires: 2024-07-10T10:04:58Z
        created: 2024-06-10T10:04:58Z
  SNYK-PYTHON-PYDRIVE2-6101007:
    - '*':
        reason: |
          We are using v1.20.0 which contains the fix.
          https://www.cve.org/CVERecord?id=CVE-2023-49297
          https://github.com/iterative/PyDrive2/commits/1.20.0
        created: 2024-08-19T08:29:20Z
  SNYK-PYTHON-ANSIBLECORE-7981515:
    - '*':
        reason: |
          We do not use Ansible Vault and are therefore unaffected.
          See: https://security.snyk.io/vuln/SNYK-PYTHON-ANSIBLECORE-7981515
        created: 2024-09-16T10:19:00Z
  SNYK-PYTHON-ANSIBLECORE-8349549:
    - '*':
        reason: |
          This is only exploitable if someone with root privileges uses
          the user module with the generate_ssh_key option (disabled
          by default) and targets an unprivileged user. We do not use
          ansible-core in that way in ansible-ai-connect-service.
patch: {}