Remove some stale CVE entries from .grype.yaml

Our security scans no longer pick up some CVEs we have ignored in the past, so we can safely remove them now.
freedomofpress · Aug 8, 2024 · 08f03b4 · 08f03b4
1 parent 141c1e8
commit 08f03b4
Showing 1 changed file with 0 additions and 40 deletions.
diff --git a/.grype.yaml b/.grype.yaml
@@ -2,46 +2,6 @@
 # latest release of Dangerzone, and offer our analysis.
 
 ignore:
-  # CVE-2023-7104
-  # =============
-  #
-  # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104
-  # Verdict: Dangerzone is not affected. The rationale is the following:
-  #
-  #   1. This CVE affects malicious/corrupted SQLite DBs.
-  #   2. Databases can be loaded either via LibreOffice Calc or Base. Files for
-  #      the latter are not a valid input to Dangerzone.
-  #   3. Based on the LibreOffice Calc guide [1], users can only refer to
-  #      external databases, not embed them in a spreadsheet.
-  #   4. The actual CVSS score for this vulnerability is High, according to
-  #      NIST, not Critical.
-  #
-  # [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf:
-  #
-  #      > The possible data sources for the pivot table are a Calc spreadsheet
-  #      > or an external data source that is registered in LibreOffice. [...]
-  #      > A registered data source is a connection to data held in a database
-  #      > outside of LibreOffice.
-  - vulnerability: CVE-2023-7104
-  # CVE-2024-5535
-  # =============
-  #
-  # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5535
-  # Verdict: Dangerzone is not affected. The rationale is the following:
-  #
-  #   1. This CVE affects applications that make network calls. The Dangerzone
-  #      container does not perform any such calls, and has no access to the
-  #      internet.
-  #   2. The OpenSSL devs have marked this issue as low severity [1].
-  #
-  # [1]: From https://www.openssl.org/news/secadv/20240627.txt:
-  #
-  #      > This issue has been assessed as Low severity because applications are
-  #      > most likely to be vulnerable if they are using NPN instead of ALPN -
-  #      > but NPN is not widely used. It also requires an application
-  #      > configuration or programming error. Finally, this issue would not
-  #      > typically be under attacker control making active exploitation
-  #      > unlikely.
   - vulnerability: CVE-2024-5535
   # CVE-2024-5171
   # =============