Update vulnerability whitelist

sd234678 · sd234678 · commit b789cca648c2 · 2023-06-29T09:46:37.000+01:00
diff --git a/.last-exported-commit b/.last-exported-commit
@@ -1 +1 @@
-Last exported commit from parent repo: 0e3b39088f7b334fe6ce2c1199800dff80466188
+Last exported commit from parent repo: d0f1f49fac41192923a5acb1becefa03916ef968
diff --git a/nix-bootstrap.cabal b/nix-bootstrap.cabal
@@ -5,7 +5,7 @@ cabal-version: 2.0
 -- see: https://github.com/sol/hpack
 
 name:           nix-bootstrap
-version:        1.3.1.1
+version:        1.3.1.2
 author:         gchquser
 maintainer:     48051938+sd234678@users.noreply.github.com
 copyright:      Crown Copyright
diff --git a/package.yaml b/package.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 name: nix-bootstrap
-version: 1.3.1.1
+version: 1.3.1.2
 author: gchquser
 maintainer: 48051938+sd234678@users.noreply.github.com
 copyright: Crown Copyright
diff --git a/vulnerability-whitelist.toml b/vulnerability-whitelist.toml
@@ -22,6 +22,9 @@ comment = "bash is only a build-time dependency so we're not vulnerable to this
 ["binutils"]
 comment = "binutils is only a build-time dependency so we're not vulnerable to this attack."
 
+["c-ares"]
+comment = "c-ares is only a build-time dependency so we are not vulnerable to this attack."
+
 ["cereal"]
 cve = ["CVE-2020-11104", "CVE-2020-11105"]
 comment = "CVEs refer to the C++ library cereal, not this haskell package."
@@ -62,7 +65,6 @@ cve = ["CVE-2021-23154", "CVE-2021-44458"]
 comment = "CVEs refer to Mirantis Lens, not this haskell package."
 
 ["libarchive"]
-cve = ["CVE-2022-36227"]
 comment = "libarchive is only a build-time dependency so we are not vulnerable to this attack."
 
 ["libxml2"]
@@ -94,12 +96,22 @@ cve = ["CVE-2021-35048",
   "CVE-2022-0997"]
 comment = "CVEs refer to Fidelis Network, not this haskell package."
 
+["ncurses"]
+cve = ["CVE-2023-29491"]
+comment = "Vulnerability only applies to setuid applications, which nix-bootstrap is not"
+
+["ninja"]
+comment = "ninja is only a build-time dependency so we are not vulnerable to this attack."
+
 ["openssl"]
 comment = "openssl is only a build-time dependency so we are not vulnerable to this attack."
 
 ["patch"]
 comment = "patch is only a build-time dependency so we are not vulnerable to this attack."
 
+["perl"]
+comment = "perl is only a build-time dependency so we are not vulnerable to this attack."
+
 ["safe"]
 comment = "CVEs refer to F-Secure SAFE browser, not this haskell package."
 
@@ -137,8 +149,8 @@ comment = "None of these vulnerabilities affect nix-bootstrap as it doesn't proc
 comment = "wheel is only a build-time dependency so we are not vulnerable to this attack."
 
 ["yaml"]
-cve = ["CVE-2022-3064", "CVE-2021-4235"]
-comment = "CVEs refer to go-yaml, not this haskell package."
+cve = ["CVE-2022-3064", "CVE-2021-4235", "CVE-2023-2251"]
+comment = "CVEs refer to other things called yaml, not this haskell package."
 
 ["zlib-0.6.3.0"]
 cve = ["CVE-2018-25032", "CVE-2022-37434"]

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Last exported commit from parent repo: 0e3b39088f7b334fe6ce2c1199800dff80466188`
	`1`	`+Last exported commit from parent repo: d0f1f49fac41192923a5acb1becefa03916ef968`