forked from ArbitrumFoundation/governance
-
Notifications
You must be signed in to change notification settings - Fork 0
/
audit-ci.jsonc
90 lines (90 loc) · 4.49 KB
/
audit-ci.jsonc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
// audit-ci.jsonc
{
// $schema provides code completion hints to IDEs.
"$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
"low": true,
"allowlist": [
// OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
"GHSA-mx2q-35m2-x2rh",
// GovernorCompatibilityBravo may trim proposal calldata
"GHSA-93hq-5wgc-jc82",
// OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
"GHSA-5h3x-9wvq-w4m2",
// OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
"GHSA-wprv-93r4-jj2p",
// semver vulnerable to Regular Expression Denial of Service
"GHSA-c2qf-rxjj-qqgw",
// Regular Expression Denial of Service in Headers
"GHSA-r6ch-mqf9-qc9w",
// CRLF Injection in Nodejs ‘undici’ via host
"GHSA-5r9g-qh6m-jxff",
// word-wrap vulnerable to Regular Expression Denial of Service
"GHSA-j8xg-fqg3-53r7",
// minimatch ReDoS vulnerability
"GHSA-f8q6-p94x-37v3",
// OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
"GHSA-4g63-c64m-25w9",
// OpenZeppelin Contracts initializer reentrancy may lead to double initialization
"GHSA-9c22-pwxw-p6hx",
// OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals
"GHSA-xrc4-737v-9q75",
// OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
"GHSA-qh9x-gcfh-pcrw",
// OpenZeppelin Contracts vulnerable to ECDSA signature malleability
"GHSA-4h98-2769-gh6h",
// OpenZeppelin Contracts ERC165Checker unbounded gas consumption
"GHSA-7grf-83vw-6f5x",
// Improper Initialization in OpenZeppelin
"GHSA-88g8-f5mf-f5rj",
// flat vulnerable to Prototype Pollution
"GHSA-2j2x-2gpw-g8fm",
// tough-cookie Prototype Pollution vulnerability
"GHSA-72xf-g2v4-qvf3",
// Server-Side Request Forgery in Request
"GHSA-p8p7-x288-28g6",
// OpenZeppelin: Using ERC2771Context with a custom forwarder can yield address(0)
"GHSA-g4vp-m682-qqmp",
// regular expression DoS in debug - low severity
"GHSA-gxpj-cx7g-858c",
// undici - only used in hardhat, not used in prod
"GHSA-wqq4-5wpv-mx2g",
// get-func-name - only used in chai, not used in prod
"GHSA-4q6p-r6v2-jvc5",
// axios used only in sol2uml
"GHSA-wf5p-g6vw-rhxx",
// follow-redirects url.parse bug. Not used in prod
"GHSA-jchw-25xp-jwwc",
// OpenZeppelin Contracts base64 encoding may read from potentially dirty memory
"GHSA-9vx6-7xxf-x967",
// Undici proxy-authorization header not cleared on cross-origin redirect in fetch
"GHSA-3787-6prv-h9w3",
// follow-redirects' Proxy-Authorization header kept across hosts
"GHSA-cxjh-pqwp-8mfp",
// es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
"GHSA-4gmj-3p3h-gm8h",
// Express.js Open Redirect in malformed URLs
"GHSA-rv95-896h-c2vc",
// vuln in tar, node doesnt validate tar before trying to untar. Supplied bad tar can cause DOS on client
// we use node only in dev, and tar is only used by web3 which we dont use client side
// only bad tar we could be provided is through malicious package in dev
"GHSA-f5x3-32g6-xq36",
// undici proxy autho again - same as GHSA-3787-6prv-h9w3
"GHSA-m4v8-wqvr-p9f7",
// undici fetch with integrity action is too lax - again we only use undici in dev so not an issue
"GHSA-9qxr-qj54-h672",
// memory exhaustion possible in lib/parse, but we only use node in dev so not an issue for us
"GHSA-grv7-fg5c-xmjg",
// ws dos too many http - we only use in dev
"GHSA-3h5v-q93c-6h6q",
// BER sig malleability vuln - only used in dev
"GHSA-49q7-c7j4-3p7m",
// ECDSA missing leading bit r and s check - only used in dev
"GHSA-977x-g7h5-7qgw",
// EDDSA missing sig length check - package only used in dev
"GHSA-f7q4-pwc6-w24p",
// Server-Side Request Forgery in axios
"GHSA-8hc4-vh64-cxmj",
// Regular Expression Denial of Service (ReDoS) in micromatch
"GHSA-952p-6rrq-rcjv"
]
}