dependencies: allowlist CVE-2020-8277 to prevent false positives. (#1…

…4228) The CVE scanner is alerting on CVE-2020-8277 despite the c-ares upgrade in #14213, since the CVE applies to nodejs (and http-parser) rather than c-ares. Signed-off-by: Harvey Tuch <[email protected]>
envoyproxy · Dec 1, 2020 · ae7d841 · ae7d841
1 parent 2dc72a9
commit ae7d841
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/tools/dependency/cve_scan.py b/tools/dependency/cve_scan.py
@@ -34,6 +34,9 @@
     'CVE-2020-8252',
     # Fixed via the nghttp2 1.41.0 bump in Envoy 8b6ea4.
     'CVE-2020-11080',
+    # Node.js issue rooted in a c-ares bug. Does not appear to affect
+    # http-parser or our use of c-ares, c-ares has been bumped regardless.
+    'CVE-2020-8277',
 ])
 
 # Subset of CVE fields that are useful below.