Cutlery/calibre
1
0
Fork 0
mirror of https://github.com/kovidgoyal/calibre.git synced 2025-11-24 15:25:01 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix false positive CVEs

Browse Source
This commit is contained in:
Kovid Goyal 2025-10-17 09:54:37 +05:30
parent ca1c006eff
commit ced66a2815
No known key found for this signature in database
GPG Key ID: 06BC317B515ACE7C
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
setup/unix-ci.py
View File

@ -175,6 +175,8 @@ IGNORED_DEPENDENCY_CVES = [
'CVE-2017-1000376', # false match in the database 'CVE-2017-1000376', # false match in the database
# espeak # espeak
'CVE-2023-4990', # false match because we currently build with a specific commit pending release of espeak 1.53 'CVE-2023-4990', # false match because we currently build with a specific commit pending release of espeak 1.53
# Qt
'CVE-2025-5683', # we dont use the ICNS image format
# ffmpeg cannot be updated till Qt starts using FFMPEG 8 and these CVEs are # ffmpeg cannot be updated till Qt starts using FFMPEG 8 and these CVEs are
# anyway for file types we dont use or support # anyway for file types we dont use or support
'CVE-2025-59733', 'CVE-2025-59731', 'CVE-2025-59732', # OpenEXR image files, not supported by calibre 'CVE-2025-59733', 'CVE-2025-59731', 'CVE-2025-59732', # OpenEXR image files, not supported by calibre
@ -211,9 +213,13 @@ def check_dependencies() -> None:
for x in IGNORED_DEPENDENCY_CVES: for x in IGNORED_DEPENDENCY_CVES:
print(' - vulnerability:', x, file=f) print(' - vulnerability:', x, file=f)
cmdline = [grype, '--by-cve', '--config', gc, '--fail-on', 'medium', '--only-fixed', '--add-cpes-if-none'] cmdline = [grype, '--by-cve', '--config', gc, '--fail-on', 'medium', '--only-fixed', '--add-cpes-if-none']
if (cp := subprocess.run(cmdline + ['dir:' + SW])).returncode != 0: # disable testing against dir as it raises false positives on sqlite
raise SystemExit(cp.returncode) # embedded in dependencies we dont use at runtime
# Now test against the SBOM # print('Testing against the bundle directories', flush=True)
# if (cp := subprocess.run(cmdline + ['dir:' + SW])).returncode != 0:
# raise SystemExit(cp.returncode)
# Test against the SBOM
print('Testing against the SBOM', flush=True)
import runpy import runpy
orig = sys.argv, sys.stdout orig = sys.argv, sys.stdout
sys.argv = ['bypy', 'sbom', 'myproject', '1.0.0'] sys.argv = ['bypy', 'sbom', 'myproject', '1.0.0']