Prune list of ignored dependency CVEs

Various deps have now been updated
This commit is contained in:
Kovid Goyal 2026-01-10 12:49:19 +05:30
parent 9ffa9298bf
commit dd15cf7ce1
No known key found for this signature in database
GPG Key ID: 06BC317B515ACE7C


@ -178,26 +178,17 @@ def install_grype(exe: str = '/tmp/grype') -> str:
IGNORED_DEPENDENCY_CVES = [
# Python stdlib
'CVE-2025-8194', # DoS in tarfile
'CVE-2025-6069', # DoS in HTMLParser
'CVE-2025-13836', # DoS in http client reading from malicious server
# glib
'CVE-2025-4056', # Only affects Windows, on which we dont use glib
# libtiff
'CVE-2025-8851', # this is erroneously marked as fixed in the database but no release of libtiff has been made with the fix
# hyphen
'CVE-2017-1000376', # false match in the database
# espeak
'CVE-2023-4990', # false match because we currently build with a specific commit pending release of espeak 1.53
# Qt
'CVE-2025-5683', # we dont use the ICNS image format
# ffmpeg cannot be updated till Qt starts using FFMPEG 8 and these CVEs are
# anyway for file types we dont use or support
'CVE-2025-59733', 'CVE-2025-59731', 'CVE-2025-59732', # OpenEXR image files, not supported by calibre
'CVE-2025-59730', 'CVE-2025-59734', # SANM decoding unused by calibre
'CVE-2025-59729', # DHAV files unused by calibre ad negligible security impact: https://issuetracker.google.com/issues/433513232
'CVE-2025-11579', # Go rardecode package probably from grype's own dependencies calibre does not use Go code
]
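Review bot: Several of the suppressions kept in IGNORED_DEPENDENCY_CVES are tied to events the list does not track — the libtiff entry ("no release of libtiff has been made with the fix"), the espeak entry ("pending release of espeak 1.53") and the ffmpeg group ("till Qt starts using FFMPEG 8") — so once the fixing release is picked up by the build the ignore keeps masking a genuine, now-fixable finding. A one-line removal condition next to each such entry makes the next prune mechanical, e.g. `'CVE-2025-8851',  # erroneously marked fixed in the DB; REMOVE once we build a libtiff release containing the fix` and `'CVE-2023-4990',  # false match (we build a pinned espeak commit); REMOVE once espeak 1.53 is released`. The rardecode entry is suppressed on a guess ("probably from grype's own dependencies"); the match should be confirmed from grype's reported package name/location before it is ignored globally, and the comment updated to state the verified reason. Minor: "ad negligible" in the DHAV comment should read "and negligible". If these IDs are fed to grype as ignore rules, scoping each by package name rather than by bare CVE would also stop a suppression meant for one library from hiding the same CVE in another.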