forked from marichi67/arbitrum-sdk_marichi
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaudit-ci.jsonc
100 lines (99 loc) · 5.11 KB
/
audit-ci.jsonc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
{
"$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
"low": true,
"allowlist": [
// Undici
////////////
// https://github.com/advisories/GHSA-3cvr-822r-rqcc
// Undici CRLF injection
// Used only in hardhat, so only in dev. Even then we dont use remote requests.
"GHSA-3cvr-822r-rqcc",
// https://github.com/advisories/GHSA-pgw7-wx7w-2w33
// ProxyAgent vulnerable to MITM
// Used only in hardhat, so only in dev. Even then we dont use remote requests.
"GHSA-pgw7-wx7w-2w33",
// https://github.com/advisories/GHSA-q768-x9m6-m9qp
// undici before v5.8.0 vulnerable to uncleared cookies
// Used only in hardhat, so only in dev. Even then we dont use remote requests.
"GHSA-q768-x9m6-m9qp",
// https://github.com/advisories/GHSA-8qr4-xgw6-wmr3
// undici.request` vulnerable to SSRF
// Used only in hardhat, so only in dev. Even then we dont use remote requests.
"GHSA-8qr4-xgw6-wmr3",
// https://github.com/advisories/GHSA-f772-66g8-q5h3
// Nodejs ‘undici’ Vulnerable to CRLF
// Used only in hardhat, so only in dev. Even then we dont use remote requests.
"GHSA-f772-66g8-q5h3",
// https://github.com/advisories/GHSA-r6ch-mqf9-qc9w
// Nodejs ‘undici’ Vulnerable to DoS
// Used only in hardhat, so only in dev. Even then we dont use remote requests.
"GHSA-r6ch-mqf9-qc9w",
// https://github.com/advisories/GHSA-5r9g-qh6m-jxff
// Nodejs ‘undici’ Vulnerable to CRLF
// Used only in hardhat, so only in dev. Even then we dont use remote requests.
"GHSA-5r9g-qh6m-jxff",
// Open Zepplin
////////////
// https://github.com/advisories/GHSA-88g8-f5mf-f5rj
// Improper Initialization in OpenZeppelin
// Initialiser can be re-entered. We've checked and aren't currently vulnerable.
"GHSA-88g8-f5mf-f5rj",
// https://github.com/advisories/GHSA-9c22-pwxw-p6hx
// Initializer reentrancy may lead to double initialization
// Initialiser can be re-entered. We've checked and aren't currently vulnerable.
"GHSA-9c22-pwxw-p6hx",
// https://github.com/advisories/GHSA-4g63-c64m-25w9
// OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
// We dont use EIP-1271
"GHSA-4g63-c64m-25w9",
// https://github.com/advisories/GHSA-qh9x-gcfh-pcrw
// OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
// We don't use ERC165Checker
"GHSA-qh9x-gcfh-pcrw",
// https://github.com/advisories/GHSA-7grf-83vw-6f5x
// OpenZeppelin Contracts ERC165Checker unbounded gas consumption
// We don't use ERC165Checker
"GHSA-7grf-83vw-6f5x",
// https://github.com/advisories/GHSA-xrc4-737v-9q75
// OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals
// We don't use GovernorVotesQuorumFraction
"GHSA-xrc4-737v-9q75",
// https://github.com/advisories/GHSA-4h98-2769-gh6h
// OpenZeppelin Contracts vulnerable to ECDSA signature malleability
// We don’t use signatures for replay protection anywhere
"GHSA-4h98-2769-gh6h",
// https://github.com/advisories/GHSA-xvch-5gv4-984h
// Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
// from dev dependency: typedoc-plugin-markdown>handlebars>minimist
// Minimist is a typedoc plugin's dependency and is never included in the sdk build
// Typedoc was only called by the nitro-docs repo to generate sdk docs
"GHSA-xvch-5gv4-984h",
// https://github.com/advisories/GHSA-9c47-m6qq-7p4h
// Prototype Pollution in JSON5 via Parse Method
// from: nyc>istanbul-lib-instrument>@babel/core>json5
// not used in ci
"GHSA-9c47-m6qq-7p4h",
// https://github.com/advisories/GHSA-mx2q-35m2-x2rh
// OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: arb-bridge-peripherals>@openzeppelin/contracts-upgradeable
// from: arb-bridge-peripherals>arb-bridge-eth>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// from: arb-bridge-peripherals>@openzeppelin/contracts
// from: arb-bridge-peripherals>arb-bridge-eth>@openzeppelin/contracts
// Clashing selector between proxy and implementation can only be caused deliberately
"GHSA-mx2q-35m2-x2rh",
// https://github.com/advisories/GHSA-93hq-5wgc-jc82
// GovernorCompatibilityBravo may trim proposal calldata
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// We don't use GovernorCompatibilityBravo
"GHSA-93hq-5wgc-jc82",
// https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
// OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// We don't use Governor or GovernorCompatibilityBravo
"GHSA-5h3x-9wvq-w4m2"
]
}