ignore CVE from indirect dep which does not impact us

2026-02-05 20:41:16 +00:00 · 2026-02-04 12:29:15 -08:00
parent b2c5a8f123
commit 370487be59
1 changed files with 8 additions and 0 deletions
--- a/pipelines/pull-requests/pipeline.yml
+++ b/pipelines/pull-requests/pipeline.yml
@@ -631,6 +631,14 @@ jobs:
                # 3.0.4 and 4.0.5 contain the fix.
                CVE-2025-27144

+                # CVE-2026-24051 is in go.opentelemetry.io/otel/sdk before v1.40.0. This is an indirect dep that we
+                # get through various k8s modules and through fosite. The CVE description says that it only applies
+                # to MacOS. We do not use opentelemetry in the Pinniped CLI, and our other code never runs on MacOS,
+                # so we should have no exposure to this issue. We can wait for the next version of k8s packages to
+                # update this dependency, if they choose to do so.
+                # See https://ossindex.sonatype.org/vulnerability/CVE-2026-24051?component-type=golang&component-name=go.opentelemetry.io%2Fotel%2Fsdk&utm_source=nancy-client&utm_medium=integration&utm_content=1.2.0
+                CVE-2026-24051 until=2026-04-04
+
                EOF

                cat pinniped-modules/modules.json | nancy sleuth \