From 840744da7089bad3ff928d10486f66c8e2c8d7ea Mon Sep 17 00:00:00 2001
From: Ryan Richard <richardry@vmware.com>
Date: Thu, 6 Mar 2025 08:54:14 -0800
Subject: [PATCH] exclude a CVE warning which was already fixed

---
 pipelines/pull-requests/pipeline.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pipelines/pull-requests/pipeline.yml b/pipelines/pull-requests/pipeline.yml
index e0e838e57..871867237 100644
--- a/pipelines/pull-requests/pipeline.yml
+++ b/pipelines/pull-requests/pipeline.yml
@@ -619,6 +619,10 @@ jobs:
                 # Removing the "until" date on the next line to ignore this CVE forever.
                 CVE-2020-8561
 
+                # CVE-2025-27144 is in github.com/go-jose/go-jose. We are already using the versions which contain
+                # the fix v3.0.4 and v4.0.5, but for some reason nancy is complaining about it, so ignore it.
+                CVE-2025-27144 until=2025-04-01
+
                 EOF
 
                 nancy sleuth --exclude-vulnerability-file=exclusions.txt < pinniped-modules/modules.json