add VEX exception

.github/workflows/build-and-push-image.yaml

@@ -22,6 +22,7 @@ on:
       - '.github/ISSUE_TEMPLATE/**/*'
       - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
       - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
+      - 'docker/vex/*' # CVE exceptions we know are not in risk
 
 jobs:
   push_multi_platform_to_registries:

docker/vex/CVE-2024-37890.vex.json

@@ -0,0 +1,51 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
+  "author": "tim@mintplexlabs.com",
+  "timestamp": "2024-07-19T16:08:47.147169-07:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2024-37890"
+      },
+      "timestamp": "2024-07-19T16:08:47.147172-07:00",
+      "products": [
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@render",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@railway",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@latest",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@master",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+    }
+  ]
+}