fdroidserver/.safety-policy.yml

---

version: '3.0'

scanning-settings:
  max-depth: 6
  exclude:

report:
  dependency-vulnerabilities:
    enabled: true
    auto-ignore-in-report:
      vulnerabilities:
        52495:
          reason: setuptools comes from Debian
          expires: '2025-01-31'
        60350:
          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267
          expires: '2025-01-31'
        60789:
          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590
          expires: '2025-01-31'
        60841:
          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040
          expires: '2025-01-31'
        62044:
          reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/"
          expires: '2025-01-31'
        63687:
          reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190
          expires: '2026-01-31'
        67599:
          reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI.
          expires: '2026-05-31'
        70612:
          reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree.
          expires: '2026-05-31'
        72132:
          reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
          expires: '2026-08-31'
        72236:
          reason: setuptools is not used in production to download or install packages, they come from Debian.
          expires: '2026-08-31'

fail-scan-with-exit-code:
  dependency-vulnerabilities:
    enabled: true
    fail-on-any-of:
      cvss-severity:
        - critical
        - high
        - medium

security-updates:
  dependency-vulnerabilities:
gitlab-ci: ignore setuptools DoS error from safety 2023-02-02 15:10:48 +01:00			`---`

gitlab-ci: port to Safety 3.x and move to own job https://docs.safetycli.com/safety-docs/installation/gitlab https://docs.safetycli.com/safety-docs/administration/safety-policy-files 2024-08-30 12:05:23 +02:00			`version: '3.0'`

			`scanning-settings:`
			`max-depth: 6`
			`exclude:`

			`report:`
			`dependency-vulnerabilities:`
			`enabled: true`
			`auto-ignore-in-report:`
			`vulnerabilities:`
			`52495:`
			`reason: setuptools comes from Debian`
			`expires: '2025-01-31'`
			`60350:`
			`reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267`
			`expires: '2025-01-31'`
			`60789:`
			`reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590`
			`expires: '2025-01-31'`
			`60841:`
			`reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040`
			`expires: '2025-01-31'`
			`62044:`
			`reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/"`
			`expires: '2025-01-31'`
			`63687:`
			`reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190`
			`expires: '2026-01-31'`
			`67599:`
			`reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI.`
			`expires: '2026-05-31'`
			`70612:`
			`reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree.`
			`expires: '2026-05-31'`
			`72132:`
			`reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.`
			`expires: '2026-08-31'`
			`72236:`
safety: clarify reason to ignore CVE 2024-09-04 16:18:13 +02:00			`reason: setuptools is not used in production to download or install packages, they come from Debian.`
gitlab-ci: port to Safety 3.x and move to own job https://docs.safetycli.com/safety-docs/installation/gitlab https://docs.safetycli.com/safety-docs/administration/safety-policy-files 2024-08-30 12:05:23 +02:00			`expires: '2026-08-31'`

			`fail-scan-with-exit-code:`
			`dependency-vulnerabilities:`
			`enabled: true`
			`fail-on-any-of:`
			`cvss-severity:`
			`- critical`
			`- high`
			`- medium`

			`security-updates:`
			`dependency-vulnerabilities:`