{
"$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
"low": true,
"allowlist": [
// Allowlisted advisories. Each entry should record why the vulnerable code path is
// not reachable (unused feature, dev/build-only dependency) and the dependency path,
// so the exception can be re-checked whenever dependencies are upgraded.
//
// OpenZeppelin
////////////
// https://github.com/advisories/GHSA-4g63-c64m-25w9
// OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
// We don't use EIP-1271 (contract) signature verification, so SignatureChecker's EIP-1271 path is never reached
"GHSA-4g63-c64m-25w9",
// https://github.com/advisories/GHSA-qh9x-gcfh-pcrw
// OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
// We don't use ERC165Checker
"GHSA-qh9x-gcfh-pcrw",
// https://github.com/advisories/GHSA-7grf-83vw-6f5x
// OpenZeppelin Contracts ERC165Checker unbounded gas consumption
// We don't use ERC165Checker
"GHSA-7grf-83vw-6f5x",
// https://github.com/advisories/GHSA-xrc4-737v-9q75
// OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals
// We don't use GovernorVotesQuorumFraction
"GHSA-xrc4-737v-9q75",
// https://github.com/advisories/GHSA-4h98-2769-gh6h
// OpenZeppelin Contracts vulnerable to ECDSA signature malleability
// We don't use signatures (or their hashes) as unique identifiers or for replay protection anywhere,
// which is the only case in which signature malleability matters
"GHSA-4h98-2769-gh6h",
// https://github.com/advisories/GHSA-mx2q-35m2-x2rh
// OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: arb-bridge-peripherals>@openzeppelin/contracts-upgradeable
// from: arb-bridge-peripherals>arb-bridge-eth>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// from: arb-bridge-peripherals>@openzeppelin/contracts
// from: arb-bridge-peripherals>arb-bridge-eth>@openzeppelin/contracts
// A selector clash between the proxy's admin functions and the implementation can only arise if the
// implementation deliberately defines a function with a colliding selector; it cannot happen by accident
"GHSA-mx2q-35m2-x2rh",
// https://github.com/advisories/GHSA-93hq-5wgc-jc82
// GovernorCompatibilityBravo may trim proposal calldata
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// We don't use GovernorCompatibilityBravo
"GHSA-93hq-5wgc-jc82",
// https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
// OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// We don't use Governor or GovernorCompatibilityBravo
"GHSA-5h3x-9wvq-w4m2",
// https://github.com/advisories/GHSA-g4vp-m682-qqmp
// OpenZeppelin Contracts vulnerable to Improper Escaping of Output
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// We don't use ERC2771Context
"GHSA-g4vp-m682-qqmp",
// https://github.com/advisories/GHSA-wprv-93r4-jj2p
// OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
// We don't use OpenZeppelin's MerkleProof multiproof functions (multiProofVerify / processMultiProof) anywhere
// from @arbitrum/nitro-contracts>@offchainlabs/upgrade-executor>@openzeppelin/contracts-upgradeable
// from @arbitrum/nitro-contracts>@offchainlabs/upgrade-executor>@openzeppelin/contracts
"GHSA-wprv-93r4-jj2p",
// https://github.com/advisories/GHSA-3787-6prv-h9w3
// Undici's Proxy-Authorization header not cleared on cross-origin redirect in fetch
// NOTE(review): no justification or dependency path is recorded for this entry; add both before keeping it
// allowlisted (presumably a dev-only hardhat>undici path like the other undici entries - confirm)
"GHSA-3787-6prv-h9w3",
// https://github.com/advisories/GHSA-699g-q6qh-q4v8
// OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4
// NOTE(review): no justification is recorded for this entry; state which affected component is unused
// (or that the pinned version is not 4.9.4) so the exception can be re-evaluated
// from: @offchainlabs/l1-l3-teleport-contracts>@openzeppelin/contracts
"GHSA-699g-q6qh-q4v8",
// https://github.com/advisories/GHSA-9vx6-7xxf-x967
// OpenZeppelin Contracts base64 encoding may read from potentially dirty memory
// We don't call OpenZeppelin's Base64 encoding functions anywhere
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts-upgradeable
// from: @arbitrum/token-bridge-contracts>@openzeppelin/contracts-upgradeable
// from: @arbitrum/nitro-contracts>@openzeppelin/contracts
// from: @arbitrum/token-bridge-contracts>@openzeppelin/contracts
"GHSA-9vx6-7xxf-x967",
// https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
// follow-redirects (pulled in by axios and solc) keeps the `Proxy-Authorization` header across hosts on
// redirect, leaking proxy credentials. We never set that header.
// from: axios>follow-redirects
// from: hardhat>solc>follow-redirects
"GHSA-cxjh-pqwp-8mfp",
// https://github.com/advisories/GHSA-9qxr-qj54-h672
// Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect
// hardhat only issues HTTP requests during development (compile/test tooling); it is not on any production code path
// from: hardhat>undici
"GHSA-9qxr-qj54-h672",
// https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
// Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
// hardhat only issues HTTP requests during development (compile/test tooling); it is not on any production code path
// from: hardhat>undici
"GHSA-m4v8-wqvr-p9f7",
// https://github.com/advisories/GHSA-grv7-fg5c-xmjg
// Uncontrolled resource consumption in braces
// Reached only through eslint and hardhat, which run at development/build time, never in shipped code
// from: hardhat>braces & eslint>braces
"GHSA-grv7-fg5c-xmjg",
// https://github.com/advisories/GHSA-3h5v-q93c-6h6q
// Exposure of Sensitive Information in ws
// NOTE(review): the linked advisory appears to describe a DoS when ws handles a request with many HTTP headers,
// not information exposure - verify the title and correct this description
// Issue with sol2uml library that generates UML diagrams from Solidity code. Only used at build time.
// from: @offchainlabs/l1-l3-teleport-contracts>@arbitrum/nitro-contracts>sol2uml>convert-svg-to-png>convert-svg-core>puppeteer>ws
// from: @offchainlabs/l1-l3-teleport-contracts>@arbitrum/token-bridge-contracts>@arbitrum/nitro-contracts>sol2uml>convert-svg-to-png>convert-svg-core>puppeteer>ws
"GHSA-3h5v-q93c-6h6q",
// https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
// Axios: Server-Side Request Forgery vulnerability
// Issue with sol2uml library that generates UML diagrams from Solidity code. Only used at build time.
// from: @offchainlabs/l1-l3-teleport-contracts>@arbitrum/nitro-contracts>sol2uml>axios
// from: @offchainlabs/l1-l3-teleport-contracts>@arbitrum/token-bridge-contracts>@arbitrum/nitro-contracts>sol2uml>axios
"GHSA-wf5p-g6vw-rhxx",
// https://github.com/advisories/GHSA-3xgq-45jj-v275
// cross-spawn vulnerability
// NOTE(review): the linked advisory appears to be a regular-expression denial of service (ReDoS) in cross-spawn
// rather than command injection - verify the title so the severity class recorded here is accurate
// Only used during development via audit-ci, nyc, and patch-package
// from: audit-ci>cross-spawn
// from: nyc>foreground-child>cross-spawn
// from: nyc>spawn-wrap>foreground-child>cross-spawn
// from: @arbitrum/nitro-contracts>patch-package>cross-spawn
// from: @arbitrum/token-bridge-contracts>@arbitrum/nitro-contracts>patch-package>cross-spawn
// from: @offchainlabs/l1-l3-teleport-contracts>@arbitrum/token-bridge-contracts>@arbitrum/nitro-contracts>patch-package>cross-spawn
"GHSA-3xgq-45jj-v275",
// https://github.com/advisories/GHSA-mwcw-c2x4-8c55
// nanoid mishandles non-integer size values
// NOTE(review): the linked advisory appears to describe predictable/incorrect ID generation for non-integer
// sizes rather than an infinite loop - verify the title
// Only used by mocha for test file IDs during test execution, not in production code
// from: hardhat>mocha>nanoid
// from: mocha>nanoid
"GHSA-mwcw-c2x4-8c55"
]
}