build: disable CVE-2018-20225 pip package shadow

rouilj · rouilj · commit 6148e502f983 · 2023-09-24T22:54:34.000-04:00
ignore as long as status is not-fixed.

description:

** DISPUTED ** An issue was discovered in pip (all versions) because
   it installs the version with the highest version number, even if
   the user had intended to obtain a private package from a private
   index. This only affects use of the --extra-index-url option, and
   exploitation requires that the package does not already exist in
   the public index (and thus the attacker can put the package there
   with an arbitrary version number). NOTE: it has been reported that
   this is intended functionality and the user is responsible for
   using --extra-index-url securely.

[skip travis]
diff --git a/.grype.yaml b/.grype.yaml
@@ -0,0 +1,4 @@
+ignore:
+  - vulnerability: CVE-2018-20225
+    fix-state: not-fixed
+    

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +ignore:
 +  - vulnerability: CVE-2018-20225
 +    fix-state: not-fixed
++