ci(deps): allow-list ecdsa GHSA-wj6h-64fc-37mp in dependency review #642

Merged

bindsi merged 1 commit into main from fix/641-pip-allow on Jun 30, 2026

Conversation

@katriendg

Collaborator

Description

The Dependency Review gate in the PR Validation workflow was failing on the open Dependabot pip-group update (#629). Its only high-severity finding was ecdsa 0.19.2 (GHSA-wj6h-64fc-37mp, "Minerva timing attack on P-256"), a new transitive dependency introduced by the checkov 3.2.529 → 3.3.5 bump. The advisory has no fixed upstream version, so no dependency bump can satisfy fail-on-severity: high.

This change adds a narrowly-scoped allow-ghsas entry for that single advisory to the Dependency Review step in .github/workflows/pr-validation.yml, with inline comments documenting the rationale and a pointer to re-evaluate when checkov drops the ecdsa dependency. No other workflow settings change.

Related Issue

Fixes #641

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

Added allow-ghsas: GHSA-wj6h-64fc-37mp to the actions/dependency-review-action step within the dependency-scan job. The fail-on-severity: high, warn-on-openssf-scorecard-level: 3, and comment-summary-in-pr: on-failure settings are unchanged, so the gate still fails on every other high-or-higher advisory. Two preceding comments record that ecdsa is affected by a side-channel with no upstream fix, that it is transitive via checkov, and that the suppression should be revisited when that dependency is dropped.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Validation Steps

  1. Re-run (or rebase) Dependabot PR #629 (chore(deps): bump the pip group across 2 directories with 4 updates) and confirm the Dependency Scan check now passes.
  2. Confirm an unrelated high-severity advisory still fails the gate (no broadening of the suppression beyond GHSA-wj6h-64fc-37mp).

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

This intentionally suppresses one known advisory (GHSA-wj6h-64fc-37mp) because no patched ecdsa release exists; the python-ecdsa maintainers treat the Minerva side-channel as out of scope. The suppression mirrors the existing transitive-with-no-fix pattern documented in osv-scanner.toml (which feeds osv-scanner rather than the Dependency Review action). Re-evaluate and remove the entry once checkov no longer pulls in ecdsa.

Screenshots (if applicable)

The checkov bump in Dependabot PR #629 introduces a new transitive
dependency ecdsa==0.19.2, flagged by GHSA-wj6h-64fc-37mp (Minerva timing
attack on P-256, high severity). No fixed upstream version exists, so the
dependency-review-action gate cannot be satisfied by a version bump.

Add the advisory to allow-ghsas so the pip group bump can pass. Re-evaluate
when checkov drops the ecdsa dependency.

Refs #641
@katriendg katriendg requested a review from a team June 30, 2026 12:44
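The dependency-review step as the description lays it out, written here as an added example and not the repository's own .github/workflows/pr-validation.yml. The trigger, permissions block, checkout step, job label and action version tags are assumptions; only the four `with:` inputs and their values come from the PR.

```yaml
# Added example, not the project's pr-validation.yml. Trigger, permissions,
# runner, checkout step and version tags are assumptions.
name: PR Validation

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # assumed: lets the action post the on-failure summary

jobs:
  dependency-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Gate stays strict: any other advisory rated high or above
          # still fails the check.
          fail-on-severity: high
          warn-on-openssf-scorecard-level: 3
          comment-summary-in-pr: on-failure
          # ecdsa 0.19.2 is a transitive dependency pulled in by checkov.
          # GHSA-wj6h-64fc-37mp (Minerva timing side-channel on P-256) has
          # no fixed upstream release, so no version bump can clear it.
          # Re-evaluate and remove this entry once checkov drops ecdsa.
          allow-ghsas: GHSA-wj6h-64fc-37mp
```

`allow-ghsas` is a comma-separated list, so a second advisory would be appended to the same value rather than added as a new key; keeping it to the one advisory is what the validation step 2 checks.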
@codecov-commenter

codecov-commenter commented Jun 30, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 31.80%. Comparing base (f62a6f2) to head (bc982bb).


@@           Coverage Diff           @@
##             main     #642   +/-   ##
=======================================
  Coverage   31.80%   31.80%           
=======================================
  Files          40       40           
  Lines        6015     6015           
=======================================
  Hits         1913     1913           
  Misses       4102     4102           
Flag   Coverage Δ
rust   31.80% <ø> (ø)



@bindsi bindsi merged commit 30c35cc into main Jun 30, 2026
60 checks passed
@bindsi bindsi deleted the fix/641-pip-allow branch June 30, 2026 13:19

Development

Successfully merging this pull request may close these issues.

Dependency Review blocks Dependabot pip bump (#629): allow-list ecdsa GHSA-wj6h-64fc-37mp