From 61a4028797a705c1b6d98b57c4c7c3b00d8aa7c8 Mon Sep 17 00:00:00 2001
From: Max Kurapov
Date: Sun, 8 Dec 2024 16:50:10 +0100
Subject: [PATCH] chore: add override for cross-spawn vulnerability (#3154)
* chore: add override for cross-spawn vulnerability
* chore: debugging trivy
* Revert "chore: debugging trivy"
This reverts commit c8434d22c2fdedca158874c54441e61f9c7f54ec.
* chore(ci): trivy ignore
* chore(ci): debug trivvy
* Revert "chore(ci): debug trivvy"
This reverts commit 81023c6c5e46c9f43f143ed2605e6989a12284ae.
* chore(ci): debug trivy
* chore(ci): checkout repo during trivy check
* chore(ci): add expiry to ignored vulnerability
* chore(ci): ignore vulnerability in grype
* chore(ci): remove debug flag from trivy scan
---
 .github/workflows/node-build.yml | 2 ++
 .grype.yaml | 2 ++
 .trivyignore | 1 +
 package.json | 3 ++-
 pnpm-lock.yaml | 19 ++++++++++---------
 5 files changed, 17 insertions(+), 10 deletions(-)
 create mode 100644 .grype.yaml
 create mode 100644 .trivyignore
diff --git a/.github/workflows/node-build.yml b/.github/workflows/node-build.yml
index f9ffe1eb6a..c6904c034a 100644
--- a/.github/workflows/node-build.yml
+++ b/.github/workflows/node-build.yml
@@ -291,6 +291,7 @@ jobs:
 - backend
 - frontend
 steps:
+ - uses: actions/checkout@v4
 - name: Fetch docker image from cache
 uses: actions/cache/restore@v4
 with:
@@ -326,6 +327,7 @@ jobs:
 - backend
 - frontend
 steps:
+ - uses: actions/checkout@v4
 - name: Fetch docker image from cache
 uses: actions/cache/restore@v4
 with:
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 0000000000..e6cad11151
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,2 @@
+ignore:
+ - vulnerability: GHSA-3xgq-45jj-v275
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000000..bdfddad256
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1 @@
+CVE-2024-21538 exp:2024-12-31
\ No newline at end of file
diff --git a/package.json b/package.json
index afde84d534..edd63bd4d4 100644
--- a/package.json
+++ b/package.json
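Review bot: The two added `- uses: actions/checkout@v4` steps pull a third-party action by a mutable tag into the jobs that gate the image scan; the neighbouring `actions/cache/restore@v4` already does the same, so this follows the file's pattern, but these are exactly the jobs where a silently re-pointed tag would matter, so pinning by full commit SHA with the tag kept as a trailing comment (`- uses: actions/checkout@<full-sha> # v4`) is worth doing here. Nothing in the hunk says why a checkout is now needed before a cache restore — the commit message suggests it is so the scanner can read the new `.trivyignore` / `.grype.yaml` from the workspace — so a one-line comment above the step, `# checkout is needed so the scanner picks up .trivyignore / .grype.yaml`, would save the next reader the archaeology. The enclosing `steps:` lists and the job definitions continue outside both hunks.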
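Review bot: The grype rule `- vulnerability: GHSA-3xgq-45jj-v275` suppresses that advisory for every package in the scanned image, permanently, while the trivy counterpart added in this same commit expires on 2024-12-31; the two suppressions should carry the same scope and lifetime. Since the pnpm override in this commit already moves the project's own `cross-spawn` to 7.0.6, the ignore presumably exists for some other copy in the image that pnpm does not control — that is the thing the rule should say, and grype's ignore entries accept `reason:` and a `package:` selector (`name`, `version`, `location`) to keep the rule from masking a future regression elsewhere. The file also has no `---` document start and no comment; I would write it as below and add a removal date in the comment.
```yaml
ignore:
  # GHSA-3xgq-45jj-v275 = CVE-2024-21538 (cross-spawn ReDoS). The project's own
  # copy is pinned to >=7.0.5 via pnpm.overrides; this rule only covers the
  # remaining copy the image scan reports. Drop it once that copy is updated
  # (the matching .trivyignore entry expires 2024-12-31).
  - vulnerability: GHSA-3xgq-45jj-v275
    reason: "accepted until the remaining cross-spawn copy in the image is updated"
    package:
      name: cross-spawn
```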
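Review bot: `CVE-2024-21538 exp:2024-12-31` records no justification, and `.trivyignore` accepts `#` comment lines, so the accepted risk should be stated next to it: `# cross-spawn ReDoS; project copy is fixed via pnpm.overrides, this covers the remaining copy in the image — re-check before 2024-12-31`. The expiry is only about three weeks after the commit date, which is good discipline but means the scan will start failing on 2025-01-01 unless whatever still triggers the finding is updated by then; make sure that is tracked. If the finding comes from one path in the image, trivy's `.trivyignore.yaml` form lets the entry carry `paths:` and `statement:` so the suppression is not image-wide. The file also ends without a trailing newline (`\ No newline at end of file`).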
@@ -78,7 +78,8 @@
 "tar@<6.2.1": ">=6.2.1",
 "braces@<3.0.3": ">=3.0.3",
 "@grpc/grpc-js@>=1.10.0 <1.10.9": ">=1.10.9",
- "dset@<3.1.4": ">=3.1.4"
+ "dset@<3.1.4": ">=3.1.4",
+ "cross-spawn@>=7.0.0 <7.0.5": ">=7.0.5"
 }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 641900d859..6205a2327c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -23,6 +23,7 @@ overrides:
 braces@<3.0.3: '>=3.0.3'
 '@grpc/grpc-js@>=1.10.0 <1.10.9': '>=1.10.9'
 dset@<3.1.4: '>=3.1.4'
+ cross-spawn@>=7.0.0 <7.0.5: '>=7.0.5'
 importers:
@@ -5278,7 +5279,7 @@ packages:
 resolution: {integrity: sha512-wfzX8kc1PMyUILA+1Z/EqoE4UCXGy0iRGMhPwdfae1+f0OXlLqCk+By+aMzgJBzR9AzS4CDizioG6Ss1gvAFJw==}
 engines: {node: ^12.20.0 || ^14.18.0 || >=16.0.0}
 dependencies:
- cross-spawn: 7.0.3
+ cross-spawn: 7.0.6
 is-glob: 4.0.3
 open: 8.4.0
 picocolors: 1.1.1
@@ -5398,7 +5399,7 @@ packages:
 cacache: 17.1.4
 chalk: 4.1.2
 chokidar: 3.5.3
- cross-spawn: 7.0.3
+ cross-spawn: 7.0.6
 dotenv: 16.4.1
 es-module-lexer: 1.4.1
 esbuild: 0.17.6
@@ -5488,7 +5489,7 @@ packages:
 cacache: 17.1.4
 chalk: 4.1.2
 chokidar: 3.5.3
- cross-spawn: 7.0.3
+ cross-spawn: 7.0.6
 dotenv: 16.4.1
 es-module-lexer: 1.4.1
 esbuild: 0.17.6
@@ -9072,8 +9073,8 @@ packages:
 dependencies:
 tslib: 2.8.0
- /cross-spawn@7.0.3:
- resolution: {integrity: sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==}
+ /cross-spawn@7.0.6:
+ resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
 engines: {node: '>= 8'}
 dependencies:
 path-key: 3.1.1
@@ -10460,7 +10461,7 @@ packages:
 '@ungap/structured-clone': 1.2.0
 ajv: 6.12.6
 chalk: 4.1.2
- cross-spawn: 7.0.3
+ cross-spawn: 7.0.6
 debug: 4.3.7(supports-color@9.4.0)
 doctrine: 3.0.0
 escape-string-regexp: 4.0.0
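Review bot: The new override `"cross-spawn@>=7.0.0 <7.0.5": ">=7.0.5"` only addresses the 7.0.x branch of the advisory; as I read GHSA-3xgq-45jj-v275 / CVE-2024-21538, versions below 6.0.6 are affected as well and fixed in 6.0.6, so a transitive dependency that resolves a 6.x `cross-spawn` would stay on a vulnerable version and never be touched by this rule. The lockfile hunks in this commit only rewrite `7.0.3` resolutions, so there appears to be no 6.x copy today, but a second line `"cross-spawn@<6.0.6": ">=6.0.6"` costs nothing and matches how the `tar` and `braces` overrides above cover the whole affected range rather than one branch. The enclosing `pnpm.overrides` object starts outside the hunk.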
@@ -10650,7 +10651,7 @@ packages:
 resolution: {integrity: sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==}
 engines: {node: '>=10'}
 dependencies:
- cross-spawn: 7.0.3
+ cross-spawn: 7.0.6
 get-stream: 6.0.1
 human-signals: 2.1.0
 is-stream: 2.0.1
@@ -11004,7 +11005,7 @@ packages:
 resolution: {integrity: sha512-TMKDUnIte6bfb5nWv7V/caI169OHgvwjb7V4WkeUvbQQdjr5rWKqHFiKWb/fcOwB+CzBT+qbWjvj+DVwRskpIg==}
 engines: {node: '>=14'}
 dependencies:
- cross-spawn: 7.0.3
+ cross-spawn: 7.0.6
 signal-exit: 4.1.0
 dev: true
@@ -15342,7 +15343,7 @@ packages:
 hasBin: true
 dependencies:
 ansi-styles: 6.2.1
- cross-spawn: 7.0.3
+ cross-spawn: 7.0.6
 memorystream: 0.3.1
 minimatch: 9.0.3
 pidtree: 0.6.0