diff --git a/.github/workflows/ci.py b/.github/workflows/ci.py
index b8768b3c5..41fc2431c 100644
--- a/.github/workflows/ci.py
+++ b/.github/workflows/ci.py
@@ -205,8 +205,8 @@ def install_grype() -> str:
 IGNORED_DEPENDENCY_CVES = [
 # Python stdlib
- 'CVE-2025-8194', # DoS in tarfile
- 'CVE-2025-6069', # DoS in HTMLParser
+ 'CVE-2025-8194', 'BIT-python-2025-8194', # DoS in tarfile
+ 'CVE-2025-6069', 'BIT-python-2025-6069', # DoS in HTMLParser
 ]
@@ -222,7 +222,7 @@ def check_dependencies() -> None:
 dest = os.path.join(SW, 'macos')
 os.makedirs(dest, exist_ok=True)
 install_bundle(dest, os.path.basename(dest))
- if (cp := subprocess.run([grype, '--config', gc, '--fail-on', 'medium', SW])).returncode != 0:
+ if (cp := subprocess.run([grype, '--config', gc, '--only-fixed', '--fail-on', 'medium', SW])).returncode != 0:
 raise SystemExit(cp.returncode)
 # Now test against the SBOM
 import runpy
@@ -233,7 +233,7 @@ def check_dependencies() -> None:
 runpy.run_path('bypy-src')
 sys.argv, sys.stdout = orig
 print(buf.getvalue())
- if (cp := subprocess.run([grype, '--config', gc, '--fail-on', 'medium'], input=buf.getvalue().encode())).returncode != 0:
+ if (cp := subprocess.run([grype, '--config', gc, '--only-fixed', '--fail-on', 'medium'], input=buf.getvalue().encode())).returncode != 0:
 raise SystemExit(cp.returncode)
diff --git a/bypy/sources.json b/bypy/sources.json
index 23d2bd0cd..1fb727944 100644
--- a/bypy/sources.json
+++ b/bypy/sources.json
@@ -86,12 +86,12 @@
 },
 {
- "name": "sqlite 3500400",
+ "name": "sqlite 3.50.4",
 "spdx": "blessing",
 "unix": {
 "file_extension": "tar.gz",
 "hash": "sha256:a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18",
- "urls": ["https://www.sqlite.org/2025/{name}-autoconf-{version}.{file_extension}"]
+ "urls": ["https://www.sqlite.org/2025/{name}-autoconf-3500400.{file_extension}"]
 }
 },
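Review bot: The new 'BIT-python-*' entries added to IGNORED_DEPENDENCY_CVES carry the same open-ended suppression as the CVE ids next to them: nothing in the list records which Python release ships the fix, so the entries will quietly outlive the vulnerability once the bundled interpreter is upgraded. A per-pair comment naming the fixed-in release and the removal condition, e.g. `# DoS in tarfile; drop once bundled Python >= <fixed-in version>`, would keep the ignore list auditable. If the grype ignore config built from this list (`gc`, generated outside the hunk) matches on vulnerability id alone, the suppression also covers every package in the scan rather than only the stdlib; worth confirming when the config is generated.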
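Review bot: Adding `--only-fixed` to both grype invocations (this hunk and the SBOM scan in the following hunk) means a medium-or-higher finding with no upstream fix no longer fails the job, and as far as I know grype also drops such matches from its report, so they disappear from the CI log entirely rather than being merely excluded from the gate. Gating only on fixable findings is a reasonable choice, but the loss of visibility is silent; an informational run before the gate, `subprocess.run([grype, '--config', gc, SW])  # report-only: still surfaces findings with no fix yet`, would preserve it at the cost of one extra scan. At minimum a one-line comment above the gating call stating why unfixed findings are excluded would spare the next maintainer from re-deriving the trade-off. check_dependencies begins before this hunk.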
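Review bot: The rewritten `urls` entry hardcodes the autoconf-encoded version `3500400` while `name` now carries `3.50.4`, so the same version lives in two representations in two fields and a future bump must touch both plus the hash. The pinned sha256 is unchanged, so the fetched artifact is the same, and a drift between `name` and the URL would be caught by the hash check, assuming the builder verifies `hash` before unpacking (not visible here). If the sources loader can expose a second substitution for the numeric form, deriving the URL from the declared version again would remove the duplication.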