Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 9 additions & 4 deletions osv-scanner.toml
Original file line number Diff line number Diff line change
@@ -1,19 +1,24 @@
[[IgnoredVulns]]
id = "GHSA-fv5p-p927-qmxr"
ignoreUntil = "2026-07-24T00:00:00Z"
ignoreUntil = 2026-07-24
reason = "langchain-text-splitters SSRF redirect bypass in HTMLHeaderTextSplitter.split_text_from_url (MEDIUM). Fix requires langchain-text-splitters>=1.1.2 which requires langchain-core>=1.2.31 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. HTMLHeaderTextSplitter is not used by langchain-agentql. Related: ENG-14677."

[[IgnoredVulns]]
id = "GHSA-2g6r-c272-w58r"
ignoreUntil = "2026-06-15T00:00:00Z"
ignoreUntil = 2026-06-15
reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available."

[[IgnoredVulns]]
id = "GHSA-qh6h-p6c9-ff54"
ignoreUntil = "2026-07-16T00:00:00Z"
ignoreUntil = 2026-07-16
reason = "langchain-core path traversal in load_prompt/load_prompt_from_config (HIGH, CVE-2026-34070). Fix requires upgrading langchain-core 0.3.x -> 1.2.22, a breaking major version change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible without also migrating langchain-community to a stable 1.x release (currently only alpha). No fix available in the 0.3.x line."

[[IgnoredVulns]]
id = "GHSA-6w46-j5rx-g56g"
ignoreUntil = "2026-07-16T00:00:00Z"
ignoreUntil = 2026-07-16
reason = "pytest tmpdir privilege escalation (CVE-2025-71176, MEDIUM). Fix requires pytest>=9.0.3, but langchain-tests<=0.3.x pins pytest<9. Upgrading langchain-tests to 1.x would require a full langchain ecosystem migration (langchain-core 0.3->1.x, langchain-community 0.3->1.x). Affects test execution only — no production exposure. ENG-14433."

[[IgnoredVulns]]
id = "GHSA-r7w7-9xr2-qq2r"
ignoreUntil = 2026-07-27
reason = "langchain-openai prompt injection via tool result injection (LOW). Fix requires langchain-openai>=0.4.4 which requires langchain-core>=1.3.1 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. ENG-14837."
Comment on lines 1 to +24

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import sys, tomllib, pathlib

p = pathlib.Path("osv-scanner.toml")
data = tomllib.loads(p.read_text())

# Depending on osv-scanner.toml structure, adjust key access.
# This assumes the file is only a list under the top-level key `IgnoredVulns`.
# If it’s top-level array-of-tables, tomllib will place it as a key matching the table name.
key_candidates = ["IgnoredVulns", "Ignoredvulns", "ignoredvulns"]
key = next((k for k in key_candidates if k in data), None)

if key is None:
    print("Could not find IgnoredVulns key in parsed TOML. Parsed keys:", list(data.keys()))
    print("Parsed document:", data)
    sys.exit(1)

for item in data[key]:
    vid = item.get("id")
    iu = item.get("ignoreUntil")
    print(f"{vid}: ignoreUntil={iu!r} (python_type={type(iu).__name__})")
PY

Repository: tinyfish-io/agentql-integrations

Length of output: 471


🏁 Script executed:

# Search for osv-scanner references in the codebase
rg -i "osv-scanner|osv.scanner" --type toml --type json --type yaml --type md -A 3 -B 3

Repository: tinyfish-io/agentql-integrations

Length of output: 58


🏁 Script executed:

# Check for any dependency files that might mention osv-scanner
fd -e "go.mod" -e "go.sum" -e "package.json" -e "yarn.lock" -e "requirements.txt" -e "pyproject.toml" -e "Pipfile" | head -20

Repository: tinyfish-io/agentql-integrations

Length of output: 58


🏁 Script executed:

# Search for osv-scanner in documentation or config files
find . -type f \( -name "*.md" -o -name "*.txt" -o -name ".github" \) | xargs grep -l "osv-scanner" 2>/dev/null | head -10

Repository: tinyfish-io/agentql-integrations

Length of output: 58


🌐 Web query:

osv-scanner ignoreUntil TOML schema format string date

💡 Result:

In osv-scanner's TOML configuration file (osv-scanner.toml), ignoreUntil is an optional field used in [[IgnoredVulns]] and [[PackageOverrides]] sections to specify an expiry date for ignoring vulnerabilities or package overrides. It is a string in YYYY-MM-DD format (ISO 8601 date). Example for IgnoredVulns: [[IgnoredVulns]] id = "GO-2022-0968" ignoreUntil = "2022-11-09" # Optional exception expiry date reason = "No ssh servers are connected to or hosted in Go lang" Example for PackageOverrides: [[PackageOverrides]] name = "lib" version = "1.0.0" ecosystem = "Go" ignore = true effectiveUntil = "2022-11-09" # Optional exception expiry date (note: uses effectiveUntil here) reason = "abc" Note: PackageOverrides uses effectiveUntil instead of ignoreUntil, but both follow the same date string format. After the date passes, the ignore/override no longer applies.

Citations:


Critical: Fix ignoreUntil format—must be quoted strings, not unquoted dates.

osv-scanner's official schema specifies ignoreUntil as a STRING in YYYY-MM-DD format (e.g., "2026-07-24"), not a TOML date type. Your current changes use unquoted dates (ignoreUntil = 2026-07-24), which TOML parsers decode as datetime.date objects. osv-scanner will not recognize this type, causing all vulnerability suppressions in this file to be silently ignored. This breaks security compliance and may cause CI failures.

Change all five ignoreUntil entries from unquoted to quoted:

  • ignoreUntil = 2026-07-24ignoreUntil = "2026-07-24"
  • ignoreUntil = 2026-06-15ignoreUntil = "2026-06-15"
  • ignoreUntil = 2026-07-16ignoreUntil = "2026-07-16"
  • ignoreUntil = 2026-07-27ignoreUntil = "2026-07-27"

Reference: https://google.github.io/osv-scanner/configuration/

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@osv-scanner.toml` around lines 1 - 24, The TOML ignoreUntil values in the
[[IgnoredVulns]] blocks are currently unquoted dates (TOML date types) which
osv-scanner expects as STRINGs; update each ignoreUntil entry to a quoted
YYYY-MM-DD string for the listed GHSA IDs (GHSA-fv5p-p927-qmxr,
GHSA-2g6r-c272-w58r, GHSA-qh6h-p6c9-ff54, GHSA-6w46-j5rx-g56g,
GHSA-r7w7-9xr2-qq2r) by replacing lines like ignoreUntil = 2026-07-24 with
ignoreUntil = "2026-07-24" so the parser sees strings, not TOML date objects.

Loading