Skip to content

nancy: add files .nancy-ignore#2440

Merged
brilliant-lx merged 1 commit intobnb-chain:developfrom
zzzckck:nancy_ignore
May 9, 2024
Merged

nancy: add files .nancy-ignore#2440
brilliant-lx merged 1 commit intobnb-chain:developfrom
zzzckck:nancy_ignore

Conversation

@zzzckck
Copy link
Copy Markdown
Collaborator

@zzzckck zzzckck commented May 9, 2024
edited
Loading

Description

Detected Nancy failure:

pkg:golang/github.com/btcsuite/btcd/btcec/v2@v2.3.2
1 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2024-34478] CWE-754: Improper Check for Unusual or Exceptional Conditions                                                                                                                                                   ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ btcd before 0.24.0 does not correctly implement the consensus rules                                                                                                                                         ┃
┃                    ┃ outlined in BIP 68 and BIP 112, making it susceptible to consensus                                                                                                                                          ┃
┃                    ┃ failures. Specifically, it uses the transaction version as a signed integer                                                                                                                                 ┃
┃                    ┃ when it is supposed to be treated as unsigned. There can be a chain split                                                                                                                                   ┃
┃                    ┃ and loss of funds.                                                                                                                                                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫

But the vulnerability is BTC only, BSC does not have the issue, prefer not to upgrade the version of btcd.
So add the .nancy-ignore to ignore it.

Rationale

tell us why we need these changes...

Example

add an example CLI or API response...

Changes

Notable changes:

  • add each change in a bullet point here
  • ...

@brilliant-lx brilliant-lx merged commit 571ea2c into bnb-chain:develop May 9, 2024
This was referenced May 9, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@galaio galaio galaio approved these changes

+1 more reviewer

@brilliant-lx brilliant-lx brilliant-lx approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zzzckck @galaio @brilliant-lx