fix: consolidate open dependency PRs into one vulnerable-package remediation #656

Description

@katriendg

Problem

Four open dependabot PRs are blocked or would be merged piecemeal:

The blocking gate for #629 is Grype specifically — the .grype.yaml ignore list does not suppress the ecdsa finding, while the allow-ghsas entry for dependency-review lives inline in pr-validation.yml (two separate tools, two separate configs).

Approach

Land one joint remediation PR off main (cherry-picking manifest changes, not merging dependabot branches):

  1. Python bumps — regenerate the pip-compile --generate-hashes lockfiles for checkov 3.3.6 and the ros2-connector bumps.
  2. Suppress ecdsa across every gate — add a scoped GHSA-wj6h-64fc-37mp ignore to .grype.yaml (required to unblock the gate) and mirror it in osv-scanner.toml (Scorecard). Justification documented via in-file comments; no live tracking issue (no upstream fix — re-evaluate when checkov drops ecdsa).
  3. Centralize the dependency-review allow-list — move the inline allow-ghsas out of pr-validation.yml into a new .github/dependency-review-config.yml, wired via config-file:. Deny-all top-level / per-job permissions preserved.
  4. Rust migration — bump the opentelemetry family to 0.32.1 in all three crates and fix the API breakage (notably span.set_parent now returns a Result, handled with a logged warning).

Validation

  • All three crates: clippy (-D warnings) clean + tests pass (sender 11, receiver 14, mqtt 24).
  • ecdsa suppression verified in .grype.yaml, osv-scanner.toml, and the new dependency-review config; inline allow-ghsas removed from the workflow.

Follow-ups (out of scope)

  • Add a stale-ignore audit step to security-staleness-check.yml to auto-flag obsolete suppressions.
  • Re-evaluate the likely-stale GHSA-rp8m-h266-53jh grype ignore under grype 0.109.1.

Closes #629, #639, #644, #651
