Problem

Four open dependabot PRs are blocked or would be merged piecemeal:

- checkov 3.2.529 → 3.3.6 (root) + numpy/pytest/pytest-asyncio bumps in the ros2-connector. checkov 3.3.x transitively pins ecdsa==0.19.2, which trips the Grype Security Scan gate via GHSA-wj6h-64fc-37mp (CVE-2024-23342, Minerva P-256 timing attack, High, no upstream fix).
- opentelemetry_sdk 0.29 → 0.32 bump across the telemetry sender, receiver, and mqtt-otel-trace-exporter services. These fail only on clippy/tests due to the 0.29 → 0.32 API migration, not on security.

The blocking gate for #629 is Grype specifically — the .grype.yaml ignore list does not suppress the ecdsa finding, while the allow-ghsas entry for dependency-review lives inline in pr-validation.yml (two separate tools, two separate configs).

Approach

Land one joint remediation PR off main (cherry-picking manifest changes, not merging dependabot branches):

- Python bumps — regenerate the pip-compile --generate-hashes lockfiles for checkov 3.3.6 and the ros2-connector bumps.
- Suppress ecdsa across every gate — add a scoped GHSA-wj6h-64fc-37mp ignore to .grype.yaml (required to unblock the gate) and mirror it in osv-scanner.toml (Scorecard). Justification documented via in-file comments; no live tracking issue (no upstream fix — re-evaluate when checkov drops ecdsa).
- Centralize the dependency-review allow-list — move the inline allow-ghsas out of pr-validation.yml into a new .github/dependency-review-config.yml, wired via config-file:. Deny-all top-level / per-job permissions preserved.
- Rust migration — bump the opentelemetry family to 0.32.1 in all three crates and fix the API breakage (notably span.set_parent now returns a Result, handled with a logged warning).

Validation

- All three crates: clippy (-D warnings) clean + tests pass (sender 11, receiver 14, mqtt 24).
- ecdsa suppression verified in .grype.yaml, osv-scanner.toml, and the new dependency-review config; inline allow-ghsas removed from the workflow.

Follow-ups (out of scope)

- Add a stale-ignore audit step to security-staleness-check.yml to auto-flag obsolete suppressions.
- Re-evaluate the likely-stale GHSA-rp8m-h266-53jh grype ignore under grype 0.109.1.

Closes #629, #639, #644, #651
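A cross-gate consistency check for the suppression described under Approach and verified under Validation, added here as an example and not code from this PR or the repository: it extracts the GHSA ids ignored in each of the three gate configs and reports any id suppressed in one gate but missing from another, which is the .grype.yaml vs allow-ghsas mismatch that blocked #629, and it confirms the workflow no longer carries an inline allow-ghsas list. The embedded config snippets are constructed samples that assume each tool's documented ignore syntax (grype ignore entries, osv-scanner [[IgnoredVulns]], dependency-review allow-ghsas and the config-file input); the action version tag is also an assumption.

```python
"""Cross-gate suppression audit for GHSA ignore lists (added example)."""
import re

# Constructed sample configs. Assumption: they follow each tool's documented
# ignore syntax; they are not the repository's actual files.
GRYPE_YAML = """\
ignore:
  # ecdsa==0.19.2 is pinned transitively by checkov 3.3.x; no upstream fix
  - vulnerability: GHSA-wj6h-64fc-37mp
    package:
      name: ecdsa
      version: 0.19.2
"""
OSV_SCANNER_TOML = """\
[[IgnoredVulns]]
id = "GHSA-wj6h-64fc-37mp"
reason = "ecdsa pinned by checkov 3.3.x; re-evaluate when checkov drops it"
"""
DEPENDENCY_REVIEW_YAML = """\
allow-ghsas:
  - GHSA-wj6h-64fc-37mp
"""
WORKFLOW_YAML = """\
      - uses: actions/dependency-review-action@v4
        with:
          config-file: ./.github/dependency-review-config.yml
"""

GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

def ghsa_ids(text: str) -> set[str]:
    """GHSA ids in a YAML/TOML file, with '#' comments stripped so that a
    commented-out or merely justified id does not count as a live suppression."""
    return {m for line in text.splitlines()
            for m in GHSA_RE.findall(line.split("#", 1)[0])}

def audit(gates: dict[str, str]) -> dict[str, set[str]]:
    """Per gate, the ids suppressed in some other gate but missing from this one.
    An empty result means every scanner agrees (the state needed to unblock #629)."""
    per_gate = {name: ghsa_ids(text) for name, text in gates.items()}
    union = set().union(*per_gate.values())
    return {name: union - ids for name, ids in per_gate.items() if union - ids}

def has_inline_allow_list(workflow: str) -> bool:
    """True if the workflow still carries an inline allow-ghsas list."""
    return any(line.split("#", 1)[0].strip().startswith("allow-ghsas")
               for line in workflow.splitlines())
```

Feeding audit() a .grype.yaml without the ecdsa entry reproduces the pre-fix state: it names .grype.yaml as the one gate missing GHSA-wj6h-64fc-37mp while the other two already carry it.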