From 7d56289fab7900331726cea1b5614ec9f98b230a Mon Sep 17 00:00:00 2001
From: TianlongLiang <111852609+TianlongLiang@users.noreply.github.com>
Date: Wed, 23 Oct 2024 14:48:15 +0800
Subject: [PATCH] Exclude fuzz test python and npm packages in scoreboard scan (#3871)
* exclude fuzz test for scoreboard scan
* ci ignore osv-scanner.toml file name inconsistency
---
 ci/coding_guidelines_check.py | 1 +
 .../wasm-mutator-fuzz/portal/osv-scanner.toml | 52 +++++++++++++++++++
 .../wasm-mutator-fuzz/server/osv-scanner.toml | 32 ++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100644 tests/fuzz/wasm-mutator-fuzz/portal/osv-scanner.toml
 create mode 100644 tests/fuzz/wasm-mutator-fuzz/server/osv-scanner.toml
diff --git a/ci/coding_guidelines_check.py b/ci/coding_guidelines_check.py
index d96446266..a0b4535f9 100644
--- a/ci/coding_guidelines_check.py
+++ b/ci/coding_guidelines_check.py
@@ -180,6 +180,7 @@ def check_file_name(path: Path) -> bool:
 "docker-compose",
 "package-lock",
 "vite-env.d",
+ "osv-scanner",
 ]:
 return True
diff --git a/tests/fuzz/wasm-mutator-fuzz/portal/osv-scanner.toml b/tests/fuzz/wasm-mutator-fuzz/portal/osv-scanner.toml
new file mode 100644
index 000000000..1eb55cd8d
--- /dev/null
+++ b/tests/fuzz/wasm-mutator-fuzz/portal/osv-scanner.toml 
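Review bot: The exemption list in check_file_name gains `"osv-scanner"` with no comment on why any of these names are exempt, and a reader has to work out that every entry is a file name dictated by an external tool (docker-compose, npm's package-lock, vite's vite-env.d, osv-scanner's config). A one-line comment above the list, `# file names fixed by external tooling are exempt from the project naming rule`, would make the intent explicit and tell the next contributor what belongs here. The entries carry no extension, so the match appears to be on the stem and any osv-scanner.* file would presumably pass; fine if intended, but worth stating in that comment. check_file_name begins and ends outside the hunk.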
@@ -0,0 +1,52 @@
+# GHSA-67hx-6x53-jw92
+[[PackageOverrides]]
+name = "@babel/traverse"
+ecosystem = "npm"
+ignore = true
+reason = "Accepted known vulnerabilities for testing purposes"
+
+# GHSA-67hx-6x53-jw92
+[[PackageOverrides]]
+name = "babel-traverse"
+ecosystem = "npm"
+ignore = true
+reason = "Accepted known vulnerabilities for testing purposes"
+
+# GHSA-9c47-m6qq-7p4h
+[[PackageOverrides]]
+name = "json5"
+ecosystem = "npm"
+ignore = true
+reason = "Dependency not critical for security"
+
+# GHSA-7fh5-64p2-3v2j
+[[PackageOverrides]]
+name = "postcss"
+ecosystem = "npm"
+ignore = true
+reason = "Vulnerabilities do not affect current use case"
+
+# GHSA-gcx4-mw62-g8wm
+[[PackageOverrides]]
+name = "rollup"
+ecosystem = "npm"
+ignore = true
+reason = "Legacy build tool under controlled environment"
+
+# GHSA-c2qf-rxjj-qqgw
+[[PackageOverrides]]
+name = "semver"
+ecosystem = "npm"
+ignore = true
+reason = "Version parsing is managed securely"
+
+# GHSA-353f-5xf4-qw67
+# GHSA-c24v-8rfc-w8vw
+# GHSA-8jhw-289h-jh2g
+# GHSA-64vr-g452-qvp3
+# GHSA-9cwx-2883-4wfx
+[[PackageOverrides]]
+name = "vite"
+ecosystem = "npm"
+ignore = true
+reason = "Development server not exposed to untrusted networks"
diff --git a/tests/fuzz/wasm-mutator-fuzz/server/osv-scanner.toml b/tests/fuzz/wasm-mutator-fuzz/server/osv-scanner.toml
new file mode 100644
index 000000000..430d8ca8c
--- /dev/null
+++ b/tests/fuzz/wasm-mutator-fuzz/server/osv-scanner.toml 
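Review bot: Every block here is a `[[PackageOverrides]]` with `ignore = true` and no version or expiry, which suppresses all findings for that package — the advisories named in the comment above each block and any published later — so the scoreboard will stop reporting new vulnerabilities in vite, rollup, postcss, semver, json5 and babel-traverse for this directory indefinitely. Since the reviewed advisory ids are already recorded in the comments, one `[[IgnoredVulns]]` entry per id (`id = "GHSA-c2qf-rxjj-qqgw"`, `reason = "..."`, optionally `ignoreUntil = "YYYY-MM-DD"`) limits the suppression to what was actually assessed; if package-wide overrides are kept, adding `version = "..."` to each would at least cause a bumped dependency to be rescanned. Reasons such as `"Version parsing is managed securely"` and `"Dependency not critical for security"` also do not say why the listed advisory does not apply to the fuzz portal, unlike the vite entry, so the accepted risk is hard to audit later. The same open-ended package-wide pattern is used in tests/fuzz/wasm-mutator-fuzz/server/osv-scanner.toml in the next hunk.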
@@ -0,0 +1,32 @@
+# GHSA-m2qf-hxjv-5gpq / PYSEC-2023-62
+[[PackageOverrides]]
+name = "Flask"
+ecosystem = "PyPI"
+ignore = true
+reason = "Accepted known vulnerabilities for testing purposes"
+
+# GHSA-m2qf-hxjv-5gpq / PYSEC-2023-62
+[[PackageOverrides]]
+name = "flask"
+ecosystem = "PyPI"
+ignore = true
+reason = "Accepted known vulnerabilities for testing purposes"
+
+# GHSA-84pr-m4jr-85g5
+# GHSA-hxwh-jpp2-84pm / PYSEC-2024-71
+[[PackageOverrides]]
+name = "flask-cors"
+ecosystem = "PyPI"
+ignore = true
+reason = "Accepted known vulnerabilities for testing purposes"
+
+# GHSA-2g68-c3qc-8985
+# GHSA-hrfv-mqp8-q5rw / PYSEC-2023-221
+# GHSA-px8h-6qxv-m22q / PYSEC-2023-57
+# GHSA-xg9f-g7g7-2323 / PYSEC-2023-58
+# PYSEC-2022-203
+[[PackageOverrides]]
+name = "werkzeug"
+ecosystem = "PyPI"
+ignore = true
+reason = "Accepted known vulnerabilities for testing purposes"
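Review bot: The file carries two identical blocks for `Flask` and `flask` and nothing says why; if the duplication exists because the override name is matched against the literal spelling in the dependency file rather than the normalized PyPI name, a comment above the first block such as `# listed twice on purpose: override names are matched verbatim against the dependency file` would stop a later cleanup from deleting one and silently re-enabling the finding. Per-advisory `[[IgnoredVulns]]` entries, one for each id already named in the comments, would sidestep the spelling question entirely since they key on the advisory rather than the package name.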