chore: add .osv-scanner.toml to suppress false positives in OpenSSF Scorecard #1314
Conversation
Pull request overview
Adds an OSV scanner configuration file intended to suppress known false-positive vulnerability findings (primarily around unactivated optional Rust deps in Cargo.lock v4 and upstream Tauri/Linux GTK3 transitive advisories), to reduce noise in automated security reporting.
Changes:
- Add `.osv-scanner.toml` with a set of `IgnoredVulns` entries for specific RustSec advisory IDs.
- Document suppression rationales inline via `reason` strings (optional deps / platform-specific / unmaintained upstream deps).
| [[IgnoredVulns]] | ||
| id = "RUSTSEC-2023-0071" | ||
| reason = "rsa is an optional dep of sqlx-mysql, not compiled (Cargo.lock v4 lists unactivated optional deps)" |
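Review bot: the file name may keep this config from being read at all. osv-scanner's default lookup is for a file named `osv-scanner.toml` (no leading dot) in the directory of the lockfile it scans; a file with any other name is only honoured when it is passed explicitly via `--config`. Either rename it to `osv-scanner.toml` next to `Cargo.lock`, or make sure the job that runs the scanner passes `--config .osv-scanner.toml`, and please confirm which of the two this PR relies on.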
I couldn't find any workflow or script in this repo that runs osv-scanner (only .github/workflows/scorecard.yml runs ossf/scorecard-action). If the goal is to suppress findings in CI/Scorecard, please confirm that Scorecard consumes .osv-scanner.toml; otherwise this file may have no effect and you'd need to configure the job/tool that produces the findings to use it (or add an osv-scanner step that reads this config).
| @@ -0,0 +1,87 @@ | |||
| [[IgnoredVulns]] | |||
| id = "RUSTSEC-2023-0071" | |||
| reason = "rsa is an optional dep of sqlx-mysql, not compiled (Cargo.lock v4 lists unactivated optional deps)" | |||
These ignores are global by advisory ID. That can silently mask real vulnerabilities later if the project starts compiling/using an affected crate (e.g., enabling sqlx-mysql would keep RUSTSEC-2023-0071 suppressed). Consider scoping the ignores as narrowly as the tooling allows (e.g., to specific packages/paths) and/or adding an explicit review/expiry note so the suppressions get revisited when dependencies/features change.
| reason = "rsa is an optional dep of sqlx-mysql, not compiled (Cargo.lock v4 lists unactivated optional deps)" | |
| reason = "rsa is an optional dep of sqlx-mysql and is not compiled in the current build (Cargo.lock v4 lists unactivated optional deps); REVIEW REQUIRED if sqlx-mysql or related features are enabled; review by 2026-01-31" |
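Review bot: the "review by 2026-01-31" in the suggested `reason` string is free text that nothing enforces, so the scanner will keep honouring this ignore after that date. The `[[IgnoredVulns]]` table takes an optional `ignoreUntil` date for exactly this purpose (`ignoreUntil = 2026-01-31` next to `id` and `reason`), after which the advisory is reported again; prefer that to, or use it in addition to, the note in `reason`.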
Summary
Cargo.lock v4 (edition 2024) records unactivated optional dependencies, causing osv-scanner to flag crates that are never compiled (e.g. rsa via sqlx-mysql). GTK3 and other unmaintained warnings are Tauri upstream deps with no available fix.
Related Issues
Type of Change
- fix/branch
- feat/branch
- refactor/branch
- docs/branch
- chore/branch
Screenshots / Videos
Test Plan
Checklist
- `npm run lint && npm run format` / `cargo tauri-lint && cargo tauri-fmt`
- `npm test` / `cargo tauri-test`