# 🚫 Scan Exemptions

## 📋 Template

### CVE-YYYY-XXXXX (Library vX.Y.Z)

- Vulnerability: Brief description of the vulnerability
- Severity: Critical/High/Medium/Low
- Why exempt: Detailed justification for exemption
- Mitigation: What we do instead to protect against this
- Review date: YYYY-MM-DD
- Approved by: Name & Title
- Created: YYYY-MM-DD
## ⚠️ Rules

- Exemptions require security lead approval
  - All exemptions must be reviewed by the security lead
  - Document approval in this file
- Review quarterly
  - Re-assess all exemptions every 3 months
  - Check if patches are now available
  - Verify mitigation is still effective
- No permanent exemptions
  - All exemptions must have an expiration date
  - Maximum 1 year duration
  - Must be renewed if still needed
- Document in code if relevant
  - Add comments in code referencing this exemption
  - Explain why the vulnerable code is safe in our context
  - Link to this document
## 📝 Active Exemptions

### Example: CVE-2024-12345 (example-lib v1.2.3)

- Vulnerability: Buffer overflow in parsing function
- Severity: High
- Why exempt: We only use this library for output formatting, not parsing untrusted input. The vulnerable function is never called in our codebase.
- Mitigation: Input validation before any data reaches this library. Sandboxed execution environment.
- Review date: 2025-06-01
- Approved by: Jane Doe, Security Lead
- Created: 2025-03-03
## 📚 Historical Exemptions (Resolved)

### CVE-2023-99999 (old-lib v2.1.0)

- Vulnerability: SQL injection
- Severity: Critical
- Resolution: Updated to v2.2.0 on 2025-02-15
- Duration: 2025-01-10 to 2025-02-15 (36 days)

## 🔍 Exemption Review Log

| Date | Reviewer | Action | Notes |
|---|---|---|---|
| 2025-03-03 | Jane Doe | Created template | Initial setup |
| 2025-06-01 | TBD | Quarterly review | Review all exemptions |
| 2025-09-01 | TBD | Quarterly review | Review all exemptions |
## 📞 Contact

For questions about exemptions or to request a new exemption:

- Security Team: security@example.com
- Security Lead: jane.doe@example.com
- Process Documentation: Security Wiki