From 9b78c31d9d6ff474c9d29aa4252a2d95ccc9861c Mon Sep 17 00:00:00 2001
From: timothycarambat <rambat1010@gmail.com>
Date: Fri, 19 Jul 2024 16:21:12 -0700
Subject: [PATCH] add VEX exception

---
 .github/workflows/build-and-push-image.yaml |  1 +
 docker/vex/CVE-2024-37890.vex.json          | 51 +++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 docker/vex/CVE-2024-37890.vex.json

diff --git a/.github/workflows/build-and-push-image.yaml b/.github/workflows/build-and-push-image.yaml
index f29fa511d..95e8d187b 100644
--- a/.github/workflows/build-and-push-image.yaml
+++ b/.github/workflows/build-and-push-image.yaml
@@ -22,6 +22,7 @@ on:
       - '.github/ISSUE_TEMPLATE/**/*'
       - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
       - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
+      - 'docker/vex/*' # CVE exceptions we know are not in risk
 
 jobs:
   push_multi_platform_to_registries:
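Review bot: The comment on the new `paths-ignore` entry says what the files are but not why a change to them should skip the image build, and "not in risk" is not quite the claim being made; a reader may assume the VEX documents are baked into the image and wonder why an edit does not rebuild it. Suggest `# OpenVEX not_affected statements for scanner findings; consumed at scan time, not copied into the image, so no rebuild is needed` — and confirm that is how they are consumed, because if the documents are attached to the image as an attestation a rebuild would be required. Minor: `docker/vex/*` matches only direct children; `docker/vex/**` would also cover subdirectories and matches the `**/*` form used by the neighbouring entries. The enclosing `on:` / `paths-ignore` block begins before this hunk.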
diff --git a/docker/vex/CVE-2024-37890.vex.json b/docker/vex/CVE-2024-37890.vex.json
new file mode 100644
index 000000000..89de7553c
--- /dev/null
+++ b/docker/vex/CVE-2024-37890.vex.json
@@ -0,0 +1,51 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
+  "author": "tim@mintplexlabs.com",
+  "timestamp": "2024-07-19T16:08:47.147169-07:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2024-37890"
+      },
+      "timestamp": "2024-07-19T16:08:47.147172-07:00",
+      "products": [
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@render",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@railway",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@latest",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:docker/mintplexlabs/anythingllm@master",
+          "subcomponents": [
+            {
+              "@id": "pkg:npm/ws@8.14.2"
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+    }
+  ]
+}
\ No newline at end of file
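Review bot: The `not_affected` statement carries only the machine-readable justification `vulnerable_code_cannot_be_controlled_by_adversary` and no `impact_statement`, so the reasoning is not recorded anywhere a future reviewer (or a scanner that surfaces impact statements) can check; OpenVEX recommends an `impact_statement` alongside the justification for `not_affected`. CVE-2024-37890 is, per its advisory, a denial of service in ws's handling of incoming HTTP upgrade requests with many headers, so the justification presumably rests on ws not accepting untrusted connections in this image (client-only use, or a front proxy that caps header count) — that condition should be spelled out, e.g. `"impact_statement": "ws does not accept untrusted connections in this image: <state why>"`, and re-verified whenever a WebSocket server is added. The product identifiers use mutable tags (`latest`, `master`, `render`, `railway`) with no digest, so the statement applies to whatever those tags point at in future; pinning `pkg:npm/ws@8.14.2` in `subcomponents` is what actually bounds it, and the statement should be retired once ws is upgraded past the fixed version. The file also ends without a trailing newline.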
-- 
GitLab