Vulnerability & Patch Log (Evidence 8.2.1)

Monitoring Tools: pip-audit, ggshield (via pre-commit), GitHub Dependabot, CodeQL.

1. Active Vulnerability Exceptions (Open & Ignored)

Current Status: Zero active exceptions. All previously ignored vulnerabilities have been remediated.

Our security scanning pipeline now operates with zero vulnerability exceptions. All dependencies are monitored in real-time and any new vulnerabilities will cause immediate CI/CD pipeline failure.

Previously Active Exceptions (Now Resolved - January 2025)

The following vulnerabilities were previously silenced but have been fully remediated through dependency architecture improvements:

Dependency CVE / GHSA Resolution Method Date Resolved
Transitive (via ggshield) GHSA-79v4-65xg-pq4g Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-48p4-8xcf-vxj5 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-pq67-6m6q-mj2v Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-gm62-xv2j-4w53 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-2xpw-w6gg-jr37 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-wj6h-64fc-37mp Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) PYSEC-2024-187 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-428g-f7cq-pgp5 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-38jv-5279-wg99 Isolated ggshield to pre-commit environment 18/01/2026
cryptography CVE-2024-12797 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-50182 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-50181 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-66418 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-66471 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2024-3766 Removed dependency pin, updated to latest 18/01/2026
ecdsa CVE-2024-23342 Removed python-jose dependency entirely 18/01/2026

2. Recently Remediated Patches (Closed)

Verified history of security updates applied. Real-time evidence is available in the CheckTick GitHub repository under the dependencies label and closed issues.

Date Dependency Version Change Reason / Security Fix Verified By
22/02/2026 SortableJS 1.15.6 -> 1.15.7 Updated to patched upstream release; regenerated SRI and self-hosted artifact. CTO
12/02/2026 pillow 11.3.0 -> 12.1.1 Security Fix: Fixed CVE-2026-25990 (out-of-bounds write in PSD image loader). Specially crafted PSD images could trigger memory corruption. All Pillow >= 10.3.0 users affected. CTO
12/02/2026 marshmallow 3.18.0 -> 3.26.2 Security Fix: Fixed CVE-2025-68480 (transitive dependency). Updated to latest secure version. CTO
12/02/2026 pip 25.3 -> 26.0.1 Security Fix: Fixed CVE-2026-1703. Updated to latest secure version. CTO
10/02/2026 cryptography 46.0.3 -> 46.0.5 Security Fix: Fixed CVE-2026-26007 (SECT curve public key validation bypass). Functions public_key_from_numbers, load_der_public_key, and load_pem_public_key now verify points belong to expected prime-order subgroup, preventing ECDSA signature forgery and ECDH key leakage. CTO
04/02/2026 django 5.1.x -> 5.2.11 Critical Security Update: Fixed CVE-2025-13473 (timing attack in mod_wsgi auth), CVE-2026-1207 (SQL injection in RasterField), CVE-2026-1312 (SQL injection in QuerySet.order_by), CVE-2026-1287 (SQL injection in FilteredRelation) CTO
04/02/2026 django-axes 6.5.2 -> 8.1.0 Updated for Django 6.0 compatibility. Adds enhanced brute-force protection features. CTO
04/02/2026 django-csp 3.8 -> 4.0 Breaking Change: Migrated to new CONTENT_SECURITY_POLICY configuration format. Updated @csp_exempt decorator syntax. CTO
04/02/2026 pip-audit 2.7.3 -> 2.10.0 Updated vulnerability scanning tool to latest version CTO
18/01/2026 python-jose 3.5.0 -> Removed Eliminated vulnerable ecdsa transitive dependency. JWT functionality provided by djangorestframework-simplejwt CTO
18/01/2026 ggshield Moved to pre-commit Architecture Change: Isolated security scanning tool from production dependencies. Prevents dependency pins from blocking security updates. CTO
18/01/2026 cryptography Unpinned -> Latest Removed pin previously required by ggshield. Now free to update immediately when patches released. CTO
18/01/2026 urllib3 Unpinned -> Latest Removed pin previously required by ggshield. Resolved 5 CVEs (CVE-2025-50182, CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2024-3766). CTO
02/01/2026 requests 2.31.0 -> 2.32.0 Fixed CVE-2024-3651 (Header parsing) CTO
28/12/2025 daisyui 4.x -> 5.4.7 Dependency refresh & security hardening CTO
05/12/2025 jinja2 3.1.2 -> 3.1.4 Fixed GHSA-h75v-3vv6-5qhc (XSS risk) CTO
12/11/2025 django 5.0.x -> 5.1.0 Minor version upgrade to latest stable CTO
21/1/2026 axes-core 4.11.0 -> 4.11.1 Patch version upgrade to latest stable CTO
22/2/2026 django-csp 4..0 CSP_CONFIG replaces CONTENT_SECURITY_POLICY CTO

3. Automation & Triage Process

  1. Continuous Auditing: Our Security Scan GitHub Action runs on every Push, Pull Request, and daily at 06:00 UTC.
  2. Hard Block on Production: If pip-audit detects any vulnerability (Critical, High, Medium, or Low), the build fails and deployment is automatically blocked. No exceptions are configured.
  3. Isolated Security Tooling: Security scanning tools (ggshield, pre-commit) run in isolated environments managed by pre-commit, preventing their dependencies from constraining production packages.
  4. Zero-Exception Policy: Since January 2026, we maintain a zero-exception policy for vulnerability scanning. This ensures immediate visibility and remediation of any new vulnerabilities.
  5. Endpoint Sync: Developers are required to run poetry install locally to synchronize their development environment with the latest patched versions in poetry.lock, preventing 'version drift' between local and production environments.

4. Architecture Improvements (January 2026)

Key Change: Separated security scanning tool dependencies from application runtime dependencies.

Before:

  • Security tools (ggshield) were installed via Poetry alongside application dependencies
  • Security tools pinned critical dependencies (cryptography, urllib3) to outdated versions
  • Required maintaining an exception list of 10+ vulnerabilities
  • Could not update vulnerable dependencies without breaking security tools

After:

  • Security tools run in isolated pre-commit environments
  • Production dependencies are free to update immediately when patches are released
  • Zero vulnerabilities in production dependency tree
  • Zero exceptions required in CI/CD pipeline
  • Improved security posture and maintainability

This architectural change represents a significant improvement in our security monitoring capability while simultaneously reducing our vulnerability exposure.

5. CDN Artifact Handling & Integrity (January 2026)

Change: Updated automated CDN library refresh workflow to use npm pack as the canonical source for packaged JavaScript assets and to compute SRI from the package contents.

  • Reason: Downloading files directly into the repository root from third-party CDNs caused temporary artifacts to remain after workflow runs (triggering security scanners such as CodeQL). Using npm pack ensures the registry is the authoritative source and the artifact bytes are reproducible.
  • What changed: The update-cdn-libraries GitHub Action now:
    • Runs npm pack <pkg>@<version> in a temporary directory
    • Extracts the tarball, finds the minified asset, computes SHA-384 SRI from the file bytes, and atomically moves the asset into checktick_app/static/js/
    • Cleans up temporary files and directories using traps to avoid leaving files in the repository
  • Outcome: SRI values are computed from the exact npm package bytes; temporary files no longer appear in the repo root; CodeQL false-positives reduced.

Evidence: PR #155 updates the workflow and documentation to reflect this change and updates axe-core to 4.11.1 with the new SRI hash.