Merge pull request #228 from American-Institutes-for-Research/HEA-899/Fix-security-vulnerability-on-nbconvert

Ignore security vulnerability on nbconvert and gdal

Author: rhunwicks

docker/app/run_tests.sh

@@ -53,6 +53,10 @@ fi
 #     the vulnerable GMLAS driver, potentially rendering the application
 #     unresponsive. The issue is mitigated by introducing a limit on entity
 #     expansions and aborting parsing when the limit is exceeded.
+#  Vulnerability ID: 82915
+#    Affected spec: <3.12.1
+#    ADVISORY: Affected versions of the gdal package are vulnerable to
+#    path traversal due to insufficient path sanitization in multiple drivers.
 
 # Ignore vulnerability found in jinja2 version 3.1.4
 # We do not allow any untrusted templates, and so are not affected.
@@ -66,8 +70,24 @@ fi
 #   shouldn't use untrusted templates without sandboxing.
 #   CVE-2019-8341
 
+# Vulnerability found in nbconvert version 7.16.6
+#    Vulnerability ID: 83150
+#    Affected spec: <=7.16.6
+#    ADVISORY: Affected versions of the nbconvert package are
+#    vulnerable to Uncontrolled Search Path Element due to resolving the
+#    inkscape executable on Windows using a search order that includes the
+#    current working directory. In nbconvert/preprocessors/svg2pdf.py, the PDF
+#    conversion flow for notebooks with SVG outputs locates and executes
+#    inkscape without a fully qualified path, allowing a local inkscape.bat to
+#    be selected and run.
+# NOTE: jupyterlab==4.4.8 uses nbconvert==7.16.6 and there is currently no patched version 
+#  of nbconvert for CVE-2025-53000. 
+#  The vulnerability was only published on December 17-18, 2025, and version 7.16.6 remains 
+#  the latest release.
+#  Will ignore this and update once we got a fix
+
 echo Package Vulnerabilities:
-pip freeze | safety check --stdin --full-report -i 62283 -i 70612 -i 74054
+pip freeze | safety check --stdin --full-report -i 62283 -i 70612 -i 74054 -i 82915 -i 83150
 SAFETY_RESULT=$?
 
 # Suppress SAFETY_RESULT unless CHECK_SAFETY is set