From d539c2d5de5ac206929889267785c6c65f1b728f Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Thu, 26 Mar 2026 20:15:50 +0100
Subject: [PATCH] gitlab-ci: make pip_audit ignore CVE-2026-4539

* pygments is not used directly
* pygments is pulled in by androguard
* the issue is DoS when doing syntax highlighting
* https://www.resolvedsecurity.com/vulnerability-catalog/CVE-2026-4539
---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f7f121b0..6413d4a7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -350,6 +350,7 @@ pip-audit:
 - python3 -m pip_audit -f json | python3 -m json.tool --indent=2 || true
 # then print human readable summary
 - python3 -m pip_audit
+ --ignore-vuln CVE-2026-4539
 # Check all the dependencies in Debian to mirror production. CVEs are
 # generally fixed in the latest versions in pip/pypi.org, so it isn't