andrewmusselman opened a new issue, #709:
URL: https://github.com/apache/tooling-trusted-releases/issues/709
**ASVS:** 15.1.1 · Finding 5
**Severity:** LOW (process gap)
### Description
CVE ignores exist in pip-audit configuration (`.pre-commit-config.yaml`) but
there is no documented process for when and how ignores are acceptable:
```yaml
- id: pip-audit
  # TODO: remove when GitHub Actions has pip 26.0+
  args: ["--ignore-vuln", "CVE-2026-1703"]
```
The inline TODO comment shows good intent, but a formal process is needed
for ASVS compliance.
### Recommendation
Document a vulnerability exception process in `CONTRIBUTING.md`:
```markdown
### Vulnerability Exceptions
When temporarily ignoring a CVE in pip-audit:
1. Add a TODO comment with expected resolution date
2. Document justification in the PR description
3. Create a tracking issue referencing the CVE
4. Review exceptions monthly
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
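The recommendation above leaves the monthly review as a manual step. The script below is an added example, not code from the issue or from the tooling-trusted-releases project: it scans a `.pre-commit-config.yaml` for `--ignore-vuln` arguments passed to pip-audit and fails when an ignored ID has no justification comment, no expiry date, no tracking issue, or an expiry date in the past. The comment convention it enforces (`# <ID>: expires YYYY-MM-DD, issue #NNN`), the sample config, the `rev` pin and the GHSA/PYSEC IDs in it are all assumptions constructed for the example; only `CVE-2026-1703` and the TODO text come from the issue.

```python
"""Fail CI when a pip-audit --ignore-vuln exception lacks metadata or has expired.

Added example (not project code). Enforced convention, an assumption of this
example: each ignored ID gets its own comment line directly above `args:`,
e.g.  # CVE-2026-1703: expires 2026-06-30, issue #710, <reason>
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample config, modelled on the snippet in the issue. The rev
# pin, the GHSA/PYSEC IDs and the issue numbers are hypothetical.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/pypa/pip-audit
    rev: v2.7.3
    hooks:
      - id: pip-audit
        # CVE-2026-1703: expires 2026-06-30, issue #710, remove when GitHub Actions has pip 26.0+
        # GHSA-aaaa-bbbb-cccc: expires 2025-01-31, issue #711
        args: ["--ignore-vuln", "CVE-2026-1703", "--ignore-vuln", "GHSA-aaaa-bbbb-cccc", "--ignore-vuln", "PYSEC-2024-1"]
"""

# Identifier formats pip-audit reports: CVE, GitHub advisories, PyPA advisories.
VULN_ID = re.compile(
    r"\b(?:CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|PYSEC-\d{4}-\d+)\b"
)
EXPIRES = re.compile(r"expires\s+(\d{4}-\d{2}-\d{2})")
ISSUE = re.compile(r"#\d+\b")


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    line: int      # 1-based line number of the args entry in the config
    problem: str   # missing-justification | missing-expiry | missing-issue | expired


def ignored_vulns(config_text):
    """Return (line_no, [ids]) for each non-comment line passing --ignore-vuln."""
    out = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if "--ignore-vuln" in line and not line.lstrip().startswith("#"):
            ids = VULN_ID.findall(line)
            if ids:
                out.append((n, ids))
    return out


def check_ignores(config_text, today=None):
    """Validate every ignore against the comment block directly above it."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    lines = config_text.splitlines()
    findings = []
    for n, ids in ignored_vulns(config_text):
        # Walk upwards over the contiguous '#' comment lines above the args line.
        comments = []
        i = n - 2
        while i >= 0 and lines[i].lstrip().startswith("#"):
            comments.append(lines[i].lstrip()[1:].strip())
            i -= 1
        for vid in ids:
            pattern = re.compile(re.escape(vid) + r"\b")
            note = next((c for c in comments if pattern.match(c)), None)
            if note is None:
                findings.append(Finding(vid, n, "missing-justification"))
                continue
            exp = EXPIRES.search(note)
            if not exp:
                findings.append(Finding(vid, n, "missing-expiry"))
            elif date.fromisoformat(exp.group(1)) < today:
                findings.append(Finding(vid, n, "expired"))
            if not ISSUE.search(note):
                findings.append(Finding(vid, n, "missing-issue"))
    return findings


if __name__ == "__main__":
    # Pretend the review runs on 2026-03-01: the GHSA exception has lapsed and
    # the PYSEC ignore was added without any justification comment.
    problems = check_ignores(SAMPLE_CONFIG, today="2026-03-01")
    for f in problems:
        print(f"{f.problem}: {f.vuln_id} (line {f.line})")
    raise SystemExit(1 if problems else 0)
```

Run as an extra pre-commit hook or CI step reading the real `.pre-commit-config.yaml` and a non-zero exit turns the monthly review into an automatic block: an ignore cannot outlive its stated expiry without someone consciously extending it in a reviewed change.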