Add vulnerability ignore for CVE-2022-33171

Author: corneliusludmann

WORKSPACE.yaml

@@ -33,6 +33,15 @@ provenance:
   slsa: true
 sbom:
   enabled: true
+  ignoreVulnerabilities:
+    - vulnerability: CVE-2022-33171
+      reason: |
+        This vulnerability in TypeORM's findOne / findOneOrFail functions can improperly interpret a crafted JSON object
+        and concatenate it into raw SQL, potentially allowing SQL injection attacks.
+
+        In Gitpod’s usage, TypeORM is not exposed to arbitrary user input. For example, DB migrations run preset queries;
+        the server/bridge code does not hand raw JSON from external sources to findOne. Therefore, there is no path for
+        injecting malicious JSON into a query, rendering the vulnerability non-exploitable.
 environmentManifest:
   - name: "go"
     command: ["sh", "-c", "go version | sed s/arm/amd/"]