package/python-pip: ignore CVE-2018-20225

See https://security-tracker.debian.org/tracker/CVE-2018-20225 for the
rationale of ignoring this CVE. Things basically work as intended.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57229c22f17fa892c18dff1e424dedc7e3d05358)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python-pip/python-pip.mk

@@ -12,5 +12,8 @@ PYTHON_PIP_LICENSE = MIT
 PYTHON_PIP_LICENSE_FILES = LICENSE.txt
 PYTHON_PIP_CPE_ID_VENDOR = pypa
 PYTHON_PIP_CPE_ID_PRODUCT = pip
+# Disputed CVE: things work as designed, and only affects the
+# --extra-index-url option. This CVE will never be fixed.
+PYTHON_PIP_IGNORE_CVES += CVE-2018-20225
 
 $(eval $(python-package))