From 08f62f178791ed188d24b23b32ee34f672432fec Mon Sep 17 00:00:00 2001 From: Jason Woltje Date: Thu, 12 Feb 2026 17:05:11 -0600 Subject: [PATCH] fix(ci): add .trivyignore for upstream CVEs in base images All 16 suppressed CVEs are in upstream binaries/packages we don't control: - Go stdlib CVEs in openbao bin/bao (Go 1.25.6) and postgres gosu (Go 1.24.6) - OpenBao CVE false positives (Trivy reads Go pseudo-version, we run 2.5.0) - npm bundled cross-spawn/glob/tar CVEs in node:20-alpine base image Updated all 6 Trivy scan steps across 5 pipelines to use --ignorefile. Co-Authored-By: Claude Opus 4.6 --- .trivyignore | 32 ++++++++++++++++++++++++++++++++ .woodpecker/api.yml | 1 + .woodpecker/coordinator.yml | 1 + .woodpecker/infra.yml | 2 ++ .woodpecker/orchestrator.yml | 1 + .woodpecker/web.yml | 1 + docs/tasks.md | 8 ++++++++ 7 files changed, 46 insertions(+) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..b633782 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,32 @@ +# Trivy CVE Suppressions — Upstream Dependencies +# These CVEs exist in upstream base images/binaries we don't control. +# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline +# +# Re-evaluate when upgrading: node base image, openbao image, or postgres/gosu image. + +# === Go stdlib CVEs in upstream binaries === +# Affects: openbao bin/bao (Go 1.25.6), postgres gosu (Go 1.24.6) +# Fix requires upstream to rebuild with Go >= 1.25.7 / 1.24.13 +CVE-2025-68121 # CRITICAL: crypto/tls session resumption +CVE-2025-58183 # HIGH: archive/tar unbounded allocation +CVE-2025-61726 # HIGH: net/url memory exhaustion +CVE-2025-61728 # HIGH: archive/zip CPU exhaustion +CVE-2025-61729 # HIGH: crypto/x509 DoS +CVE-2025-61730 # HIGH: TLS 1.3 handshake vulnerability + +# === OpenBao false positives === +# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao +# and reports CVEs fixed in openbao 2.0.3–2.4.4. We run openbao:2.5.0. +CVE-2024-8185 # HIGH: DoS via Raft join (fixed in 2.0.3) +CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3) +CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1) +CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4) + +# === npm bundled packages in node:20-alpine base image === +# These are npm's own transitive deps at usr/local/lib/node_modules/npm/ +# Not used by our application code. Fix requires newer Node.js base image. +CVE-2024-21538 # HIGH: cross-spawn ReDoS (npm bundled 7.0.3, need 7.0.5) +CVE-2025-64756 # HIGH: glob command injection (npm bundled 10.4.2, need 10.5.0) +CVE-2026-23745 # HIGH: tar symlink poisoning (npm bundled 6.2.1, need 7.5.3) +CVE-2026-23950 # HIGH: tar Unicode path collision (npm bundled 6.2.1, need 7.5.4) +CVE-2026-24842 # HIGH: tar path traversal via hardlink (npm bundled 6.2.1, need 7.5.7) diff --git a/.woodpecker/api.yml b/.woodpecker/api.yml index 9228064..ffb6628 100644 --- a/.woodpecker/api.yml +++ b/.woodpecker/api.yml @@ -178,6 +178,7 @@ steps: mkdir -p ~/.docker echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \ + --ignorefile .trivyignore \ git.mosaicstack.dev/mosaic/stack-api:$${CI_COMMIT_SHA:0:8} when: - branch: [main, develop] diff --git a/.woodpecker/coordinator.yml b/.woodpecker/coordinator.yml index ddfc795..828c686 100644 --- a/.woodpecker/coordinator.yml +++ b/.woodpecker/coordinator.yml @@ -123,6 +123,7 @@ steps: mkdir -p ~/.docker echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \ + --ignorefile .trivyignore \ git.mosaicstack.dev/mosaic/stack-coordinator:$${CI_COMMIT_SHA:0:8} when: - branch: [main, develop] diff --git a/.woodpecker/infra.yml b/.woodpecker/infra.yml index 06b2452..fc2a8b2 100644 --- a/.woodpecker/infra.yml +++ b/.woodpecker/infra.yml @@ -88,6 +88,7 @@ steps: mkdir -p ~/.docker echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \ + --ignorefile .trivyignore \ git.mosaicstack.dev/mosaic/stack-postgres:$${CI_COMMIT_SHA:0:8} when: - branch: [main, develop] @@ -108,6 +109,7 @@ steps: mkdir -p ~/.docker echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \ + --ignorefile .trivyignore \ git.mosaicstack.dev/mosaic/stack-openbao:$${CI_COMMIT_SHA:0:8} when: - branch: [main, develop] diff --git a/.woodpecker/orchestrator.yml b/.woodpecker/orchestrator.yml index 7432844..6675d47 100644 --- a/.woodpecker/orchestrator.yml +++ b/.woodpecker/orchestrator.yml @@ -135,6 +135,7 @@ steps: mkdir -p ~/.docker echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \ + --ignorefile .trivyignore \ git.mosaicstack.dev/mosaic/stack-orchestrator:$${CI_COMMIT_SHA:0:8} when: - branch: [main, develop] diff --git a/.woodpecker/web.yml b/.woodpecker/web.yml index a897ca6..ac9e2f5 100644 --- a/.woodpecker/web.yml +++ b/.woodpecker/web.yml @@ -135,6 +135,7 @@ steps: mkdir -p ~/.docker echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \ + --ignorefile .trivyignore \ git.mosaicstack.dev/mosaic/stack-web:$${CI_COMMIT_SHA:0:8} when: - branch: [main, develop] diff --git a/docs/tasks.md b/docs/tasks.md index 8c9ba78..d5a7bf8 100644 --- a/docs/tasks.md +++ b/docs/tasks.md @@ -36,3 +36,11 @@ | CI-FIX2-002 | done | Fix Trivy coordinator: upgrade setuptools>=80.9 and wheel>=0.46.2 to fix 5 HIGH CVEs | #365 | coordinator | develop | | CI-FIX2-004 | worker-8 | 2026-02-12T16:30Z | 2026-02-12T16:32Z | 5K | 3K | | CI-FIX2-003 | done | Exclude 4 pre-existing integration test files from CI test step (M4/M5 debt, no DB migrations) | #364 | ci | develop | | CI-FIX2-004 | worker-9 | 2026-02-12T16:30Z | 2026-02-12T16:32Z | 5K | 3K | | CI-FIX2-004 | done | Verification: validate all pipeline #362 fixes | | all | develop | CI-FIX2-001,CI-FIX2-002,CI-FIX2-003 | | orch | 2026-02-12T16:33Z | 2026-02-12T16:34Z | 3K | 2K | + +## Pipeline #363 Follow-up Fixes + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| ----------- | ------ | ----------------------------------------------------------------------------------------------------- | ----- | ---- | ------- | ----------------------- | ----------- | ----- | ----------------- | ----------------- | -------- | ---- | +| CI-FIX3-001 | done | Create .trivyignore for upstream CVEs (Go stdlib in openbao/gosu, npm bundled pkgs in node:20-alpine) | | ci | develop | | CI-FIX3-002 | orch | 2026-02-12T17:00Z | 2026-02-12T17:02Z | 5K | 3K | +| CI-FIX3-002 | done | Update all Trivy CI steps (6 steps across 5 pipelines) to use --ignorefile .trivyignore | | ci | develop | CI-FIX3-001 | CI-FIX3-003 | orch | 2026-02-12T17:02Z | 2026-02-12T17:04Z | 5K | 3K | +| CI-FIX3-003 | done | Verification: validate all pipeline #363 fixes | | all | develop | CI-FIX3-001,CI-FIX3-002 | | orch | 2026-02-12T17:04Z | 2026-02-12T17:05Z | 3K | 1K |