mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(ci): add .trivyignore for upstream CVEs in base images
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details

Browse Source 
All 16 suppressed CVEs are in upstream binaries/packages we don't control:
- Go stdlib CVEs in openbao bin/bao (Go 1.25.6) and postgres gosu (Go 1.24.6)
- OpenBao CVE false positives (Trivy reads Go pseudo-version, we run 2.5.0)
- npm bundled cross-spawn/glob/tar CVEs in node:20-alpine base image

Updated all 6 Trivy scan steps across 5 pipelines to use --ignorefile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-12 17:05:11 -06:00
parent d58edcb51c
commit 08f62f1787
7 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
.trivyignore Normal file
View File

@@ -0,0 +1,32 @@
# Trivy CVE Suppressions — Upstream Dependencies
# These CVEs exist in upstream base images/binaries we don't control.
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# Re-evaluate when upgrading: node base image, openbao image, or postgres/gosu image.
# === Go stdlib CVEs in upstream binaries ===
# Affects: openbao bin/bao (Go 1.25.6), postgres gosu (Go 1.24.6)
# Fix requires upstream to rebuild with Go >= 1.25.7 / 1.24.13
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
CVE-2025-58183 # HIGH: archive/tar unbounded allocation
CVE-2025-61726 # HIGH: net/url memory exhaustion
CVE-2025-61728 # HIGH: archive/zip CPU exhaustion
CVE-2025-61729 # HIGH: crypto/x509 DoS
CVE-2025-61730 # HIGH: TLS 1.3 handshake vulnerability
# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
# and reports CVEs fixed in openbao 2.0.32.4.4. We run openbao:2.5.0.
CVE-2024-8185 # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
# === npm bundled packages in node:20-alpine base image ===
# These are npm's own transitive deps at usr/local/lib/node_modules/npm/
# Not used by our application code. Fix requires newer Node.js base image.
CVE-2024-21538 # HIGH: cross-spawn ReDoS (npm bundled 7.0.3, need 7.0.5)
CVE-2025-64756 # HIGH: glob command injection (npm bundled 10.4.2, need 10.5.0)
CVE-2026-23745 # HIGH: tar symlink poisoning (npm bundled 6.2.1, need 7.5.3)
CVE-2026-23950 # HIGH: tar Unicode path collision (npm bundled 6.2.1, need 7.5.4)
CVE-2026-24842 # HIGH: tar path traversal via hardlink (npm bundled 6.2.1, need 7.5.7)