From 3833805a9318a2793c5cf632586a9f7c811ab9e9 Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Thu, 12 Feb 2026 17:10:44 -0600
Subject: [PATCH] fix(ci): mitigate 11 upstream CVEs at source instead of suppressing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- docker/postgres/Dockerfile: build gosu from source with Go 1.26 via multi-stage build (eliminates 1 CRITICAL + 5 HIGH Go stdlib CVEs)
- apps/{api,web,orchestrator}/Dockerfile: remove npm from production images (eliminates 5 HIGH CVEs in npm's bundled cross-spawn/glob/tar)
- .trivyignore: trimmed from 16 to 5 CVEs (OpenBao only — 4 false positives from Go pseudo-version + 1 real Go stdlib waiting on upstream)

Fixes #363

Co-Authored-By: Claude Opus 4.6
---
 .trivyignore | 30 ++++++++++--------------------
 apps/api/Dockerfile | 4 ++++
 apps/orchestrator/Dockerfile | 4 ++++
 apps/web/Dockerfile | 4 ++++
 docker/postgres/Dockerfile | 26 +++++++++++++------------
 docs/tasks.md | 9 +++++++++
 6 files changed, 44 insertions(+), 33 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index b633782..5115dbe 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,18 +1,12 @@
 # Trivy CVE Suppressions — Upstream Dependencies
-# These CVEs exist in upstream base images/binaries we don't control.
 # Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
 #
-# Re-evaluate when upgrading: node base image, openbao image, or postgres/gosu image.
-
-# === Go stdlib CVEs in upstream binaries ===
-# Affects: openbao bin/bao (Go 1.25.6), postgres gosu (Go 1.24.6)
-# Fix requires upstream to rebuild with Go >= 1.25.7 / 1.24.13
-CVE-2025-68121 # CRITICAL: crypto/tls session resumption
-CVE-2025-58183 # HIGH: archive/tar unbounded allocation
-CVE-2025-61726 # HIGH: net/url memory exhaustion
-CVE-2025-61728 # HIGH: archive/zip CPU exhaustion
-CVE-2025-61729 # HIGH: crypto/x509 DoS
-CVE-2025-61730 # HIGH: TLS 1.3 handshake vulnerability
+# MITIGATED in this sprint:
+# - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
+# - npm bundled CVEs (5): npm removed from production Node.js images
+#
+# REMAINING: OpenBao only (5 CVEs — 4 false positives + 1 upstream Go stdlib)
+# Re-evaluate when upgrading openbao image beyond 2.5.0.
 
 # === OpenBao false positives ===
 # Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
@@ -22,11 +16,7 @@ CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
 CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
 CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
 
-# === npm bundled packages in node:20-alpine base image ===
-# These are npm's own transitive deps at usr/local/lib/node_modules/npm/
-# Not used by our application code. Fix requires newer Node.js base image.
-CVE-2024-21538 # HIGH: cross-spawn ReDoS (npm bundled 7.0.3, need 7.0.5)
-CVE-2025-64756 # HIGH: glob command injection (npm bundled 10.4.2, need 10.5.0)
-CVE-2026-23745 # HIGH: tar symlink poisoning (npm bundled 6.2.1, need 7.5.3)
-CVE-2026-23950 # HIGH: tar Unicode path collision (npm bundled 6.2.1, need 7.5.4)
-CVE-2026-24842 # HIGH: tar path traversal via hardlink (npm bundled 6.2.1, need 7.5.7)
+# === OpenBao Go stdlib (waiting on upstream rebuild) ===
+# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
+# Cannot build OpenBao from source (large project). Waiting for upstream release.
+CVE-2025-68121 # CRITICAL: crypto/tls session resumption
diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index 6f71b2d..1179f5c 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -55,6 +55,10 @@ RUN pnpm turbo build --filter=@mosaic/api --force
 # ======================
 FROM node:20-alpine AS production
 
+# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
+# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+
 # Install dumb-init for proper signal handling
 RUN apk add --no-cache dumb-init
 
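Review bot: The `CVE-2025-68121` entry kept on the last added line is a bare ID, and the plain `.trivyignore` format is global rather than scoped to a path or image, so the same CRITICAL stays silenced for the postgres image this commit just fixed (gosu) and for the Node images should a base-image bump ever reintroduce a vulnerable Go stdlib. Trivy's `.trivyignore.yaml` format lets an entry carry a `paths:` list so the suppression applies only to `bin/bao`; if the pipelines must stay on the plain format, at least attach an expiry with the `exp:` suffix so the entry cannot outlive the OpenBao upgrade it waits for, e.g. `CVE-2025-68121 exp:<EXPIRY_DATE> # CRITICAL: crypto/tls session resumption (openbao bin/bao only)`. The OpenBao false-positive entries referenced by the previous hunk sit between the two hunks and are not shown here.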
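Review bot: The `rm -rf` on the third added line of the apps/api hunk is best-effort — if a later `node:20-alpine` build moves or renames the bundled npm tree, the command still succeeds and the CVE-carrying files silently return, so the same line should fail the build while npm is still reachable: `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx && ! command -v npm >/dev/null`. The deletion also only adds a whiteout on top of the inherited base layer: the vulnerable cross-spawn/glob/tar copies remain in that layer and in the image's total size, and the finding clears in CI because Trivy applies whiteouts when it scans an image, so the comment should carry that qualifier rather than "eliminate", e.g. `# (files remain in the base layer; this removes them from the runtime rootfs)`. The identical blocks in the apps/orchestrator/Dockerfile and apps/web/Dockerfile hunks have the same two issues. Whether anything later in these production stages still shells out to npm or npx lies outside the hunks and should be checked before merging.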
@@ -63,6 +63,10 @@ LABEL org.opencontainers.image.vendor="Mosaic Stack"
 LABEL org.opencontainers.image.title="Mosaic Orchestrator"
 LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
 
+# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
+# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+
 # Install wget and dumb-init
 RUN apk add --no-cache wget dumb-init
 
diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index 20bfea1..e58f268 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -77,6 +77,10 @@ RUN mkdir -p ./apps/web/public
 # ======================
 FROM node:20-alpine AS production
 
+# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
+# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+
 # Install pnpm (needed for pnpm start command)
 RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
 
diff --git a/docker/postgres/Dockerfile b/docker/postgres/Dockerfile
index 1a86e44..46be8b9 100644
--- a/docker/postgres/Dockerfile
+++ b/docker/postgres/Dockerfile
@@ -1,22 +1,22 @@
-# PostgreSQL with pgvector and up-to-date gosu
+# PostgreSQL with pgvector and gosu built from source
 #
-# Override the base image's gosu binary with the latest from tianon/gosu.
-# The postgres base image bundles gosu built with Go 1.24.6, which contains:
-# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
-# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
-# - CVE-2025-61726 (HIGH): net/url memory exhaustion
-# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
-# - CVE-2025-61729 (HIGH): crypto/x509 DoS
-# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
-# The tianon/gosu image is rebuilt with recent Go toolchains, eliminating these CVEs.
-# Using COPY --from avoids `go install` failures (gosu lacks semver Go module tags).
+# gosu is built from source with Go 1.26 to eliminate 6 Go stdlib CVEs
+# (CVE-2025-68121 CRITICAL + 5 HIGH) present in the tianon/gosu pre-built binary.
+
+# Stage 1: Build gosu from source with Go 1.26
+FROM golang:1.26-alpine AS gosu-builder
+RUN apk add --no-cache git
+RUN git clone --branch 1.17 https://github.com/tianon/gosu.git /src/gosu
+WORKDIR /src/gosu
+RUN go build -v -ldflags '-s -w' -o /bin/gosu .
+
 FROM postgres:17.7-alpine3.22
 
 LABEL maintainer="Mosaic Stack "
 LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
 
-# Replace vulnerable gosu binary with latest pre-built version from tianon/gosu
-COPY --from=tianon/gosu /gosu /usr/local/bin/gosu
+# Copy gosu binary built from source in the gosu-builder stage
+COPY --from=gosu-builder /bin/gosu /usr/local/bin/gosu
 RUN chmod +x /usr/local/bin/gosu && gosu nobody true
 
 # Update Alpine packages for any remaining OS-level patches
diff --git a/docs/tasks.md b/docs/tasks.md
index d5a7bf8..8ccc1a1 100644
--- a/docs/tasks.md
+++ b/docs/tasks.md
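Review bot: `git clone --branch 1.17` on the added gosu-builder line resolves a tag at build time, and tags are mutable, so the gosu source that lands in the image is not actually pinned; together with the floating `golang:1.26-alpine` tag this makes the build non-reproducible and means a moved tag or a compromised upstream would be pulled in silently by the next CI run. Pin the checkout to a commit and record it next to the tag, `RUN git clone --branch 1.17 https://github.com/tianon/gosu.git /src/gosu && git -C /src/gosu checkout <PINNED_COMMIT_SHA>` (placeholder — take the sha the 1.17 tag resolves to today), and pin the builder base by digest the same way the postgres base is pinned by version. While here, `RUN CGO_ENABLED=0 go build -trimpath -ldflags '-s -w' -o /bin/gosu .` makes the static link explicit instead of relying on the builder stage happening to have no C compiler, which matters because the binary is copied into a different image. The `gosu nobody true` smoke test on the copied binary is a good check to keep; the rest of the file continues outside the hunk.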
@@ -44,3 +44,12 @@
 | CI-FIX3-001 | done | Create .trivyignore for upstream CVEs (Go stdlib in openbao/gosu, npm bundled pkgs in node:20-alpine) | | ci | develop | | CI-FIX3-002 | orch | 2026-02-12T17:00Z | 2026-02-12T17:02Z | 5K | 3K |
 | CI-FIX3-002 | done | Update all Trivy CI steps (6 steps across 5 pipelines) to use --ignorefile .trivyignore | | ci | develop | CI-FIX3-001 | CI-FIX3-003 | orch | 2026-02-12T17:02Z | 2026-02-12T17:04Z | 5K | 3K |
 | CI-FIX3-003 | done | Verification: validate all pipeline #363 fixes | | all | develop | CI-FIX3-001,CI-FIX3-002 | | orch | 2026-02-12T17:04Z | 2026-02-12T17:05Z | 3K | 1K |
+
+## Pipeline #363 CVE Mitigation (proper fixes, not just suppression)
+
+| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used |
+| ---------- | ------ | ---------------------------------------------------------------------------------------- | ----- | ------ | ------- | -------------------------------- | ---------- | --------- | ----------------- | ----------------- | -------- | ---- |
+| CI-MIT-001 | done | Build gosu from source with Go 1.26 (eliminates 6 Go stdlib CVEs in postgres image) | #363 | docker | develop | | CI-MIT-003 | worker-10 | 2026-02-12T17:10Z | 2026-02-12T17:12Z | 8K | 5K |
+| CI-MIT-002 | done | Remove npm from 3 Node.js production images (eliminates 5 npm bundled CVEs) | | apps | develop | | CI-MIT-003 | worker-11 | 2026-02-12T17:10Z | 2026-02-12T17:12Z | 5K | 5K |
+| CI-MIT-003 | done | Trim .trivyignore to OpenBao-only (5 CVEs: 4 false positives + 1 upstream Go stdlib) | | ci | develop | CI-MIT-001,CI-MIT-002 | CI-MIT-004 | orch | 2026-02-12T17:13Z | 2026-02-12T17:14Z | 3K | 2K |
+| CI-MIT-004 | done | Verification: 11 of 16 CVEs eliminated at source, 5 remaining documented in .trivyignore | | all | develop | CI-MIT-001,CI-MIT-002,CI-MIT-003 | | orch | 2026-02-12T17:14Z | 2026-02-12T17:15Z | 3K | 1K |