fix(ci): mitigate 11 upstream CVEs at source instead of suppressing
- docker/postgres/Dockerfile: build gosu from source with Go 1.26 via
  multi-stage build (eliminates 1 CRITICAL + 5 HIGH Go stdlib CVEs)
- apps/{api,web,orchestrator}/Dockerfile: remove npm from production
  images (eliminates 5 HIGH CVEs in npm's bundled cross-spawn/glob/tar)
- .trivyignore: trimmed from 16 to 5 CVEs (OpenBao only — 4 false
  positives from Go pseudo-version + 1 real Go stdlib waiting on upstream)
Fixes #363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
.trivyignore
@@ -1,18 +1,12 @@
# Trivy CVE Suppressions — Upstream Dependencies
# These CVEs exist in upstream base images/binaries we don't control.
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# Re-evaluate when upgrading: node base image, openbao image, or postgres/gosu image.
# === Go stdlib CVEs in upstream binaries ===
# Affects: openbao bin/bao (Go 1.25.6), postgres gosu (Go 1.24.6)
# Fix requires upstream to rebuild with Go >= 1.25.7 / 1.24.13
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
CVE-2025-58183 # HIGH: archive/tar unbounded allocation
CVE-2025-61726 # HIGH: net/url memory exhaustion
CVE-2025-61728 # HIGH: archive/zip CPU exhaustion
CVE-2025-61729 # HIGH: crypto/x509 DoS
CVE-2025-61730 # HIGH: TLS 1.3 handshake vulnerability
# MITIGATED in this sprint:
# - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
# - npm bundled CVEs (5): npm removed from production Node.js images
#
# REMAINING: OpenBao only (5 CVEs — 4 false positives + 1 upstream Go stdlib)
# Re-evaluate when upgrading openbao image beyond 2.5.0.
# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
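Review bot: the "MITIGATED in this sprint" block added under the header turns the suppression list into a changelog; this file is read to learn what is still being ignored, and a record of fixed items goes stale and is rarely pruned. Keep only live suppressions here and leave "gosu rebuilt from source with Go 1.26" / "npm removed from production Node.js images" to the commit message and #363, where they already appear. The new trigger "Re-evaluate when upgrading openbao image beyond 2.5.0." is also incomplete for the false-positive section it introduces: those entries depend on how Trivy interprets the Go module pseudo-version read from bin/bao, so a Trivy or vulnerability DB update can clear them without any OpenBao upgrade, and the comment should say so.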
@@ -22,11 +16,7 @@ CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
# === npm bundled packages in node:20-alpine base image ===
# These are npm's own transitive deps at usr/local/lib/node_modules/npm/
# Not used by our application code. Fix requires newer Node.js base image.
CVE-2024-21538 # HIGH: cross-spawn ReDoS (npm bundled 7.0.3, need 7.0.5)
CVE-2025-64756 # HIGH: glob command injection (npm bundled 10.4.2, need 10.5.0)
CVE-2026-23745 # HIGH: tar symlink poisoning (npm bundled 6.2.1, need 7.5.3)
CVE-2026-23950 # HIGH: tar Unicode path collision (npm bundled 6.2.1, need 7.5.4)
CVE-2026-24842 # HIGH: tar path traversal via hardlink (npm bundled 6.2.1, need 7.5.7)
# === OpenBao Go stdlib (waiting on upstream rebuild) ===
# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
# Cannot build OpenBao from source (large project). Waiting for upstream release.
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
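Review bot: the one CRITICAL that remains, CVE-2025-68121, is suppressed by bare CVE ID, and a plain `.trivyignore` entry applies to every image the pipeline scans, not only openbao. If the gosu rebuild ever regresses (for example the build stage silently picks up an older Go toolchain), Trivy will stay quiet about the same CVE in the postgres image, which is exactly the finding this commit just fixed. Scope the entry to the OpenBao target if the Trivy version in CI supports it (the YAML ignore format allows per-path entries), or at minimum add an expiry (`exp:YYYY-MM-DD` in the plain format) so the suppression is forced back into review instead of persisting indefinitely. The comment "Cannot build OpenBao from source (large project). Waiting for upstream release." should also name the upstream release or issue being tracked, so the next reviewer can tell whether a Go >= 1.25.7 build has shipped.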