From 76c97b238c3abf373116b1f11619f1306bc2125a Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Sat, 21 Feb 2026 14:31:43 -0600
Subject: [PATCH] fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy scan
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore. These are embedded in next/dist/compiled/ and cannot be fixed via pnpm overrides — requires upstream Next.js release with updated bundles.

Also add .trivyignore to all pipeline path filters so future changes to the ignore file trigger CI validation.

Co-Authored-By: Claude Opus 4.6
---
 .trivyignore | 13 ++++++++-----
 .woodpecker/api.yml | 1 +
 .woodpecker/orchestrator.yml | 1 +
 .woodpecker/web.yml | 1 +
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 98984b9..efda588 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -6,7 +6,7 @@
 # - npm bundled CVEs (5): npm removed from production Node.js images
 # - Node.js 20 → 24 LTS migration (#367): base images updated
 #
-# REMAINING: OpenBao (5 CVEs) + Next.js bundled tar (3 CVEs)
+# REMAINING: OpenBao (5 CVEs) + Next.js bundled tar/minimatch (5 CVEs)
 # Re-evaluate when upgrading openbao image beyond 2.5.0 or Next.js beyond 16.1.6.
 
 # === OpenBao false positives ===
@@ -17,15 +17,18 @@
 CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
 CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
 CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
-# === Next.js bundled tar CVEs (upstream — waiting on Next.js release) ===
-# Next.js 16.1.6 bundles tar@7.5.2 in next/dist/compiled/tar/ (pre-compiled).
-# This is NOT a pnpm dependency — it's embedded in the Next.js package itself.
+# === Next.js bundled tar/minimatch CVEs (upstream — waiting on Next.js release) ===
+# Next.js 16.1.6 bundles tar@7.5.2 and minimatch@9.0.5 in next/dist/compiled/ (pre-compiled).
+# These are NOT pnpm dependencies — they're embedded in the Next.js package itself.
+# pnpm overrides cannot reach these; only a Next.js upgrade can fix them.
 # Affects web image only (orchestrator and API are clean).
 # npm was also removed from all production images, eliminating the npm-bundled copy.
-# To resolve: upgrade Next.js when a release bundles tar >= 7.5.7.
+# To resolve: upgrade Next.js when a release bundles tar >= 7.5.8 and minimatch >= 10.2.1.
 CVE-2026-23745 # HIGH: tar arbitrary file overwrite via unsanitized linkpaths (fixed in 7.5.3)
 CVE-2026-23950 # HIGH: tar arbitrary file overwrite via Unicode path collision (fixed in 7.5.4)
 CVE-2026-24842 # HIGH: tar arbitrary file creation via hardlink path traversal (needs tar >= 7.5.7)
+CVE-2026-26960 # HIGH: tar arbitrary file read/write via malicious archive hardlink (needs tar >= 7.5.8)
+CVE-2026-26996 # HIGH: minimatch DoS via specially crafted glob patterns (needs minimatch >= 10.2.1)
 
 # === OpenBao Go stdlib (waiting on upstream rebuild) ===
 # OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
diff --git a/.woodpecker/api.yml b/.woodpecker/api.yml
index 9918e32..fa1abb5 100644
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -15,6 +15,7 @@ when:
 - "turbo.json"
 - "package.json"
 - ".woodpecker/api.yml"
+ - ".trivyignore"
 
 variables:
 - &node_image "node:24-alpine"
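Review bot: The two new suppressions (and the three tar entries above them) are global — nothing in the file ties them to next/dist/compiled/, yet the same .trivyignore is now wired into the api and orchestrator pipelines that the comment says are clean, so a vulnerable tar or minimatch arriving in those images through an ordinary dependency would be silently hidden by these lines. Trivy's YAML ignore file can scope an ID to a path, e.g. `paths: ["**/next/dist/compiled/**"]` under the entry in `.trivyignore.yaml`, which keeps the exception to the one place the comment justifies. Short of that, the plain format accepts an expiry so the exception lapses instead of outliving the Next.js upgrade it waits on, e.g. `CVE-2026-26960 exp:YYYY-MM-DD # HIGH: tar arbitrary file read/write ... (needs tar >= 7.5.8)` with the date set to the planned re-evaluation (placeholder, pick a real date). The "REMAINING ... (5 CVEs)" count in the earlier hunk will need updating again whenever entries are added or expire, so consider dropping the hard-coded count from that comment.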
diff --git a/.woodpecker/orchestrator.yml b/.woodpecker/orchestrator.yml
index 0640c7b..308a9fb 100644
--- a/.woodpecker/orchestrator.yml
+++ b/.woodpecker/orchestrator.yml
@@ -15,6 +15,7 @@ when:
 - "turbo.json"
 - "package.json"
 - ".woodpecker/orchestrator.yml"
+ - ".trivyignore"
 
 variables:
 - &node_image "node:24-alpine"
diff --git a/.woodpecker/web.yml b/.woodpecker/web.yml
index e2f51c3..615df31 100644
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -15,6 +15,7 @@ when:
 - "turbo.json"
 - "package.json"
 - ".woodpecker/web.yml"
+ - ".trivyignore"
 
 variables:
 - &node_image "node:24-alpine"
-- 
2.49.1