# Trivy CVE Suppressions — Upstream Dependencies
# These CVEs exist in upstream base images/binaries we don't control.
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# Re-evaluate when upgrading: node base image, openbao image, or postgres/gosu image.

# === Go stdlib CVEs in upstream binaries ===
# Affects: openbao bin/bao (Go 1.25.6), postgres gosu (Go 1.24.6)
# Fix requires upstream to rebuild with Go >= 1.25.7 / 1.24.13
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
CVE-2025-58183 # HIGH: archive/tar unbounded allocation
CVE-2025-61726 # HIGH: net/url memory exhaustion
CVE-2025-61728 # HIGH: archive/zip CPU exhaustion
CVE-2025-61729 # HIGH: crypto/x509 DoS
CVE-2025-61730 # HIGH: TLS 1.3 handshake vulnerability

# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
# and reports CVEs fixed in openbao 2.0.3–2.4.4. We run openbao:2.5.0.
CVE-2024-8185  # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180  # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)

# === npm bundled packages in node:20-alpine base image ===
# These are npm's own transitive deps at usr/local/lib/node_modules/npm/
# Not used by our application code. Fix requires newer Node.js base image.
CVE-2024-21538 # HIGH: cross-spawn ReDoS (npm bundled 7.0.3, need 7.0.5)
CVE-2025-64756 # HIGH: glob command injection (npm bundled 10.4.2, need 10.5.0)
CVE-2026-23745 # HIGH: tar symlink poisoning (npm bundled 6.2.1, need 7.5.3)
CVE-2026-23950 # HIGH: tar Unicode path collision (npm bundled 6.2.1, need 7.5.4)
CVE-2026-24842 # HIGH: tar path traversal via hardlink (npm bundled 6.2.1, need 7.5.7)
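A suppression file like this one silently drifts out of date: after a base-image upgrade some entries stop matching anything, and any entry with an `exp:` date stops being honoured by Trivy once that date passes. The script below is an added example, not part of this repository's tooling, that parses a `.trivyignore` file and cross-checks it against a Trivy JSON report (`trivy image --format json`), classifying each suppressed ID as still active, stale, or expired, and listing reported findings that no entry suppresses. The sample ignore text and report are constructed for illustration (the `exp:` date on CVE-2024-8185 is an assumption added to exercise expiry handling; the real file has none), and treating an inline `#` as a comment is this script's own assumption.

```python
"""Audit a .trivyignore file against a Trivy JSON report.

Classifies each suppressed ID as active (still reported, suppression still
needed), stale (no longer reported, candidate for removal) or expired
(exp: date passed, Trivy no longer honours it), and lists findings that
no entry suppresses. Sample data below is constructed for illustration.
"""
import json
from datetime import date

# Constructed .trivyignore excerpt using IDs from the real file; the exp: date
# on CVE-2024-8185 is an assumption added to exercise expiry handling.
SAMPLE_IGNORE = """\
# === Go stdlib CVEs in upstream binaries ===
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
# === OpenBao false positives ===
CVE-2024-8185 exp:2025-12-31 # HIGH: DoS via Raft join (fixed in 2.0.3)
"""

# Constructed Trivy JSON report (trivy image --format json), trimmed to the
# fields this script reads.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "usr/local/bin/bao",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2025-68121", "PkgName": "stdlib",
      "InstalledVersion": "1.25.6", "FixedVersion": "1.25.7", "Severity": "CRITICAL"}]},
  {"Target": "Node.js",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2024-21538", "PkgName": "cross-spawn",
      "InstalledVersion": "7.0.3", "FixedVersion": "7.0.5", "Severity": "HIGH"}]}
]}
""")


def parse_trivyignore(text):
    """Return {vuln_id: expiry_date_or_None} from .trivyignore text.

    Blank lines and '#' comment lines are skipped and an 'exp:YYYY-MM-DD'
    field sets an expiry, matching Trivy's documented format. Anything after
    an inline '#' is dropped before parsing (assumption: treat it as a comment).
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        expiry = None
        for field in fields[1:]:
            if field.startswith("exp:"):
                expiry = date.fromisoformat(field[len("exp:"):])
        entries[fields[0]] = expiry
    return entries


def findings_from_report(report):
    """Flatten a Trivy JSON report into {vuln_id: [(target, pkg, installed, fixed)]}."""
    found = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            found.setdefault(vuln["VulnerabilityID"], []).append(
                (result.get("Target", ""), vuln.get("PkgName", ""),
                 vuln.get("InstalledVersion", ""), vuln.get("FixedVersion", "")))
    return found


def audit(ignore_text, report, today):
    """Cross-check suppressions against findings as of `today`."""
    ignored = parse_trivyignore(ignore_text)
    found = findings_from_report(report)
    return {
        "active": sorted(i for i in ignored if i in found),
        "stale": sorted(i for i in ignored if i not in found),
        "expired": sorted(i for i, exp in ignored.items() if exp and exp < today),
        "unsuppressed": sorted(i for i in found if i not in ignored),
    }


def demo():
    """Run the audit on the constructed samples as of the file's review date."""
    return audit(SAMPLE_IGNORE, SAMPLE_REPORT, date(2026, 2, 12))


if __name__ == "__main__":
    for bucket, ids in demo().items():
        print(f"{bucket:>12}: {', '.join(ids) or '-'}")
```

"Stale" is a hint, not a verdict: an ID absent from one image's report may still match another image scanned with the same file, so run the audit against every report the file is applied to before removing an entry. Pairing the check with the "Re-evaluate when upgrading" note above makes the review a mechanical step in the pipeline rather than a reminder.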