# Trivy CVE Suppressions — Upstream Dependencies
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# MITIGATED in this sprint:
# - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
# - npm bundled CVEs (5): npm removed from production Node.js images
#
# REMAINING: OpenBao only (5 CVEs — 4 false positives + 1 upstream Go stdlib)
# Re-evaluate when upgrading openbao image beyond 2.5.0.

# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
# and reports CVEs fixed in openbao 2.0.3–2.4.4. We run openbao:2.5.0.
CVE-2024-8185   # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180   # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043  # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761  # HIGH: identity group root escalation (fixed in 2.4.4)

# === npm bundled tar CVEs (not upgradeable — not our dependency) ===
# Why suppressed instead of fixed:
# - tar@7.5.2 is bundled INSIDE npm, which ships with the node:20-alpine base image
# - It is NOT in pnpm-lock.yaml — not a direct or transitive app dependency
# - We already remove npm from all production images:
#   `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx`
# - Locally-built images have zero tar packages (verified via Trivy scan 2026-02-12)
# - CVEs may reappear in CI due to Docker layer caching of the base image
# To fully eliminate: switch to a distroless/slim base image without npm, or
# wait for Node.js 20 to bundle a patched npm release.
CVE-2026-23745  # HIGH: tar arbitrary file overwrite via unsanitized linkpaths
CVE-2026-23950  # HIGH: tar arbitrary file overwrite via Unicode path collision
CVE-2026-24842  # HIGH: tar arbitrary file creation via hardlink path traversal

# === OpenBao Go stdlib (waiting on upstream rebuild) ===
# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
# Cannot build OpenBao from source (large project). Waiting for upstream release.
CVE-2025-68121  # CRITICAL: crypto/tls session resumption
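
# Added example, not part of this suppression file or the project: a Python
# cross-check of a .trivyignore against Trivy JSON output that flags
# suppressions that no longer fire (candidates to drop at the next
# re-evaluation) and suppressed IDs firing outside the location the
# suppression was written for (a tar CVE outside npm's bundled copy would be
# a real finding). The report, targets and bao binary path are constructed.

```python
import re
from collections import defaultdict

_ID_RE = re.compile(r"^(CVE|GHSA)-[\w-]+$")

def parse_trivyignore(text):
    """Map suppressed ID -> trailing note. Blank and '#' comment lines are
    skipped; extra fields such as 'exp:YYYY-MM-DD' are ignored here."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, note = line.partition("#")
        ident = ident.split()[0]
        if _ID_RE.match(ident):
            entries[ident] = note.strip()
    return entries

def findings_by_id(report):
    """Map VulnerabilityID -> set of Target paths from a Trivy JSON report."""
    hits = defaultdict(set)
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            hits[v["VulnerabilityID"]].add(result["Target"])
    return hits

def audit(ignore_text, report, expected_prefix):
    """expected_prefix: ID -> Target prefix the suppression was written for.
    Returns (stale_ids, unexpected): IDs that no longer fire at all, and IDs
    firing on targets outside their expected location (treat as real)."""
    suppressed, hits = parse_trivyignore(ignore_text), findings_by_id(report)
    stale = sorted(i for i in suppressed if not hits[i])
    unexpected = {}
    for i in suppressed:
        bad = sorted(t for t in hits[i] if not t.startswith(expected_prefix.get(i, "")))
        if bad:
            unexpected[i] = bad
    return stale, unexpected

# Constructed sample (not real scan output): the openbao CVE no longer fires,
# and a tar CVE fires both on npm's bundled tar and on an app-level tar copy.
SAMPLE_IGNORE = """# === OpenBao false positives ===
CVE-2024-8185   # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2026-23745  # HIGH: tar arbitrary file overwrite via unsanitized linkpaths
"""
NPM_TAR = "usr/local/lib/node_modules/npm/node_modules/tar/package.json"
SAMPLE_REPORT = {"Results": [
    {"Target": NPM_TAR, "Vulnerabilities": [{"VulnerabilityID": "CVE-2026-23745", "PkgName": "tar"}]},
    {"Target": "app/node_modules/tar/package.json",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-2026-23745", "PkgName": "tar"}]}]}
EXPECTED = {"CVE-2024-8185": "usr/local/bin/bao",  # assumed bao binary path
            "CVE-2026-23745": "usr/local/lib/node_modules/npm/"}

if __name__ == "__main__":
    stale, unexpected = audit(SAMPLE_IGNORE, SAMPLE_REPORT, EXPECTED)
    print("stale (re-evaluate):", stale)      # ['CVE-2024-8185']
    print("unexpected (real?):", unexpected)  # {'CVE-2026-23745': ['app/node_modules/tar/package.json']}
```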