# Trivy CVE Suppressions — Upstream Dependencies
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# MITIGATED in this sprint:
#   - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
#   - npm bundled CVEs (5): npm removed from production Node.js images
#
# REMAINING: OpenBao only (5 CVEs — 4 false positives + 1 upstream Go stdlib)
# Re-evaluate when upgrading openbao image beyond 2.5.0.

# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
# and reports CVEs fixed in openbao 2.0.3–2.4.4. We run openbao:2.5.0.
CVE-2024-8185   # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180   # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043  # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761  # HIGH: identity group root escalation (fixed in 2.4.4)

# === OpenBao Go stdlib (waiting on upstream rebuild) ===
# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
# Cannot build OpenBao from source (large project). Waiting for upstream release.
CVE-2025-68121  # CRITICAL: crypto/tls session resumption