stack/.trivyignore
Jason Woltje 08f62f1787
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/coordinator Pipeline failed
ci/woodpecker/push/web Pipeline failed
ci/woodpecker/push/api Pipeline failed
ci/woodpecker/push/orchestrator Pipeline failed
fix(ci): add .trivyignore for upstream CVEs in base images
All 16 suppressed CVEs are in upstream binaries/packages we don't control:
- Go stdlib CVEs in openbao bin/bao (Go 1.25.6) and postgres gosu (Go 1.24.6)
- OpenBao CVE false positives (Trivy reads Go pseudo-version, we run 2.5.0)
- npm bundled cross-spawn/glob/tar CVEs in node:20-alpine base image

Updated all 6 Trivy scan steps across 5 pipelines to use --ignorefile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 17:05:11 -06:00

33 lines
1.8 KiB
Plaintext

# Trivy CVE Suppressions — Upstream Dependencies
# These CVEs exist in upstream base images/binaries we don't control.
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# Re-evaluate when upgrading: node base image, openbao image, or postgres/gosu image.
# === Go stdlib CVEs in upstream binaries ===
# Affects: openbao bin/bao (Go 1.25.6), postgres gosu (Go 1.24.6)
# Fix requires upstream to rebuild with Go >= 1.25.7 / 1.24.13
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
CVE-2025-58183 # HIGH: archive/tar unbounded allocation
CVE-2025-61726 # HIGH: net/url memory exhaustion
CVE-2025-61728 # HIGH: archive/zip CPU exhaustion
CVE-2025-61729 # HIGH: crypto/x509 DoS
CVE-2025-61730 # HIGH: TLS 1.3 handshake vulnerability
# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
# and reports CVEs fixed in openbao 2.0.3 to 2.4.4. We run openbao:2.5.0.
CVE-2024-8185 # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
# === npm bundled packages in node:20-alpine base image ===
# These are npm's own transitive deps at usr/local/lib/node_modules/npm/
# Not used by our application code. Fix requires newer Node.js base image.
CVE-2024-21538 # HIGH: cross-spawn ReDoS (npm bundled 7.0.3, need 7.0.5)
CVE-2025-64756 # HIGH: glob command injection (npm bundled 10.4.2, need 10.5.0)
CVE-2026-23745 # HIGH: tar symlink poisoning (npm bundled 6.2.1, need 7.5.3)
CVE-2026-23950 # HIGH: tar Unicode path collision (npm bundled 6.2.1, need 7.5.4)
CVE-2026-24842 # HIGH: tar path traversal via hardlink (npm bundled 6.2.1, need 7.5.7)
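A check that fits the "Re-evaluate when upgrading" note in the file header and the `--ignorefile` change in the commit message, added here as an example and not part of the repository: a small Python audit that parses a `.trivyignore` in Trivy's format (one ID per line, `#` comment lines, optional `exp:YYYY-MM-DD` field) and cross-checks it against a Trivy JSON report taken without `--ignorefile`, so it can flag suppressions that no longer match any finding (the upstream fix landed, the line can go), suppressions past their expiry, entries with no rationale, and findings the gated scan would still fail on. The ignore list and report embedded below are constructed for the example (a subset of the page's IDs plus a placeholder `CVE-0000-00001`); treating the text after an inline `#` as the rationale is this script's own convention, not something Trivy interprets.

```python
"""Audit a .trivyignore against a full Trivy JSON report (added example).

Assumes the report was produced WITHOUT --ignorefile, e.g.
    trivy image --format json -o full.json IMAGE
so every finding is visible and the suppression list can be cross-checked.
"""
import json
import sys
from datetime import date


def parse_trivyignore(text):
    """Return {vuln_id: {"exp": date or None, "reason": str}}.

    Mirrors Trivy's .trivyignore rules: blank lines and lines starting with
    '#' are skipped, the first field is the vulnerability ID, and a field of
    the form exp:YYYY-MM-DD sets an expiry. Treating the text after an inline
    '#' as the rationale is this script's convention, not a Trivy feature.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, _, reason = line.partition("#")
        fields = body.split()
        exp = None
        for field in fields[1:]:
            if field.startswith("exp:"):
                exp = date.fromisoformat(field[len("exp:"):])
        entries[fields[0]] = {"exp": exp, "reason": reason.strip()}
    return entries


def findings(report):
    """Flatten Results[].Vulnerabilities[] from a Trivy JSON report.

    Trivy emits "Vulnerabilities": null for clean targets, hence the `or []`.
    """
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            out.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
            })
    return out


def audit(ignore_text, report, today):
    """Cross-check the suppression list against the report."""
    ignored = parse_trivyignore(ignore_text)
    seen_ids = {f["id"] for f in findings(report)}
    return {
        # suppressed but no longer reported: upstream fixed it, drop the line
        "stale": sorted(i for i in ignored if i not in seen_ids),
        # exp: date has passed: Trivy will start failing the scan again
        "expired": sorted(i for i, e in ignored.items() if e["exp"] and e["exp"] < today),
        # no inline rationale: reviewers cannot tell why the risk was accepted
        "unjustified": sorted(i for i, e in ignored.items() if not e["reason"]),
        # reported and not suppressed: what the gated scan will fail on
        "unsuppressed": sorted(seen_ids - set(ignored)),
    }


# Constructed sample ignore list: a subset of the page's entries, one with an
# expiry and one with no rationale, to exercise every check.
IGNORE_SAMPLE = """\
# === npm bundled packages in node:20-alpine base image ===
CVE-2024-21538 # HIGH: cross-spawn ReDoS (npm bundled 7.0.3, need 7.0.5)
CVE-2025-64756 exp:2026-01-31 # HIGH: glob command injection (npm bundled 10.4.2, need 10.5.0)
CVE-2024-8185
"""

# Constructed sample report in Trivy's JSON shape; CVE-0000-00001 is a placeholder ID.
REPORT_SAMPLE = {
    "Results": [
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-21538", "PkgName": "cross-spawn",
             "InstalledVersion": "7.0.3", "FixedVersion": "7.0.5", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2025-64756", "PkgName": "glob",
             "InstalledVersion": "10.4.2", "FixedVersion": "10.5.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-pkg",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
        ]},
        {"Target": "alpine base image", "Vulnerabilities": None},
    ]
}
REVIEW_DATE = date(2026, 2, 12)  # the file's "Reviewed:" date


def run_demo():
    return audit(IGNORE_SAMPLE, REPORT_SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit_trivyignore.py stack/.trivyignore full.json
        with open(sys.argv[1]) as f, open(sys.argv[2]) as r:
            result = audit(f.read(), json.load(r), date.today())
    else:
        result = run_demo()
    for key, ids in result.items():
        print(f"{key:12s} {', '.join(ids) or '-'}")
    sys.exit(1 if result["unsuppressed"] or result["expired"] else 0)
```

Run it as a separate, non-blocking pipeline step that scans the same image with `trivy image --format json -o full.json IMAGE` (no `--ignorefile`) and then calls `python audit_trivyignore.py stack/.trivyignore full.json`; the gated scan keeps using `--ignorefile`, while this step reports which suppressions can be retired after the next node, openbao or postgres/gosu image bump.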