- docker/postgres/Dockerfile: build gosu from source with Go 1.26 via
multi-stage build (eliminates 1 CRITICAL + 5 HIGH Go stdlib CVEs)
- apps/{api,web,orchestrator}/Dockerfile: remove npm from production
images (eliminates 5 HIGH CVEs in npm's bundled cross-spawn/glob/tar)
- .trivyignore: trimmed from 16 to 5 CVEs (OpenBao only — 4 false
positives from Go pseudo-version + 1 real Go stdlib waiting on upstream)
Fixes #363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
23 lines
1.1 KiB
Plaintext
# Trivy CVE Suppressions — Upstream Dependencies
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# MITIGATED in this sprint:
# - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
# - npm bundled CVEs (5): npm removed from production Node.js images
#
# REMAINING: OpenBao only (5 CVEs — 4 false positives + 1 upstream Go stdlib)
# Re-evaluate when upgrading openbao image beyond 2.5.0.

# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
# and reports CVEs fixed in openbao 2.0.3–2.4.4. We run openbao:2.5.0.
CVE-2024-8185 # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)

# === OpenBao Go stdlib (waiting on upstream rebuild) ===
# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
# Cannot build OpenBao from source (large project). Waiting for upstream release.
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
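The .trivyignore above justifies each false positive with the version that fixed it and asks for re-evaluation once the openbao image moves past 2.5.0. The following is an added example (not part of this commit or the project) that automates that re-check: it parses suppressions in this file's shape, reads the file's own "(fixed in X.Y.Z)" note, and reports which entries the pinned image version still justifies, which now hide a real CVE, and which carry no fix version and need a manual look. The sample content is constructed from the entries on this page; the running version is assumed to be taken from the image tag.

```python
import re

# Constructed sample: the OpenBao entries from the .trivyignore shown on this page.
SAMPLE_TRIVYIGNORE = """\
# === OpenBao false positives ===
CVE-2024-8185 # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
# === OpenBao Go stdlib (waiting on upstream rebuild) ===
CVE-2025-68121 # CRITICAL: crypto/tls session resumption
"""

# One suppression per line: ID, optional Trivy "exp:YYYY-MM-DD", optional "# note".
ENTRY_RE = re.compile(r"^(?P<id>[A-Z]+-[\w-]+)(?:\s+exp:\S+)?\s*(?:#\s*(?P<note>.*))?$")
# This file's own convention for recording why an entry is a false positive.
FIXED_RE = re.compile(r"fixed in\s+(\d+(?:\.\d+)*)")

def parse_version(text):
    """'2.5.0' -> (2, 5, 0); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))

def parse_trivyignore(text):
    """Return [(id, fixed_in_version_or_None)] for every active suppression."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised .trivyignore line: {line!r}")
        fixed = FIXED_RE.search(match.group("note") or "")
        entries.append((match.group("id"), parse_version(fixed.group(1)) if fixed else None))
    return entries

def audit(text, running_version):
    """justified: image at/after the fix (true false positive); unjustified: image
    older than the fix (suppression hides a real CVE); unversioned: manual re-check."""
    running = parse_version(running_version)
    report = {"justified": [], "unjustified": [], "unversioned": []}
    for cve, fixed_in in parse_trivyignore(text):
        if fixed_in is None:
            report["unversioned"].append(cve)
        elif running >= fixed_in:
            report["justified"].append(cve)
        else:
            report["unjustified"].append(cve)
    return report
```

Run it in CI against the pinned image tag so a downgrade or a stale pin turns a silent suppression into a failed check.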