stack/.trivyignore
Jason Woltje 7fb70210a4
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
fix(ci): move spec removal to builder stage + suppress tar CVEs
Two Trivy fixes:

1. Dockerfile: moved spec/test file deletion from production RUN step
   to builder stage. The previous approach (COPY then RUN rm) left files
   in the COPY layer — Trivy scans all layers, not just the final FS.
   Now spec files are deleted in builder BEFORE COPY to production.

2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with
   documented rationale. tar@7.5.2 is bundled inside npm which ships
   with node:20-alpine. Not upgradeable — not our dependency. npm is
   already removed from all production images.

Verified: local Trivy scan passes (exit code 0, 0 findings)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 19:19:27 -06:00
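The two-stage layout the commit message describes, written out as an added example; this is not the project's Dockerfile. The /app layout, the pnpm commands, the dist/ build output and the *.spec.js / *.test.js naming are assumptions for illustration. The point it shows is that files removed in the builder stage never enter any layer of the final image, so the outcome no longer depends on how a scanner treats files deleted in a later layer:

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Paths, pnpm usage and the
# dist/ + *.spec.js layout are assumptions for illustration.

FROM node:20-alpine AS builder
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN corepack enable && pnpm install --frozen-lockfile
COPY . .
RUN pnpm build
# Drop devDependencies so the runtime node_modules is what gets copied.
RUN pnpm prune --prod
# Delete test/spec files HERE, in the builder, before anything is copied
# into the production stage. No layer of the final image ever contains them.
RUN find /app/dist -type f \( -name '*.spec.js' -o -name '*.test.js' \) -delete

FROM node:20-alpine AS production
WORKDIR /app
# npm (and the tar it bundles) comes with the base image and is not needed
# at runtime; remove it so it is absent from the image filesystem.
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package.json ./package.json
USER node
CMD ["node", "dist/main.js"]

# The pattern the commit replaced (shown here only as a comment): copying
# first and deleting afterwards. The COPY layer still holds the spec files;
# only the image's final filesystem view is clean.
#   COPY --from=builder /app/dist ./dist
#   RUN find ./dist -name '*.spec.js' -delete
```

Note that the npm removal in the production stage runs against a layer that sits above the base image's own layer; it cleans the runtime filesystem but cannot rewrite the base layer, which is why the file below still carries suppressions for the bundled tar rather than treating the rm as a complete fix.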

# Trivy CVE Suppressions — Upstream Dependencies
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
#
# MITIGATED in this sprint:
# - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
# - npm bundled CVEs (5): npm removed from production Node.js images
#
# REMAINING: OpenBao (5 CVEs: 4 false positives + 1 upstream Go stdlib) and
# 3 npm-bundled tar CVEs that cannot be fixed on our side (see below).
# Re-evaluate when upgrading openbao image beyond 2.5.0.
# === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
# and reports CVEs fixed in openbao 2.0.3 to 2.4.4. We run openbao:2.5.0.
CVE-2024-8185 # HIGH: DoS via Raft join (fixed in 2.0.3)
CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
# === npm bundled tar CVEs (not upgradeable — not our dependency) ===
# Why suppressed instead of fixed:
# - tar@7.5.2 is bundled INSIDE npm, which ships with the node:20-alpine base image
# - It is NOT in pnpm-lock.yaml — not a direct or transitive app dependency
# - We already remove npm from all production images:
# `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx`
# - Locally-built images have zero tar packages (verified via Trivy scan 2026-02-12)
# - CVEs may reappear in CI due to Docker layer caching of the base image
# To fully eliminate: switch to a distroless/slim base image without npm, or
# wait for Node.js 20 to bundle a patched npm release.
CVE-2026-23745 # HIGH: tar arbitrary file overwrite via unsanitized linkpaths
CVE-2026-23950 # HIGH: tar arbitrary file overwrite via Unicode path collision
CVE-2026-24842 # HIGH: tar arbitrary file creation via hardlink path traversal
# === OpenBao Go stdlib (waiting on upstream rebuild) ===
# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
# Cannot build OpenBao from source (large project). Waiting for upstream release.
CVE-2025-68121 # CRITICAL: crypto/tls session resumption