From 23a62637297b2edc57f4d1bbb482d2d7756ea3be Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Mon, 9 Mar 2026 14:38:37 +1100 Subject: [PATCH] UID2-6704: Suppress CVE-2026-22184 (zlib untgz) in .trivyignore The vulnerability is in zlib's contrib/untgz demo utility, not the core libz library. Alpine does not ship the untgz binary, and the JRE only uses libz for compression. The zlib maintainer disputes this CVE and removed the untgz tool entirely. Not exploitable in our context. Co-Authored-By: Claude Opus 4.6 --- .trivyignore | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index 4d00158a3..883ad9f20 100644 --- a/.trivyignore +++ b/.trivyignore @@ -18,4 +18,9 @@ GHSA-72hv-8253-57qq exp:2026-09-01 # libpng heap buffer overflow in Alpine base image - fixed version not yet available in Alpine 3.23 # See: UID2-6677 -CVE-2026-25646 exp:2026-09-02 \ No newline at end of file +CVE-2026-25646 exp:2026-09-02 + +# zlib contrib/untgz demo utility buffer overflow - not exploitable, Alpine does not ship the untgz binary +# and the core libz library used by the JRE is unaffected. The zlib maintainer disputes this CVE. +# See: UID2-6704 +CVE-2026-22184 exp:2026-09-09 \ No newline at end of file
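Review bot: the new comment block justifies the suppression only by assertion (untgz not shipped, core libz unaffected, maintainer disputes the CVE) and the `# See: UID2-6704` line points at an internal ticket, so anyone auditing `.trivyignore` later cannot re-verify the reasoning without access to that ticket. Record the evidence next to the entry: a link to the upstream dispute or the public CVE-2026-22184 record, and the check that was actually run against the built image (for example, that `find / -name 'untgz*'` inside the container returns nothing and that `apk info -L zlib` lists only the shared library). Two smaller points on the same hunk: the existing `CVE-2026-25646 exp:2026-09-02` line is removed and re-added solely to gain a trailing newline, yet the added `CVE-2026-22184 exp:2026-09-09` line again ends with `\ No newline at end of file`, so the next entry will produce the same churn; terminate the file with a newline now. And because this ignore is argued as "not exploitable in our context" rather than "fix not yet available", state in the comment what the expiry review on 2026-09-09 should check (whether Alpine's zlib package has picked up the upstream change that removed contrib/untgz, at which point the scanner should stop reporting it and the entry can be dropped rather than extended).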