diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index ce560f0..65381de 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -66,7 +66,7 @@ jobs:
 - name: setup trivy
 uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
 with:
- version: v0.69.1
+ version: v0.69.3
 - name: setup node
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
diff --git a/.tool-versions b/.tool-versions
index e4a19f0..1aed182 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -5,5 +5,5 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
 yq 4.52.2
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
index f492e92..24d49bd 100644
--- a/src/base/.devcontainer/.tool-versions
+++ b/src/base/.devcontainer/.tool-versions
@@ -2,5 +2,5 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
 yq 4.52.2
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index 3ed5c49..1f9727c 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
@@ -323,3 +323,40 @@ vulnerabilities:
 purls:
 - "pkg:golang/stdlib@v1.25.6"
 expired_at: 2026-08-13
+ - id: CVE-2025-15558
+ statement: "docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries"
+ purls:
+ - "pkg:golang/github.com/docker/cli@v28.5.1%2Bincompatible"
+ - "pkg:golang/github.com/docker/cli@v29.0.3%2Bincompatible"
+ - "pkg:golang/github.com/docker/cli@v29.1.1%2Bincompatible"
+ expired_at: 2026-09-09
+ - id: CVE-2026-24051
+ statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+ purls:
+ - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.36.0"
+ expired_at: 2026-09-09
+ - id: CVE-2024-35870
+ statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2024-53179
+ statement: "kernel: smb: client: fix use-after-free of signing key"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-21780
+ statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-37899
+ statement: "kernel: ksmbd: fix use-after-free in session logoff"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-38118
+ statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
index 5491da7..ca220bd 100644
--- a/src/common_node_24/.trivyignore.yaml
+++ b/src/common_node_24/.trivyignore.yaml
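Review bot: Every new entry's `statement` just repeats the advisory title, so the file records what is suppressed but not why it is acceptable, which is what the statement field in `.trivyignore.yaml` is for and what the next reviewer needs when `expired_at: 2026-09-09` comes due. For CVE-2025-15558 the title itself says "Docker CLI for Windows", so the reason is presumably that these images are Linux-only; say so, e.g. `statement: "CVE-2025-15558 affects plugin lookup on Windows only; these images are Linux-only, not reachable here"`. The five kernel CVEs are matched on `linux-libc-dev` (the userspace headers package, not a running kernel), where the usual justification is that a container executes on the host kernel and the headers carry no runnable code — if that is the reasoning, record it in each of those statements instead of the upstream fix title. CVE-2026-24051 (PATH hijacking in the OpenTelemetry Go SDK) has no such obvious out-of-scope argument, so that entry should state whether the affected code path is unreachable in the binary that vendors `go.opentelemetry.io/otel/sdk@v1.36.0` or whether an upgrade is pending and the ignore is only a bridge until then.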
@@ -53,3 +53,8 @@ vulnerabilities:
 - "pkg:npm/minimatch@10.0.3"
 - "pkg:npm/minimatch@9.0.5"
 expired_at: 2026-08-27
+ - id: CVE-2026-29786
+ statement: "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, ..."
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-09-09
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
index 4443daa..79605cd 100644
--- a/src/projects/eps-storage-terraform/.trivyignore.yaml
+++ b/src/projects/eps-storage-terraform/.trivyignore.yaml
@@ -105,3 +105,8 @@ vulnerabilities:
 purls:
 - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
 expired_at: 2026-08-16
+ - id: CVE-2026-24051
+ statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+ purls:
+ - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0"
+ expired_at: 2026-09-10
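Review bot: The ignore for CVE-2026-29786 carries a truncated package blurb (`"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, ..."`) rather than a reason, and that blurb itself names a fixed release (7.5.10) while the matched purl is `pkg:npm/tar@7.5.1`, so on the face of it this is a case for upgrading rather than suppressing. If `tar` only arrives as a transitive dependency that cannot be bumped directly, an npm `overrides` entry pinning `tar` to `>=7.5.10` is the usual route; if the upgrade is genuinely blocked, the statement should say by what, e.g. `statement: "tar 7.5.1 is pulled in transitively (name the parent package); fix is in 7.5.10, revisit once the parent updates"`. Either way the trailing `...` should not be left in a committed statement.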
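Review bot: CVE-2026-24051 is suppressed here for `go.opentelemetry.io/otel/sdk@v1.38.0` with `expired_at: 2026-09-10`, while the same CVE is suppressed in src/common/.trivyignore.yaml for v1.36.0 with `expired_at: 2026-09-09`, and in both places the statement is the advisory title with no reason the PATH-hijacking issue is acceptable in this image. Align the two dates so both suppressions are re-examined together, `expired_at: 2026-09-09`, and record the rationale in the statement — for instance that the tool vendoring the SDK does not resolve executables via PATH, if that is the case — or at least name the binary carrying the SDK so the upgrade can be tracked. Without that, the two entries will drift apart and one of them will be renewed without anyone re-checking the other.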