From 2e60fd7d92511db7f80daa53b6c949df9e1a785f Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 9 Mar 2026 14:54:00 +0000
Subject: [PATCH 1/4] upgrade to latest trivy
---
 .github/workflows/build_multi_arch_image.yml | 2 +-
 .tool-versions | 2 +-
 src/base/.devcontainer/.tool-versions | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index ce560f0..65381de 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -66,7 +66,7 @@ jobs:
 - name: setup trivy
 uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
 with:
- version: v0.69.1
+ version: v0.69.3
 - name: setup node
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
diff --git a/.tool-versions b/.tool-versions
index e4a19f0..1aed182 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -5,5 +5,5 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
 yq 4.52.2
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
index f492e92..24d49bd 100644
--- a/src/base/.devcontainer/.tool-versions
+++ b/src/base/.devcontainer/.tool-versions
@@ -2,5 +2,5 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
 yq 4.52.2
From a3be8fbba5fec1d1b89ea258803e26b0117c41e5 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 9 Mar 2026 15:26:43 +0000
Subject: [PATCH 2/4] new vulns
---
 src/common/.trivyignore.yaml | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index 3ed5c49..1f9727c 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
@@ -323,3 +323,40 @@ vulnerabilities:
 purls:
 - "pkg:golang/stdlib@v1.25.6"
 expired_at: 2026-08-13
+ - id: CVE-2025-15558
+ statement: "docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries"
+ purls:
+ - "pkg:golang/github.com/docker/cli@v28.5.1%2Bincompatible"
+ - "pkg:golang/github.com/docker/cli@v29.0.3%2Bincompatible"
+ - "pkg:golang/github.com/docker/cli@v29.1.1%2Bincompatible"
+ expired_at: 2026-09-09
+ - id: CVE-2026-24051
+ statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+ purls:
+ - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.36.0"
+ expired_at: 2026-09-09
+ - id: CVE-2024-35870
+ statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2024-53179
+ statement: "kernel: smb: client: fix use-after-free of signing key"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-21780
+ statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-37899
+ statement: "kernel: ksmbd: fix use-after-free in session logoff"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-38118
+ statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
From 8d1a69610eb63243cd9e76b2289be932f262b4e8 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 9 Mar 2026 16:40:14 +0000
Subject: [PATCH 3/4] new vuln
---
 src/common_node_24/.trivyignore.yaml | 5 +++++
 1 file changed, 5 insertions(+)
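Review bot: Every new `statement` in this hunk repeats the advisory title instead of recording why the finding is acceptable to suppress, so a reader at review time or at expiry cannot tell whether the risk was assessed or the entry was added to get the scan green; the CVE-2026-24051 entry added in patch 4/4 to src/projects/eps-storage-terraform/.trivyignore.yaml has the same gap. The text already hints at a rationale in places — CVE-2025-15558 is titled "Docker CLI for Windows", and the five kernel CVEs are matched against the `linux-libc-dev` package, which presumably ships headers rather than a running kernel — but if that is the reasoning it belongs in the field, e.g. a constructed `statement: "Windows-only plugin path; images are Linux. Re-assess before expiry."` rather than the title. All seven entries share `expired_at: 2026-09-09`; naming the event expected before then (an upstream fix version, a base-image rebuild) would make the expiry meaningful rather than a six-month snooze. The `vulnerabilities` list these entries extend begins outside the hunk.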
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
index 5491da7..ca220bd 100644
--- a/src/common_node_24/.trivyignore.yaml
+++ b/src/common_node_24/.trivyignore.yaml
@@ -53,3 +53,8 @@ vulnerabilities:
 - "pkg:npm/minimatch@10.0.3"
 - "pkg:npm/minimatch@9.0.5"
 expired_at: 2026-08-27
+ - id: CVE-2026-29786
+ statement: "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, ..."
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-09-09
From eb0a822c5269953b70e9c4f983bf3c94399a0f61 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Tue, 10 Mar 2026 10:18:00 +0000
Subject: [PATCH 4/4] new vuln
---
 src/projects/eps-storage-terraform/.trivyignore.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
index 4443daa..79605cd 100644
--- a/src/projects/eps-storage-terraform/.trivyignore.yaml
+++ b/src/projects/eps-storage-terraform/.trivyignore.yaml
@@ -105,3 +105,8 @@ vulnerabilities:
 purls:
 - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
 expired_at: 2026-08-16
+ - id: CVE-2026-24051
+ statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+ purls:
+ - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0"
+ expired_at: 2026-09-10
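Review bot: The `statement` for CVE-2026-29786 is a cut-off copy of the advisory description ending in `...`, and the fragment that survives says the issue affects versions "Prior to version 7.5.10" while the suppressed purl is `pkg:npm/tar@7.5.1`, so this hunk ignores a finding whose own statement indicates an upstream fix is available. If `tar` arrives transitively and cannot be bumped yet, record that instead of the truncated text, e.g. a constructed `statement: "Fixed in tar 7.5.10; pulled in via <PARENT-PACKAGE-PLACEHOLDER>, bump blocked until that package updates. Re-check before expiry."`; if it can be bumped, an update is the better change than an ignore entry. The `vulnerabilities` list this entry joins starts outside the hunk.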