NHSDigital · anthony-nhs · Mar 11, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
@@ -58,3 +58,8 @@ vulnerabilities:
     purls:
       - "pkg:npm/tar@7.5.1"
     expired_at: 2026-09-09
+  - id: CVE-2026-31802
+    statement: "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10,  ..."
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-09-09
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/.tool-versions b/src/languages/node_24_python_3_14_java_24/.devcontainer/.tool-versions
@@ -0,0 +1,4 @@
+python 3.14.3
+poetry 2.3.2
+java temurin-24.0.2+12
+maven 3.9.13
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14_java_24/.devcontainer/devcontainer.json
@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+    "name": "EPS Devcontainer node_24 python_3.14",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "build": {
+      "dockerfile": "../../../common_node_24/Dockerfile",
+      "args": {
+        "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
+        "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
+        "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
+        "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
+      },
+      "context": "."
+    },
+    "features": {}
+  }
+
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -e
+export DEBIAN_FRONTEND=noninteractive
+
+# clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e
+
+asdf plugin add python
+asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
+asdf plugin add java
+asdf plugin add maven
+
+asdf install python
+asdf install
+
+# install cfn-lint
+pip install --user cfn-lint
diff --git a/src/languages/node_24_python_3_14_java_24/.trivyignore.yaml b/src/languages/node_24_python_3_14_java_24/.trivyignore.yaml
@@ -0,0 +1,11 @@
+vulnerabilities:
+  - id: CVE-2026-23949
+    statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives"
+    purls:
+      - "pkg:pypi/jaraco.context@5.3.0"
+    expired_at: 2026-08-12
+  - id: CVE-2026-24049
+    statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking"
+    purls:
+      - "pkg:pypi/wheel@0.45.1"
+    expired_at: 2026-08-12
diff --git a/src/languages/node_24_python_3_14_java_24/trivy.yaml b/src/languages/node_24_python_3_14_java_24/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/languages/node_24_python_3_14_java_24/.trivyignore_combined.yaml"
diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml
@@ -2,30 +2,26 @@ vulnerabilities:
   - id: CVE-2022-25235
     statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
     purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2022-25236
     statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
     purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2022-26485
     statement: "Mozilla: Use-after-free in XSLT parameter processing"
     purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2022-26486
     statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
     purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
-      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2026-25547
     statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
@@ -53,63 +49,3 @@ vulnerabilities:
     purls:
       - "pkg:npm/tar@7.5.1"
     expired_at: 2026-08-12
-  - id: CVE-2022-25235
-    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-13
-  - id: CVE-2022-25236
-    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-13
-  - id: CVE-2022-26485
-    statement: "Mozilla: Use-after-free in XSLT parameter processing"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-13
-  - id: CVE-2022-26486
-    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-13
-  - id: CVE-2022-25235
-    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
-  - id: CVE-2022-25236
-    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
-  - id: CVE-2022-26485
-    statement: "Mozilla: Use-after-free in XSLT parameter processing"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
-  - id: CVE-2022-26486
-    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
-  - id: CVE-2022-25235
-    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
-  - id: CVE-2022-25236
-    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
-  - id: CVE-2022-26485
-    statement: "Mozilla: Use-after-free in XSLT parameter processing"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
-  - id: CVE-2022-26486
-    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
-    purls:
-      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
-    expired_at: 2026-08-16
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		ignorefile: "src/languages/node_24_python_3_14_java_24/.trivyignore_combined.yaml"