-
Notifications
You must be signed in to change notification settings - Fork 25
Expand file tree
/
Copy path.trivyignore
More file actions
201 lines (173 loc) · 10.4 KB
/
Copy path.trivyignore
File metadata and controls
201 lines (173 loc) · 10.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
# =============================================================================
# TNO Trivy Ignore File
# =============================================================================
# This file suppresses known CVEs from Trivy container image scans.
# All entries here are BASE IMAGE vulnerabilities that will be resolved by
# upgrading the base images (tracked as a separate task).
#
# DO NOT add application-level CVEs here — those must be fixed in code.
#
# Planned base image upgrades:
# - node:18-bullseye (Debian 11 EOL) → node:18-bookworm (Debian 12)
# - nginxinc/nginx-unprivileged:1.24 → nginx-unprivileged:1.26-alpine
# - mcr.microsoft.com/dotnet/aspnet:9.0 — rebuild to pick up latest patch
#
# Last reviewed: 2026-04-28
# =============================================================================
# -----------------------------------------------------------------------------
# Debian 11 (Bullseye) — node:18-bullseye base image (editor, subscriber)
# These will all be eliminated by upgrading to node:18-bookworm
# -----------------------------------------------------------------------------
# -- libxml2 (2.9.10) --------------------------------------------------------
CVE-2016-3709 # libxml2: XSS in xmlserialize.c
CVE-2022-2309 # libxml2: NULL deref in lxml
CVE-2022-49043 # libxml2: use-after-free
CVE-2023-39615 # libxml2: crafted XML leading to DoS
CVE-2023-45322 # libxml2: use-after-free via crafted XML
CVE-2024-25062 # libxml2: use-after-free in XMLReader
CVE-2024-34459 # libxml2: buffer over-read
CVE-2024-56171 # libxml2: use-after-free
CVE-2025-24928 # libxml2: stack buffer overflow
CVE-2025-27113 # libxml2: NULL deref
CVE-2025-32414 # libxml2: out-of-bounds read
CVE-2025-32415 # libxml2: crafted XML DoS
CVE-2025-49794 # libxml2: vulnerability
CVE-2025-49796 # libxml2: vulnerability
CVE-2025-6021 # libxml2: vulnerability
CVE-2025-6170 # libxml2: vulnerability
CVE-2025-9714 # libxml2: vulnerability
# -- libxslt1.1 (1.1.34) -----------------------------------------------------
CVE-2023-40403 # libxslt: disclosure of heap memory
CVE-2024-55549 # libxslt: use-after-free
CVE-2025-24855 # libxslt: use-after-free
CVE-2025-7424 # libxslt: vulnerability
# -- OpenSSL 1.1.1 (libssl1.1) -----------------------------------------------
CVE-2023-5678 # OpenSSL: excessive time in DH key generation
CVE-2024-0727 # OpenSSL: NULL deref processing PKCS12 data
CVE-2024-2511 # OpenSSL: TLSv1.3 session cache unbounded growth
CVE-2024-4741 # OpenSSL: use-after-free in SSL_free_buffers
CVE-2024-5535 # OpenSSL: SSL_select_next_proto buffer overread
CVE-2024-9143 # OpenSSL: low-severity issue
CVE-2024-13176 # OpenSSL: timing side-channel in ECDSA
CVE-2025-9230 # OpenSSL: vulnerability
CVE-2025-68160 # OpenSSL: vulnerability
CVE-2025-69418 # OpenSSL: vulnerability
CVE-2025-69419 # OpenSSL: vulnerability
CVE-2025-69420 # OpenSSL: vulnerability
CVE-2025-69421 # OpenSSL: vulnerability
CVE-2026-22795 # OpenSSL: vulnerability
CVE-2026-22796 # OpenSSL: vulnerability
# -- libtiff5 (4.2.0) --------------------------------------------------------
CVE-2023-2908 # libtiff: NULL deref in tif_dir.c
CVE-2023-25433 # libtiff: buffer overflow in tiff2pdf.c
CVE-2023-26965 # libtiff: use-after-free in tiffcrop
CVE-2023-26966 # libtiff: buffer overflow in uv_encode
CVE-2023-3316 # libtiff: NULL deref via crafted image
CVE-2023-3618 # libtiff: segfault via crafted image
CVE-2023-52356 # libtiff: segfault in TIFFReadRGBATileExt
CVE-2024-7006 # libtiff: NULL deref in tif_dirinfo.c
CVE-2024-13978 # libtiff: vulnerability
CVE-2025-9900 # libtiff: vulnerability
# -- libssh2-1 (1.9.0) -------------------------------------------------------
CVE-2020-22218 # libssh2: use-after-free in _libssh2_packet_add
# -- e2fsprogs / libss2 / logsave (1.46.2) -----------------------------------
CVE-2022-1304 # e2fsprogs: out-of-bounds read/write via crafted fs
# -- libsepol1 (3.1) ---------------------------------------------------------
CVE-2021-36084 # libsepol: use-after-free in __cil_verify_classperms
CVE-2021-36085 # libsepol: use-after-free in __cil_verify_classperms
CVE-2021-36086 # libsepol: use-after-free in cil_reset_classpermission
CVE-2021-36087 # libsepol: heap-based buffer overflow in ebitmap_match_any
# -- shadow-utils / login / passwd (4.8.1) -----------------------------------
CVE-2023-29383 # shadow-utils: possible local DOS via chfn
CVE-2023-4641 # shadow-utils: password leak via /etc/shadow.bak
# -- systemd / libudev1 (247.3) ----------------------------------------------
CVE-2023-7008 # systemd-resolved: DNSSEC unsigned NSEC transition
CVE-2023-50387 # systemd: KeyTrap DNSSEC CPU exhaustion
CVE-2023-50868 # systemd: NSEC3 iteration count CPU exhaustion
CVE-2025-4598 # systemd: vulnerability
# -- perl-base (5.32.1) ------------------------------------------------------
CVE-2020-16156 # CPAN.pm: signature verification bypass
CVE-2023-31484 # perl: HTTP::Tiny does not verify TLS certificates
# -- libtasn1-6 (4.16.0) -----------------------------------------------------
CVE-2024-12133 # libtasn1: inefficient algorithm in DER decoding
# -- tzdata (2024a) -----------------------------------------------------------
DLA-3972-1 # tzdata: Debian LTS advisory
DLA-4016-1 # ucf: Debian LTS advisory
DLA-4085-1 # tzdata: Debian LTS advisory
DLA-4105-1 # tzdata: Debian LTS advisory
DLA-4403-1 # tzdata: Debian LTS advisory
DLA-4213-1 # curl: Debian LTS regression update
DLA-4432-1 # curl: Debian LTS security update
DLA-4485-1 # ca-certificates: Debian LTS CA update
# -- krb5 / libgssapi-krb5-2 (1.18.3) ----------------------------------------
CVE-2024-37370 # krb5: GSS message token handling
CVE-2024-37371 # krb5: GSS message token handling
CVE-2025-24528 # krb5: overflow when calculating ulog block size
CVE-2025-3576 # krb5: RC4-HMAC-MD5 checksum vulnerability enabling message spoofing
# -- glibc / libc6 (2.31) ----------------------------------------------------
CVE-2024-2961 # glibc: out of bounds write in iconv may lead to remote code execution
CVE-2024-33599 # glibc: stack-based buffer overflow in netgroup cache
CVE-2024-33600 # glibc: null pointer dereferences after failed netgroup cache insertion
CVE-2024-33601 # glibc: netgroup cache may terminate daemon on memory allocation failure
CVE-2024-33602 # glibc: netgroup cache assumes NSS callback uses in-buffer strings
CVE-2025-0395 # glibc: buffer overflow in the GNU C Library's assert()
CVE-2025-4802 # glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH
# -- curl / libcurl4 (7.74.0) ------------------------------------------------
CVE-2024-2398 # curl: HTTP/2 push headers memory-leak
CVE-2024-7264 # curl: libcurl ASN.1 date parser overread
CVE-2024-8096 # curl: OCSP stapling bypass with GnuTLS
# -- gnutls28 / libgnutls30 (3.7.1) ------------------------------------------
CVE-2024-0553 # gnutls: incomplete fix for CVE-2023-5981
CVE-2024-0567 # gnutls: rejects certificate chain with distributed trust
CVE-2024-12243 # gnutls: inefficient DER decoding in libtasn1 leading to remote DoS
CVE-2024-28834 # gnutls: vulnerable to Minerva side-channel information leak
CVE-2024-28835 # gnutls: potential crash during chain building/verification
CVE-2025-14831 # gnutls: DoS via excessive resource consumption during cert verification
CVE-2025-32988 # gnutls: vulnerability in otherName SAN export
CVE-2025-32990 # gnutls: vulnerability in certtool template parsing
CVE-2025-6395 # gnutls: NULL pointer dereference in _gnutls_figure_common_ciphersuite()
CVE-2025-9820 # gnutls: stack-based buffer overflow in gnutls_pkcs11_token_init()
# -- libexpat1 (2.2.10) ------------------------------------------------------
CVE-2023-52425 # expat: parsing large tokens can trigger a denial of service
CVE-2024-45490 # libexpat: negative length parsing vulnerability
CVE-2024-45491 # libexpat: integer overflow or wraparound
CVE-2024-45492 # libexpat: integer overflow
CVE-2024-50602 # libexpat: DoS via XML_ResumeParser
# -- libpng1.6 (1.6.37) ------------------------------------------------------
CVE-2025-64505 # libpng: heap buffer overflow via malformed palette index
CVE-2025-64506 # libpng: heap buffer over-read
CVE-2025-64720 # libpng: buffer overflow
CVE-2025-65018 # libpng: heap buffer overflow
CVE-2025-66293 # libpng: out-of-bounds read in png_image_read_composite
CVE-2026-22695 # libpng: DoS and info disclosure via heap buffer overflow
CVE-2026-22801 # libpng: info disclosure and DoS via integer truncation
CVE-2026-25646 # libpng: heap buffer overflow in png_set_quantize
CVE-2026-33416 # libpng: arbitrary code execution due to use-after-free
CVE-2026-33636 # libpng: info disclosure and DoS via out-of-bounds read
# -- libgd2 / LibGD (2.3.0) --------------------------------------------------
CVE-2021-38115 # LibGD: out-of-bounds read in read_header_tga
CVE-2021-40145 # LibGD: gdImageGd2Ptr vulnerability
CVE-2021-40812 # LibGD: out-of-bounds read
# -- freetype2 (2.10.4) ------------------------------------------------------
CVE-2025-27363 # freetype: OOB write when parsing font subglyph structures
# -- icu / libicu67 (67.1) ----------------------------------------------------
CVE-2025-5222 # icu: stack buffer overflow in SRBRoot::addTag function
# -- GnuPG / gnupg2 (2.2.27) -------------------------------------------------
CVE-2025-68973 # GnuPG: info disclosure and potential arbitrary code execution
# -- nghttp2 / libnghttp2-14 (1.43.0) ----------------------------------------
CVE-2024-28182 # nghttp2: CONTINUATION frames DoS
# -- linux-pam / libpam-modules (1.4.0) --------------------------------------
CVE-2024-22365 # pam: allowing unprivileged user to block another user namespace
CVE-2025-6020 # linux-pam: directory traversal
# -----------------------------------------------------------------------------
# Debian 12 (Bookworm) — mcr.microsoft.com/dotnet/aspnet:9.0 (event-handler)
# OpenSSL 3.0.x vulnerabilities — will be resolved by rebuilding images
# to pick up the latest patched aspnet:9.0 base image
# -----------------------------------------------------------------------------
# -- OpenSSL 3.0.18 (libssl3) ------------------------------------------------
CVE-2026-28387 # OpenSSL 3.0: vulnerability
CVE-2026-28388 # OpenSSL 3.0: vulnerability
CVE-2026-28389 # OpenSSL 3.0: vulnerability
CVE-2026-28390 # OpenSSL 3.0: vulnerability
CVE-2026-31789 # OpenSSL 3.0: vulnerability
CVE-2026-31790 # OpenSSL 3.0: vulnerability