trivy: Ignore CVE-2024-26147 (helm) (#9219)

* trivy: Ignore CVE-2024-26147 (helm)

* Update changelog/v1.17.0-beta11/ignore-helm-bump.yaml

Co-authored-by: Bernie Birnbaum <[email protected]>

---------

Co-authored-by: Bernie Birnbaum <[email protected]>

Author: davidjumani

.trivyignore

@@ -25,4 +25,14 @@ CVE-2022-41721
 # This CVE has not yet been patched in the kubectl version we are using, however it should not
 # affect us as kubernetes does not use the affected code path (see description in
 # https://github.com/kubernetes/kubernetes/pull/118036).
-CVE-2023-2253
+CVE-2023-2253
+
+# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
+# It only leads to a panic if there is a misconfigured / malicious helm plugin installed
+# and can be easily resolved by removing the misconfigured / malicious plugin
+# The helm bump will require bumping the k8s dependencies by +2 minor versions that can cause issues.
+# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
+# https://github.com/solo-io/gloo/issues/9186
+# https://github.com/solo-io/gloo/issues/9187
+# https://github.com/solo-io/gloo/issues/9189
+CVE-2024-26147

changelog/v1.17.0-beta11/ignore-helm-bump.yaml

@@ -0,0 +1,8 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/solo-io/gloo/issues/9186
+  resolvesIssue: true
+  description: >
+    Choosing to ignore helm upgrade, as it does not impact the data and control planes of Gloo Edge. This only impacts glooctl, and panics will not affect future uses of glooctl. The fix to bump helm would also require bumping the k8s dependencies by several minor versions in <=1.15, which can cause issues. There is a simple resolution on the client side, so it is deemed to have little to no impact.
+      skipCI-kube-tests:true
+      skipCI-storybook-tests:true