forked from kgateway-dev/kgateway
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy path.trivyignore
88 lines (75 loc) · 4.76 KB
/
.trivyignore
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# emicklei/go-restful - Authorization Bypass Through User-Controlled Key
# This should be fixed in v2's 2.16.0, although talks were undergoing about why this still shows up as an issue.
# https://github.com/emicklei/go-restful/pull/503
CVE-2022-1996
# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
# Also Helm module is used in testing, which has no impact on exploitation.
# Gloo-Edge data and control planes are not impacted at all by the helm module.
# Glooctl is not a long running program, and does not affect future uses of Glooctl.
# https://github.com/solo-io/gloo/issues/7598
# https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r
CVE-2022-23524
# https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q
CVE-2022-23525
# https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
CVE-2022-23526
# https://nvd.nist.gov/vuln/detail/CVE-2022-41721
# Ignore this vulnerability; it does not affect the gateway-proxy image.
# No handlers exposed by the control plane fall victim to this attack
# because we do not use the maxBytesHandler
CVE-2022-41721
# https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw
# This CVE has not yet been patched in the kubectl version we are using, however it should not
# affect us as kubernetes does not use the affected code path (see description in
# https://github.com/kubernetes/kubernetes/pull/118036).
CVE-2023-2253
# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
# It only leads to a panic if there is a misconfigured / malicious helm plugin installed
# and can be easily resolved by removing the misconfigured / malicious plugin
# The helm bump will require bumping the k8s dependencies by +2 minor versions that can cause issues.
# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
# https://github.com/solo-io/gloo/issues/9186
# https://github.com/solo-io/gloo/issues/9187
# https://github.com/solo-io/gloo/issues/9189
CVE-2024-26147
# Ignore a few istio.io/istio vulnerabilities. These CVEs are from very old versions of istio for which patches have already been merged - these come up as false positives from trivy because we pin the dependencies and trivy is unable to determine that the pinned versions already have the fix. This is due to istio's tags not following go's strict semver and therefore falling back to a go pseudo version.
CVE-2019-14993
CVE-2021-39155
CVE-2021-39156
CVE-2022-23635
# Ignore go stdlib vulnerability. Go bump to 1.22.7 in N-1 branches cover this, but older versions we aren't concerned
# about updating as it shouldn't affect us
CVE-2024-34156
# This CVE affects the imroc/req dependency which is used in go-utils
# go-utils exclusively uses this package to upload security scans to Github and as such the vulnerability does not
# impact Gateway functionality
# This dependency is removed in go-utils v0.27.0, so this entry can be removed once all LTS branches are on that version
# or later
CVE-2024-45258
# These CVEs affect the packc/pgx dependency which is used in ext-auth-service
# The dependency is exclusively used in the monetization feature which we don't believe any customer uses and which is
# set to be deprecated
# Nevertheless the CVEs have been addressed in the v1.15 LTS branch and later, however it is impractical to resolve in 1.14
# due to a number of other requisite dependency bumps
# Therefore we include this entry for now and should remove it once 1.14 is no longer an LTS branch
CVE-2024-27289
CVE-2024-27304
# https://github.com/advisories/GHSA-5fhx-39r8-3jwh
# This is resolved in versions of Gloo Gateway that rely on Go1.22 and above (1.17, 1.18)
# For earlier versions of Gloo Gateway, we confirmed that the vulnerability is not exploitable
# and captured our findings here: https://github.com/solo-io/solo-projects/issues/7157#issuecomment-2463252858
CVE-2022-30635
# https://github.com/advisories/GHSA-2mj3-vfvx-fc43
# https://github.com/advisories/GHSA-gh5c-3h97-2f3q
# These are not expected to impact us and are difficult to resolve due to breaking API changes that impact our code
# While this has been resolved on v1.17+, backporting it to lower versions is complicated and we opted to skip it
# We can remove these once moby/moby has been upgraded to v26+ on all LTS branches
# Ref: https://solo-io-corp.slack.com/archives/C03MFATU265/p1733926775760049?thread_ts=1733429266.473749&cid=C03MFATU265
CVE-2024-36621
CVE-2024-36623
# https://github.com/kubernetes/kubernetes/issues/129347
# We have updated our direct dependencies to use version of x/net that are not affected
# However, our kubectl image, which is based on the upstream one, still warns of this
# vulnerability. Per the linked issue above, there is agreement that Kubernetes is
# not affected, and thus we are skipping that vulnerability for Gloo as well
CVE-2024-45338