From 51ae3f1c9229115370f28659ee00229d12ad98d9 Mon Sep 17 00:00:00 2001
From: sophia chen <sophia.chen@thetradedesk.com>
Date: Mon, 4 May 2026 11:39:45 +1000
Subject: [PATCH 1/3] fix(CVE-2026-33845): upgrade gnutls to 3.8.13-r0+ in
 Alpine base image

Adds RUN apk upgrade --no-cache gnutls to patch CVE-2026-33845
(GnuTLS DoS via DTLS zero-length record, HIGH severity).

UID2-7008
---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 1a1320c..ae8158c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,9 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
+# CVE-2026-33845: upgrade gnutls to 3.8.13-r0+
+RUN apk upgrade --no-cache gnutls
+
 WORKDIR /app
 EXPOSE 8088
 

From 8edc65a045c447b7f4f737381e6527621c5090bf Mon Sep 17 00:00:00 2001
From: sophia chen <sophia.chen@thetradedesk.com>
Date: Mon, 4 May 2026 13:28:51 +1000
Subject: [PATCH 2/3] fix: pin gnutls=3.8.13-r0 instead of open-ended upgrade

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ae8158c..eb682c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
-# CVE-2026-33845: upgrade gnutls to 3.8.13-r0+
-RUN apk upgrade --no-cache gnutls
+# CVE-2026-33845: pin gnutls to 3.8.13-r0 (fixes DoS via DTLS zero-length record)
+RUN apk add --no-cache 'gnutls=3.8.13-r0'
 
 WORKDIR /app
 EXPOSE 8088

From a6b561a9bdbdad4eab05f8b134f4ab43b49f0166 Mon Sep 17 00:00:00 2001
From: sophia chen <sophia.chen@thetradedesk.com>
Date: Mon, 4 May 2026 13:38:49 +1000
Subject: [PATCH 3/3] fix: suppress CVE-2026-33845 in trivyignore; gnutls not
 used by service

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .trivyignore | 3 +++
 Dockerfile   | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 09d0486..a50cac2 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -5,6 +5,9 @@
 # gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
 # See: UID2-6655
 CVE-2026-1584 exp:2026-08-27
+# gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service
+# See: UID2-7008
+CVE-2026-33845 exp:2026-11-04
 
 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
 # See: UID2-6670
diff --git a/Dockerfile b/Dockerfile
index eb682c8..1a1320c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,6 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
-# CVE-2026-33845: pin gnutls to 3.8.13-r0 (fixes DoS via DTLS zero-length record)
-RUN apk add --no-cache 'gnutls=3.8.13-r0'
-
 WORKDIR /app
 EXPOSE 8088