From a90a6a2453ad815e54621f0352c676091b1b90b0 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Tue, 5 May 2026 13:55:37 +1000
Subject: [PATCH 1/3] suppress CVE-2026-33846: gnutls DTLS heap overflow DoS in Alpine base image

gnutls is not used by our Java service (JVM uses JSSE). The DTLS attack vector is not applicable to our TCP/HTTPS services. Expiry: 2026-11-05.
---
 .trivyignore | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.trivyignore b/.trivyignore
index a50cac2..7d57c9a 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -8,6 +8,8 @@ CVE-2026-1584 exp:2026-08-27
 # gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service
 # See: UID2-7008
 CVE-2026-33845 exp:2026-11-04
+# gnutls DoS vulnerability via heap buffer overflow in DTLS handshake - not impactful as gnutls is not used by our Java service
+CVE-2026-33846 exp:2026-11-05
 
 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
 # See: UID2-6670
From 9b7454e7fc10106016660006445b4a0c82696845 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Tue, 5 May 2026 14:06:02 +1000
Subject: [PATCH 2/3] add UID2-7012 reference to CVE-2026-33846 trivyignore entry
---
 .trivyignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.trivyignore b/.trivyignore
index 7d57c9a..fb1f157 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -9,6 +9,7 @@ CVE-2026-1584 exp:2026-08-27
 # See: UID2-7008
 CVE-2026-33845 exp:2026-11-04
 # gnutls DoS vulnerability via heap buffer overflow in DTLS handshake - not impactful as gnutls is not used by our Java service
+# See: UID2-7012
 CVE-2026-33846 exp:2026-11-05
 
 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
From 39ccef88294d0ba2817e1fb3811fd30205615c0a Mon Sep 17 00:00:00 2001
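Review bot: The added comment on the `+#` line in the first patch records the conclusion (gnutls is not used by our Java service) but not the basis the commit message gives for it, so whoever revisits the entry when it expires on 2026-11-05 has to re-derive the risk acceptance from scratch; carry the reasoning into the file, e.g. `# gnutls DoS vulnerability via heap buffer overflow in DTLS handshake - not impactful: the JVM uses JSSE and the service exposes only TCP/HTTPS, so no DTLS endpoint is reachable`. It would also help to note which Alpine package pulls gnutls into the image, because if nothing in the container depends on it, dropping the package at build time closes the finding outright instead of suppressing it for six months; the diff does not show whether that is possible, so this is a question rather than a defect. The same wording gap applies to the existing CVE-2026-33845 entry directly above, which this series leaves as is.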
From: sophia chen
Date: Tue, 5 May 2026 14:19:08 +1000
Subject: [PATCH 3/3] remove expired .trivyignore entries (CVE-2026-32776, CVE-2026-32767)
---
 .trivyignore | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/.trivyignore b/.trivyignore
index fb1f157..9a0eb5d 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -15,13 +15,3 @@ CVE-2026-33846 exp:2026-11-05
 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
 # See: UID2-6670
 GHSA-72hv-8253-57qq exp:2026-09-01
-
-# libexpat NULL pointer dereference in Alpine base image - not exploitable, our Java services do not use libexpat
-# Fixed in libexpat 2.7.5, not yet available in eclipse-temurin Alpine 3.23 base image
-# See: UID2-6806
-CVE-2026-32776 exp:2026-04-25
-
-# Trivy reports CVE-2026-32776 with transposed digits (32767 instead of 32776) - this is a known Trivy bug
-# See: https://github.com/aquasecurity/trivy/discussions/10412 and UID2-6806
-# This entry can be removed once Trivy fixes the typo
-CVE-2026-32767 exp:2026-04-25