chore(trivy): suppress Netty CVE-2026-42580/42581/42585 pending image… #1379
viw-test1 wants to merge 1 commit into
Conversation
| - id: CVE-2026-42587 | ||
| statement: "Netty HttpContentDecompressor maxAllocation bypass with br/zstd/snappy Content-Encoding leads to decompression bomb. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42587" | ||
| expired_at: 2026-05-22 | ||
| - id: CVE-2026-42580 |
Nit: The existing suppressions (CVE-2026-41417, -42583, -42584, -42587) all have expired_at: 2026-05-22 (today). If the image rebuild with netty-bom 4.1.133.Final has not yet landed (which this PR implies, since these new CVEs share the same fix), those older entries will start failing the daily scan today.
Consider extending their expired_at to 2026-06-04 as well in this PR to keep the scan green until the rebuild is complete.
| statement: "Netty HttpContentDecompressor maxAllocation bypass with br/zstd/snappy Content-Encoding leads to decompression bomb. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42587" | ||
| expired_at: 2026-05-22 | ||
| - id: CVE-2026-42580 | ||
| statement: "Netty netty-codec-http vulnerability - pending image rebuild with netty-bom 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42580" |
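Review bot: the new `- id: CVE-2026-42580` entry shows a `statement` but no `expired_at` in this hunk, while every entry above it carries one (`expired_at: 2026-05-22`); a trivyignore entry without an expiry never resurfaces in the daily scan, so confirm that all three new entries carry a dated `expired_at` (the thread suggests 2026-06-04) rather than an open-ended suppression.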
Minor: The existing entries provide specific vulnerability descriptions (e.g. CRLF injection/request smuggling, resource exhaustion, decompression bomb), which helps future reviewers assess risk without following external links. These new entries only say "Netty netty-codec-http vulnerability".
Could you add a brief description of each CVE's actual impact? This makes the suppression more self-documenting and easier to audit.
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##               main    #1379       +/-   ##
=============================================
- Coverage     85.71%   69.39%   -16.33%
- Complexity       19      704     +685
=============================================
  Files             3       63      +60
  Lines            49     3437    +3388
  Branches          5      487     +482
=============================================
+ Hits             42     2385    +2343
- Misses            3      861     +858
- Partials          4      191     +187
… rebuild
Issue #, if available:
Description of changes:
Suppress 3 newly-published Netty CVEs in daily-scan.trivyignore.yaml to unblock the daily scan workflow:
CVE-2026-42580
CVE-2026-42581
CVE-2026-42585
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
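The two review points above (suppressions whose expired_at has already arrived, and entries whose statement does not say what the CVE does or which version clears it) are exactly the things a small pre-merge lint over daily-scan.trivyignore.yaml can catch before the daily scan goes red. The script below is an added example, not code from this PR or this repository. It assumes the flat Trivy ignore-file shape shown in the hunks (a `vulnerabilities:` list of `id` / `statement` / `expired_at` entries) and parses only that subset with a hand-rolled reader so it runs without PyYAML; the SAMPLE text is constructed for the demo and the 40-character and 7-day thresholds are arbitrary choices.

```python
"""Lint a Trivy .trivyignore.yaml: every suppression needs a reason and an expiry.

Assumed file shape (the subset shown in the PR hunks):
  vulnerabilities:
    - id: CVE-...
      statement: "..."
      expired_at: YYYY-MM-DD
"""
from __future__ import annotations

import datetime as dt
import re

# Constructed sample in the assumed shape; not the project's real file.
SAMPLE = """\
vulnerabilities:
  - id: CVE-2026-42587
    statement: "Netty HttpContentDecompressor maxAllocation bypass leads to decompression bomb. Fix: bump netty-bom to 4.1.133.Final."
    expired_at: 2026-05-22
  - id: CVE-2026-42580
    statement: "Netty netty-codec-http vulnerability - pending image rebuild with netty-bom 4.1.133.Final."
    expired_at: 2026-06-04
  - id: CVE-2026-42581
    statement: "Netty netty-codec-http vulnerability"
"""

ENTRY_RE = re.compile(r"^\s*-\s+id:\s*(\S+)\s*$")
FIELD_RE = re.compile(r"^\s+(\w+):\s*(.*?)\s*$")
# A statement is considered specific enough if it names a version or a remediation verb.
FIX_RE = re.compile(r"\d+\.\d+\.\d+|\bfix|\bbump|\bupgrade|\brebuild", re.I)


def parse_trivyignore(text: str) -> list[dict[str, str]]:
    """Parse the flat 'vulnerabilities:' subset: one dict per '- id:' entry."""
    entries: list[dict[str, str]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": m.group(1)})
            continue
        m = FIELD_RE.match(line)
        if m and entries:  # indented key under the current entry
            key, value = m.groups()
            entries[-1][key] = value.strip('"').strip("'")
    return entries


def lint(text: str, today_iso: str, warn_days: int = 7) -> list[tuple[str, str, str]]:
    """Return (cve_id, level, message) findings; level is 'error' or 'warn'."""
    today = dt.date.fromisoformat(today_iso)
    findings: list[tuple[str, str, str]] = []
    for e in parse_trivyignore(text):
        cid = e["id"]
        stmt = e.get("statement", "")
        if len(stmt) < 40 or not FIX_RE.search(stmt):
            findings.append((cid, "warn", "statement should say what the CVE does and which fix/version clears it"))
        raw = e.get("expired_at")
        if raw is None:
            findings.append((cid, "error", "no expired_at: suppression never resurfaces"))
            continue
        try:
            exp = dt.date.fromisoformat(raw)
        except ValueError:
            findings.append((cid, "error", f"expired_at {raw!r} is not YYYY-MM-DD"))
            continue
        # Trivy honours the ignore only before expired_at; on or after that date the
        # finding is reported again, which is what makes the daily scan fail.
        if exp <= today:
            findings.append((cid, "error", f"expired {exp}: the scan will fail today"))
        elif (exp - today).days <= warn_days:
            findings.append((cid, "warn", f"expires in {(exp - today).days} days ({exp})"))
    return findings


if __name__ == "__main__":
    for cid, level, msg in lint(SAMPLE, dt.date.today().isoformat()):
        print(f"{level.upper():5} {cid}: {msg}")
```

Run it in CI with the real file and today's date; a non-empty list of `error` findings should fail the job, so an expiry that lands on the day of the merge (the first review comment above) is caught in the PR rather than by the next daily scan.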