.trivyignore
# List any vulnerabilities that are to be accepted
# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/
# for more details
# UID2-6385
CVE-2025-66293 exp:2026-06-15
# UID2-6481
CVE-2025-68973 exp:2026-06-15
# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
# See: UID2-6655
CVE-2026-1584 exp:2026-08-27
# jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
# See: UID2-6670
GHSA-72hv-8253-57qq exp:2026-09-01
# libpng heap buffer overflow in Alpine base image - fixed version not yet available in Alpine 3.23
# See: UID2-6677
CVE-2026-25646 exp:2026-09-02
# zlib contrib/untgz demo utility buffer overflow - not exploitable, Alpine does not ship the untgz binary
# and the core libz library used by the JRE is unaffected. The zlib maintainer disputes this CVE.
# See: UID2-6704
CVE-2026-22184 exp:2026-09-09
# libexpat NULL pointer dereference in Alpine base image - not exploitable, our Java services do not use libexpat
# Fixed in libexpat 2.7.5, not yet available in eclipse-temurin Alpine 3.23 base image
# See: UID2-6806
CVE-2026-32776 exp:2026-04-25
# Trivy reports CVE-2026-32776 with transposed digits (32767 instead of 32776) - this is a known Trivy bug
# See: https://github.com/aquasecurity/trivy/discussions/10412 and UID2-6806
# This entry can be removed once Trivy fixes the typo
CVE-2026-32767 exp:2026-04-25
# libpng use-after-free and OOB read/write in Alpine base image - not used by our Java services
# See: UID2-6837
CVE-2026-33416 exp:2026-05-01
CVE-2026-33636 exp:2026-05-01
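Once an `exp:` date passes, Trivy simply starts reporting that finding again; nothing in the file itself tells you which acceptances have already lapsed, are about to, or were granted with no end date at all. The script below is an added example, not part of this repository or of Trivy: it parses the `.trivyignore` layout used above (justification comment with its ticket, then `<ID> exp:YYYY-MM-DD`) and audits each acceptance against a given date. The sample input is constructed from entries above plus one made-up open-ended entry.

```python
import re
from datetime import date

# Constructed sample in the layout of the .trivyignore above; the last entry is
# made up to show an acceptance with no expiry, which Trivy's format permits.
SAMPLE_TRIVYIGNORE = """\
# gnutls DoS via crafted ClientHello - gnutls is not used by our Java service
# See: UID2-6655
CVE-2026-1584 exp:2026-08-27
# jackson-core async parser DoS - services only use the synchronous API
GHSA-72hv-8253-57qq exp:2026-09-01
# libexpat NULL pointer dereference in Alpine base image
CVE-2026-32776 exp:2026-04-25
# constructed placeholder: an acceptance that never expires (should be flagged)
CVE-2025-00000
"""

ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?$")

def parse_trivyignore(text):
    """Return [(id, expiry date or None, justification)] for each entry line."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())  # comments above an entry explain it
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised .trivyignore line: {raw!r}")
        exp = date.fromisoformat(m["exp"]) if m["exp"] else None
        entries.append((m["id"], exp, " ".join(pending)))
        pending = []
    return entries

def audit(text, today, warn_days=30):
    """Map each accepted ID to expired / expiring / open-ended / ok."""
    report = {}
    for vid, exp, _ in parse_trivyignore(text):
        if exp is None:
            report[vid] = "open-ended"
        elif exp < today:
            report[vid] = "expired"
        else:
            report[vid] = "expiring" if (exp - today).days <= warn_days else "ok"
    return report
```

Run `audit(open(".trivyignore").read(), date.today())` in CI to fail the build on "expired" or "open-ended" acceptances before Trivy itself starts failing it.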