.trivyignore
48 lines (41 loc) · 2.31 KB
# Trivy vulnerability ignore file
# Format: <advisory-id> [expiry-date] [comment]
# See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore

# CVE-2026-39883 — go.opentelemetry.io/otel/sdk v1.42.0
# Severity: HIGH | Fixed in v1.43.0 (upgraded in this branch)
# Transitive dependency: mark3labs/mcp-go → opentelemetry SDK
# This ignore entry exists only so the PR itself passes Trivy (which scans
# against the base branch). Once merged to main, v1.43.0 resolves the CVE
# and this entry can be removed.
CVE-2026-39883

# CVE-2026-32285 — github.com/buger/jsonparser v1.1.1
# Severity: HIGH/MEDIUM | No fixed version available (latest is v1.1.1, released 2021-01-08)
# Transitive dependency: mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser
# Not called directly by any GoSQLX code. Risk is scoped to MCP JSON schema generation.
# Re-evaluate when buger/jsonparser releases a patched version or when mcp-go updates its dependency.
CVE-2026-32285

# GHSA-6g7g-w4f8-9c9x — buger/jsonparser v1.1.1
# Severity: MEDIUM | No fixed version available (latest is v1.1.1, released 2021-01-08)
# Transitive dependency: mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser
# Not called directly by any GoSQLX code. Risk is scoped to MCP JSON schema generation.
# Re-evaluate when buger/jsonparser releases a patched version or when mcp-go updates its dependency.
GHSA-6g7g-w4f8-9c9x

# CVE-2026-34040, CVE-2026-33997 — github.com/docker/docker v28.5.2+incompatible
# Severity: HIGH | No fixed version available (latest is v28.5.2)
# Transitive dependency: testcontainers-go → docker/docker
# Only used in integration tests, not in production code. Docker daemon internals, not Go client.
CVE-2026-34040
CVE-2026-33997

# CVE-2026-33750 — brace-expansion (npm, website)
# Severity: HIGH | No fixed version available
# Transitive dependency in website/package-lock.json. Not in Go code.
CVE-2026-33750

# CVE-2026-33671, CVE-2026-33672 — picomatch (npm, website)
# Severity: HIGH | No fixed version available
# Transitive dependency in website npm deps. Not in Go code.
CVE-2026-33671
CVE-2026-33672

# CVE-2026-33532 — yaml (npm, website)
# Severity: HIGH | No fixed version available
# Transitive dependency in website npm deps. Not in Go code.
CVE-2026-33532
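Every entry above except the first carries a "re-evaluate when ..." note but no expiry date, so nothing in CI will ever force a second look. The audit script below is an added example, not part of the GoSQLX repository or of Trivy itself: it parses the `<advisory-id> [expiry-date] [comment]` layout from the file's own format comment, assumes Trivy's documented `exp:YYYY-MM-DD` token for the expiry field, and reports suppressions that are open-ended, already expired, or undocumented. The advisory IDs in its sample input are constructed placeholders.

```python
# Added example (not GoSQLX or Trivy code). Assumes Trivy's documented
# "exp:YYYY-MM-DD" token as the optional [expiry-date] field.
import re
from datetime import date

ID_RE = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA(-[0-9a-z]{4}){3})$", re.IGNORECASE)
EXP_RE = re.compile(r"^exp:(\d{4}-\d{2}-\d{2})$")

def parse_trivyignore(text):
    """Return [(advisory_id, expiry date or None, rationale)] per ignore line.
    Rationale is the comment block directly above; consecutive IDs share it."""
    entries, comment, after_entry = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # blank line closes the current block
            comment, after_entry = [], False
            continue
        if line.startswith("#"):
            if after_entry:          # a comment after an ID starts a new block
                comment, after_entry = [], False
            comment.append(line.lstrip("#").strip())
            continue
        fields = line.split()
        if not ID_RE.match(fields[0]):
            raise ValueError(f"unrecognised advisory id: {fields[0]!r}")
        expiry = next((date.fromisoformat(m.group(1))
                       for m in map(EXP_RE.match, fields[1:]) if m), None)
        entries.append((fields[0], expiry, " ".join(comment)))
        after_entry = True
    return entries

def audit(text, today_iso):
    """Classify suppressions as open-ended, already expired, or undocumented."""
    today = date.fromisoformat(today_iso)
    entries = parse_trivyignore(text)
    return {
        "no_expiry": [a for a, e, _ in entries if e is None],
        "expired": [a for a, e, _ in entries if e and e < today],
        "no_rationale": [a for a, _, c in entries if not c],
    }

# Constructed sample; the IDs are placeholders, not real advisories.
SAMPLE = """\
# CVE-0000-1111 - fixed upstream, ignore until the base branch catches up
CVE-0000-1111 exp:2026-01-31
# CVE-0000-2222, CVE-0000-3333 - test-only dependency, no fix available
CVE-0000-2222
CVE-0000-3333 exp:2027-06-30

GHSA-aaaa-bbbb-cccc
"""
```

Run it as `audit(open(".trivyignore").read(), date.today().isoformat())` in a CI step and fail the job when `expired` or `no_rationale` is non-empty.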