fix: remove zlib vulnerability suppression and update review dates for Nebula ECDSA signature malleability

.grype.yaml

@@ -4,61 +4,6 @@
 # Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
 
 ignore:
-  # CVE-2026-22184: zlib Global Buffer Overflow in untgz utility
-  # Severity: CRITICAL
-  # Package: zlib 1.3.1-r2 (Alpine Linux base image)
-  # Status: No upstream fix available as of 2026-01-16
-  #
-  # Vulnerability Details:
-  # - Global buffer overflow in TGZfname() function
-  # - Unbounded strcpy() allows attacker-controlled archive names
-  # - Can lead to memory corruption, DoS, potential RCE
-  #
-  # Risk Assessment: ACCEPTED (Low exploitability in Charon context)
-  # - Charon does not use untgz utility directly
-  # - No untrusted tar archive processing in application code
-  # - Attack surface limited to OS-level utilities
-  # - Multiple layers of containerization and isolation
-  #
-  # Mitigation:
-  # - Monitor Alpine Linux security feed daily for zlib patches
-  # - Container runs with minimal privileges (no-new-privileges)
-  # - Read-only filesystem where possible
-  # - Network isolation via Docker networks
-  #
-  # Review:
-  # - Daily checks for Alpine security updates
-  # - Automatic re-scan via CI/CD on every commit
-  # - Manual review scheduled for 2026-01-23 (7 days)
-  #
-  # Removal Criteria:
-  # - Alpine releases zlib 1.3.1-r3 or higher with CVE fix
-  # - OR upstream zlib project releases patched version
-  # - Remove this suppression immediately after fix available
-  #
-  # References:
-  # - CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-22184
-  # - Alpine Security: https://security.alpinelinux.org/
-  # - GitHub Issue: https://github.com/Wikid82/Charon/issues/TBD
-  - vulnerability: CVE-2026-22184
-    package:
-      name: zlib
-      version: "1.3.1-r2"
-      type: apk  # Alpine package
-    reason: |
-      CRITICAL buffer overflow in untgz utility. No fix available from Alpine
-      as of 2026-01-16. Risk accepted: Charon does not directly use untgz or
-      process untrusted tar archives. Attack surface limited to base OS utilities.
-      Monitoring Alpine security feed for upstream patch.
-    expiry: "2026-03-14"  # Re-evaluate in 7 days
-
-    # Action items when this suppression expires:
-    # 1. Check Alpine security feed: https://security.alpinelinux.org/
-    # 2. Check zlib releases: https://github.com/madler/zlib/releases
-    # 3. If fix available: Update Dockerfile, rebuild, remove suppression
-    # 4. If no fix: Extend expiry by 7 days, document justification
-    # 5. If extended 3+ times: Escalate to security team for review
-
   # GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
   # Severity: HIGH (CVSS 8.1)
   # Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy)
@@ -98,7 +43,8 @@ ignore:
   # Review:
   # - Reviewed 2026-02-19: smallstep/certificates latest stable remains v0.27.5;
   #   no release requiring nebula v1.10+ has shipped. Suppression extended 14 days.
-  # - Next review: 2026-03-05. Remove suppression immediately once upstream fixes.
+  # - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
+  # - Next review: 2026-04-12. Remove suppression immediately once upstream fixes.
   #
   # Removal Criteria:
   # - smallstep/certificates releases a stable version requiring nebula v1.10+
@@ -118,11 +64,11 @@ ignore:
       type: go-module
     reason: |
       HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
-      Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-02-19)
+      Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-03-13)
       still requires nebula v1.9.x (verified across v0.27.5–v0.30.0-rc2). Charon does
       not use Nebula VPN PKI by default. Risk accepted pending upstream smallstep fix.
-      Reviewed 2026-02-19: no new smallstep release changes this assessment.
-    expiry: "2026-03-05"  # Re-evaluate in 14 days (2026-02-19 + 14 days)
+      Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
+    expiry: "2026-04-12"  # Re-evaluated 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
 
     # Action items when this suppression expires:
     # 1. Check smallstep/certificates releases: https://github.com/smallstep/certificates/releases