fix: update Trivy action version and extend vulnerability review dates in configuration files

.github/workflows/security-pr.yml

@@ -364,7 +364,7 @@ jobs:
 
       - name: Run Trivy filesystem scan (SARIF output)
         if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
-        # aquasecurity/trivy-action v0.33.1
+        # aquasecurity/trivy-action 0.35.0
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           scan-type: 'fs'
@@ -396,7 +396,7 @@ jobs:
 
       - name: Run Trivy filesystem scan (fail on CRITICAL/HIGH)
         if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
-        # aquasecurity/trivy-action v0.33.1
+        # aquasecurity/trivy-action 0.35.0
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           scan-type: 'fs'

.grype.yaml

@@ -32,7 +32,8 @@ ignore:
   #
   # Review:
   # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review.
-  # - Next review: 2026-04-18. Remove suppression immediately once upstream fixes.
+  # - Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. No upstream fix available.
+  # - Next review: 2026-05-18. Remove suppression immediately once upstream fixes.
   #
   # Removal Criteria:
   # - Alpine publishes a patched version of libcrypto3 and libssl3
@@ -52,7 +53,7 @@ ignore:
       No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon
       terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
       Risk accepted pending Alpine upstream patch.
-    expiry: "2026-04-18"  # Initial 30-day review period. Extend in 14–30 day increments with documented justification.
+    expiry: "2026-05-18"  # Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. Next review 2026-05-18.
 
     # Action items when this suppression expires:
     # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
@@ -74,7 +75,7 @@ ignore:
       No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon
       terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
       Risk accepted pending Alpine upstream patch.
-    expiry: "2026-04-18"  # Initial 30-day review period. See libcrypto3 entry above for action items.
+    expiry: "2026-05-18"  # Extended 2026-04-04: see libcrypto3 entry above for action items.
 
   # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
   # Severity: HIGH (CVSS 7.5)
@@ -105,7 +106,8 @@ ignore:
   #
   # Review:
   # - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review.
-  # - Next review: 2026-04-19. Remove suppression once buger/jsonparser ships a fix and
+  # - Extended 2026-04-04: no upstream fix available. buger/jsonparser issue #275 still open.
+  # - Next review: 2026-05-19. Remove suppression once buger/jsonparser ships a fix and
   #   CrowdSec updates their dependency.
   #
   # Removal Criteria:
@@ -130,7 +132,7 @@ ignore:
       Charon does not use this package directly; the vector requires reaching CrowdSec's internal
       JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix.
       Reviewed 2026-03-19: no patched release available.
-    expiry: "2026-04-19"  # 30-day review: no fix exists. Extend in 30-day increments with documented justification.
+    expiry: "2026-05-19"  # Extended 2026-04-04: no upstream fix. Next review 2026-05-19.
 
     # Action items when this suppression expires:
     # 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases
@@ -174,7 +176,8 @@ ignore:
   # Review:
   # - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
   #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review.
-  # - Next review: 2026-04-19. Remove suppression once CrowdSec ships with pgx/v5.
+  # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
+  # - Next review: 2026-05-19. Remove suppression once CrowdSec ships with pgx/v5.
   #
   # Removal Criteria:
   # - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2
@@ -197,7 +200,7 @@ ignore:
       Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
       Risk accepted; no remediation until CrowdSec ships with pgx/v5.
       Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
-    expiry: "2026-04-19"  # 30-day review: no fix path until CrowdSec migrates to pgx/v5.
+    expiry: "2026-05-19"  # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
 
     # Action items when this suppression expires:
     # 1. Check CrowdSec releases for pgx/v5 migration:
@@ -245,7 +248,8 @@ ignore:
   # - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
   #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23
   #   was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking.
-  # - Next review: 2026-04-21. Remove suppression once CrowdSec ships with pgx/v5.
+  # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
+  # - Next review: 2026-05-21. Remove suppression once CrowdSec ships with pgx/v5.
   #
   # Removal Criteria:
   # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
@@ -271,7 +275,7 @@ ignore:
       Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
       Risk accepted; no remediation until CrowdSec ships with pgx/v5.
       Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
-    expiry: "2026-04-21"  # 30-day review: no fix path until CrowdSec migrates to pgx/v5.
+    expiry: "2026-05-21"  # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
 
     # Action items when this suppression expires:
     # 1. Check CrowdSec releases for pgx/v5 migration:

.trivyignore

@@ -19,8 +19,8 @@ CVE-2026-22184
 # Severity: MEDIUM (CVSS 5.5 NVD / 2.9 MITRE) — Package: zlib 1.3.1-r2 in Alpine base image
 # Fix requires zlib >= 1.3.2. No upstream fix available: Alpine 3.23 still ships zlib 1.3.1-r2.
 # Attack requires local access (AV:L); the vulnerable code path is not reachable via Charon's
-# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-04-21
-# exp: 2026-04-21
+# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-05-21
+# exp: 2026-05-21
 CVE-2026-27171
 
 # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3)
@@ -28,45 +28,47 @@ CVE-2026-27171
 # No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
 # When DEFAULT is in TLS 1.3 group config, server may select a weaker key exchange group.
 # Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
-# Review by: 2026-04-18
+# Review by: 2026-05-18
 # See also: .grype.yaml for full justification
-# exp: 2026-04-18
+# exp: 2026-05-18
 CVE-2026-2673
 
 # CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash
 # Severity: CRITICAL (CVSS 9.1) — Package: google.golang.org/grpc, embedded in CrowdSec (v1.74.2) and Caddy (v1.79.1)
 # Fix exists at v1.79.3 — Charon's own dep is patched. Waiting on CrowdSec and Caddy upstream releases.
 # CrowdSec's and Caddy's grpc servers are not exposed externally in a standard Charon deployment.
-# Review by: 2026-04-02
+# Suppressed for CrowdSec/Caddy embedded binaries only — Charon's direct deps are fixed (v1.79.3).
+# Review by: 2026-05-04
 # See also: .grype.yaml for full justification
-# exp: 2026-04-02
+# exp: 2026-05-04
 CVE-2026-33186
 
 # GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture)
 # Severity: HIGH (CVSS 7.5) — Package: github.com/russellhaering/goxmldsig v1.5.0, embedded in /usr/bin/caddy
 # Fix exists at v1.6.0 — waiting on Caddy upstream (or caddy-security plugin) to release with patched goxmldsig.
 # Charon does not configure SAML-based SSO by default; the vulnerable path is not reachable in a standard deployment.
-# Review by: 2026-04-02
+# Awaiting Caddy upstream update to include goxmldsig v1.6.0.
+# Review by: 2026-05-04
 # See also: .grype.yaml for full justification
-# exp: 2026-04-02
+# exp: 2026-05-04
 GHSA-479m-364c-43vc
 
 # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
 # Severity: HIGH (CVSS 7.5) — Package: github.com/buger/jsonparser v1.1.1, embedded in CrowdSec binaries
 # No upstream fix available as of 2026-03-19 (issue #275 open, golang/vulndb #4514 open).
 # Charon does not use this package; the vector requires reaching CrowdSec's internal processing pipeline.
-# Review by: 2026-04-19
+# Review by: 2026-05-19
 # See also: .grype.yaml for full justification
-# exp: 2026-04-19
+# exp: 2026-05-19
 GHSA-6g7g-w4f8-9c9x
 
 # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
 # Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries
 # pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5.
 # Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
-# Review by: 2026-04-19
+# Review by: 2026-05-19
 # See also: .grype.yaml for full justification
-# exp: 2026-04-19
+# exp: 2026-05-19
 GHSA-jqcq-xjh3-6g23
 
 # GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
@@ -74,9 +76,9 @@ GHSA-jqcq-xjh3-6g23
 # NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
 # pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5.
 # Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
-# Review by: 2026-04-21
+# Review by: 2026-05-21
 # See also: .grype.yaml for full justification
-# exp: 2026-04-21
+# exp: 2026-05-21
 GHSA-x6gf-mpr2-68h6
 
 # CVE-2026-34040 / GHSA-x744-4wpc-v9h2: Docker AuthZ plugin bypass via oversized request body

SECURITY.md

@@ -27,7 +27,7 @@ public disclosure.
 
 ## Known Vulnerabilities
 
-Last reviewed: 2026-03-24
+Last reviewed: 2026-04-04
 
 ### [HIGH] CVE-2026-2673 · OpenSSL TLS 1.3 Key Exchange Group Downgrade
 
@@ -73,6 +73,48 @@ available, update the pinned `ALPINE_IMAGE` digest in the Dockerfile, or add an
 
 ---
 
+### [HIGH] CVE-2026-34040 · Docker AuthZ Plugin Bypass via Oversized Request Body
+
+| Field        | Value |
+|--------------|-------|
+| **ID**       | CVE-2026-34040 (GHSA-x744-4wpc-v9h2) |
+| **Severity** | High · 8.8 |
+| **Status**   | Awaiting Upstream |
+
+**What**
+Docker Engine AuthZ plugins can be bypassed when an API request body exceeds a
+certain size threshold. Charon uses the Docker client SDK only; this is a
+server-side vulnerability in the Docker daemon's authorization plugin handler.
+
+**Who**
+
+- Discovered by: Automated scan (govulncheck, Grype)
+- Reported: 2026-04-04
+- Affects: Docker Engine daemon operators; Charon application is not directly vulnerable
+
+**Where**
+
+- Component: `github.com/docker/docker` v28.5.2+incompatible (Docker client SDK)
+- Versions affected: Docker Engine < 29.3.1
+
+**When**
+
+- Discovered: 2026-04-04
+- Disclosed (if public): Public
+- Target fix: When moby/moby/v2 stabilizes or docker/docker import path is updated
+
+**How**
+The vulnerability requires an attacker to send oversized API request bodies to the
+Docker daemon. Charon uses the Docker client SDK for container management operations
+only and does not expose the Docker socket externally. The attack vector is limited
+to the Docker daemon host, not the Charon application.
+
+**Planned Remediation**
+Monitor moby/moby/v2 module stabilization. The `docker/docker` import path has no
+fix available. When a compatible module path exists, migrate the Docker SDK import.
+
+---
+
 ### [MEDIUM] CVE-2025-60876 · BusyBox wget HTTP Request Smuggling
 
 | Field        | Value |
@@ -113,13 +155,57 @@ Charon users is negligible since the vulnerable code path is not exercised.
 
 ---
 
-### [LOW] CVE-2026-26958 · edwards25519 MultiScalarMult Invalid Results
+### [MEDIUM] CVE-2026-33997 · Docker Off-by-One Plugin Privilege Validation
+
+| Field        | Value |
+|--------------|-------|
+| **ID**       | CVE-2026-33997 (GHSA-pxq6-2prw-chj9) |
+| **Severity** | Medium · 6.8 |
+| **Status**   | Awaiting Upstream |
+
+**What**
+An off-by-one error in Docker Engine's plugin privilege validation could allow
+a malicious plugin to escalate privileges. Charon uses the Docker client SDK
+for container management and does not install or manage Docker plugins.
+
+**Who**
+
+- Discovered by: Automated scan (govulncheck, Grype)
+- Reported: 2026-04-04
+- Affects: Docker Engine plugin operators; Charon application is not directly vulnerable
+
+**Where**
+
+- Component: `github.com/docker/docker` v28.5.2+incompatible (Docker client SDK)
+- Versions affected: Docker Engine < 29.3.1
+
+**When**
+
+- Discovered: 2026-04-04
+- Disclosed (if public): Public
+- Target fix: When moby/moby/v2 stabilizes or docker/docker import path is updated
+
+**How**
+The vulnerability is in Docker Engine's plugin privilege validation at the
+daemon level. Charon does not use Docker plugins — it only manages containers
+via the Docker client SDK. The attack requires a malicious Docker plugin to be
+installed on the host, which is outside Charon's operational scope.
+
+**Planned Remediation**
+Same as CVE-2026-34040: monitor moby/moby/v2 module stabilization. No fix
+available for the current `docker/docker` import path.
+
+---
+
+## Patched Vulnerabilities
+
+### ✅ [LOW] CVE-2026-26958 · edwards25519 MultiScalarMult Invalid Results
 
 | Field        | Value |
 |--------------|-------|
 | **ID**       | CVE-2026-26958 (GHSA-fw7p-63qq-7hpr) |
 | **Severity** | Low · 1.7 |
-| **Status**   | Awaiting Upstream |
+| **Patched**  | 2026-04-04 |
 
 **What**
 `filippo.io/edwards25519` v1.1.0 `MultiScalarMult` produces invalid results or undefined
@@ -130,8 +216,6 @@ CrowdSec to rebuild.
 
 - Discovered by: Automated scan (Grype)
 - Reported: 2026-03-24
-- Affects: CrowdSec Agent component within the container; not directly exposed through Charon's
-  primary application interface
 
 **Where**
 
@@ -141,21 +225,19 @@ CrowdSec to rebuild.
 **When**
 
 - Discovered: 2026-03-24
-- Disclosed (if public): Public
-- Target fix: When CrowdSec releases a build with updated dependency
+- Patched: 2026-04-04
+- Time to patch: 11 days
 
 **How**
 This is a rarely used advanced API within the edwards25519 library. CrowdSec does not directly
 expose MultiScalarMult to external input. EPSS score is 0.00018 (0.04 percentile).
 
-**Planned Remediation**
-Awaiting CrowdSec upstream release with updated dependency. No action available for Charon
-maintainers.
+**Resolution**
+Dependency no longer present in Charon's dependency tree. CrowdSec binaries no longer bundle
+affected version.
 
 ---
 
-## Patched Vulnerabilities
-
 ### ✅ [CRITICAL] CVE-2025-68121 · Go Stdlib Critical in CrowdSec Bundled Binaries
 
 | Field        | Value |

docs/reports/qa_security_audit_2026-04-04.md

@@ -0,0 +1,355 @@
+# QA Security Vulnerability Audit Report
+
+**Date:** 2026-04-04
+**Previous Review:** 2026-03-24
+**Reviewed by:** QA Security Engineer
+**Scope:** Full security scan — filesystem, dependencies, Docker image, npm, Go vulncheck
+
+---
+
+## 1. Executive Summary
+
+| Severity | Docker Image | Filesystem (Grype) | npm | govulncheck | Total Unique |
+|----------|-------------|-------------------|-----|-------------|--------------|
+| Critical | 0 | 3 | 0 | 0 | 3 |
+| High | 3 | 15+ | 0 | 2 | ~12 unique |
+| Medium | 2 | 12+ | 2 | 0 | ~8 unique |
+| Low | 0 | 3 | 0 | 0 | ~2 unique |
+
+**Key Findings:**
+- **Docker Image (production):** 5 unique vulnerabilities remaining (all previously known and suppressed). No new image-level CVEs.
+- **Filesystem (development tooling/stale caches):** Bulk of findings are from CrowdSec/Caddy embedded binaries, `.cache/` module cache (gopls tooling), GitHub Actions, and Python virtualenv tooling — **not from Charon application code**.
+- **Charon Backend (direct deps):** All direct Go deps are at or above fix thresholds. `golang.org/x/crypto` at v0.49.0, `golang.org/x/net` at v0.52.0, `google.golang.org/grpc` at v1.79.3, `quic-go` at v0.59.0, `otel/sdk` at v1.42.0.
+- **npm:** 2 moderate findings in `smol-toml` (dev dependency via `markdownlint-cli2`).
+- **govulncheck:** 2 vulnerabilities from `github.com/docker/docker v28.5.2+incompatible` (no fix available for this import path).
+- **No new CRITICAL vulnerabilities** affecting Charon production code since last review.
+
+---
+
+## 2. New Vulnerabilities (Not in SECURITY.md)
+
+### 2.1 [HIGH] GO-2026-4887 — Docker AuthZ Plugin Bypass (Oversized Request Body)
+
+| Field | Value |
+|-------|-------|
+| **ID** | GO-2026-4887 / CVE-2026-34040 / GHSA-x744-4wpc-v9h2 |
+| **Package** | `github.com/docker/docker` v28.5.2+incompatible |
+| **Fixed In** | moby/moby v29.3.1 (no fix for `docker/docker` import path) |
+| **Severity** | High (CVSS 8.8) |
+| **Status** | NEW — **already suppressed** in `.trivyignore` and `.grype.yaml` (added 2026-03-30), but **not yet documented in SECURITY.md** |
+| **EPSS** | < 0.1% (1st percentile) |
+| **Source** | govulncheck (symbol-level match), Grype (Docker image) |
+| **Action** | **WATCH** — Add to SECURITY.md Known Vulnerabilities. No fix available for import path. |
+
+**govulncheck confirmed** this is reachable via `services.DockerService.ListContainers` and `handlers.CrowdsecHandler.DiagnosticsConnectivity`. However, the vulnerability is server-side in the Docker daemon's AuthZ plugin handler — Charon only uses the Docker client SDK.
+
+### 2.2 [MEDIUM] GO-2026-4883 — Moby Off-by-One Plugin Privilege Validation
+
+| Field | Value |
+|-------|-------|
+| **ID** | GO-2026-4883 / CVE-2026-33997 / GHSA-pxq6-2prw-chj9 |
+| **Package** | `github.com/docker/docker` v28.5.2+incompatible |
+| **Fixed In** | moby/moby v29.3.1 (no fix for `docker/docker` import path) |
+| **Severity** | Medium (CVSS 6.8) |
+| **Status** | NEW — **already suppressed** in `.trivyignore` and `.grype.yaml` (added 2026-03-30), but **not yet documented in SECURITY.md** |
+| **Source** | govulncheck (symbol-level match), Grype (Docker image) |
+| **Action** | **WATCH** — Add to SECURITY.md Known Vulnerabilities. |
+
+### 2.3 [MODERATE] GHSA-v3rj-xjv7-4jmq — smol-toml DoS via Commented Lines
+
+| Field | Value |
+|-------|-------|
+| **ID** | GHSA-v3rj-xjv7-4jmq |
+| **Package** | `smol-toml` < 1.6.1 (npm, via `markdownlint-cli2`) |
+| **Fixed In** | smol-toml >= 1.6.1 |
+| **Severity** | Moderate |
+| **Status** | NEW |
+| **Source** | npm audit |
+| **Action** | **FIX NOW** — Run `npm audit fix --force` (will install markdownlint-cli2@0.21.0, breaking change). Or pin smol-toml override. |
+
+**Note:** This is a **dev-only dependency** (markdownlint-cli2 for linting docs). Not present in production Docker image. Low real-world risk.
+
+### 2.4 [HIGH] GHSA-wvj2-96wp-fq3f / GHSA-89xv-2j6f-qhc8 / GHSA-q382-vc8q-7jhj / GHSA-xw59-hvm2-8pj6 — MCP Go SDK Vulnerabilities
+
+| Field | Value |
+|-------|-------|
+| **IDs** | GHSA-wvj2-96wp-fq3f, GHSA-89xv-2j6f-qhc8, GHSA-q382-vc8q-7jhj, GHSA-xw59-hvm2-8pj6 |
+| **Package** | `github.com/modelcontextprotocol/go-sdk` v0.8.0 |
+| **Fixed In** | v1.3.1 / v1.4.0 / v1.4.1 |
+| **Severity** | High |
+| **Status** | NOT APPLICABLE — **false positive** |
+| **Source** | Grype filesystem scan (found in `.cache/go/pkg/mod/` — gopls tooling, not Charon code) |
+| **Action** | **IGNORE** — Not a Charon dependency. Present only in Go module cache from `gopls` IDE tooling. |
+
+### 2.5 [HIGH] GHSA-g754-hx8w-x2g6 / GHSA-47m2-4cr7-mhcw — quic-go Vulnerabilities
+
+| Field | Value |
+|-------|-------|
+| **ID** | GHSA-g754-hx8w-x2g6 (fixed 0.57.0), GHSA-47m2-4cr7-mhcw (fixed 0.54.1) |
+| **Package** | `github.com/quic-go/quic-go` v0.54.0, v0.55.0 |
+| **Current Version** | **v0.59.0** (backend go.mod) |
+| **Status** | NOT APPLICABLE — **false positive** |
+| **Source** | Grype filesystem scan (old versions in go.sum/cache, not in actual dependency tree) |
+| **Action** | **IGNORE** — Backend uses v0.59.0, which is above all fix thresholds. |
+
+### 2.6 [HIGH] GHSA-9h8m-3fm2-qjrq — OpenTelemetry SDK
+
+| Field | Value |
+|-------|-------|
+| **ID** | GHSA-9h8m-3fm2-qjrq |
+| **Package** | `go.opentelemetry.io/otel/sdk` v1.38.0 |
+| **Current Version** | **v1.42.0** (backend go.mod) |
+| **Fixed In** | v1.40.0 |
+| **Status** | NOT APPLICABLE — **false positive** |
+| **Source** | Grype filesystem scan (old version in go.sum/cache) |
+| **Action** | **IGNORE** — Backend uses v1.42.0, above the fix threshold. |
+
+### 2.7 [CRITICAL] GHSA-p77j-4mvh-x3m3 — gRPC-Go Authorization Bypass
+
+| Field | Value |
+|-------|-------|
+| **ID** | GHSA-p77j-4mvh-x3m3 / CVE-2026-33186 |
+| **Package** | `google.golang.org/grpc` v1.67.0 |
+| **Current Version** | **v1.79.3** (backend go.mod) |
+| **Fixed In** | v1.79.3 |
+| **Status** | NOT APPLICABLE — **already fixed** in Charon's direct deps |
+| **Source** | Grype filesystem scan (old version from CrowdSec/Caddy embedded binaries) |
+| **Action** | **IGNORE** for Charon direct deps. Already suppressed in `.trivyignore` for CrowdSec/Caddy binaries. |
+
+### 2.8 Various Go Stdlib CVEs (CrowdSec/Caddy Embedded Binaries)
+
+| CVE | Severity | Fixed In | Source |
+|-----|----------|----------|--------|
+| CVE-2025-61726 | High | go1.25.6 | CrowdSec binaries (go1.25.4/5) |
+| CVE-2026-25679 | High | go1.25.8/1.26.1 | CrowdSec binaries (go1.25.4/5/6/7) |
+| CVE-2025-68121 | Critical | go1.25.7 | CrowdSec binaries (go1.25.4/5/6) — **already patched in SECURITY.md** |
+| CVE-2025-61729 | High | go1.25.5 | CrowdSec binaries (go1.25.4) |
+| CVE-2025-68119 | High | go1.25.6 | CrowdSec binaries (go1.25.4/5) |
+| CVE-2025-61731 | High | go1.25.6 | CrowdSec binaries (go1.25.4/5) |
+| CVE-2025-61732 | High | go1.25.7 | CrowdSec binaries (go1.25.4/5/6) |
+| CVE-2026-27142 | Medium | go1.25.8/1.26.1 | CrowdSec binaries (go1.25.4/5/6/7) |
+| CVE-2025-61728 | Medium | go1.25.6 | CrowdSec binaries (go1.25.4/5) |
+| CVE-2025-61730 | Medium | go1.25.6 | CrowdSec binaries (go1.25.4/5) |
+| CVE-2025-61727 | Medium | go1.25.5 | CrowdSec binaries (go1.25.4) |
+| CVE-2026-27139 | Low | go1.25.8/1.26.1 | CrowdSec binaries (go1.25.4/5/6/7) |
+
+**Status:** These are all from CrowdSec/Caddy embedded binaries compiled with older Go versions — **not from Charon's own code** (compiled with Go 1.26.1). These are stale `go.sum` entries or binary artifacts scanned by Grype.
+
+**Action:** **WATCH** — Awaiting CrowdSec upstream rebuild with newer Go. Charon's own binaries are compiled with Go 1.26.1 and are unaffected.
+
+### 2.9 GitHub Actions Vulnerabilities
+
+| ID | Package | Severity | Fixed In | Action |
+|----|---------|----------|----------|--------|
+| GHSA-69fq-xp46-6x23 | `aquasecurity/trivy-action` 0.33.1 | Critical | 0.35.0 | **FIX NOW** |
+| GHSA-9p44-j4g5-cfx5 | `aquasecurity/trivy-action` 0.33.1 | Medium | 0.34.0 | **FIX NOW** |
+| GHSA-qmg3-hpqr-gqvc | `reviewdog/action-setup` v1 | High | — | **WATCH** |
+| GHSA-cxww-7g56-2vh6 | `actions/download-artifact` v4 | High | 4.1.3 | **FIX NOW** |
+
+**Action:** Update GitHub Actions workflow files to use latest versions.
+
+### 2.10 Python Tooling Vulnerabilities (Development Only)
+
+| ID | Package | Severity | Fixed In | Action |
+|----|---------|----------|----------|--------|
+| GHSA-58pv-8j8x-9vj2 | `jaraco-context` 5.3.0 | High | 6.1.0 | WATCH (dev tooling) |
+| GHSA-4xh5-x5gv-qwph | `pip` 24.0 | Medium | 25.3 | WATCH (dev tooling) |
+| GHSA-6vgw-5pg2-w6jp | `pip` 24.0/25.3 | Low | 26.0 | WATCH (dev tooling) |
+| GHSA-8rrh-rw8j-w5fx | `wheel` 0.45.1 | High | 0.46.2 | WATCH (dev tooling) |
+| GHSA-qmgc-5h2g-mvrw | `filelock` 3.20.0 | Medium | 3.20.3 | WATCH (dev tooling) |
+| GHSA-w853-jp5j-5j7f | `filelock` 3.20.0 | Medium | 3.20.1 | WATCH (dev tooling) |
+| GHSA-597g-3phw-6986 | `virtualenv` 20.35.4 | Medium | 20.36.1 | WATCH (dev tooling) |
+
+**Note:** These are all from Python virtualenv/pip tooling in the development environment cache, **not from Charon production code**.
+
+---
+
+## 3. Resolved Vulnerabilities
+
+### 3.1 CVE-2025-68121 — Go Stdlib Critical in CrowdSec Binaries
+
+**Status:** RESOLVED (patched 2026-03-24, already in SECURITY.md Patched section)
+
+Grype still detects older CrowdSec binary versions (go1.25.4/5/6) in the filesystem scan cache, but the **Docker image** no longer shows this CVE. The production image has CrowdSec rebuilt with Go 1.26.1.
+
+### 3.2 CVE-2026-26958 — edwards25519 MultiScalarMult
+
+**Status:** RESOLVED — `filippo.io/edwards25519` is **no longer present** in Charon's backend dependency tree (`go.mod`/`go.sum`). The original finding was from CrowdSec binaries.
+
+**Recommendation:** Move CVE-2026-26958 from Known to Patched in SECURITY.md.
+
+### 3.3 GHSA-p77j-4mvh-x3m3 / CVE-2026-33186 — gRPC-Go Authorization Bypass
+
+**Status:** RESOLVED for Charon direct deps — `google.golang.org/grpc` in backend is now at v1.79.3 (the fix version). The `.trivyignore` entry for this CVE (expiry 2026-04-02) was tracking CrowdSec/Caddy embedded binaries. **The suppression expiry has passed** — needs review.
+
+---
+
+## 4. Existing Vulnerabilities Status Update
+
+### 4.1 CVE-2026-2673 — OpenSSL TLS 1.3 Key Exchange Group Downgrade
+
+| Field | Current Status |
+|-------|---------------|
+| **Severity** | HIGH (7.5) |
+| **Package** | `libcrypto3` 3.5.5-r0, `libssl3` 3.5.5-r0 |
+| **Alpine Version** | 3.23.3 (latest) |
+| **Fix Available** | No — Alpine 3.23.3 still ships 3.5.5-r0 |
+| **Suppression Expiry** | 2026-04-18 |
+| **SECURITY.md Status** | Awaiting Upstream |
+| **Change since last review** | None. Still awaiting Alpine upstream fix. |
+| **Action** | **WATCH** — Extend suppression expiry to 2026-05-04 at next review. |
+
+### 4.2 CVE-2025-60876 — BusyBox wget HTTP Request Smuggling
+
+| Field | Current Status |
+|-------|---------------|
+| **Severity** | Medium (6.5) |
+| **Package** | `busybox` 1.37.0-r30 |
+| **Fix Available** | No — Alpine 3.23.3 still ships 1.37.0-r30 |
+| **SECURITY.md Status** | Awaiting Upstream |
+| **Change since last review** | None. Still present in Docker image scan. |
+| **Action** | **WATCH** — No urgency. Charon does not use busybox wget. |
+
+### 4.3 CVE-2026-26958 — edwards25519 MultiScalarMult
+
+| Field | Current Status |
+|-------|---------------|
+| **Severity** | Low (1.7) |
+| **Package** | `filippo.io/edwards25519` v1.1.0 |
+| **Fix Available** | v1.1.1 |
+| **SECURITY.md Status** | Awaiting Upstream |
+| **Change since last review** | **RESOLVED** — No longer in Charon's dependency tree. Not detected in Docker image scan. |
+| **Action** | **Move to Patched section in SECURITY.md.** |
+
+---
+
+## 5. Ignore/Watch File Recommendations
+
+### 5.1 Expired Suppressions (Require Immediate Action)
+
+| ID | File | Expiry | Action |
+|----|------|--------|--------|
+| CVE-2026-33186 | `.trivyignore` | 2026-04-02 | **REVIEW** — Fixed in Charon direct deps (grpc v1.79.3). Check if CrowdSec binaries still need suppression. |
+| GHSA-479m-364c-43vc | `.trivyignore` | 2026-04-02 | **REVIEW** — Check if Caddy has updated goxmldsig. |
+
+### 5.2 Suppressions Expiring Soon (Review Required)
+
+| ID | File | Expiry | Action |
+|----|------|--------|--------|
+| CVE-2026-2673 | `.trivyignore`, `.grype.yaml` | 2026-04-18 | Extend to 2026-05-18 (no upstream fix) |
+| GHSA-6g7g-w4f8-9c9x | `.trivyignore`, `.grype.yaml` | 2026-04-19 | Extend to 2026-05-19 (no upstream fix) |
+| GHSA-jqcq-xjh3-6g23 | `.trivyignore`, `.grype.yaml` | 2026-04-19 | Extend to 2026-05-19 (no upstream fix) |
+| CVE-2026-27171 | `.trivyignore` | 2026-04-21 | Extend to 2026-05-21 (no upstream fix) |
+| GHSA-x6gf-mpr2-68h6 | `.trivyignore`, `.grype.yaml` | 2026-04-21 | Extend to 2026-05-21 (no upstream fix) |
+
+### 5.3 New Suppressions to Add
+
+| ID | Recommendation | Justification |
+|----|----------------|---------------|
+| CVE-2026-34040 / GHSA-x744-4wpc-v9h2 | Already in `.trivyignore`/`.grype.yaml` | Docker client-only usage; server-side vuln |
+| CVE-2026-33997 / GHSA-pxq6-2prw-chj9 | Already in `.trivyignore`/`.grype.yaml` | Docker client-only usage; server-side vuln |
+| MCP Go SDK findings | No suppression needed | False positive (dev tooling in `.cache/`) |
+| GitHub Actions findings | No suppression needed | Fix by updating workflow files |
+
+### 5.4 codecov.yml
+
+No changes recommended. Current configuration is appropriate.
+
+---
+
+## 6. Dependency Update Recommendations
+
+### 6.1 Immediate (FIX NOW)
+
+| Package | Current | Target | CVE/GHSA | Impact |
+|---------|---------|--------|----------|--------|
+| `aquasecurity/trivy-action` | 0.33.1 | 0.35.0+ | GHSA-69fq-xp46-6x23 (Critical) | GitHub Actions workflow |
+| `actions/download-artifact` | v4 | v4.1.3+ | GHSA-cxww-7g56-2vh6 (High) | GitHub Actions workflow |
+| `smol-toml` (via markdownlint-cli2) | < 1.6.1 | >= 1.6.1 | GHSA-v3rj-xjv7-4jmq (Moderate) | Dev dependency only |
+
+### 6.2 Recommended (When Feasible)
+
+| Package | Current | Target | Reason |
+|---------|---------|--------|--------|
+| `reviewdog/action-setup` | v1 | Latest pinned SHA | GHSA-qmg3-hpqr-gqvc (High) |
+| `github.com/docker/docker` | v28.5.2+incompatible | moby/moby/v2 (when stable) | GO-2026-4887, GO-2026-4883 |
+
+### 6.3 Awaiting Upstream
+
+| Package | Blocked By | Tracking |
+|---------|-----------|----------|
+| `libcrypto3`/`libssl3` 3.5.5-r0 | Alpine 3.23 patch | CVE-2026-2673 |
+| `busybox` 1.37.0-r30 | Alpine 3.23 patch | CVE-2025-60876 |
+| `buger/jsonparser` v1.1.1 | Upstream fix + CrowdSec rebuild | GHSA-6g7g-w4f8-9c9x |
+| `jackc/pgproto3/v2` v2.3.3 | CrowdSec migration to pgx/v5 | GHSA-jqcq-xjh3-6g23 |
+
+---
+
+## 7. Alpine Base Image Status
+
+| Field | Value |
+|-------|-------|
+| **Current** | Alpine 3.23.3 (sha256:25109184c71bdad...) |
+| **Latest Available** | Alpine 3.23.3 |
+| **Status** | **Up to date** — `alpine:latest` resolves to 3.23.3 |
+| **Known Unpatched CVEs in Alpine 3.23.3** | CVE-2026-2673 (OpenSSL), CVE-2025-60876 (busybox), CVE-2026-27171 (zlib) |
+| **Recommendation** | No Alpine upgrade available. Monitor for 3.23.4 or 3.24.0. |
+
+---
+
+## 8. Scanner Summary
+
+### Trivy Filesystem Scan
+- **Result:** 0 vulnerabilities found in source code and dependencies
+- **Note:** Trivy only scanned language-specific files. Go modules resolved correctly with no findings.
+
+### Grype Filesystem Scan
+- **Result:** ~75 findings (many duplicates across versions)
+- **Unique Vulnerabilities:** ~25
+- **False Positives:** ~15 (stale go.sum entries, `.cache/` module cache, development tooling)
+- **Actionable for Charon Production:** ~5 (all previously known and suppressed)
+- **Actionable for CI/CD:** 3 (GitHub Actions version updates)
+
+### Grype Docker Image Scan
+- **Result:** 5 unique vulnerabilities
+- **All previously known** and documented in `.trivyignore`/`.grype.yaml`
+- **No new production vulnerabilities**
+
+### npm audit
+- **Result:** 2 moderate vulnerabilities in dev dependency (`smol-toml` via `markdownlint-cli2`)
+- **Action:** Low priority — dev tooling only
+
+### govulncheck
+- **Result:** 2 vulnerabilities, both in `github.com/docker/docker` v28.5.2+incompatible
+- **Symbol traces confirmed:** Code paths exist but vulnerability is server-side (Docker daemon), not client-side
+- **Action:** Already suppressed; awaiting upstream fix
+
+---
+
+## 9. SECURITY.md Update Checklist
+
+- [ ] **Move CVE-2026-26958 (edwards25519) from Known to Patched** — no longer in dependency tree
+- [ ] **Add CVE-2026-34040 / GHSA-x744-4wpc-v9h2 (Docker AuthZ bypass) to Known** — already suppressed but not documented in SECURITY.md
+- [ ] **Add CVE-2026-33997 / GHSA-pxq6-2prw-chj9 (Docker plugin privilege) to Known** — already suppressed but not documented in SECURITY.md
+- [ ] **Review expired suppression CVE-2026-33186** — expiry was 2026-04-02; grpc v1.79.3 fixes it for Charon direct deps. Check if CrowdSec/Caddy still need it.
+- [ ] **Review expired suppression GHSA-479m-364c-43vc** — expiry was 2026-04-02
+- [ ] **Update "Last reviewed" date** to 2026-04-04
+- [ ] **Extend suppression expiry dates** for CVEs still awaiting upstream (see Section 5.2)
+
+---
+
+## 10. Recommended Priority Actions
+
+### P0 — Immediate
+1. Update GitHub Actions: `aquasecurity/trivy-action` to 0.35.0+, `actions/download-artifact` to v4.1.3+
+2. Review and extend/remove expired suppressions (CVE-2026-33186, GHSA-479m-364c-43vc)
+
+### P1 — This Sprint
+3. Update SECURITY.md: move CVE-2026-26958 to Patched, add Docker CVEs to Known
+4. Fix `smol-toml` npm dev dependency vulnerability
+5. Extend suppression expiry dates for upcoming expirations (Section 5.2)
+
+### P2 — Monitor
+6. Track Alpine 3.23.4/3.24.0 for OpenSSL, busybox, zlib patches
+7. Track CrowdSec releases for dependency updates (jsonparser, pgproto3/v2, grpc)
+8. Track `moby/moby/v2` stabilization for Docker SDK migration

package-lock.json

@@ -3520,9 +3520,9 @@
       }
     },
     "node_modules/smol-toml": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.0.tgz",
-      "integrity": "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==",
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.1.tgz",
+      "integrity": "sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {

package.json

@@ -14,6 +14,9 @@
     "tldts": "^7.0.27",
     "type-check": "^0.4.0"
   },
+  "overrides": {
+    "smol-toml": ">=1.6.1"
+  },
   "devDependencies": {
     "@types/eslint-plugin-jsx-a11y": "^6.10.1",
     "@bgotink/playwright-coverage": "^0.3.2",