fix: update Trivy action version and extend vulnerability review dates in configuration files
22
.grype.yaml
@@ -32,7 +32,8 @@ ignore:
|
||||
#
|
||||
# Review:
|
||||
# - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review.
|
||||
# - Next review: 2026-04-18. Remove suppression immediately once upstream fixes.
|
||||
# - Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. No upstream fix available.
|
||||
# - Next review: 2026-05-18. Remove suppression immediately once upstream fixes.
|
||||
#
|
||||
# Removal Criteria:
|
||||
# - Alpine publishes a patched version of libcrypto3 and libssl3
|
||||
@@ -52,7 +53,7 @@ ignore:
|
||||
No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon
|
||||
terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
|
||||
Risk accepted pending Alpine upstream patch.
|
||||
expiry: "2026-04-18" # Initial 30-day review period. Extend in 14–30 day increments with documented justification.
|
||||
expiry: "2026-05-18" # Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. Next review 2026-05-18.
|
||||
|
||||
# Action items when this suppression expires:
|
||||
# 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
|
||||
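Review bot: The justification text kept as context in this hunk still reads "Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18", while the new expiry comment records a re-check on 2026-04-04. Update the as-of date in the justification, or append the 2026-04-04 confirmation, so the justification and the expiry agree on when the package version was last checked. The libssl3 entry in the next hunk carries the same 2026-03-18 date.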
@@ -74,7 +75,7 @@ ignore:
|
||||
No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon
|
||||
terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
|
||||
Risk accepted pending Alpine upstream patch.
|
||||
expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items.
|
||||
expiry: "2026-05-18" # Extended 2026-04-04: see libcrypto3 entry above for action items.
|
||||
|
||||
# GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
|
||||
# Severity: HIGH (CVSS 7.5)
|
||||
@@ -105,7 +106,8 @@ ignore:
|
||||
#
|
||||
# Review:
|
||||
# - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review.
|
||||
# - Next review: 2026-04-19. Remove suppression once buger/jsonparser ships a fix and
|
||||
# - Extended 2026-04-04: no upstream fix available. buger/jsonparser issue #275 still open.
|
||||
# - Next review: 2026-05-19. Remove suppression once buger/jsonparser ships a fix and
|
||||
# CrowdSec updates their dependency.
|
||||
#
|
||||
# Removal Criteria:
|
||||
@@ -130,7 +132,7 @@ ignore:
|
||||
Charon does not use this package directly; the vector requires reaching CrowdSec's internal
|
||||
JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix.
|
||||
Reviewed 2026-03-19: no patched release available.
|
||||
expiry: "2026-04-19" # 30-day review: no fix exists. Extend in 30-day increments with documented justification.
|
||||
expiry: "2026-05-19" # Extended 2026-04-04: no upstream fix. Next review 2026-05-19.
|
||||
|
||||
# Action items when this suppression expires:
|
||||
# 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases
|
||||
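Review bot: The replaced expiry comment carried the extension rule ("Extend in 30-day increments with documented justification") and the new comment on the 2026-05-19 line drops it. 2026-05-19 is 30 days past the old expiry but 45 days past the 2026-04-04 extension date, so state which date the increment is measured from, and either keep the rule in this comment or move it to one place in the file that every entry can point to.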
@@ -174,7 +176,8 @@ ignore:
|
||||
# Review:
|
||||
# - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
|
||||
# Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review.
|
||||
# - Next review: 2026-04-19. Remove suppression once CrowdSec ships with pgx/v5.
|
||||
# - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
|
||||
# - Next review: 2026-05-19. Remove suppression once CrowdSec ships with pgx/v5.
|
||||
#
|
||||
# Removal Criteria:
|
||||
# - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2
|
||||
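Review bot: The added "Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet" line does not say which CrowdSec release was checked, unlike the libcrypto3 entry, which names 3.5.5-r0. Record the CrowdSec version that was inspected so the next reviewer can tell whether a newer release has shipped since this extension.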
@@ -197,7 +200,7 @@ ignore:
|
||||
Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
|
||||
Risk accepted; no remediation until CrowdSec ships with pgx/v5.
|
||||
Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
|
||||
expiry: "2026-04-19" # 30-day review: no fix path until CrowdSec migrates to pgx/v5.
|
||||
expiry: "2026-05-19" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
|
||||
|
||||
# Action items when this suppression expires:
|
||||
# 1. Check CrowdSec releases for pgx/v5 migration:
|
||||
@@ -245,7 +248,8 @@ ignore:
|
||||
# - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
|
||||
# Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23
|
||||
# was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking.
|
||||
# - Next review: 2026-04-21. Remove suppression once CrowdSec ships with pgx/v5.
|
||||
# - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
|
||||
# - Next review: 2026-05-21. Remove suppression once CrowdSec ships with pgx/v5.
|
||||
#
|
||||
# Removal Criteria:
|
||||
# - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
|
||||
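Review bot: The new review date in this hunk is 2026-05-21, while the other pgproto3/v2 suppression in this patch moves to 2026-05-19, and the removal criteria here are stated as the same as GHSA-jqcq-xjh3-6g23. Consider aligning the two dates so both entries come up in a single review and are removed together once CrowdSec ships with pgx/v5.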
@@ -271,7 +275,7 @@ ignore:
|
||||
Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
|
||||
Risk accepted; no remediation until CrowdSec ships with pgx/v5.
|
||||
Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
|
||||
expiry: "2026-04-21" # 30-day review: no fix path until CrowdSec migrates to pgx/v5.
|
||||
expiry: "2026-05-21" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
|
||||
|
||||
# Action items when this suppression expires:
|
||||
# 1. Check CrowdSec releases for pgx/v5 migration:
|
||||
|
||||