fix: suppress pgproto3/v2 CVE-2026-4427 alias in vulnerability ignore files

.grype.yaml

@@ -442,6 +442,80 @@ ignore:
     # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
     # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
 
+  # GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
+  # Severity: HIGH (CVSS 7.5)
+  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
+  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
+  # Note: This is the NVD/Red Hat advisory alias for the same underlying vulnerability as GHSA-jqcq-xjh3-6g23
+  #
+  # Vulnerability Details:
+  # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
+  #   can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
+  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5)
+  #
+  # Root Cause (EOL Module + Third-Party Binary):
+  # - Same underlying vulnerability as GHSA-jqcq-xjh3-6g23; tracked separately by NVD/Red Hat as CVE-2026-4427.
+  # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
+  #   is compiled into CrowdSec binaries for their internal database communication.
+  # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
+  #   is migration to pgx/v5, which embeds an updated pgproto3/v3.
+  # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
+  #   the Docker image and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
+  # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
+  #   internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
+  #   external traffic in a standard Charon deployment.
+  # - The attack requires a compromised database server, which would imply full host compromise.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor CrowdSec releases for pgx/v5 migration:
+  #   https://github.com/crowdsecurity/crowdsec/releases
+  # - Weekly CI security rebuild flags the moment a fixed image ships.
+  #
+  # Review:
+  # - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
+  #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23
+  #   was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking.
+  # - Next review: 2026-04-21. Remove suppression once CrowdSec ships with pgx/v5.
+  #
+  # Removal Criteria:
+  # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
+  # - Rebuild Docker image, run security-scan-docker-image, confirm both advisories are resolved
+  # - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries simultaneously
+  #
+  # References:
+  # - GHSA-x6gf-mpr2-68h6: https://github.com/advisories/GHSA-x6gf-mpr2-68h6
+  # - CVE-2026-4427: https://nvd.nist.gov/vuln/detail/CVE-2026-4427
+  # - Red Hat: https://access.redhat.com/security/cve/CVE-2026-4427
+  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
+  # - pgx/v5 (replacement): https://github.com/jackc/pgx
+  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
+  - vulnerability: GHSA-x6gf-mpr2-68h6
+    package:
+      name: github.com/jackc/pgproto3/v2
+      version: "v2.3.3"
+      type: go-module
+    reason: |
+      HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
+      NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
+      pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
+      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
+      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
+      Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
+    expiry: "2026-04-21"  # 30-day review: no fix path until CrowdSec migrates to pgx/v5.
+
+    # Action items when this suppression expires:
+    # 1. Check CrowdSec releases for pgx/v5 migration:
+    #    https://github.com/crowdsecurity/crowdsec/releases
+    # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
+    #    Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
+    # 3. If CrowdSec has migrated:
+    #    a. Rebuild Docker image and run local security-scan-docker-image
+    #    b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries
+    # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
+
 # Match exclusions (patterns to ignore during scanning)
 # Use sparingly - prefer specific CVE suppressions above
 match:

.trivyignore

@@ -60,3 +60,13 @@ GHSA-6g7g-w4f8-9c9x
 # See also: .grype.yaml for full justification
 # exp: 2026-04-19
 GHSA-jqcq-xjh3-6g23
+
+# GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
+# Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries
+# NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
+# pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5.
+# Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
+# Review by: 2026-04-21
+# See also: .grype.yaml for full justification
+# exp: 2026-04-21
+GHSA-x6gf-mpr2-68h6