642 lines
36 KiB
YAML
642 lines
36 KiB
YAML
# Grype vulnerability suppression configuration
|
||
# Automatically loaded by Grype for vulnerability scanning
|
||
# Review and update when upstream fixes are available
|
||
# Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
|
||
|
||
ignore:
|
||
# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
|
||
# Severity: HIGH (CVSS 7.5)
|
||
# Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
|
||
# Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18
|
||
#
|
||
# Vulnerability Details:
|
||
# - When DEFAULT is in the TLS 1.3 group configuration, the OpenSSL server may select
|
||
# a weaker key exchange group than preferred, enabling a limited key exchange downgrade.
|
||
# - Only affects systems acting as a raw TLS 1.3 server using OpenSSL's server-side group negotiation.
|
||
#
|
||
# Root Cause (No Fix Available):
|
||
# - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23.
|
||
# - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
|
||
# - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image
|
||
# and remove this suppression.
|
||
#
|
||
# Risk Assessment: ACCEPTED (No upstream fix; limited exposure in Charon context)
|
||
# - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
|
||
# - The vulnerability requires the affected application to directly configure TLS 1.3 server
|
||
# group negotiation via OpenSSL, which Charon does not do.
|
||
# - Container-level isolation reduces the attack surface further.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-2673
|
||
# - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review.
|
||
# - Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. No upstream fix available.
|
||
# - Next review: 2026-05-18. Remove suppression immediately once upstream fixes.
|
||
#
|
||
# Removal Criteria:
|
||
# - Alpine publishes a patched version of libcrypto3 and libssl3
|
||
# - Rebuild Docker image and verify CVE-2026-2673 no longer appears in grype-results.json
|
||
# - Remove both these entries and the corresponding .trivyignore entry simultaneously
|
||
#
|
||
# References:
|
||
# - CVE-2026-2673: https://nvd.nist.gov/vuln/detail/CVE-2026-2673
|
||
# - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
|
||
- vulnerability: CVE-2026-2673
|
||
package:
|
||
name: libcrypto3
|
||
version: "3.5.5-r0"
|
||
type: apk
|
||
reason: |
|
||
HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libcrypto3 3.5.5-r0 (Alpine base image).
|
||
No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon
|
||
terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
|
||
Risk accepted pending Alpine upstream patch.
|
||
expiry: "2026-05-18" # Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. Next review 2026-05-18.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
|
||
# 2. If a patched Alpine package is now available:
|
||
# a. Rebuild Docker image without suppression
|
||
# b. Run local security-scan-docker-image and confirm CVE is resolved
|
||
# c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry
|
||
# 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above
|
||
# 4. If extended 3+ times: Open an issue to track the upstream status formally
|
||
|
||
# CVE-2026-2673 (libssl3) — see full justification in the libcrypto3 entry above
|
||
- vulnerability: CVE-2026-2673
|
||
package:
|
||
name: libssl3
|
||
version: "3.5.5-r0"
|
||
type: apk
|
||
reason: |
|
||
HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libssl3 3.5.5-r0 (Alpine base image).
|
||
No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon
|
||
terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
|
||
Risk accepted pending Alpine upstream patch.
|
||
expiry: "2026-05-18" # Extended 2026-04-04: see libcrypto3 entry above for action items.
|
||
|
||
# CVE-2026-31790: OpenSSL vulnerability in Alpine base image packages
|
||
# Severity: HIGH
|
||
# Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
|
||
# Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-04-09
|
||
#
|
||
# Root Cause (No Fix Available):
|
||
# - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23.
|
||
# - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-04-09.
|
||
# - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image
|
||
# and remove this suppression.
|
||
#
|
||
# Risk Assessment: ACCEPTED (No upstream fix; documented in SECURITY.md)
|
||
# - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS server.
|
||
# - Container-level isolation reduces the attack surface further.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-31790
|
||
# - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-04-09 (initial suppression): no upstream fix available. Set 30-day review.
|
||
# - Next review: 2026-05-09. Remove suppression immediately once upstream fixes.
|
||
#
|
||
# Removal Criteria:
|
||
# - Alpine publishes a patched version of libcrypto3 and libssl3
|
||
# - Rebuild Docker image and verify CVE-2026-31790 no longer appears in grype-results.json
|
||
# - Remove both these entries and the corresponding .trivyignore entry simultaneously
|
||
#
|
||
# References:
|
||
# - CVE-2026-31790: https://nvd.nist.gov/vuln/detail/CVE-2026-31790
|
||
# - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-31790
|
||
- vulnerability: CVE-2026-31790
|
||
package:
|
||
name: libcrypto3
|
||
version: "3.5.5-r0"
|
||
type: apk
|
||
reason: |
|
||
HIGH — OpenSSL vulnerability in libcrypto3 3.5.5-r0 (Alpine base image).
|
||
No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-04-09. Charon
|
||
terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS server.
|
||
Risk accepted pending Alpine upstream patch. Documented in SECURITY.md.
|
||
expiry: "2026-05-09" # Reviewed 2026-04-09: no upstream fix available. Next review 2026-05-09.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-31790
|
||
# 2. If a patched Alpine package is now available:
|
||
# a. Rebuild Docker image without suppression
|
||
# b. Run local security-scan-docker-image and confirm CVE is resolved
|
||
# c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry
|
||
# 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above
|
||
# 4. If extended 3+ times: Open an issue to track the upstream status formally
|
||
|
||
# CVE-2026-31790 (libssl3) — see full justification in the libcrypto3 entry above
|
||
- vulnerability: CVE-2026-31790
|
||
package:
|
||
name: libssl3
|
||
version: "3.5.5-r0"
|
||
type: apk
|
||
reason: |
|
||
HIGH — OpenSSL vulnerability in libssl3 3.5.5-r0 (Alpine base image).
|
||
No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-04-09. Charon
|
||
terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS server.
|
||
Risk accepted pending Alpine upstream patch. Documented in SECURITY.md.
|
||
expiry: "2026-05-09" # Reviewed 2026-04-09: see libcrypto3 entry above for action items.
|
||
|
||
# GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
|
||
# Severity: HIGH (CVSS 8.1)
|
||
# Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy via smallstep/certificates)
|
||
# Status: Fix exists in nebula v1.10.3 — smallstep/certificates cannot compile against v1.10+ APIs
|
||
#
|
||
# Vulnerability Details:
|
||
# - ECDSA signature malleability in nebula allows potential authentication bypass via
|
||
# crafted certificate signatures (CWE-347).
|
||
# - CVSSv3: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (CVSS 8.1)
|
||
#
|
||
# Root Cause (Third-Party Binary + Upstream API Incompatibility):
|
||
# - Charon does not use nebula directly. The library is compiled into the Caddy binary
|
||
# via the caddy-security plugin → smallstep/certificates dependency chain.
|
||
# - Nebula v1.10.3 patches the vulnerability but removes legacy APIs that
|
||
# smallstep/certificates (through v0.30.2) depends on, causing compile failures.
|
||
# - Fix path: once smallstep/certificates releases a version compatible with nebula >= v1.10.3,
|
||
# update the Dockerfile and remove this suppression.
|
||
#
|
||
# Risk Assessment: ACCEPTED (No direct use + upstream API incompatibility blocks fix)
|
||
# - Charon does not use Nebula VPN PKI by default. The vulnerable code path is only
|
||
# reachable if Nebula-based certificate provisioning is explicitly configured.
|
||
# - The attack requires network access and a crafted certificate, which is not part of
|
||
# standard Charon deployment.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor smallstep/certificates releases: https://github.com/smallstep/certificates/releases
|
||
# - Monitor nebula releases: https://github.com/slackhq/nebula/releases
|
||
# - Weekly CI security rebuild flags the moment a compatible upstream ships.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-02-19 (initial suppression in .trivyignore): certificates v0.27.5 pins nebula v1.9.x.
|
||
# - Re-evaluated 2026-04-10: nebula v1.10.3 has the fix but certificates (through v0.30.2)
|
||
# uses legacy APIs removed in v1.10+. Still blocked. Set 30-day review.
|
||
# - Next review: 2026-05-10. Remove suppression once certificates ships with nebula >= v1.10.3.
|
||
#
|
||
# Removal Criteria:
|
||
# - smallstep/certificates releases a version compatible with nebula >= v1.10.3
|
||
# - Update Dockerfile nebula pin, rebuild, run security-scan-docker-image, confirm resolved
|
||
# - Remove this entry and the corresponding .trivyignore entry simultaneously
|
||
#
|
||
# References:
|
||
# - GHSA-69x3-g4r3-p962: https://github.com/advisories/GHSA-69x3-g4r3-p962
|
||
# - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793
|
||
# - Nebula releases: https://github.com/slackhq/nebula/releases
|
||
# - smallstep/certificates releases: https://github.com/smallstep/certificates/releases
|
||
- vulnerability: CVE-2026-25793
|
||
package:
|
||
name: github.com/slackhq/nebula
|
||
version: "v1.9.7"
|
||
type: go-module
|
||
reason: |
|
||
HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
|
||
Fix exists in nebula v1.10.3 but smallstep/certificates (through v0.30.2) uses legacy APIs
|
||
removed in v1.10+, causing compile failures. Charon does not use Nebula VPN PKI by default.
|
||
Risk accepted; no remediation until smallstep/certificates ships with nebula >= v1.10.3.
|
||
Re-evaluated 2026-04-10: still blocked by upstream API incompatibility.
|
||
expiry: "2026-05-10" # Re-evaluated 2026-04-10: certificates through v0.30.2 incompatible with nebula v1.10+.
|
||
|
||
# GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
|
||
# Severity: HIGH (CVSS 7.5)
|
||
# Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
|
||
# Status: UPSTREAM FIX EXISTS (v1.1.2 released 2026-03-20) — awaiting CrowdSec to update dependency
|
||
# NOTE: As of 2026-04-20, grype v0.111.0 with fresh DB no longer flags this finding in the image.
|
||
# This suppression is retained as a safety net in case future DB updates re-surface it.
|
||
#
|
||
# Vulnerability Details:
|
||
# - The Delete function fails to validate offsets on malformed JSON input, producing a
|
||
# negative slice index and a runtime panic — denial of service (CWE-125).
|
||
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||
#
|
||
# Root Cause (Third-Party Binary — Fix Exists Upstream, Not Yet in CrowdSec):
|
||
# - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries.
|
||
# - buger/jsonparser released v1.1.2 on 2026-03-20 fixing issue #275.
|
||
# - CrowdSec has not yet released a version built with buger/jsonparser v1.1.2.
|
||
# - Fix path: once CrowdSec updates their dependency and rebuilds, rebuild the Docker image
|
||
# and remove this suppression.
|
||
#
|
||
# Risk Assessment: ACCEPTED (Limited exploitability; fix exists upstream but not yet in CrowdSec)
|
||
# - The DoS vector requires passing malformed JSON to the vulnerable Delete function within
|
||
# CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon.
|
||
# - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path).
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor CrowdSec releases for a build using buger/jsonparser >= v1.1.2.
|
||
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||
# - Weekly CI security rebuild flags the moment a fixed image ships.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-03-19 (initial suppression): no upstream fix. Set 30-day review.
|
||
# - Extended 2026-04-04: no upstream fix. buger/jsonparser issue #275 still open.
|
||
# - Updated 2026-04-20: buger/jsonparser v1.1.2 released 2026-03-20. CrowdSec not yet updated.
|
||
# Grype v0.111.0 with fresh DB (2026-04-20) no longer flags this finding. Suppression retained
|
||
# as a safety net. Next review: 2026-05-19 — remove if CrowdSec ships with v1.1.2+.
|
||
#
|
||
# Removal Criteria:
|
||
# - CrowdSec releases a version built with buger/jsonparser >= v1.1.2
|
||
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
|
||
# - Remove this entry and the corresponding .trivyignore entry simultaneously
|
||
#
|
||
# References:
|
||
# - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x
|
||
# - Upstream fix: https://github.com/buger/jsonparser/releases/tag/v1.1.2
|
||
# - golang/vulndb: https://github.com/golang/vulndb/issues/4514
|
||
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||
- vulnerability: GHSA-6g7g-w4f8-9c9x
|
||
package:
|
||
name: github.com/buger/jsonparser
|
||
version: "v1.1.1"
|
||
type: go-module
|
||
reason: |
|
||
HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries.
|
||
Upstream fix: buger/jsonparser v1.1.2 released 2026-03-20; CrowdSec has not yet updated their
|
||
dependency. Grype no longer flags this as of 2026-04-20 (fresh DB). Suppression retained as
|
||
safety net pending CrowdSec update. Charon does not use this package directly.
|
||
Updated 2026-04-20: fix v1.1.2 exists upstream; awaiting CrowdSec dependency update.
|
||
expiry: "2026-05-19" # Review 2026-05-19: remove if CrowdSec ships with buger/jsonparser >= v1.1.2.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check if CrowdSec has released a version with buger/jsonparser >= v1.1.2:
|
||
# https://github.com/crowdsecurity/crowdsec/releases
|
||
# 2. If CrowdSec has updated: rebuild Docker image, run security-scan-docker-image,
|
||
# and remove this suppression entry and the corresponding .trivyignore entry
|
||
# 3. If grype still does not flag it with fresh DB: consider removing the suppression as
|
||
# it may no longer be necessary
|
||
# 4. If no CrowdSec update yet: Extend expiry by 30 days
|
||
|
||
# GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
|
||
# Severity: HIGH (CVSS 7.5)
|
||
# Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
|
||
# Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
|
||
#
|
||
# Vulnerability Details:
|
||
# - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
|
||
# can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
|
||
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||
#
|
||
# Root Cause (EOL Module + Third-Party Binary):
|
||
# - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
|
||
# is compiled into CrowdSec binaries for their internal database communication.
|
||
# - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
|
||
# is migration to pgx/v5, which embeds an updated pgproto3/v3.
|
||
# - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
|
||
# the Docker image and remove this suppression.
|
||
#
|
||
# Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
|
||
# - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
|
||
# internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
|
||
# external traffic in a standard Charon deployment.
|
||
# - The attack requires a compromised database server, which would imply full host compromise.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor CrowdSec releases for pgx/v5 migration:
|
||
# https://github.com/crowdsecurity/crowdsec/releases
|
||
# - Weekly CI security rebuild flags the moment a fixed image ships.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
|
||
# Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review.
|
||
# - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
|
||
# - Next review: 2026-05-19. Remove suppression once CrowdSec ships with pgx/v5.
|
||
#
|
||
# Removal Criteria:
|
||
# - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2
|
||
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
|
||
# - Remove this entry and the corresponding .trivyignore entry simultaneously
|
||
#
|
||
# References:
|
||
# - GHSA-jqcq-xjh3-6g23: https://github.com/advisories/GHSA-jqcq-xjh3-6g23
|
||
# - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
|
||
# - pgx/v5 (replacement): https://github.com/jackc/pgx
|
||
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||
- vulnerability: GHSA-jqcq-xjh3-6g23
|
||
package:
|
||
name: github.com/jackc/pgproto3/v2
|
||
version: "v2.3.3"
|
||
type: go-module
|
||
reason: |
|
||
HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
|
||
pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
|
||
Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
|
||
Risk accepted; no remediation until CrowdSec ships with pgx/v5.
|
||
Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
|
||
expiry: "2026-05-19" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check CrowdSec releases for pgx/v5 migration:
|
||
# https://github.com/crowdsecurity/crowdsec/releases
|
||
# 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
|
||
# Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
|
||
# 3. If CrowdSec has migrated:
|
||
# a. Rebuild Docker image and run local security-scan-docker-image
|
||
# b. Remove this suppression entry and the corresponding .trivyignore entry
|
||
# 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
|
||
# 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
|
||
|
||
# GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
|
||
# Severity: HIGH (CVSS 7.5)
|
||
# Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
|
||
# Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
|
||
# Note: This is the NVD/Red Hat advisory alias for the same underlying vulnerability as GHSA-jqcq-xjh3-6g23
|
||
#
|
||
# Vulnerability Details:
|
||
# - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
|
||
# can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
|
||
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5)
|
||
#
|
||
# Root Cause (EOL Module + Third-Party Binary):
|
||
# - Same underlying vulnerability as GHSA-jqcq-xjh3-6g23; tracked separately by NVD/Red Hat as CVE-2026-4427.
|
||
# - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
|
||
# is compiled into CrowdSec binaries for their internal database communication.
|
||
# - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
|
||
# is migration to pgx/v5, which embeds an updated pgproto3/v3.
|
||
# - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
|
||
# the Docker image and remove this suppression.
|
||
#
|
||
# Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
|
||
# - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
|
||
# internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
|
||
# external traffic in a standard Charon deployment.
|
||
# - The attack requires a compromised database server, which would imply full host compromise.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor CrowdSec releases for pgx/v5 migration:
|
||
# https://github.com/crowdsecurity/crowdsec/releases
|
||
# - Weekly CI security rebuild flags the moment a fixed image ships.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
|
||
# Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23
|
||
# was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking.
|
||
# - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
|
||
# - Next review: 2026-05-21. Remove suppression once CrowdSec ships with pgx/v5.
|
||
#
|
||
# Removal Criteria:
|
||
# - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
|
||
# - Rebuild Docker image, run security-scan-docker-image, confirm both advisories are resolved
|
||
# - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries simultaneously
|
||
#
|
||
# References:
|
||
# - GHSA-x6gf-mpr2-68h6: https://github.com/advisories/GHSA-x6gf-mpr2-68h6
|
||
# - CVE-2026-4427: https://nvd.nist.gov/vuln/detail/CVE-2026-4427
|
||
# - Red Hat: https://access.redhat.com/security/cve/CVE-2026-4427
|
||
# - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
|
||
# - pgx/v5 (replacement): https://github.com/jackc/pgx
|
||
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||
- vulnerability: GHSA-x6gf-mpr2-68h6
|
||
package:
|
||
name: github.com/jackc/pgproto3/v2
|
||
version: "v2.3.3"
|
||
type: go-module
|
||
reason: |
|
||
HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
|
||
NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
|
||
pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
|
||
Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
|
||
Risk accepted; no remediation until CrowdSec ships with pgx/v5.
|
||
Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
|
||
expiry: "2026-05-21" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check CrowdSec releases for pgx/v5 migration:
|
||
# https://github.com/crowdsecurity/crowdsec/releases
|
||
# 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
|
||
# Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
|
||
# 3. If CrowdSec has migrated:
|
||
# a. Rebuild Docker image and run local security-scan-docker-image
|
||
# b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries
|
||
# 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
|
||
# 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
|
||
|
||
# CVE-2026-32286: pgproto3/v2 buffer overflow in DataRow handling (DoS)
|
||
# Severity: HIGH (CVSS 7.5)
|
||
# Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
|
||
# Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
|
||
#
|
||
# Vulnerability Details:
|
||
# - Buffer overflow in pgproto3/v2 DataRow handling allows a malicious or compromised PostgreSQL
|
||
# server to trigger a denial of service via crafted protocol messages (CWE-120).
|
||
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5)
|
||
#
|
||
# Root Cause (EOL Module + Third-Party Binary):
|
||
# - Same affected module as GHSA-jqcq-xjh3-6g23 and GHSA-x6gf-mpr2-68h6 — pgproto3/v2 v2.3.3
|
||
# is the final release (repository archived Jul 12, 2025). No fix will be released.
|
||
# - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
|
||
# is compiled into CrowdSec binaries for their internal database communication.
|
||
# - Fix exists only in pgproto3/v3 (used by pgx/v5). CrowdSec v1.7.7 (latest) still depends
|
||
# on pgx/v4 → pgproto3/v2. Dockerfile already applies best-effort mitigation (pgx/v4@v4.18.3).
|
||
# - Fix path: once CrowdSec migrates to pgx/v5, rebuild the Docker image and remove this suppression.
|
||
#
|
||
# Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
|
||
# - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
|
||
# internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
|
||
# external traffic in a standard Charon deployment.
|
||
# - CrowdSec's PostgreSQL code path is not directly exposed to untrusted network input in
|
||
# Charon's deployment.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor CrowdSec releases for pgx/v5 migration:
|
||
# https://github.com/crowdsecurity/crowdsec/releases
|
||
# - Weekly CI security rebuild flags the moment a fixed image ships.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-04-10 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
|
||
# Waiting on CrowdSec to migrate to pgx/v5. Set 90-day review.
|
||
# - Next review: 2026-07-09. Remove suppression once CrowdSec ships with pgx/v5.
|
||
#
|
||
# Removal Criteria:
|
||
# - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
|
||
# - Rebuild Docker image, run security-scan-docker-image, confirm all pgproto3/v2 advisories are resolved
|
||
# - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, GHSA-x6gf-mpr2-68h6 entry, and all .trivyignore entries simultaneously
|
||
#
|
||
# References:
|
||
# - CVE-2026-32286: https://nvd.nist.gov/vuln/detail/CVE-2026-32286
|
||
# - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
|
||
# - pgx/v5 (replacement): https://github.com/jackc/pgx
|
||
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||
- vulnerability: CVE-2026-32286
|
||
package:
|
||
name: github.com/jackc/pgproto3/v2
|
||
version: "v2.3.3"
|
||
type: go-module
|
||
reason: |
|
||
HIGH — Buffer overflow in pgproto3/v2 v2.3.3 DataRow handling, embedded in CrowdSec binaries.
|
||
pgproto3/v2 v2.3.3 is the final release (archived Jul 2025); no fix will be released.
|
||
Fix exists only in pgproto3/v3 (pgx/v5). CrowdSec v1.7.7 still depends on pgx/v4 → pgproto3/v2.
|
||
Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
|
||
Risk accepted; no remediation until CrowdSec ships with pgx/v5.
|
||
Reviewed 2026-04-10: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
|
||
expiry: "2026-07-09" # Reviewed 2026-04-10: no fix path until CrowdSec migrates to pgx/v5. 90-day expiry.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check CrowdSec releases for pgx/v5 migration:
|
||
# https://github.com/crowdsecurity/crowdsec/releases
|
||
# 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
|
||
# Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
|
||
# 3. If CrowdSec has migrated:
|
||
# a. Rebuild Docker image and run local security-scan-docker-image
|
||
# b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, GHSA-x6gf-mpr2-68h6 entry, and all .trivyignore entries
|
||
# 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
|
||
# 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
|
||
|
||
# GHSA-pxq6-2prw-chj9 / CVE-2026-33997: Moby off-by-one error in plugin privilege validation
|
||
# Severity: MEDIUM (CVSS 6.8)
|
||
# Package: github.com/docker/docker v28.5.2+incompatible (go-module)
|
||
# Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path
|
||
#
|
||
# Vulnerability Details:
|
||
# - Off-by-one error in Moby's plugin privilege validation allows potential privilege escalation
|
||
# via crafted plugin configurations.
|
||
#
|
||
# Root Cause (No Fix Available for Import Path):
|
||
# - Same import path issue as CVE-2026-34040. The fix exists in moby/moby v29.3.1 but not
|
||
# for the docker/docker import path that Charon uses.
|
||
# - Fix path: same dependency migration pattern as CVE-2026-34040 (if needed) or upstream fix.
|
||
#
|
||
# Risk Assessment: ACCEPTED (Not exploitable in Charon context)
|
||
# - Charon uses the Docker client SDK only (list containers). The vulnerability is in Docker's
|
||
# plugin privilege validation, which is server-side functionality.
|
||
# - Charon does not run a Docker daemon, install Docker plugins, or interact with plugin privileges.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor docker/docker releases: https://github.com/moby/moby/releases
|
||
# - Weekly CI security rebuild flags the moment a fixed version ships.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review.
|
||
# - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path.
|
||
#
|
||
# Removal Criteria:
|
||
# - docker/docker publishes a patched version OR moby/moby/v2 stabilizes
|
||
# - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved
|
||
# - Remove this entry and all corresponding .trivyignore entries simultaneously
|
||
#
|
||
# References:
|
||
# - GHSA-pxq6-2prw-chj9: https://github.com/advisories/GHSA-pxq6-2prw-chj9
|
||
# - CVE-2026-33997: https://nvd.nist.gov/vuln/detail/CVE-2026-33997
|
||
# - moby/moby releases: https://github.com/moby/moby/releases
|
||
- vulnerability: GHSA-pxq6-2prw-chj9
|
||
package:
|
||
name: github.com/docker/docker
|
||
version: "v28.5.2+incompatible"
|
||
type: go-module
|
||
reason: |
|
||
MEDIUM — Off-by-one error in Moby plugin privilege validation in docker/docker v28.5.2+incompatible.
|
||
Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
|
||
Charon uses Docker client SDK only (list containers); the vulnerability is in Docker's server-side
|
||
plugin privilege validation. Charon does not run a Docker daemon or install Docker plugins.
|
||
Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes.
|
||
Reviewed 2026-03-30: no patched release available for docker/docker import path.
|
||
expiry: "2026-04-30" # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases
|
||
# 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby
|
||
# 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable:
|
||
# a. Update the dependency and rebuild Docker image
|
||
# b. Run local security-scan-docker-image and confirm finding is resolved
|
||
# c. Remove this entry and all corresponding .trivyignore entries
|
||
# 4. If no fix yet: Extend expiry by 30 days and update the review comment above
|
||
# 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility
|
||
|
||
# GHSA-78h2-9frx-2jm8: go-jose JWE decryption panic (DoS)
|
||
# Severity: HIGH
|
||
# Packages: github.com/go-jose/go-jose/v3 v3.0.4 and github.com/go-jose/go-jose/v4 v4.1.3
|
||
# (embedded in /usr/bin/caddy)
|
||
# Status: Fix available in go-jose/v3 v3.0.5 and go-jose/v4 v4.1.4 — requires upstream Caddy rebuild
|
||
#
|
||
# Vulnerability Details:
|
||
# - JWE decryption can trigger a panic due to improper input validation, causing
|
||
# a denial-of-service condition (runtime crash).
|
||
#
|
||
# Root Cause (Third-Party Binary):
|
||
# - Charon does not use go-jose directly. The library is compiled into the Caddy binary
|
||
# shipped in the Docker image.
|
||
# - Fixes are available upstream (v3.0.5 and v4.1.4) but require a Caddy rebuild to pick up.
|
||
# - Fix path: once the upstream Caddy release includes the patched go-jose versions,
|
||
# rebuild the Docker image and remove these suppressions.
|
||
#
|
||
# Risk Assessment: ACCEPTED (No direct use + fix requires upstream rebuild)
|
||
# - Charon does not import or call go-jose functions; the library is only present as a
|
||
# transitive dependency inside the Caddy binary.
|
||
# - The attack vector requires crafted JWE input reaching Caddy's internal JWT handling,
|
||
# which is limited to authenticated admin-API paths not exposed in Charon deployments.
|
||
#
|
||
# Mitigation (active while suppression is in effect):
|
||
# - Monitor Caddy releases: https://github.com/caddyserver/caddy/releases
|
||
# - Weekly CI security rebuild flags the moment a fixed image ships.
|
||
#
|
||
# Review:
|
||
# - Reviewed 2026-04-05 (initial suppression): fix available upstream but not yet in Caddy release.
|
||
# Set 30-day review.
|
||
# - Next review: 2026-05-05. Remove suppression once Caddy ships with patched go-jose.
|
||
#
|
||
# Removal Criteria:
|
||
# - Caddy releases a version built with go-jose/v3 >= v3.0.5 and go-jose/v4 >= v4.1.4
|
||
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
|
||
# - Remove both entries (v3 and v4) and any corresponding .trivyignore entries simultaneously
|
||
#
|
||
# References:
|
||
# - GHSA-78h2-9frx-2jm8: https://github.com/advisories/GHSA-78h2-9frx-2jm8
|
||
# - go-jose releases: https://github.com/go-jose/go-jose/releases
|
||
# - Caddy releases: https://github.com/caddyserver/caddy/releases
|
||
- vulnerability: GHSA-78h2-9frx-2jm8
|
||
package:
|
||
name: github.com/go-jose/go-jose/v3
|
||
version: "v3.0.4"
|
||
type: go-module
|
||
reason: |
|
||
HIGH — JWE decryption panic in go-jose v3.0.4 embedded in /usr/bin/caddy.
|
||
Fix available in v3.0.5 but requires upstream Caddy rebuild. Charon does not use go-jose
|
||
directly. Deferring to next Caddy release.
|
||
expiry: "2026-05-05" # 30-day review: remove once Caddy ships with go-jose/v3 >= v3.0.5.
|
||
|
||
# Action items when this suppression expires:
|
||
# 1. Check Caddy releases: https://github.com/caddyserver/caddy/releases
|
||
# 2. Verify with: `go version -m /usr/bin/caddy | grep go-jose`
|
||
# Expected: go-jose/v3 >= v3.0.5
|
||
# 3. If Caddy has updated:
|
||
# a. Rebuild Docker image and run local security-scan-docker-image
|
||
# b. Remove this entry, the v4 entry below, and any corresponding .trivyignore entries
|
||
# 4. If not yet updated: Extend expiry by 30 days and update the review comment above
|
||
# 5. If extended 3+ times: Open an upstream issue on caddyserver/caddy requesting go-jose update
|
||
|
||
# GHSA-78h2-9frx-2jm8 (go-jose/v4) — see full justification in the go-jose/v3 entry above
|
||
- vulnerability: GHSA-78h2-9frx-2jm8
|
||
package:
|
||
name: github.com/go-jose/go-jose/v4
|
||
version: "v4.1.3"
|
||
type: go-module
|
||
reason: |
|
||
HIGH — JWE decryption panic in go-jose v4.1.3 embedded in /usr/bin/caddy.
|
||
Fix available in v4.1.4 but requires upstream Caddy rebuild. Charon does not use go-jose
|
||
directly. Deferring to next Caddy release.
|
||
expiry: "2026-05-05" # 30-day review: see go-jose/v3 entry above for action items.
|
||
|
||
# Match exclusions (patterns to ignore during scanning)
|
||
# Use sparingly - prefer specific CVE suppressions above
|
||
match:
|
||
# Exclude test fixtures and example code from vulnerability scanning
|
||
exclude:
|
||
- path: "**/test/**"
|
||
- path: "**/tests/**"
|
||
- path: "**/testdata/**"
|
||
- path: "**/examples/**"
|
||
- path: "**/*_test.go"
|
||
|
||
# Output configuration (optional)
|
||
# These settings can be overridden via CLI flags
|
||
output:
|
||
# Report only HIGH and CRITICAL by default
|
||
# Medium/Low findings are still logged but don't fail the scan
|
||
fail-on-severity: high
|
||
|
||
# Check for configuration updates
|
||
# Grype automatically updates its vulnerability database
|
||
# Run `grype db update` manually to force an update
|
||
check-for-app-update: true
|