# Grype vulnerability suppression configuration
# Automatically loaded by Grype for vulnerability scanning
# Review and update when upstream fixes are available
# Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore

ignore:
  # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
  # Severity: HIGH (CVSS 7.5)
  # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
  # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18
  #
  # Vulnerability Details:
  # - When DEFAULT is in the TLS 1.3 group configuration, the OpenSSL server may select
  #   a weaker key exchange group than preferred, enabling a limited key exchange downgrade.
  # - Only affects systems acting as a raw TLS 1.3 server using OpenSSL's server-side group negotiation.
  #
  # Root Cause (No Fix Available):
  # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23.
  # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
  # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image
  #   and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (No upstream fix; limited exposure in Charon context)
  # - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
  # - The vulnerability requires the affected application to directly configure TLS 1.3 server
  #   group negotiation via OpenSSL, which Charon does not do.
  # - Container-level isolation reduces the attack surface further.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-2673
  # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image.
  #
  # Review:
  # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review.
  # - Next review: 2026-04-18. Remove suppression immediately once upstream fixes.
  #
  # Removal Criteria:
  # - Alpine publishes a patched version of libcrypto3 and libssl3
  # - Rebuild Docker image and verify CVE-2026-2673 no longer appears in grype-results.json
  # - Remove both these entries and the corresponding .trivyignore entry simultaneously
  #
  # References:
  # - CVE-2026-2673: https://nvd.nist.gov/vuln/detail/CVE-2026-2673
  # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
  - vulnerability: CVE-2026-2673
    package:
      name: libcrypto3
      version: "3.5.5-r0"
      type: apk
    reason: |
      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libcrypto3 3.5.5-r0 (Alpine base image).
      No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon
      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
      Risk accepted pending Alpine upstream patch.
    expiry: "2026-04-18" # Initial 30-day review period. Extend in 14–30 day increments with documented justification.

  # Action items when this suppression expires:
  # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
  # 2. If a patched Alpine package is now available:
  #    a. Rebuild Docker image without suppression
  #    b. Run local security-scan-docker-image and confirm CVE is resolved
  #    c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry
  # 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above
  # 4. If extended 3+ times: Open an issue to track the upstream status formally

  # CVE-2026-2673 (libssl3) — see full justification in the libcrypto3 entry above
  - vulnerability: CVE-2026-2673
    package:
      name: libssl3
      version: "3.5.5-r0"
      type: apk
    reason: |
      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libssl3 3.5.5-r0 (Alpine base image).
      No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon
      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
      Risk accepted pending Alpine upstream patch.
    expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items.

  # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
  # Severity: HIGH (CVSS 7.5)
  # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
  # Status: NO upstream fix available — OSV marks "Last affected: v1.1.1" with no Fixed event
  #
  # Vulnerability Details:
  # - The Delete function fails to validate offsets on malformed JSON input, producing a
  #   negative slice index and a runtime panic — denial of service (CWE-125).
  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  #
  # Root Cause (Third-Party Binary + No Upstream Fix):
  # - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries.
  # - The buger/jsonparser repository has no released fix as of 2026-03-19 (GitHub issue #275
  #   and golang/vulndb #4514 are both open).
  # - Fix path: once buger/jsonparser releases a patched version and CrowdSec updates their
  #   dependency, rebuild the Docker image and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (Limited exploitability + no upstream fix)
  # - The DoS vector requires passing malformed JSON to the vulnerable Delete function within
  #   CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon.
  # - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path).
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor buger/jsonparser: https://github.com/buger/jsonparser/issues/275
  # - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  # - Weekly CI security rebuild flags the moment a fixed image ships.
  #
  # Review:
  # - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review.
  # - Next review: 2026-04-19. Remove suppression once buger/jsonparser ships a fix and
  #   CrowdSec updates their dependency.
  #
  # Removal Criteria:
  # - buger/jsonparser releases a patched version (v1.1.2 or higher)
  # - CrowdSec releases a version built with the patched jsonparser
  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
  # - Remove this entry and the corresponding .trivyignore entry simultaneously
  #
  # References:
  # - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x
  # - Upstream issue: https://github.com/buger/jsonparser/issues/275
  # - golang/vulndb: https://github.com/golang/vulndb/issues/4514
  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  - vulnerability: GHSA-6g7g-w4f8-9c9x
    package:
      name: github.com/buger/jsonparser
      version: "v1.1.1"
      type: go-module
    reason: |
      HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries.
      No upstream fix: buger/jsonparser has no released patch as of 2026-03-19 (issue #275 open).
      Charon does not use this package directly; the vector requires reaching CrowdSec's internal
      JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix.
      Reviewed 2026-03-19: no patched release available.
    expiry: "2026-04-19" # 30-day review: no fix exists. Extend in 30-day increments with documented justification.

  # Action items when this suppression expires:
  # 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases
  #    and issue #275: https://github.com/buger/jsonparser/issues/275
  # 2. If a fix has shipped AND CrowdSec has updated their dependency:
  #    a. Rebuild Docker image and run local security-scan-docker-image
  #    b. Remove this suppression entry and the corresponding .trivyignore entry
  # 3. If no fix yet: Extend expiry by 30 days and update the review comment above
  # 4. If extended 3+ times with no progress: Consider opening an issue upstream or
  #    evaluating whether CrowdSec can replace buger/jsonparser with a safe alternative

  # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
  # Severity: HIGH (CVSS 7.5)
  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
  #
  # Vulnerability Details:
  # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
  #   can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  #
  # Root Cause (EOL Module + Third-Party Binary):
  # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
  #   is compiled into CrowdSec binaries for their internal database communication.
  # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
  #   is migration to pgx/v5, which embeds an updated pgproto3/v3.
  # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
  #   the Docker image and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
  # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
  #   internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
  #   external traffic in a standard Charon deployment.
  # - The attack requires a compromised database server, which would imply full host compromise.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor CrowdSec releases for pgx/v5 migration:
  #   https://github.com/crowdsecurity/crowdsec/releases
  # - Weekly CI security rebuild flags the moment a fixed image ships.
  #
  # Review:
  # - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
  #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review.
  # - Next review: 2026-04-19. Remove suppression once CrowdSec ships with pgx/v5.
  #
  # Removal Criteria:
  # - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2
  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
  # - Remove this entry and the corresponding .trivyignore entry simultaneously
  #
  # References:
  # - GHSA-jqcq-xjh3-6g23: https://github.com/advisories/GHSA-jqcq-xjh3-6g23
  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
  # - pgx/v5 (replacement): https://github.com/jackc/pgx
  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  - vulnerability: GHSA-jqcq-xjh3-6g23
    package:
      name: github.com/jackc/pgproto3/v2
      version: "v2.3.3"
      type: go-module
    reason: |
      HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
      pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
      Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
    expiry: "2026-04-19" # 30-day review: no fix path until CrowdSec migrates to pgx/v5.

  # Action items when this suppression expires:
  # 1. Check CrowdSec releases for pgx/v5 migration:
  #    https://github.com/crowdsecurity/crowdsec/releases
  # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
  #    Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
  # 3. If CrowdSec has migrated:
  #    a. Rebuild Docker image and run local security-scan-docker-image
  #    b. Remove this suppression entry and the corresponding .trivyignore entry
  # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
  # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration

  # GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
  # Severity: HIGH (CVSS 7.5)
  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
  # Note: This is the NVD/Red Hat advisory alias for the same underlying vulnerability as GHSA-jqcq-xjh3-6g23
  #
  # Vulnerability Details:
  # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
  #   can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5)
  #
  # Root Cause (EOL Module + Third-Party Binary):
  # - Same underlying vulnerability as GHSA-jqcq-xjh3-6g23; tracked separately by NVD/Red Hat as CVE-2026-4427.
  # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
  #   is compiled into CrowdSec binaries for their internal database communication.
  # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
  #   is migration to pgx/v5, which embeds an updated pgproto3/v3.
  # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
  #   the Docker image and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
  # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
  #   internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
  #   external traffic in a standard Charon deployment.
  # - The attack requires a compromised database server, which would imply full host compromise.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor CrowdSec releases for pgx/v5 migration:
  #   https://github.com/crowdsecurity/crowdsec/releases
  # - Weekly CI security rebuild flags the moment a fixed image ships.
  #
  # Review:
  # - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
  #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23
  #   was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking.
  # - Next review: 2026-04-21. Remove suppression once CrowdSec ships with pgx/v5.
  #
  # Removal Criteria:
  # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
  # - Rebuild Docker image, run security-scan-docker-image, confirm both advisories are resolved
  # - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries simultaneously
  #
  # References:
  # - GHSA-x6gf-mpr2-68h6: https://github.com/advisories/GHSA-x6gf-mpr2-68h6
  # - CVE-2026-4427: https://nvd.nist.gov/vuln/detail/CVE-2026-4427
  # - Red Hat: https://access.redhat.com/security/cve/CVE-2026-4427
  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
  # - pgx/v5 (replacement): https://github.com/jackc/pgx
  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  - vulnerability: GHSA-x6gf-mpr2-68h6
    package:
      name: github.com/jackc/pgproto3/v2
      version: "v2.3.3"
      type: go-module
    reason: |
      HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
      NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
      pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
      Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
    expiry: "2026-04-21" # 30-day review: no fix path until CrowdSec migrates to pgx/v5.

  # Action items when this suppression expires:
  # 1. Check CrowdSec releases for pgx/v5 migration:
  #    https://github.com/crowdsecurity/crowdsec/releases
  # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
  #    Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
  # 3. If CrowdSec has migrated:
  #    a. Rebuild Docker image and run local security-scan-docker-image
  #    b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries
  # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
  # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration

# Match exclusions (patterns to ignore during scanning)
# Use sparingly - prefer specific CVE suppressions above
match:
  # Exclude test fixtures and example code from vulnerability scanning
  exclude:
    - path: "**/test/**"
    - path: "**/tests/**"
    - path: "**/testdata/**"
    - path: "**/examples/**"
    - path: "**/*_test.go"

# Output configuration (optional)
# These settings can be overridden via CLI flags
output:
  # Report only HIGH and CRITICAL by default
  # Medium/Low findings are still logged but don't fail the scan
  fail-on-severity: high

# Check for configuration updates
# Grype automatically updates its vulnerability database
# Run `grype db update` manually to force an update
check-for-app-update: true
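
# Added example (not part of this repository): a CI check that reads the `expiry`
# values on the suppression entries above and reports overdue reviews, so the
# action items do not depend on someone remembering the date. Assumptions: the
# function names, the 7-day warning window, the rule that a review is due on the
# expiry date itself, and a line-based scan in place of a YAML parser.

```python
import re
from datetime import date

# Constructed sample shaped like the entries in this file; the last entry is a
# made-up placeholder with no expiry, to show how a missing date is reported.
SAMPLE = '''\
ignore:
  - vulnerability: CVE-2026-2673
    package:
      name: libcrypto3
    expiry: "2026-04-18" # Initial 30-day review period.
  - vulnerability: GHSA-6g7g-w4f8-9c9x
    package:
      name: github.com/buger/jsonparser
    expiry: "2026-04-19"
  - vulnerability: PLACEHOLDER-NO-EXPIRY
    package:
      name: example-package
'''

ENTRY = re.compile(r'^\s*-\s*vulnerability:\s*(\S+)')
FIELD = re.compile(r'^\s*(name|expiry):\s*["\']?([^"\'\s#]+)')

def parse_suppressions(text):
    """Collect id, package name and expiry for each `- vulnerability:` entry."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue                      # comment lines may quote keys; skip them
        if m := ENTRY.match(line):
            entries.append({'id': m.group(1), 'name': None, 'expiry': None})
        elif entries and (m := FIELD.match(line)):
            entries[-1][m.group(1)] = m.group(2)
    return entries

def audit(text, today, warn_days=7):
    """Return (id, package, status) per entry; review is due on the expiry date itself."""
    findings = []
    for e in parse_suppressions(text):
        if e['expiry'] is None:
            status = 'no-expiry'
        else:
            try:
                left = (date.fromisoformat(e['expiry']) - today).days
                status = 'expired' if left <= 0 else 'due-soon' if left <= warn_days else 'ok'
            except ValueError:
                status = 'bad-date'
        findings.append((e['id'], e['name'], status))
    return findings

def should_fail(findings):
    """CI gate: block on anything overdue or undatable."""
    return any(s in ('expired', 'no-expiry', 'bad-date') for _, _, s in findings)
```

# In a pipeline, pass the contents of this file and date.today() to audit() and
# exit non-zero when should_fail() returns True.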