178 lines
9.4 KiB
YAML
# Grype vulnerability suppression configuration
# Automatically loaded by Grype for vulnerability scanning
# Review and update when upstream fixes are available
# Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore

ignore:
  # GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
  # Severity: HIGH (CVSS 8.1)
  # Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy)
  # Status: Cannot upgrade — smallstep/certificates v0.30.0-rc2 still pins nebula v1.9.x
  #
  # Vulnerability Details:
  # - ECDSA signature malleability allows bypassing certificate blocklists
  # - Attacker can forge alternate valid P256 ECDSA signatures for revoked
  #   certificates (CVSSv3: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
  # - Only affects configurations using Nebula-based certificate authorities
  #   (non-default and uncommon in Charon deployments)
  #
  # Root Cause (Compile-Time Dependency Lock):
  # - Caddy is built with the caddy-security plugin, which transitively requires
  #   github.com/smallstep/certificates. That package pins nebula v1.9.x.
  # - Checked: smallstep/certificates v0.27.5 → v0.30.0-rc2 all require nebula v1.9.4–v1.9.7.
  #   The nebula v1.10 API removal breaks compilation in the
  #   authority/provisioner package; xcaddy build fails if the upgrade is attempted.
  # - Dockerfile caddy-builder stage pins nebula@v1.9.7 (Renovate tracked) with
  #   an inline comment explaining the constraint (Dockerfile line 247).
  # - Fix path: once smallstep/certificates releases a version requiring
  #   nebula v1.10+, remove the pin and this suppression simultaneously.
  #
  # Risk Assessment: ACCEPTED (Low exploitability in Charon context)
  # - Charon uses standard ACME/Let's Encrypt TLS; Nebula VPN PKI is not
  #   enabled by default and rarely configured in Charon deployments.
  # - Exploiting this requires a valid certificate sharing the same issuer as
  #   a revoked one — an uncommon and targeted attack scenario.
  # - Container-level isolation reduces the attack surface further.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor smallstep/certificates releases at https://github.com/smallstep/certificates/releases
  # - Weekly CI security rebuild flags any new CVEs in the full image.
  # - Renovate annotation in Dockerfile (datasource=go depName=github.com/slackhq/nebula)
  #   will surface the pin for review when xcaddy build becomes compatible.
  #
  # Review:
  # - Reviewed 2026-02-19: smallstep/certificates latest stable remains v0.27.5;
  #   no release requiring nebula v1.10+ has shipped. Suppression extended 14 days.
  # - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
  # - Next review: 2026-04-12. Remove suppression immediately once an upstream fix ships.
  #
  # Removal Criteria:
  # - smallstep/certificates releases a stable version requiring nebula v1.10+
  # - Update Dockerfile caddy-builder patch to use the new versions
  # - Rebuild image, run security scan, confirm suppression no longer needed
  # - Remove both this entry and the corresponding .trivyignore entry
  #
  # References:
  # - GHSA: https://github.com/advisories/GHSA-69x3-g4r3-p962
  # - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793
  # - smallstep/certificates: https://github.com/smallstep/certificates/releases
  # - Dockerfile pin: caddy-builder stage, line ~247 (go get nebula@v1.9.7)
  - vulnerability: GHSA-69x3-g4r3-p962
    package:
      name: github.com/slackhq/nebula
      version: "v1.9.7"
      type: go-module
    reason: |
      HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
      Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-03-13)
      still requires nebula v1.9.x (verified across v0.27.5–v0.30.0-rc2). Charon does
      not use Nebula VPN PKI by default. Risk accepted pending upstream smallstep fix.
      Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
    expiry: "2026-04-12" # Re-evaluated 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.

  # Action items when this suppression expires:
  # 1. Check smallstep/certificates releases: https://github.com/smallstep/certificates/releases
  # 2. If a stable version requires nebula v1.10+:
  #    a. Update Dockerfile caddy-builder: remove the `go get nebula@v1.9.7` pin
  #    b. Optionally bump smallstep/certificates to the new version
  #    c. Rebuild Docker image and verify no compile failures
  #    d. Re-run local security-scan-docker-image and confirm clean result
  #    e. Remove this suppression entry
  # 3. If no fix yet: extend expiry by 14 days and document the justification
  # 4. If extended 3+ times: open an upstream issue on smallstep/certificates

  # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
  # Severity: HIGH (CVSS 7.5)
  # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
  # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18
  #
  # Vulnerability Details:
  # - When DEFAULT is in the TLS 1.3 group configuration, the OpenSSL server may select
  #   a weaker key exchange group than preferred, enabling a limited key exchange downgrade.
  # - Only affects systems acting as a raw TLS 1.3 server using OpenSSL's server-side group negotiation.
  #
  # Root Cause (No Fix Available):
  # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23.
  # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
  # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image
  #   and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (No upstream fix; limited exposure in Charon context)
  # - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
  # - The vulnerability requires the affected application to directly configure TLS 1.3 server
  #   group negotiation via OpenSSL, which Charon does not do.
  # - Container-level isolation reduces the attack surface further.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-2673
  # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image.
  #
  # Review:
  # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review.
  # - Next review: 2026-04-18. Remove suppression immediately once an upstream fix ships.
  #
  # Removal Criteria:
  # - Alpine publishes a patched version of libcrypto3 and libssl3
  # - Rebuild Docker image and verify CVE-2026-2673 no longer appears in grype-results.json
  # - Remove both these entries and the corresponding .trivyignore entry simultaneously
  #
  # References:
  # - CVE-2026-2673: https://nvd.nist.gov/vuln/detail/CVE-2026-2673
  # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
  - vulnerability: CVE-2026-2673
    package:
      name: libcrypto3
      version: "3.5.5-r0"
      type: apk
    reason: |
      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libcrypto3 3.5.5-r0 (Alpine base image).
      No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon
      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
      Risk accepted pending Alpine upstream patch.
    expiry: "2026-04-18" # Initial 30-day review period. Extend in 14–30 day increments with documented justification.

  # Action items when this suppression expires:
  # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
  # 2. If a patched Alpine package is now available:
  #    a. Rebuild Docker image without suppression
  #    b. Run local security-scan-docker-image and confirm CVE is resolved
  #    c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry
  # 3. If no fix yet: extend expiry by 14–30 days and update the review comment above
  # 4. If extended 3+ times: open an issue to track the upstream status formally

  # CVE-2026-2673 (libssl3) — see full justification in the libcrypto3 entry above
  - vulnerability: CVE-2026-2673
    package:
      name: libssl3
      version: "3.5.5-r0"
      type: apk
    reason: |
      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libssl3 3.5.5-r0 (Alpine base image).
      No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon
      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
      Risk accepted pending Alpine upstream patch.
    expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items.

# Path exclusions (globs skipped during scanning; same as the --exclude flag)
# Use sparingly - prefer specific CVE suppressions above
# Exclude test fixtures and example code from vulnerability scanning
exclude:
  - "**/test/**"
  - "**/tests/**"
  - "**/testdata/**"
  - "**/examples/**"
  - "**/*_test.go"

# Failure threshold (same as the --fail-on flag; can be overridden via CLI flags)
# Fail the scan only on HIGH and CRITICAL findings by default
# Medium/Low findings are still reported but don't fail the scan
fail-on-severity: high

# Check for a newer Grype release at startup
# Grype automatically updates its vulnerability database
# Run `grype db update` manually to force an update
check-for-app-update: true
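The `expiry` dates above are enforced only by the review process. The following added CI check, which is not part of this config or of the Charon project, fails the job when any ignore rule is past its expiry or has none; the default path `.grype.yaml` and the sample rules are assumptions.

```python
"""Added CI check, not part of the Grype config above: fail the build when an
ignore rule is past its `expiry` (a key Grype itself does not act on) or has
none.  Parses only `- vulnerability:` / `expiry:` lines, so no YAML library is
needed.  The default path `.grype.yaml` is an assumption."""
import re
import sys
from datetime import date
from typing import List, Optional, Tuple

RULE_RE = re.compile(r'^\s*-\s*vulnerability:\s*(\S+)')
EXPIRY_RE = re.compile(r'^\s*expiry:\s*"?(\d{4}-\d{2}-\d{2})"?')

# Constructed sample in the same shape as the config above (two rules).
SAMPLE = """
ignore:
  - vulnerability: GHSA-69x3-g4r3-p962
    package:
      name: github.com/slackhq/nebula
    expiry: "2026-04-12"  # review comment
  - vulnerability: CVE-2026-2673
    package:
      name: libcrypto3
    expiry: "2026-04-18"
"""


def parse_suppressions(text: str) -> List[Tuple[str, Optional[date]]]:
    """Pair each `- vulnerability:` rule with the `expiry:` that follows it."""
    rules: List[Tuple[str, Optional[date]]] = []
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            rules.append((m.group(1), None))
        elif (m := EXPIRY_RE.match(line)) and rules:
            rules[-1] = (rules[-1][0], date.fromisoformat(m.group(1)))
    return rules


def stale_suppressions(text: str, today_iso: str) -> List[str]:
    """IDs whose expiry is before today (YYYY-MM-DD) or which have no expiry."""
    today = date.fromisoformat(today_iso)
    return [v for v, exp in parse_suppressions(text) if exp is None or exp < today]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".grype.yaml"
    with open(path, encoding="utf-8") as fh:
        stale = stale_suppressions(fh.read(), date.today().isoformat())
    for vuln in stale:
        print(f"{vuln}: suppression expired or has no expiry; re-review before merging")
    sys.exit(1 if stale else 0)
```

Run it as a step before `grype` in the weekly security rebuild so an overdue suppression blocks the pipeline instead of silently persisting.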