436 lines
25 KiB
YAML
# Grype vulnerability suppression configuration
# Automatically loaded by Grype when present as .grype.yaml in the working directory
# Review and update when upstream fixes are available
# Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
#
# Conventions used in this file:
# - Every rule pins the exact package version it was reviewed against. A version bump that is
#   still vulnerable therefore stops matching the rule and the finding resurfaces in CI, which
#   is the intended fail-closed behaviour.
# - Every rule carries an `expiry` date. That field is this repository's review-tracking
#   convention, not part of Grype's ignore-rule schema: Grype keeps applying the rule after the
#   date, so the date has to be checked by the reviewer or by CI.
# - Each suppression has a twin in .trivyignore; add and remove them together.

ignore:
  # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
  # Severity: HIGH (CVSS 7.5)
  # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
  # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18
  #
  # Vulnerability Details:
  # - When DEFAULT is in the TLS 1.3 group configuration, the OpenSSL server may select
  #   a weaker key exchange group than preferred, enabling a limited key exchange downgrade.
  # - Only affects systems acting as a TLS 1.3 server through OpenSSL's server-side group negotiation.
  #
  # Root Cause (No Fix Available):
  # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23.
  # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
  # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image
  #   and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (No upstream fix; limited exposure in Charon context)
  # - Charon terminates TLS at the Caddy layer; the Go backend does not act as a TLS 1.3 server.
  # - The vulnerable code is OpenSSL's server-side TLS 1.3 group negotiation. Caddy and the Go
  #   backend are Go programs using crypto/tls, which does not call OpenSSL, so neither of them
  #   can reach it; libssl3/libcrypto3 are present only because the Alpine base image ships them.
  # - Container isolation is not a mitigation for a protocol-level downgrade. The acceptance rests
  #   on nothing in the image serving TLS through OpenSSL; `apk info --rdepends libssl3` inside the
  #   image lists what actually depends on the library and should show no network-facing service.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-2673
  # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image.
  #
  # Review:
  # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review.
  # - Next review: 2026-04-18. Remove suppression immediately once upstream fixes.
  #
  # Removal Criteria:
  # - Alpine publishes a patched version of libcrypto3 and libssl3
  # - Rebuild Docker image and verify CVE-2026-2673 no longer appears in grype-results.json,
  #   neither under matches nor under ignoredMatches
  # - Remove both these entries and the corresponding .trivyignore entry simultaneously
  #
  # References:
  # - CVE-2026-2673: https://nvd.nist.gov/vuln/detail/CVE-2026-2673
  # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
  - vulnerability: CVE-2026-2673
    package:
      name: libcrypto3
      version: "3.5.5-r0"
      type: apk
    reason: |
      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libcrypto3 3.5.5-r0 (Alpine base image).
      No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon
      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
      Risk accepted pending Alpine upstream patch.
    expiry: "2026-04-18" # Initial 30-day review period. Extend in 14–30 day increments with documented justification.

  # Action items when this suppression expires:
  # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
  # 2. If a patched Alpine package is now available:
  #    a. Rebuild Docker image without suppression
  #    b. Run local security-scan-docker-image and confirm CVE is resolved
  #    c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry
  # 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above
  # 4. If extended 3+ times: Open an issue to track the upstream status formally

  # CVE-2026-2673 (libssl3) — see full justification in the libcrypto3 entry above
  - vulnerability: CVE-2026-2673
    package:
      name: libssl3
      version: "3.5.5-r0"
      type: apk
    reason: |
      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libssl3 3.5.5-r0 (Alpine base image).
      No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon
      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
      Risk accepted pending Alpine upstream patch.
    expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items.

  # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
  # Severity: HIGH (CVSS 7.5)
  # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
  # Status: NO upstream fix available — OSV marks "Last affected: v1.1.1" with no Fixed event
  #
  # Vulnerability Details:
  # - The Delete function fails to validate offsets on malformed JSON input, producing a
  #   negative slice index and a runtime panic — denial of service (CWE-125).
  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  #
  # Root Cause (Third-Party Binary + No Upstream Fix):
  # - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries.
  # - The buger/jsonparser repository has no released fix as of 2026-03-19 (GitHub issue #275
  #   and golang/vulndb #4514 are both open).
  # - Fix path: once buger/jsonparser releases a patched version and CrowdSec updates their
  #   dependency, rebuild the Docker image and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (Limited exploitability + no upstream fix)
  # - The DoS vector requires passing malformed JSON to the vulnerable Delete function within
  #   CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon.
  # - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path).
  # - This acceptance assumes CrowdSec never calls jsonparser.Delete on attacker-controlled bytes
  #   (for example HTTP request bodies or ingested log lines). A panic there takes the CrowdSec
  #   process down, so re-check the assumption whenever the CrowdSec version in the image changes.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor buger/jsonparser: https://github.com/buger/jsonparser/issues/275
  # - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  # - Weekly CI security rebuild flags the moment a fixed image ships.
  #
  # Review:
  # - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review.
  # - Next review: 2026-04-19. Remove suppression once buger/jsonparser ships a fix and
  #   CrowdSec updates their dependency.
  #
  # Removal Criteria:
  # - buger/jsonparser releases a patched version (v1.1.2 or higher)
  # - CrowdSec releases a version built with the patched jsonparser
  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
  # - Remove this entry and the corresponding .trivyignore entry simultaneously
  #
  # References:
  # - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x
  # - Upstream issue: https://github.com/buger/jsonparser/issues/275
  # - golang/vulndb: https://github.com/golang/vulndb/issues/4514
  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  - vulnerability: GHSA-6g7g-w4f8-9c9x
    package:
      name: github.com/buger/jsonparser
      version: "v1.1.1"
      type: go-module
    reason: |
      HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries.
      No upstream fix: buger/jsonparser has no released patch as of 2026-03-19 (issue #275 open).
      Charon does not use this package directly; the vector requires reaching CrowdSec's internal
      JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix.
      Reviewed 2026-03-19: no patched release available.
    expiry: "2026-04-19" # 30-day review: no fix exists. Extend in 30-day increments with documented justification.

  # Action items when this suppression expires:
  # 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases
  #    and issue #275: https://github.com/buger/jsonparser/issues/275
  # 2. If a fix has shipped AND CrowdSec has updated their dependency:
  #    a. Rebuild Docker image and run local security-scan-docker-image
  #    b. Remove this suppression entry and the corresponding .trivyignore entry
  # 3. If no fix yet: Extend expiry by 30 days and update the review comment above
  # 4. If extended 3+ times with no progress: Consider opening an issue upstream or
  #    evaluating whether CrowdSec can replace buger/jsonparser with a safe alternative

  # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
  # Severity: HIGH (CVSS 7.5)
  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
  #
  # Vulnerability Details:
  # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
  #   can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  #
  # Root Cause (EOL Module + Third-Party Binary):
  # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
  #   is compiled into CrowdSec binaries for their internal database communication.
  # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
  #   is migration to pgx/v5, which embeds an updated pgproto3/v3.
  # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
  #   the Docker image and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
  # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
  #   internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
  #   external traffic in a standard Charon deployment.
  # - The only trigger is a hostile or compromised PostgreSQL peer. With SQLite there is no
  #   database peer at all, so DataRow.Decode is never fed network input.
  # - Check: CrowdSec's config.yaml must show `type: sqlite` under `db_config`. A deployment
  #   that points CrowdSec at PostgreSQL invalidates this acceptance and must not rely on it.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor CrowdSec releases for pgx/v5 migration:
  #   https://github.com/crowdsecurity/crowdsec/releases
  # - Weekly CI security rebuild flags the moment a fixed image ships.
  #
  # Review:
  # - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
  #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review.
  # - Next review: 2026-04-19. Remove suppression once CrowdSec ships with pgx/v5.
  #
  # Removal Criteria:
  # - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2
  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
  # - Remove this entry and the corresponding .trivyignore entry simultaneously
  #
  # References:
  # - GHSA-jqcq-xjh3-6g23: https://github.com/advisories/GHSA-jqcq-xjh3-6g23
  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
  # - pgx/v5 (replacement): https://github.com/jackc/pgx
  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  - vulnerability: GHSA-jqcq-xjh3-6g23
    package:
      name: github.com/jackc/pgproto3/v2
      version: "v2.3.3"
      type: go-module
    reason: |
      HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
      pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
      Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
    expiry: "2026-04-19" # 30-day review: no fix path until CrowdSec migrates to pgx/v5.

  # Action items when this suppression expires:
  # 1. Check CrowdSec releases for pgx/v5 migration:
  #    https://github.com/crowdsecurity/crowdsec/releases
  # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
  #    (copy the binary out of the rebuilt image with `docker cp` and run it through a host Go toolchain)
  #    Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
  # 3. If CrowdSec has migrated:
  #    a. Rebuild Docker image and run local security-scan-docker-image
  #    b. Remove this suppression entry and the corresponding .trivyignore entry
  # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
  # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration

  # GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
  # Severity: HIGH (CVSS 7.5)
  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
  # Note: This is the NVD/Red Hat advisory alias for the same underlying vulnerability as GHSA-jqcq-xjh3-6g23.
  #       Grype matched the GHSA and the CVE as separate records, so each alias needs its own rule.
  #       Vulnerability details, root cause, risk assessment and mitigation are identical to the
  #       GHSA-jqcq-xjh3-6g23 entry above and are not repeated here.
  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5)
  #
  # Review:
  # - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
  #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23
  #   was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking.
  # - Next review: 2026-04-21. Remove suppression once CrowdSec ships with pgx/v5.
  #
  # Removal Criteria:
  # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
  # - Rebuild Docker image, run security-scan-docker-image, confirm both advisories are resolved
  # - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries simultaneously
  #
  # References:
  # - GHSA-x6gf-mpr2-68h6: https://github.com/advisories/GHSA-x6gf-mpr2-68h6
  # - CVE-2026-4427: https://nvd.nist.gov/vuln/detail/CVE-2026-4427
  # - Red Hat: https://access.redhat.com/security/cve/CVE-2026-4427
  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
  # - pgx/v5 (replacement): https://github.com/jackc/pgx
  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
  - vulnerability: GHSA-x6gf-mpr2-68h6
    package:
      name: github.com/jackc/pgproto3/v2
      version: "v2.3.3"
      type: go-module
    reason: |
      HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
      NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
      pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
      Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
    expiry: "2026-04-21" # 30-day review: no fix path until CrowdSec migrates to pgx/v5.

  # Action items when this suppression expires: the same steps as for GHSA-jqcq-xjh3-6g23 above
  # (check CrowdSec releases, verify with `go version -m /path/to/crowdsec | grep pgproto3`, rebuild
  # and rescan), except that removal takes this entry, the GHSA-jqcq-xjh3-6g23 entry, and both
  # .trivyignore entries together. Extend by 30 days if not yet migrated; after 3+ extensions open
  # an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration.
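The `go version -m` verification in the pgproto3 action items above is worth scripting, because the scanner's database may lag behind a CrowdSec release while the binary's own build info is authoritative. The block below is an added example, not CrowdSec or Charon code: it parses `go version -m` output (a constructed sample is embedded; the `h1:` checksums are placeholders and the `github.com/example/*` pair is invented to exercise replace handling) and answers whether the removal criterion holds, i.e. whether the binary embeds no `github.com/jackc/pgproto3` module at all, or only one at major version 3 or newer.

```python
"""Evaluate the pgproto3 removal criterion from `go version -m` output.

Added example; not CrowdSec or Charon code. `go version -m <binary>` prints
the module list embedded in a Go binary's build info, one tab-separated line
per module (kind, path, version, checksum); a `=>` line directly after a
module records the replacement that was actually compiled in. The criterion
from the action items above: no github.com/jackc/pgproto3 module embedded at
all, or only one at major version 3 or newer (pgx/v5 carries pgproto3/v3).
"""
import re
import sys

# Constructed sample of `go version -m /usr/local/bin/crowdsec`. The h1:
# checksums are placeholders and the github.com/example pair is invented to
# exercise `=>` (replace) handling.
SAMPLE_BEFORE = """\
/usr/local/bin/crowdsec: go1.24.1
\tpath\tgithub.com/crowdsecurity/crowdsec/cmd/crowdsec
\tmod\tgithub.com/crowdsecurity/crowdsec\t(devel)\t
\tdep\tgithub.com/buger/jsonparser\tv1.1.1\th1:PLACEHOLDER=
\tdep\tgithub.com/jackc/pgproto3/v2\tv2.3.3\th1:PLACEHOLDER=
\tdep\tgithub.com/jackc/pgx/v4\tv4.18.3\th1:PLACEHOLDER=
\tdep\tgithub.com/example/old\tv1.0.0\th1:PLACEHOLDER=
\t=>\tgithub.com/example/fork\tv1.0.1\th1:PLACEHOLDER=
\tbuild\t-buildmode=exe
"""


def parse_go_version_m(text):
    """Return {module path: version} for every module embedded in the binary."""
    modules = {}
    last = None  # path of the most recent mod/dep line, the target of a `=>`
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or parts[0] != "":
            continue  # the "<binary>: goX.Y" header, or a malformed line
        kind, path = parts[1], parts[2]
        version = parts[3] if len(parts) > 3 else ""
        if kind in ("mod", "dep"):
            modules[path] = version
            last = path
        elif kind == "=>" and last is not None:
            # the replacement is what got linked; drop the original module
            del modules[last]
            modules[path] = version
            last = None
    return modules


def major_version(path, version):
    """Major version of a module: the /vN path suffix if present, else the tag."""
    m = re.search(r"/v(\d+)$", path)
    if m:
        return int(m.group(1))
    m = re.match(r"v(\d+)\.", version)
    return int(m.group(1)) if m else 0  # v0/v1 have no suffix; "(devel)" counts as 0


def module_fixed(modules, root, min_major):
    """True if no module under `root` is embedded, or every one is at major >= min_major."""
    found = [(p, v) for p, v in modules.items() if p == root or p.startswith(root + "/")]
    return all(major_version(p, v) >= min_major for p, v in found)


def pgproto3_criterion_met(go_version_m_output):
    return module_fixed(parse_go_version_m(go_version_m_output), "github.com/jackc/pgproto3", 3)


if __name__ == "__main__":
    # usage: go version -m /usr/local/bin/crowdsec | python check_pgproto3.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    ok = pgproto3_criterion_met(text)
    print("pgproto3 criterion met" if ok else "pgproto3/v2 still embedded; keep suppression")
    sys.exit(0 if ok else 1)
```

`module_fixed` is deliberately general: the same call with `"github.com/buger/jsonparser"` and the patched major would serve the jsonparser entry once upstream tags a fix, and the `=>` handling matters because a vendor fork pulled in via `replace` is what actually ships, not the path the advisory names.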

  # GHSA-x744-4wpc-v9h2 / CVE-2026-34040: Docker AuthZ plugin bypass via oversized request body
  # Severity: HIGH (CVSS 8.8)
  # CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  # CWE: CWE-863 (Incorrect Authorization)
  # Package: github.com/docker/docker v28.5.2+incompatible (go-module)
  # Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path
  #
  # Vulnerability Details:
  # - Incomplete fix for Docker AuthZ plugin bypass (CVE-2024-41110). An attacker can send an
  #   oversized request body to the Docker daemon, causing it to forward the request to the AuthZ
  #   plugin without the body, allowing unauthorized approvals.
  #
  # Root Cause (No Fix Available for Import Path):
  # - The fix exists in moby/moby v29.3.1, but not for the docker/docker import path that Charon uses.
  # - Migration to moby/moby/v2 is not practical: currently beta with breaking changes.
  # - Fix path: once docker/docker publishes a patched version or moby/moby/v2 stabilizes,
  #   update the dependency and remove this suppression.
  #
  # Risk Assessment: ACCEPTED (Not exploitable in Charon context)
  # - Charon uses the Docker client SDK only (list containers). The vulnerability is server-side
  #   in the Docker daemon's AuthZ plugin handler.
  # - Charon does not run a Docker daemon or use AuthZ plugins.
  # - The attack vector requires local access to the Docker daemon socket with AuthZ plugins enabled.
  # - What the scanner matched is the client library's version string. The daemon code lives in the
  #   host's Docker Engine, which this image scan does not cover, so the host's exposure is decided
  #   by the Engine version and AuthZ plugin setup there and is tracked by host patching, not here.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor docker/docker releases: https://github.com/moby/moby/releases
  # - Monitor moby/moby/v2 stabilization: https://github.com/moby/moby
  # - Weekly CI security rebuild flags the moment a fixed version ships.
  #
  # Review:
  # - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review.
  # - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path.
  #
  # Removal Criteria:
  # - docker/docker publishes a patched version OR moby/moby/v2 stabilizes and migration is feasible
  # - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved
  # - Remove this entry, the GHSA-pxq6-2prw-chj9 entry, and the corresponding .trivyignore entries simultaneously
  #
  # References:
  # - GHSA-x744-4wpc-v9h2: https://github.com/advisories/GHSA-x744-4wpc-v9h2
  # - CVE-2026-34040: https://nvd.nist.gov/vuln/detail/CVE-2026-34040
  # - CVE-2024-41110 (original): https://nvd.nist.gov/vuln/detail/CVE-2024-41110
  # - moby/moby releases: https://github.com/moby/moby/releases
  - vulnerability: GHSA-x744-4wpc-v9h2
    package:
      name: github.com/docker/docker
      version: "v28.5.2+incompatible"
      type: go-module
    reason: |
      HIGH — Docker AuthZ plugin bypass via oversized request body in docker/docker v28.5.2+incompatible.
      Incomplete fix for CVE-2024-41110. Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
      Charon uses Docker client SDK only (list containers); the vulnerability is server-side in the Docker
      daemon's AuthZ plugin handler. Charon does not run a Docker daemon or use AuthZ plugins.
      Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes.
      Reviewed 2026-03-30: no patched release available for docker/docker import path.
    expiry: "2026-04-30" # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification.

  # Action items when this suppression expires:
  # 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases
  # 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby
  # 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable:
  #    a. Update the dependency and rebuild Docker image
  #    b. Run local security-scan-docker-image and confirm finding is resolved
  #    c. Remove this entry, GHSA-pxq6-2prw-chj9 entry, and all corresponding .trivyignore entries
  # 4. If no fix yet: Extend expiry by 30 days and update the review comment above
  # 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility

  # GHSA-pxq6-2prw-chj9 / CVE-2026-33997: Moby off-by-one error in plugin privilege validation
  # Severity: MEDIUM (CVSS 6.8)
  # Package: github.com/docker/docker v28.5.2+incompatible (go-module)
  # Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path
  #
  # Vulnerability Details:
  # - Off-by-one error in Moby's plugin privilege validation allows potential privilege escalation
  #   via crafted plugin configurations.
  #
  # Root Cause (No Fix Available for Import Path):
  # - Same import path issue as GHSA-x744-4wpc-v9h2. The fix exists in moby/moby v29.3.1 but not
  #   for the docker/docker import path that Charon uses.
  # - Fix path: same as GHSA-x744-4wpc-v9h2 — wait for docker/docker patch or moby/moby/v2 stabilization.
  #
  # Risk Assessment: ACCEPTED (Not exploitable in Charon context)
  # - Charon uses the Docker client SDK only (list containers). The vulnerability is in Docker's
  #   plugin privilege validation, which is server-side functionality.
  # - Charon does not run a Docker daemon, install Docker plugins, or interact with plugin privileges.
  # - As with GHSA-x744-4wpc-v9h2, the affected code runs in the host's Docker Engine, which this
  #   image scan does not cover; the host's exposure is tracked by host patching, not by this file.
  #
  # Mitigation (active while suppression is in effect):
  # - Monitor docker/docker releases: https://github.com/moby/moby/releases
  # - Weekly CI security rebuild flags the moment a fixed version ships.
  #
  # Review:
  # - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review.
  # - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path.
  #
  # Removal Criteria:
  # - Same as GHSA-x744-4wpc-v9h2: docker/docker publishes a patched version OR moby/moby/v2 stabilizes
  # - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved
  # - Remove this entry, GHSA-x744-4wpc-v9h2 entry, and all corresponding .trivyignore entries simultaneously
  #
  # References:
  # - GHSA-pxq6-2prw-chj9: https://github.com/advisories/GHSA-pxq6-2prw-chj9
  # - CVE-2026-33997: https://nvd.nist.gov/vuln/detail/CVE-2026-33997
  # - moby/moby releases: https://github.com/moby/moby/releases
  - vulnerability: GHSA-pxq6-2prw-chj9
    package:
      name: github.com/docker/docker
      version: "v28.5.2+incompatible"
      type: go-module
    reason: |
      MEDIUM — Off-by-one error in Moby plugin privilege validation in docker/docker v28.5.2+incompatible.
      Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
      Charon uses Docker client SDK only (list containers); the vulnerability is in Docker's server-side
      plugin privilege validation. Charon does not run a Docker daemon or install Docker plugins.
      Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes.
      Reviewed 2026-03-30: no patched release available for docker/docker import path.
    expiry: "2026-04-30" # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification.

  # Action items when this suppression expires:
  # 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases
  # 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby
  # 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable:
  #    a. Update the dependency and rebuild Docker image
  #    b. Run local security-scan-docker-image and confirm finding is resolved
  #    c. Remove this entry, GHSA-x744-4wpc-v9h2 entry, and all corresponding .trivyignore entries
  # 4. If no fix yet: Extend expiry by 30 days and update the review comment above
  # 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility

# Path exclusions (globs excluded from cataloging; same as --exclude)
# Use sparingly: anything under an excluded path is never scanned at all, so prefer the
# specific, version-pinned ignore rules above. These globs only affect what the cataloger
# walks; the Go module findings above come from the embedded build info of
# /usr/local/bin/crowdsec and /usr/local/bin/cscli, which none of these patterns touch.
exclude:
  - "**/test/**"
  - "**/tests/**"
  - "**/testdata/**"
  - "**/examples/**"
  - "**/*_test.go"

# Exit code policy (same as --fail-on; can be overridden on the CLI)
# Every finding is still reported. The scan exits non-zero only when a finding at
# HIGH or CRITICAL severity remains after the ignore rules are applied; MEDIUM and
# LOW findings do not fail the scan. Suppressed findings are still visible in the
# JSON output under ignoredMatches.
fail-on-severity: high

# Check for a newer Grype release at startup (the application, not the vulnerability
# database). The database is refreshed separately by db.auto-update, which defaults
# to true; run `grype db update` manually to force a refresh.
check-for-app-update: true
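The review loop the comments in this file describe (check the expiry date, rebuild, confirm the finding is gone from grype-results.json, then delete the entry together with its .trivyignore twin) is something CI can enforce rather than a reviewer remembering. The following is an added example, not Charon's or Grype's code. It assumes Grype's JSON output layout (`matches` and `ignoredMatches`, each entry carrying `vulnerability.id` and `artifact.name`/`artifact.version`) and uses a constructed report excerpt plus the first three rules of this file as its inputs; a real run would load the rules with PyYAML and pass the path to grype-results.json.

```python
"""Audit .grype.yaml ignore rules against a Grype JSON report.

Added example; not part of Charon or Grype. It mechanises two checks the
review comments in this file leave to the reviewer:
  1. a rule whose `expiry` date has passed is reported as expired (the
     field is not part of Grype's ignore-rule schema, so nothing else
     enforces it), and
  2. a rule that suppresses nothing in the latest report is stale: the
     fixed package shipped, so the entry and its .trivyignore twin go.
Assumes Grype's JSON output (`grype <image> -o json`): suppressed findings
under `ignoredMatches`, live ones under `matches`, each with
`vulnerability.id` and `artifact.{name,version,type}`.
"""
import json
import sys
from datetime import date

# Constructed: what yaml.safe_load(".grype.yaml")["ignore"] returns for the
# first three rules of this file (PyYAML is used in practice, not here).
IGNORE_RULES = [
    {"vulnerability": "CVE-2026-2673", "expiry": "2026-04-18",
     "package": {"name": "libcrypto3", "version": "3.5.5-r0", "type": "apk"}},
    {"vulnerability": "CVE-2026-2673", "expiry": "2026-04-18",
     "package": {"name": "libssl3", "version": "3.5.5-r0", "type": "apk"}},
    {"vulnerability": "GHSA-6g7g-w4f8-9c9x", "expiry": "2026-04-19",
     "package": {"name": "github.com/buger/jsonparser", "version": "v1.1.1",
                 "type": "go-module"}},
]

# Constructed grype-results.json excerpt for a rebuilt image: libcrypto3 is
# still suppressed; libssl3 moved to 3.5.5-r1 and is still flagged, so the
# version-pinned rule no longer applies; the jsonparser finding is gone.
SAMPLE_REPORT = json.loads("""
{
  "matches": [
    {"vulnerability": {"id": "CVE-2026-2673", "severity": "High"},
     "artifact": {"name": "libssl3", "version": "3.5.5-r1", "type": "apk"}}
  ],
  "ignoredMatches": [
    {"vulnerability": {"id": "CVE-2026-2673", "severity": "High"},
     "artifact": {"name": "libcrypto3", "version": "3.5.5-r0", "type": "apk"},
     "appliedIgnoreRules": [{"vulnerability": "CVE-2026-2673",
       "package": {"name": "libcrypto3", "version": "3.5.5-r0", "type": "apk"}}]}
  ]
}
""")


def _keys(matches):
    """(vulnerability id, package name, package version) for each match."""
    return {(m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"])
            for m in matches}


def _applies(rule, key, check_version=True):
    """Does the rule cover this key? Unset rule fields match anything, as in Grype."""
    pkg = rule.get("package") or {}
    return (rule["vulnerability"] == key[0]
            and pkg.get("name") in (None, key[1])
            and (not check_version or pkg.get("version") in (None, key[2])))


def rule_status(rule, report):
    if any(_applies(rule, k) for k in _keys(report.get("ignoredMatches", []))):
        return "active"     # still suppressing a finding
    if any(_applies(rule, k, check_version=False) for k in _keys(report.get("matches", []))):
        return "unmatched"  # finding is live under another version; the pinned rule is out of date
    return "stale"          # finding is gone; remove the rule


def audit(rules, report, today):
    """Classify every rule; `today` is an ISO date such as "2026-04-01"."""
    cutoff = date.fromisoformat(today)
    results = []
    for rule in rules:
        expiry = rule.get("expiry")
        results.append({
            "vulnerability": rule["vulnerability"],
            "package": (rule.get("package") or {}).get("name"),
            "status": rule_status(rule, report),
            "expired": expiry is None or date.fromisoformat(expiry) < cutoff,
        })
    return results


def blocking(results):
    """Entries that should fail CI: expired, or no longer an active suppression."""
    return [r for r in results if r["expired"] or r["status"] != "active"]


if __name__ == "__main__":
    # usage: python audit_ignores.py grype-results.json (falls back to the sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    results = audit(IGNORE_RULES, report, date.today().isoformat())
    for r in results:
        print(f"{r['vulnerability']:<22} {r['package'] or '*':<30} {r['status']:<10} expired={r['expired']}")
    sys.exit(1 if blocking(results) else 0)
```

Three outcomes cover the cases the removal criteria care about: `active` means the suppression is still doing work and only its date needs review; `unmatched` means the package moved on but the finding did not, so the scan already fails and the pinned rule needs a fresh review rather than a silent version bump; `stale` means the fix landed and the entry (with its .trivyignore twin) should be deleted. Running this after the weekly rebuild turns the "remove suppression immediately once upstream fixes" instruction into a failing job instead of a reminder.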