-
-
Notifications
You must be signed in to change notification settings - Fork 58
Expand file tree
/
Copy path.trivyignore.yaml
More file actions
37 lines (35 loc) · 1.99 KB
/
Copy path.trivyignore.yaml
File metadata and controls
37 lines (35 loc) · 1.99 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Copyright (C) 2026 Garudex Labs. All Rights Reserved.
# Caracal, a product of Garudex Labs
#
# Time-boxed Trivy suppressions for upstream-pending base image CVEs that Caracal cannot remediate by pinning.
# The gcr.io/distroless/nodejs24-debian12:nonroot runtime base ships libssl3
# 3.0.18-1~deb12u2. Debian has published the fix, but the distroless image has
# not been rebuilt yet, and the :nonroot tag still resolves to our pinned digest,
# so there is no newer digest to bump to. These entries expire so the findings
# resurface for re-evaluation once the base image is rebuilt.
vulnerabilities:
- id: CVE-2026-31789
statement: "libssl3 fix pending upstream distroless/nodejs24 rebuild; no newer base digest available."
expired_at: 2026-07-21
- id: CVE-2026-28387
statement: "libssl3 fix pending upstream distroless/nodejs24 rebuild; no newer base digest available."
expired_at: 2026-07-21
- id: CVE-2026-28388
statement: "libssl3 fix pending upstream distroless/nodejs24 rebuild; no newer base digest available."
expired_at: 2026-07-21
- id: CVE-2026-28389
statement: "libssl3 fix pending upstream distroless/nodejs24 rebuild; no newer base digest available."
expired_at: 2026-07-21
- id: CVE-2026-28390
statement: "libssl3 fix pending upstream distroless/nodejs24 rebuild; no newer base digest available."
expired_at: 2026-07-21
- id: CVE-2026-45447
statement: "libssl3 fix pending upstream distroless/nodejs24 rebuild; no newer base digest available."
expired_at: 2026-07-21
# The postgres:18-alpine base image ships gosu built against golang.org/x/sys
# v0.1.0. CVE-2026-39824 is in the x/sys windows package (NewNTUnicodeString),
# which is not compiled into the linux/amd64 gosu binary, so the finding is not
# reachable on this platform. Remediation requires an upstream gosu rebuild.
- id: CVE-2026-39824
statement: "Windows-only x/sys code path in upstream gosu inside postgres:18-alpine; unreachable in linux/amd64 builds."
expired_at: 2026-07-30