forked from k8sgateway/k8sgateway
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.trivyignore
64 lines (56 loc) · 3.45 KB
/
.trivyignore
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# emicklei/go-restful - Authorization Bypass Through User-Controlled Key
# This should be fixed in v2's 2.16.0, although talks were undergoing about why this still shows up as an issue.
# https://github.com/emicklei/go-restful/pull/503
CVE-2022-1996
# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
# Also Helm module is used in testing, which has no impact on exploitation.
# Gloo-Edge data and control planes are not impacted at all by the helm module.
# Glooctl is not a long running program, and does not affect future uses of Glooctl.
# https://github.com/solo-io/gloo/issues/7598
# https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r
CVE-2022-23524
# https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q
CVE-2022-23525
# https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
CVE-2022-23526
# https://nvd.nist.gov/vuln/detail/CVE-2022-41721
# Ignore this vulnerability; it does not affect the gateway-proxy image.
# No handlers exposed by the control plane fall victim to this attack
# because we do not use the maxBytesHandler
CVE-2022-41721
# https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw
# This CVE has not yet been patched in the kubectl version we are using, however it should not
# affect us as kubernetes does not use the affected code path (see description in
# https://github.com/kubernetes/kubernetes/pull/118036).
CVE-2023-2253
# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
# It only leads to a panic if there is a misconfigured / malicious helm plugin installed
# and can be easily resolved by removing the misconfigured / malicious plugin
# The helm bump will require bumping the k8s dependencies by +2 minor versions that can cause issues.
# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
# https://github.com/solo-io/gloo/issues/9186
# https://github.com/solo-io/gloo/issues/9187
# https://github.com/solo-io/gloo/issues/9189
CVE-2024-26147
# Ignore a few istio.io/istio vulnerabilities. These CVEs are from very old versions of istio for which patches have already been merged - these come up as false positives from trivy because we pin the dependencies and trivy is unable to determine that the pinned versions already have the fix. This is due to istio's tags not following go's strict semver and therefore falling back to a go pseudo version.
CVE-2019-14993
CVE-2021-39155
CVE-2021-39156
CVE-2022-23635
# Ignore go stdlib vulnerability. Go bump to 1.22.7 in N-1 branches cover this, but older versions we aren't concerned
# about updating as it shouldn't affect us
CVE-2024-34156
# This CVE affects the imroc/req dependency which is used in go-utils
# go-utils exclusively uses this package to upload security scans to Github and as such the vulnerability does not
# impact Gateway functionality
# This dependency is removed in go-utils v0.27.0, so this entry can be removed once all LTS branches are on that version
# or later
CVE-2024-45258
# These CVEs affect the packc/pgx dependency which is used in ext-auth-service
# The dependency is exclusively used in the monetization feature which we don't believe any customer uses and which is
# set to be deprecated
# Nevertheless the CVEs have been addressed in the v1.15 LTS branch and later, however it is impractical to resolve in 1.14
# due to a number of other requisite dependency bumps
# Therefore we include this entry for now and should remove it once 1.14 is no longer an LTS branch
CVE-2024-27289
CVE-2024-27304