mirror of
https://github.com/tmdinosaurcenter/kiosk-guestbook.git
synced 2026-06-04 00:10:16 -06:00
ci: suppress 3 unfixed Debian CVEs via .trivyignore
CVE-2025-69720 (ncurses), CVE-2026-27135 (nghttp2), and CVE-2026-29111 (systemd) have no upstream fix available. .trivyignore suppresses them so Trivy can still gate on all other CRITICAL/HIGH findings without relying on the coarser ignore-unfixed flag in the workflow.
@@ -0,0 +1,11 @@
# Unfixed OS-level vulnerabilities in Debian 13 (trixie) base image.
# No fix available upstream as of 2026-04-27; revisit when patches land.
# ncurses: buffer overflow (libncursesw6, libtinfo6, ncurses-base, ncurses-bin)
CVE-2025-69720
# nghttp2: DoS via malformed HTTP/2 frames after session termination (libnghttp2-14)
CVE-2026-27135
# systemd: arbitrary code execution / DoS via spurious IPC (libsystemd0, libudev1)
CVE-2026-29111
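Review bot: The three ignore entries carry no expiry, so once Debian ships a fix for any of them the suppression stays in place and the "revisit when patches land" comment only works if someone remembers to do it. Trivy's `.trivyignore` accepts an expiry after the ID, for example `CVE-2025-69720 exp:2026-07-27`, which makes the gate fail again on that date and forces the revisit; a short dated window also matches the "as of 2026-04-27" note in the header. It would also help to record per entry why the finding is acceptable for this image (which of the listed packages the kiosk actually exercises at runtime), particularly for the systemd entry, which the comment itself describes as arbitrary code execution.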