.trivyignore
# Trivy ignore file
# Add CVE IDs to ignore specific vulnerabilities
# esbuild Go stdlib vulnerabilities (build-time tool only)
# esbuild is a JS/TS bundler that doesn't use these Go stdlib features
# net/netip: IPv4-mapped IPv6 address parsing - esbuild doesn't do network ops
CVE-2024-24790
# net/http, x/net/http2: HTTP/2 DoS vulnerabilities - esbuild doesn't serve HTTP
CVE-2023-39325
CVE-2023-45288
# filepath: Windows \??\ path prefix - Linux containers only
CVE-2023-45283
# encoding/gob: nested struct decoding - esbuild doesn't use gob
CVE-2024-34156
# database/sql: Postgres race condition - esbuild doesn't use databases
CVE-2025-47907
# archive/tar: GNU sparse map allocation - esbuild doesn't parse tar files
CVE-2025-58183
# crypto/x509: certificate error string DoS - esbuild doesn't validate certs
CVE-2025-61729
# net/url: bracketed IPv6 hostname validation - esbuild doesn't parse URLs
CVE-2025-47912
# encoding/asn1: DER payload memory exhaustion - esbuild doesn't parse ASN.1
CVE-2025-58185
# net/http: cookie parsing memory exhaustion - esbuild doesn't serve HTTP
CVE-2025-58186
# crypto/x509: quadratic name constraint checking - esbuild doesn't validate certs
CVE-2025-58187
# crypto/x509: DSA public key certificate panic - esbuild doesn't validate certs
CVE-2025-58188
# crypto/tls: ALPN negotiation error text leak - esbuild doesn't do TLS
CVE-2025-58189
# encoding/pem: quadratic parsing of invalid inputs - esbuild doesn't parse PEM
CVE-2025-61723
# net/textproto: excessive CPU in ReadResponse - esbuild doesn't do text protocol I/O
CVE-2025-61724
# net/mail: excessive CPU in ParseAddress - esbuild doesn't parse email
CVE-2025-61725
# cmd/cgo: comment parsing code smuggling - esbuild binary is pre-compiled, no cgo at runtime
CVE-2025-61732
# golang.org/x/net/html: infinite loop in html.Parse - esbuild doesn't parse HTML
CVE-2025-58190
# golang.org/x/net/html: quadratic complexity in html.Parse - esbuild doesn't parse HTML
CVE-2025-47911
# net/http: request smuggling - esbuild doesn't serve HTTP
CVE-2025-22871
# crypto/tls: unexpected session resumption - esbuild doesn't do TLS
CVE-2025-68121
# net/url: memory exhaustion in query parameter parsing - esbuild doesn't parse URLs
CVE-2025-61726
# archive/zip: excessive CPU building archive index - esbuild doesn't process zip files
CVE-2025-61728
# crypto/tls: TLS 1.3 handshake multiple messages in records - esbuild doesn't do TLS
CVE-2025-61730
# Debian system packages - not used by Node.js runtime
# libgnutls30: GnuTLS SAN export - Node.js uses OpenSSL, not GnuTLS
CVE-2025-32988
# libgnutls30: GnuTLS certtool parsing - certtool not used at runtime
CVE-2025-32990
# perl-base: CPAN TLS verification - CPAN module installer not used at runtime
CVE-2023-31484
# gpgv: GnuPG out-of-bounds write - gpg signature verification not used at runtime
CVE-2025-68973
# libpam: directory traversal - PAM auth not used by Node.js/Bun runtime
CVE-2025-6020
# minimatch: ReDoS via crafted glob patterns - transitive dev dep (ESLint), not exposed to user input
CVE-2026-26996
CVE-2026-27903
CVE-2026-27904
# node-tar: symlink poisoning, path traversal, race condition, hardlink exploits
# tar is a transitive build/install dep, not used to extract untrusted archives at runtime
CVE-2026-23745
CVE-2026-23950
CVE-2026-24842
CVE-2026-26960
CVE-2026-29786
# TODO: Remove these ignores once fixed
# TODO: glob command injection - Already fixed in bun.lock (10.5.0+)
# Check: Rebuild Docker image and re-run Trivy scan to confirm fix
# Remove this ignore once scan passes without it
CVE-2025-64756
# TODO: glibc setuid/dlopen vulnerability
# Check: Update base image when Debian 12.12 is released (fixes libc 2.36-9+deb12u11)
# Remove this ignore once base image is updated
CVE-2025-4802
CVE-2026-22774
CVE-2026-22775
CVE-2026-31802
CVE-2026-25679
CVE-2026-27142
# kysely: SQL injection via JSON path keys / backslash escaping in sql.lit()
# Transitive dep of @inlang/sdk (i18n tooling), not used in app code. Uses internal SQLite only.
CVE-2026-32763
CVE-2026-33468
# picomatch: ReDoS via crafted extglob patterns - transitive dep of rollup/micromatch, build-time only
CVE-2026-33671
# crypto/x509: excessive work during certificate chain building - esbuild doesn't validate certs
CVE-2026-32280
# syscall/unix: Root.Chmod follows symlinks outside root - esbuild doesn't use Root.Chmod
CVE-2026-32282
# crypto/x509: DoS via inefficient certificate chain validation - esbuild doesn't validate certs
CVE-2026-32281
# crypto/tls: DoS via multiple TLS 1.3 key update messages - esbuild doesn't do TLS
CVE-2026-32283
# net: LookupCNAME DoS via very long CNAME chain - esbuild doesn't do DNS
CVE-2026-33811
# net/http: HTTP/2 SETTINGS frame infinite loop - esbuild doesn't serve HTTP/2
CVE-2026-33814
# net/mail: ParseAddress/ParseAddressList DoS on crafted input - esbuild doesn't parse email
CVE-2026-39820
# net: Dial/LookupPort NUL byte panic on Windows - Linux containers only
CVE-2026-39836
# net/mail: DoS via consumePhrase - esbuild doesn't parse email
CVE-2026-42499