UID2-6655: Suppress CVE-2026-1584 (gnutls) in .trivyignore (#378)

sunnywu · claude · web-flow · commit c7783289b900 · 2026-02-27T13:32:24.000+11:00
* Upgrade gnutls to fix CVE-2026-1584 vulnerability Add explicit gnutls upgrade in Dockerfile to address HIGH severity vulnerability CVE-2026-1584 in gnutls 3.8.11-r0 (fixed in 3.8.12-r0) in the alpine base image. The vulnerability allows Remote Denial of Service via crafted ClientHello with invalid PSK. Jira: UID2-6655 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * UID2-6655: Add CVE-2026-1584 to .trivyignore instead of upgrading gnutls gnutls is an OS-level library present in the alpine base image but is not used by our Java service. Upgrading it via apk introduces unnecessary risk of breaking system-level dependencies. The vulnerability (Remote DoS via crafted ClientHello) has no impact on our software. CVE-2026-1584 exp:2026-08-27 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.trivyignore b/.trivyignore
@@ -1,3 +1,7 @@
 # List any vulnerability that are to be accepted
-# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ 
+# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/
 # for more details
+
+# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
+# See: UID2-6655
+CVE-2026-1584 exp:2026-08-27
