.trivyignore (forked from solo-io/gloo) · 44 lines (39 loc) · 2.4 KB
# emicklei/go-restful - Authorization Bypass Through User-Controlled Key
# This should be fixed in v2's 2.16.0, although discussions were under way about why it still shows up as an issue.
# https://github.com/emicklei/go-restful/pull/503
CVE-2022-1996
# These CVEs only impact installing Gloo-Edge via the Glooctl CLI.
# The Helm module is also used in testing, which has no bearing on exploitability.
# Gloo-Edge data and control planes are not impacted at all by the helm module.
# Glooctl is not a long-running program, and one run does not affect future uses of Glooctl.
# https://github.com/solo-io/gloo/issues/7598
# https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r
CVE-2022-23524
# https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q
CVE-2022-23525
# https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
CVE-2022-23526
# https://nvd.nist.gov/vuln/detail/CVE-2022-41721
# Ignore this vulnerability; it does not affect the gateway-proxy image.
# No handlers exposed by the control plane fall victim to this attack,
# because we do not use the maxBytesHandler.
CVE-2022-41721
# https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw
# This CVE has not yet been patched in the kubectl version we are using; however, it should not
# affect us, as Kubernetes does not use the affected code path (see the description in
# https://github.com/kubernetes/kubernetes/pull/118036).
CVE-2023-2253
# These CVEs only impact installing Gloo-Edge via the Glooctl CLI.
# It only leads to a panic if a misconfigured / malicious helm plugin is installed,
# and is easily resolved by removing the misconfigured / malicious plugin.
# The helm bump would require bumping the k8s dependencies by +2 minor versions, which can cause issues.
# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
# https://github.com/solo-io/gloo/issues/9186
# https://github.com/solo-io/gloo/issues/9187
# https://github.com/solo-io/gloo/issues/9189
CVE-2024-26147
# Ignore a few istio.io/istio vulnerabilities. These CVEs are from very old versions of istio for which
# patches have already been merged. They come up as false positives from trivy because we pin the
# dependencies and trivy is unable to determine that the pinned versions already have the fix. This is
# due to istio's tags not following go's strict semver, so the dependency falls back to a go pseudo-version.
CVE-2019-14993
CVE-2021-39155
CVE-2021-39156
CVE-2022-23635
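A file like this is a list of accepted risks, so the check a maintainer wants in CI is that every ignored ID still carries a reason and a reference, and that temporary exceptions do not outlive their excuse. The script below is an added example, not code from the Gloo project or from Trivy: it parses a `.trivyignore`, ties each ID to the comment block above it (a block covers every ID that follows it until the next comment, the way the istio entries above share one justification), and reports entries with no justification, no advisory or issue link, or an expiry date that has passed. The optional `exp:YYYY-MM-DD` suffix is assumed to follow Trivy's expiry syntax; the sample file, the placeholder advisory URL and the audit date are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed entry shape: one finding ID per line (CVE-YYYY-NNNN or GHSA-...),
# optional trailing "exp:YYYY-MM-DD" (Trivy's expiry syntax, assumed here),
# and "#" comment lines that justify the entries that follow them.
ENTRY_RE = re.compile(
    r"^(?P<id>[A-Za-z]+-\d{4}-\d+|GHSA-[0-9a-z-]+)"
    r"(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?\s*$"
)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    ident: str
    line_no: int
    justification: list[str] = field(default_factory=list)
    expires: Optional[date] = None

    def problems(self, today: date) -> list[str]:
        """Return the audit findings for this entry (empty list means OK)."""
        if not self.justification:
            return ["no justification comment"]
        out = []
        if not any(URL_RE.search(line) for line in self.justification):
            out.append("no advisory or issue link in justification")
        if self.expires and self.expires < today:
            out.append(f"exception expired on {self.expires.isoformat()}")
        return out


def parse_trivyignore(text: str) -> list[Entry]:
    """Parse .trivyignore text; a comment block applies to every ID that
    follows it until the next comment block appears."""
    entries: list[Entry] = []
    pending: list[str] = []  # comment lines not yet attached to an entry
    current: list[str] = []  # block attached to the most recent entries
    for n, raw in enumerate(text.splitlines(), 1):
        code, _, inline = raw.strip().partition("#")
        code = code.strip()
        if not code:
            if inline.strip():
                pending.append(inline.strip())
            continue  # blank line or pure comment
        m = ENTRY_RE.match(code)
        if not m:
            raise ValueError(f"line {n}: unrecognised .trivyignore entry {raw!r}")
        if pending:  # a new comment block starts a new justification
            current, pending = pending, []
        justification = list(current)
        if inline.strip():  # "CVE-... # reason" on the same line also counts
            justification.append(inline.strip())
        expires = date.fromisoformat(m["exp"]) if m["exp"] else None
        entries.append(Entry(m["id"], n, justification, expires))
    return entries


def audit(text: str, today: date) -> dict[str, list[str]]:
    """Map each ignored ID to its list of problems; duplicates are flagged."""
    report: dict[str, list[str]] = {}
    for entry in parse_trivyignore(text):
        if entry.ident in report:
            report[entry.ident].append(f"duplicated at line {entry.line_no}")
        else:
            report[entry.ident] = entry.problems(today)
    return report


# Constructed sample file exercising each case the audit looks for.
SAMPLE = """\
CVE-2019-14993
# helm/helm - only affects glooctl-based installs (constructed justification)
# https://github.com/helm/helm/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder URL)
CVE-2022-23524
CVE-2022-23525
# Reason written down, but nobody linked the advisory or tracking issue
CVE-2022-41721
CVE-2023-2253
# Temporary exception pending a dependency bump
# https://example.invalid/issues/1 (placeholder URL)
CVE-2024-26147 exp:2024-01-31
"""

if __name__ == "__main__":
    for ident, probs in audit(SAMPLE, date(2024, 6, 1)).items():
        print(f"{ident}: {'OK' if not probs else '; '.join(probs)}")
```

Run it as a CI step with `today = date.today()` and fail the job when any entry has problems; the only judgement call is whether an ID with a reason but no link should block or merely warn, which depends on how strictly the team tracks its accepted risks.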