Commit b46f88d
UID2-7376: suppress CVE-2026-2100 (p11-kit) - not exploitable
CVE-2026-2100 is a NULL pointer dereference in p11-kit (Alpine base image)
triggered via C_DeriveKey. Our services are pure Java: the JVM uses JSSE for
TLS and the Java cacerts keystore for trust, and never loads the native
p11-kit PKCS#11 module loader or calls C_DeriveKey, so the vulnerable code
path is not reachable.
Following the established treatment for non-exploitable native base-image
CVEs (cf. CVE-2026-45447 libcrypto3), this is suppressed in .trivyignore with
a 'not reachable from the JVM' rationale and an expiry, rather than upgraded.
A fix exists in Alpine v3.23 (>= 0.26.2-r0) but the pinned eclipse-temurin
base image has not yet been rebuilt with it; the expiry resurfaces this for
review once that lands.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent d2be4c8 commit b46f88d
1 file changed
Lines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
0 commit comments