|
4 | 4 | # Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore |
5 | 5 |
|
6 | 6 | ignore: |
7 | | - # GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability |
8 | | - # Severity: HIGH (CVSS 8.1) |
9 | | - # Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy) |
10 | | - # Status: Cannot upgrade — smallstep/certificates v0.30.0-rc2 still pins nebula v1.9.x |
11 | | - # |
12 | | - # Vulnerability Details: |
13 | | - # - ECDSA signature malleability allows bypassing certificate blocklists |
14 | | - # - Attacker can forge alternate valid P256 ECDSA signatures for revoked |
15 | | - # certificates (CVSSv3: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) |
16 | | - # - Only affects configurations using Nebula-based certificate authorities |
17 | | - # (non-default and uncommon in Charon deployments) |
18 | | - # |
19 | | - # Root Cause (Compile-Time Dependency Lock): |
20 | | - # - Caddy is built with caddy-security plugin, which transitively requires |
21 | | - # github.com/smallstep/certificates. That package pins nebula v1.9.x. |
22 | | - # - Checked: smallstep/certificates v0.27.5 → v0.30.0-rc2 all require nebula v1.9.4–v1.9.7. |
23 | | - # The nebula v1.10 API removal breaks compilation in the |
24 | | - # authority/provisioner package; xcaddy build fails with upgrade attempted. |
25 | | - # - Dockerfile caddy-builder stage pins nebula@v1.9.7 (Renovate tracked) with |
26 | | - # an inline comment explaining the constraint (Dockerfile line 247). |
27 | | - # - Fix path: once smallstep/certificates releases a version requiring |
28 | | - # nebula v1.10+, remove the pin and this suppression simultaneously. |
29 | | - # |
30 | | - # Risk Assessment: ACCEPTED (Low exploitability in Charon context) |
31 | | - # - Charon uses standard ACME/Let's Encrypt TLS; Nebula VPN PKI is not |
32 | | - # enabled by default and rarely configured in Charon deployments. |
33 | | - # - Exploiting this requires a valid certificate sharing the same issuer as |
34 | | - # a revoked one — an uncommon and targeted attack scenario. |
35 | | - # - Container-level isolation reduces the attack surface further. |
36 | | - # |
37 | | - # Mitigation (active while suppression is in effect): |
38 | | - # - Monitor smallstep/certificates releases at https://github.com/smallstep/certificates/releases |
39 | | - # - Weekly CI security rebuild flags any new CVEs in the full image. |
40 | | - # - Renovate annotation in Dockerfile (datasource=go depName=github.com/slackhq/nebula) |
41 | | - # will surface the pin for review when xcaddy build becomes compatible. |
42 | | - # |
43 | | - # Review: |
44 | | - # - Reviewed 2026-02-19: smallstep/certificates latest stable remains v0.27.5; |
45 | | - # no release requiring nebula v1.10+ has shipped. Suppression extended 14 days. |
46 | | - # - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days. |
47 | | - # - Next review: 2026-04-12. Remove suppression immediately once upstream fixes. |
48 | | - # |
49 | | - # Removal Criteria: |
50 | | - # - smallstep/certificates releases a stable version requiring nebula v1.10+ |
51 | | - # - Update Dockerfile caddy-builder patch to use the new versions |
52 | | - # - Rebuild image, run security scan, confirm suppression no longer needed |
53 | | - # - Remove both this entry and the corresponding .trivyignore entry |
54 | | - # |
55 | | - # References: |
56 | | - # - GHSA: https://github.com/advisories/GHSA-69x3-g4r3-p962 |
57 | | - # - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793 |
58 | | - # - smallstep/certificates: https://github.com/smallstep/certificates/releases |
59 | | - # - Dockerfile pin: caddy-builder stage, line ~247 (go get nebula@v1.9.7) |
60 | | - - vulnerability: GHSA-69x3-g4r3-p962 |
61 | | - package: |
62 | | - name: github.com/slackhq/nebula |
63 | | - version: "v1.9.7" |
64 | | - type: go-module |
65 | | - reason: | |
66 | | - HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy. |
67 | | - Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-03-13) |
68 | | - still requires nebula v1.9.x (verified across v0.27.5–v0.30.0-rc2). Charon does |
69 | | - not use Nebula VPN PKI by default. Risk accepted pending upstream smallstep fix. |
70 | | - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days. |
71 | | - expiry: "2026-04-12" # Re-evaluated 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days. |
72 | | - |
73 | | - # Action items when this suppression expires: |
74 | | - # 1. Check smallstep/certificates releases: https://github.com/smallstep/certificates/releases |
75 | | - # 2. If a stable version requires nebula v1.10+: |
76 | | - # a. Update Dockerfile caddy-builder: remove the `go get nebula@v1.9.7` pin |
77 | | - # b. Optionally bump smallstep/certificates to the new version |
78 | | - # c. Rebuild Docker image and verify no compile failures |
79 | | - # d. Re-run local security-scan-docker-image and confirm clean result |
80 | | - # e. Remove this suppression entry |
81 | | - # 3. If no fix yet: Extend expiry by 14 days and document justification |
82 | | - # 4. If extended 3+ times: Open upstream issue on smallstep/certificates |
83 | | - |
84 | 7 | # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade |
85 | 8 | # Severity: HIGH (CVSS 7.5) |
86 | 9 | # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk) |
@@ -153,161 +76,6 @@ ignore: |
153 | 76 | Risk accepted pending Alpine upstream patch. |
154 | 77 | expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items. |
155 | 78 |
|
156 | | - # CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash |
157 | | - # Severity: CRITICAL (CVSS 9.1) |
158 | | - # Package: google.golang.org/grpc v1.74.2 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) |
159 | | - # Status: Fix available at v1.79.3 — waiting on CrowdSec upstream to release with patched grpc |
160 | | - # |
161 | | - # Vulnerability Details: |
162 | | - # - gRPC-Go server path-based authorization (grpc/authz) fails to match deny rules when |
163 | | - # the HTTP/2 :path pseudo-header is missing its leading slash (e.g., "Service/Method" |
164 | | - # instead of "/Service/Method"), allowing a fallback allow-rule to grant access instead. |
165 | | - # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
166 | | - # |
167 | | - # Root Cause (Third-Party Binary): |
168 | | - # - Charon's own grpc dependency is patched to v1.79.3 (updated 2026-03-19). |
169 | | - # - CrowdSec ships grpc v1.74.2 compiled into its binary; Charon has no control over this. |
170 | | - # - This is a server-side vulnerability. CrowdSec uses grpc as a server; Charon uses it |
171 | | - # only as a client (via the Docker SDK). CrowdSec's internal grpc server is not exposed |
172 | | - # to external traffic in a standard Charon deployment. |
173 | | - # - Fix path: once CrowdSec releases a version built with grpc >= v1.79.3, rebuild the |
174 | | - # Docker image (Renovate tracks the CrowdSec version) and remove this suppression. |
175 | | - # |
176 | | - # Risk Assessment: ACCEPTED (Constrained exploitability in Charon context) |
177 | | - # - The vulnerable code path requires an attacker to reach CrowdSec's internal grpc server, |
178 | | - # which is bound to localhost/internal interfaces in the Charon container network. |
179 | | - # - Container-level isolation (no exposed grpc port) significantly limits exposure. |
180 | | - # - Charon does not configure grpc/authz deny rules on CrowdSec's server. |
181 | | - # |
182 | | - # Mitigation (active while suppression is in effect): |
183 | | - # - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases |
184 | | - # - Weekly CI security rebuild flags the moment a fixed CrowdSec image ships. |
185 | | - # |
186 | | - # Review: |
187 | | - # - Reviewed 2026-03-19 (initial suppression): grpc v1.79.3 fix exists; CrowdSec has not |
188 | | - # yet shipped an updated release. Suppression set for 14-day review given fix availability. |
189 | | - # - Next review: 2026-04-02. Remove suppression once CrowdSec ships with grpc >= v1.79.3. |
190 | | - # |
191 | | - # Removal Criteria: |
192 | | - # - CrowdSec releases a version built with google.golang.org/grpc >= v1.79.3 |
193 | | - # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved |
194 | | - # - Remove this entry and the corresponding .trivyignore entry simultaneously |
195 | | - # |
196 | | - # References: |
197 | | - # - GHSA-p77j-4mvh-x3m3: https://github.com/advisories/GHSA-p77j-4mvh-x3m3 |
198 | | - # - CVE-2026-33186: https://nvd.nist.gov/vuln/detail/CVE-2026-33186 |
199 | | - # - grpc fix (v1.79.3): https://github.com/grpc/grpc-go/releases/tag/v1.79.3 |
200 | | - # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases |
201 | | - - vulnerability: CVE-2026-33186 |
202 | | - package: |
203 | | - name: google.golang.org/grpc |
204 | | - version: "v1.74.2" |
205 | | - type: go-module |
206 | | - reason: | |
207 | | - CRITICAL — gRPC-Go authorization bypass in grpc v1.74.2 embedded in /usr/local/bin/crowdsec |
208 | | - and /usr/local/bin/cscli. Fix available at v1.79.3 (Charon's own dep is patched); waiting |
209 | | - on CrowdSec upstream to release with patched grpc. CrowdSec's grpc server is not exposed |
210 | | - externally in a standard Charon deployment. Risk accepted pending CrowdSec upstream fix. |
211 | | - Reviewed 2026-03-19: CrowdSec has not yet released with grpc >= v1.79.3. |
212 | | - expiry: "2026-04-02" # 14-day review: fix exists at v1.79.3; check CrowdSec releases. |
213 | | - |
214 | | - # Action items when this suppression expires: |
215 | | - # 1. Check CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases |
216 | | - # 2. If CrowdSec ships with grpc >= v1.79.3: |
217 | | - # a. Renovate should auto-PR the new CrowdSec version in the Dockerfile |
218 | | - # b. Merge the Renovate PR, rebuild Docker image |
219 | | - # c. Run local security-scan-docker-image and confirm grpc v1.74.2 is gone |
220 | | - # d. Remove this suppression entry and the corresponding .trivyignore entry |
221 | | - # 3. If no fix yet: Extend expiry by 14 days and document justification |
222 | | - # 4. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec |
223 | | - |
224 | | - # CVE-2026-33186 (Caddy) — see full justification in the CrowdSec entry above |
225 | | - # Package: google.golang.org/grpc v1.79.1 (embedded in /usr/bin/caddy) |
226 | | - # Status: Fix available at v1.79.3 — waiting on a new Caddy release built with patched grpc |
227 | | - - vulnerability: CVE-2026-33186 |
228 | | - package: |
229 | | - name: google.golang.org/grpc |
230 | | - version: "v1.79.1" |
231 | | - type: go-module |
232 | | - reason: | |
233 | | - CRITICAL — gRPC-Go authorization bypass in grpc v1.79.1 embedded in /usr/bin/caddy. |
234 | | - Fix available at v1.79.3; waiting on Caddy upstream to release a build with patched grpc. |
235 | | - Caddy's grpc server is not exposed externally in a standard Charon deployment. |
236 | | - Risk accepted pending Caddy upstream fix. Reviewed 2026-03-19: no Caddy release with grpc >= v1.79.3 yet. |
237 | | - expiry: "2026-04-02" # 14-day review: fix exists at v1.79.3; check Caddy releases. |
238 | | - |
239 | | - # Action items when this suppression expires: |
240 | | - # 1. Check Caddy releases: https://github.com/caddyserver/caddy/releases |
241 | | - # (or the custom caddy-builder in the Dockerfile for caddy-security plugin) |
242 | | - # 2. If a new Caddy build ships with grpc >= v1.79.3: |
243 | | - # a. Update the Caddy version pin in the Dockerfile caddy-builder stage |
244 | | - # b. Rebuild Docker image and run local security-scan-docker-image |
245 | | - # c. Remove this suppression entry and the corresponding .trivyignore entry |
246 | | - # 3. If no fix yet: Extend expiry by 14 days and document justification |
247 | | - # 4. If extended 3+ times: Open an issue on caddyserver/caddy |
248 | | - |
249 | | - # GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture) |
250 | | - # Severity: HIGH (CVSS 7.5) |
251 | | - # Package: github.com/russellhaering/goxmldsig v1.5.0 (embedded in /usr/bin/caddy) |
252 | | - # Status: Fix available at v1.6.0 — waiting on a new Caddy release built with patched goxmldsig |
253 | | - # |
254 | | - # Vulnerability Details: |
255 | | - # - Loop variable capture in validateSignature causes the signature reference to always |
256 | | - # point to the last element in SignedInfo.References; an attacker can substitute signed |
257 | | - # element content and bypass XML signature integrity validation (CWE-347, CWE-682). |
258 | | - # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
259 | | - # |
260 | | - # Root Cause (Third-Party Binary): |
261 | | - # - Charon does not use goxmldsig directly. The package is compiled into /usr/bin/caddy |
262 | | - # via the caddy-security plugin's SAML/SSO support. |
263 | | - # - Fix path: once Caddy (or the caddy-security plugin) releases a build with |
264 | | - # goxmldsig >= v1.6.0, rebuild the Docker image and remove this suppression. |
265 | | - # |
266 | | - # Risk Assessment: ACCEPTED (Low exploitability in default Charon context) |
267 | | - # - The vulnerability only affects SAML/XML signature validation workflows. |
268 | | - # - Charon does not enable or configure SAML-based SSO in its default setup. |
269 | | - # - Exploiting this requires an active SAML integration, which is non-default. |
270 | | - # |
271 | | - # Mitigation (active while suppression is in effect): |
272 | | - # - Monitor caddy-security plugin releases: https://github.com/greenpau/caddy-security/releases |
273 | | - # - Monitor Caddy releases: https://github.com/caddyserver/caddy/releases |
274 | | - # - Weekly CI security rebuild flags the moment a fixed image ships. |
275 | | - # |
276 | | - # Review: |
277 | | - # - Reviewed 2026-03-19 (initial suppression): goxmldsig v1.6.0 fix exists; Caddy has not |
278 | | - # yet shipped with the updated dep. Set 14-day review given fix availability. |
279 | | - # - Next review: 2026-04-02. Remove suppression once Caddy ships with goxmldsig >= v1.6.0. |
280 | | - # |
281 | | - # Removal Criteria: |
282 | | - # - Caddy (or caddy-security plugin) releases a build with goxmldsig >= v1.6.0 |
283 | | - # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved |
284 | | - # - Remove this entry and the corresponding .trivyignore entry simultaneously |
285 | | - # |
286 | | - # References: |
287 | | - # - GHSA-479m-364c-43vc: https://github.com/advisories/GHSA-479m-364c-43vc |
288 | | - # - goxmldsig v1.6.0 fix: https://github.com/russellhaering/goxmldsig/releases/tag/v1.6.0 |
289 | | - # - caddy-security plugin: https://github.com/greenpau/caddy-security/releases |
290 | | - - vulnerability: GHSA-479m-364c-43vc |
291 | | - package: |
292 | | - name: github.com/russellhaering/goxmldsig |
293 | | - version: "v1.5.0" |
294 | | - type: go-module |
295 | | - reason: | |
296 | | - HIGH — XML signature validation bypass in goxmldsig v1.5.0 embedded in /usr/bin/caddy. |
297 | | - Fix available at v1.6.0; waiting on Caddy upstream to release a build with patched goxmldsig. |
298 | | - Charon does not configure SAML-based SSO by default; the vulnerable XML signature path |
299 | | - is not reachable in a standard deployment. Risk accepted pending Caddy upstream fix. |
300 | | - Reviewed 2026-03-19: no Caddy release with goxmldsig >= v1.6.0 yet. |
301 | | - expiry: "2026-04-02" # 14-day review: fix exists at v1.6.0; check Caddy/caddy-security releases. |
302 | | - |
303 | | - # Action items when this suppression expires: |
304 | | - # 1. Check caddy-security releases: https://github.com/greenpau/caddy-security/releases |
305 | | - # 2. If a new build ships with goxmldsig >= v1.6.0: |
306 | | - # a. Update the Caddy version pin in the Dockerfile caddy-builder stage if needed |
307 | | - # b. Rebuild Docker image and run local security-scan-docker-image |
308 | | - # c. Remove this suppression entry and the corresponding .trivyignore entry |
309 | | - # 3. If no fix yet: Extend expiry by 14 days and document justification |
310 | | - |
311 | 79 | # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS) |
312 | 80 | # Severity: HIGH (CVSS 7.5) |
313 | 81 | # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) |
|