chore(trivy): suppress Netty CVE-2026-42580/42581/42585 pending image… #1379

Open

viw-test1 wants to merge 2 commits into aws-observability:main from viw-test1:suppress-netty-cves

Conversation

@viw-test1 (Contributor)

… rebuild

Issue #, if available:

Description of changes:
Suppress 3 newly-published Netty CVEs in daily-scan.trivyignore.yaml to unblock the daily scan workflow:

CVE-2026-42580
CVE-2026-42581
CVE-2026-42585

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@viw-test1 viw-test1 requested a review from a team as a code owner May 22, 2026 21:40
@viw-test1 viw-test1 self-assigned this May 22, 2026
@viw-test1 viw-test1 added the skip changelog doesn't need a CHANGELOG entry label May 22, 2026

@github-actions github-actions Bot left a comment


Overall the change is straightforward and low-risk. A couple of observations:

- id: CVE-2026-42587
statement: "Netty HttpContentDecompressor maxAllocation bypass with br/zstd/snappy Content-Encoding leads to decompression bomb. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42587"
expired_at: 2026-05-22
- id: CVE-2026-42580


Nit: The existing suppressions (CVE-2026-41417, -42583, -42584, -42587) all have expired_at: 2026-05-22 (today). If the image rebuild with netty-bom 4.1.133.Final has not yet landed (which this PR implies, since these new CVEs share the same fix), those older entries will start failing the daily scan today.

Consider extending their expired_at to 2026-06-04 as well in this PR to keep the scan green until the rebuild is complete.

statement: "Netty HttpContentDecompressor maxAllocation bypass with br/zstd/snappy Content-Encoding leads to decompression bomb. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42587"
expired_at: 2026-05-22
- id: CVE-2026-42580
statement: "Netty netty-codec-http vulnerability - pending image rebuild with netty-bom 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42580"
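Review bot: the statement on the CVE-2026-42580 line says "pending image rebuild with netty-bom 4.1.133.Final" but gives no pointer to where that rebuild is tracked, so a later reader of the file cannot tell whether the condition for dropping the suppression has been met; consider adding the rebuild PR or issue reference to the statement next to the AVD link, so the entry can be audited without reconstructing the history from this thread.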


Minor: The existing entries provide specific vulnerability descriptions (e.g. CRLF injection/request smuggling, resource exhaustion, decompression bomb), which helps future reviewers assess risk without following external links. These new entries only say "Netty netty-codec-http vulnerability".

Could you add a brief description of each CVE's actual impact? This makes the suppression more self-documenting and easier to audit.

codecov-commenter commented May 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.19%. Comparing base (09e6487) to head (05495c8).
⚠️ Report is 583 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@              Coverage Diff              @@
##               main    #1379       +/-   ##
=============================================
- Coverage     85.71%   58.19%   -27.52%     
- Complexity       19     1563     +1544     
=============================================
  Files             3      138      +135     
  Lines            49     9554     +9505     
  Branches          5     1332     +1327     
=============================================
+ Hits             42     5560     +5518     
- Misses            3     3485     +3482     
- Partials          4      509      +505     


github-actions Bot commented Jun 12, 2026

Claude finished @liustve's task in 2m 18s
PR Review

  • Read prior review comments to avoid duplicates
  • Reviewed PR diff against origin/main
  • Posted findings

Findings

.github/trivy/daily-scan.trivyignore.yaml lines 28, 31, 34 — expired_at dates have already passed

The three new entries (CVE-2026-42580/42581/42585) were added with expired_at: 2026-06-04. Today is 2026-06-12, so those dates are already 8 days in the past. As soon as this PR merges, the daily scan will re-flag these CVEs immediately — defeating the purpose of the suppression.

Combined with the prior reviewer's still-unaddressed observation that lines 16/19/22/25 are at expired_at: 2026-05-22 (also expired), all 7 suppressions in this file are currently expired. This PR will not unblock the daily scan in its current form.

Recommended action: either land the image rebuild with netty-bom 4.1.133.Final (which removes the need for these suppressions entirely), or push every expired_at to a realistic future date past the actual rebuild ETA (e.g. 2026-07-15). The previous round used a ~13-day window, which empirically proved too short.


Prior review observations (still applicable, not re-posted)

The earlier github-actions[bot] review already flagged two items that remain unaddressed in the current diff — I'm not duplicating them here:

  1. The four pre-existing entries with expired_at: 2026-05-22 should also be extended (line 26 thread).
  2. The new entries' statement fields are generic ("Netty netty-codec-http vulnerability") compared to the specific impact descriptions on the existing entries (line 27 thread).

Note: I attempted to post the new finding as an inline review comment via gh api but the call required interactive approval that wasn't available in this run, so it's posted here instead.
Branch: suppress-netty-cves
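An added audit check for the expired_at problem both reviewers raise above: it lists suppressions that have already lapsed (and so will re-flag the CVE on the next scan) and entries with no expiry at all. This is example code, not part of the PR or the aws-observability repository; it parses only the id/statement/expired_at layout quoted in the thread, on a constructed sample rather than the real daily-scan.trivyignore.yaml, and assumes an entry stops suppressing once the current date reaches expired_at.

```python
import re
from datetime import date

# Constructed sample in the layout of the PR's daily-scan.trivyignore.yaml (made-up text).
SAMPLE_TRIVYIGNORE = """\
vulnerabilities:
  - id: CVE-2026-42587
    statement: "Netty decompression bomb. Fix: bump netty-bom to 4.1.133.Final."
    expired_at: 2026-05-22
  - id: CVE-2026-42580
    statement: "Netty netty-codec-http vulnerability - pending image rebuild."
    expired_at: 2026-06-04
  - id: CVE-2026-42581
    statement: "Netty netty-codec-http vulnerability - pending image rebuild."
"""

_KEY_RE = re.compile(r"^\s*(-\s+)?(id|statement|expired_at):\s*(.*?)\s*$")


def parse_suppressions(text):
    """One dict per '- id:' item; handles only the keys seen in the PR, not full YAML."""
    entries = []
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if not m:
            continue
        dash, key, value = m.groups()
        if dash:                      # '- id:' opens a new list item
            entries.append({})
        if entries:
            entries[-1][key] = value.strip('"')
    return entries


def expired_suppressions(text, today_iso):
    """(id, expired_at, days_overdue) for entries no longer suppressing on today_iso.
    Assumption: an entry stops suppressing once today >= expired_at, the reading the
    reviewers in the thread use; confirm the exact boundary for your Trivy version.
    """
    today, out = date.fromisoformat(today_iso), []
    for e in parse_suppressions(text):
        if "expired_at" in e:
            exp = date.fromisoformat(e["expired_at"])
            if exp <= today:
                out.append((e["id"], e["expired_at"], (today - exp).days))
    return out


def missing_expiry(text):
    """Ids with no expired_at at all: those never lapse, the opposite audit risk."""
    return [e["id"] for e in parse_suppressions(text) if "expired_at" not in e]
```

Run against the real file on the scan date (for this PR, 2026-06-12) and fail the workflow if the first list is non-empty, so an expired suppression is caught before it breaks the daily scan.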
