Suppress grpc CVE for cloud_sql_proxy in gitpod-db

geropl · ona-agent · corneliusludmann · commit 1217583c34dc · 2026-03-25T13:39:41.000+01:00
The gitpod-db component is no longer deployed in any environment.
The cloud_sql_proxy binary (v1.37.14) ships grpc v1.79.2; no v1.x
release includes the fix (v1.79.3).

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/WORKSPACE.yaml b/WORKSPACE.yaml
@@ -45,6 +45,11 @@ sbom:
     - vulnerability: GHSA-2jcg-qqmg-46q6
       reason: |
         This is a false positive. See https://github.com/browserify/resolve/issues/303
+    - vulnerability: GHSA-p77j-4mvh-x3m3
+      reason: |
+        The only remaining instance is in the cloud_sql_proxy binary (v1.37.14, grpc v1.79.2)
+        bundled in gitpod-db. This component is no longer deployed in any environment.
+        No upstream cloud_sql_proxy v1.x release includes the fix (grpc v1.79.3).
 environmentManifest:
   - name: "go"
     command: ["sh", "-c", "go version | sed s/arm/amd/"]
