From d6415cb1077c63ae1f0702533d5c79e87c38a522 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Mon, 23 Feb 2026 12:56:51 +0000
Subject: [PATCH 1/9] envrc ignored
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 7061e3a..35bc1fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ node_modules/
 src/base/.devcontainer/language_versions/
 .trivyignore_combined.yaml
 .out/
+.envrc
From 91ec9d6183d13cc625524728072440a31c6981d8 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Mon, 23 Feb 2026 12:57:04 +0000
Subject: [PATCH 2/9] terraform image
---
 .../.devcontainer/.tool-versions | 1 +
 .../.devcontainer/Dockerfile | 39 +++++++
 .../.devcontainer/devcontainer.json | 18 +++
 .../.devcontainer/scripts/root_install.sh | 7 ++
 .../.devcontainer/scripts/vscode_install.sh | 6 +
 .../eps-storage-terraform/.trivyignore.yaml | 107 ++++++++++++++++++
 src/projects/eps-storage-terraform/trivy.yaml | 1 +
 7 files changed, 179 insertions(+)
 create mode 100644 src/projects/eps-storage-terraform/.devcontainer/.tool-versions
 create mode 100644 src/projects/eps-storage-terraform/.devcontainer/Dockerfile
 create mode 100644 src/projects/eps-storage-terraform/.devcontainer/devcontainer.json
 create mode 100755 src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh
 create mode 100755 src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh
 create mode 100644 src/projects/eps-storage-terraform/.trivyignore.yaml
 create mode 100644 src/projects/eps-storage-terraform/trivy.yaml
diff --git a/src/projects/eps-storage-terraform/.devcontainer/.tool-versions b/src/projects/eps-storage-terraform/.devcontainer/.tool-versions
new file mode 100644
index 0000000..209b802
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/.tool-versions
@@ -0,0 +1 @@
+terraform 1.14.2
diff --git a/src/projects/eps-storage-terraform/.devcontainer/Dockerfile b/src/projects/eps-storage-terraform/.devcontainer/Dockerfile
new file mode 100644
index 0000000..8226af2
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/Dockerfile
@@ -0,0 +1,39 @@
+ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG}
+
+FROM ${BASE_IMAGE}
+
+ARG SCRIPTS_DIR=/usr/local/share/eps
+ARG CONTAINER_NAME
+ARG MULTI_ARCH_TAG
+ARG BASE_VERSION_TAG
+ARG IMAGE_TAG
+ARG TARGETARCH
+
+ENV SCRIPTS_DIR=${SCRIPTS_DIR}
+ENV CONTAINER_NAME=${CONTAINER_NAME}
+ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
+ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
+
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+
+USER root
+COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+RUN ./root_install.sh
+
+USER vscode
+
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY .tool-versions /tmp/.tool-versions
+RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
+
+RUN ./vscode_install.sh
+
+# Switch back to root to install the devcontainer CLI globally
+USER root
diff --git a/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json b/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..95c0a22
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json
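Review bot: `LABEL org.opencontainers.image.base.name=${BASE_IMAGE}` expands to an empty value, because BASE_IMAGE is only declared before `FROM` and, unlike BASE_VERSION_TAG, is never redeclared inside the stage, so the provenance label that should tie this image to its base is silently lost; add `ARG BASE_IMAGE` on the line after `FROM ${BASE_IMAGE}` (a bare redeclaration picks up the pre-FROM default). The file also ends on `USER root` under a comment about installing the devcontainer CLI, but no install follows, so the published image runs as root by default; either add the install and finish with `USER vscode`, or drop the trailing switch. `ARG BASE_VERSION_TAG=latest` means an unparameterised build tracks a mutable tag rather than a pinned tag or digest, which undermines reproducibility of the terraform toolchain this image exists to pin. `COPY .tool-versions /tmp/.tool-versions` also leaves the file in a layer after root_install.sh has already cleaned /tmp; a `RUN --mount=type=bind,source=.tool-versions,target=/tmp/.tool-versions cat ... >> ...` would avoid that.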
@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+ "name": "EPS Devcontainer node_24 python_3.13",
+ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+ "build": {
+ "dockerfile": "Dockerfile",
+ "args": {
+ "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
+ "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
+ "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
+ "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
+ },
+ "context": "."
+ },
+ "features": {}
+ }
+
diff --git a/src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh b/src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh
new file mode 100755
index 0000000..474c45b
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+# clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh b/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh
new file mode 100755
index 0000000..d47719f
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+# install terraform using asdf
+asdf plugin add terraform
+asdf install
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
new file mode 100644
index 0000000..4443daa
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.trivyignore.yaml
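Review bot: `"BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}"` has no fallback, so a developer who has not exported the variable will, as far as I can tell from the devcontainer substitution rules, pass an empty build arg, which overrides the Dockerfile's `latest` default instead of falling back to it and leaves the FROM reference with no tag at all; either give the substitution a default (`${localEnv:BASE_VERSION_TAG:<pinned tag>}`, if the CLI in use supports the default form) or document that these variables are required and where they come from (the `.envrc` ignore in patch 1 suggests direnv). `"name": "EPS Devcontainer node_24 python_3.13"` is copied from the base template and describes the base image rather than this terraform container; `"name": "EPS Devcontainer eps-storage-terraform"` would match the directory. The leading `// For format details ...` and `// Or use a Dockerfile ...` comments are template boilerplate and can go.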
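Review bot: `asdf plugin add terraform` resolves the short name through the asdf plugin registry and clones whatever commit the plugin's default branch is at, so the terraform version is pinned in .tool-versions but the code that downloads and verifies it is not, which is the weak link in this image's supply chain. Add the repository explicitly and pin the checkout, e.g. `asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git` followed by `git -C "${ASDF_DATA_DIR:-$HOME/.asdf}/plugins/terraform" checkout <commit>` (confirm the registry's current source for the terraform short name before hard-coding it). It is also worth recording in a comment whether that plugin checks the HashiCorp SHA256SUMS for the downloaded zip, since that is what the pinned version actually buys you.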
@@ -0,0 +1,107 @@
+vulnerabilities:
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2026-25547
+ statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
+ purls:
+ - "pkg:npm/%40isaacs/brace-expansion@5.0.0"
+ expired_at: 2026-08-12
+ - id: CVE-2025-64756
+ statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames"
+ purls:
+ - "pkg:npm/glob@10.4.5"
+ - "pkg:npm/glob@11.0.3"
+ expired_at: 2026-08-12
+ - id: CVE-2026-23745
+ statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2026-23950
+ statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2026-24842
+ statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
diff --git a/src/projects/eps-storage-terraform/trivy.yaml b/src/projects/eps-storage-terraform/trivy.yaml
new file mode 100644
index 0000000..06fd4b7
--- /dev/null
+++ b/src/projects/eps-storage-terraform/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/projects/eps-storage-terraform/.trivyignore_combined.yaml"
From 002b4b08d4f64ffa52010e759f87c21f0461b335 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Wed, 25 Feb 2026 15:41:28 +0000
Subject: [PATCH 3/9] double quotes
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ac47623..5c473f5 100644
--- a/README.md
+++ b/README.md
@@ -62,9 +62,9 @@ USER root
 # specify DOCKER_GID to force container docker group id to match host
 RUN if [ -n "${DOCKER_GID}" ]; then \
 if ! getent group docker; then \
- groupadd -g ${DOCKER_GID} docker; \
+ groupadd -g "${DOCKER_GID}" docker; \
 else \
- groupmod -g ${DOCKER_GID} docker; \
+ groupmod -g "${DOCKER_GID}" docker; \
 fi && \
 usermod -aG docker vscode; \
 fi
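Review bot: This new ignore file is byte-identical to src/projects/fhir_facade_api/.trivyignore.yaml (both have blob `4443daa`, see the `index` lines), so it was copied from another project rather than produced from a scan of this terraform image, and it suppresses findings (firefox, glob, node-tar) without anyone having decided they apply here. Every `statement` is also just the CVE's upstream title, not the reason the finding is acceptable; the file records what is ignored but not the risk decision, which for the node-tar arbitrary-file-overwrite entries on `pkg:npm/tar@7.5.1` (CVE-2026-23745/23950/24842) should name which tool pulls tar in and why it never extracts untrusted archives, e.g. `statement: "node-tar is a transitive dependency of the npm CLI in the base image; no user-supplied archives are extracted in this devcontainer"`. The same four firefox CVEs are repeated five times across the 147.0.3/147.0.4 and amd64/arm64 purls with three different expiry dates (2026-08-12, -13, -16); one entry per CVE with all purls under `purls:` (the shape src/common/.trivyignore.yaml already uses) keeps the file reviewable and the expiry consistent. Start this file from the actual scan of the terraform image and keep only what it reports.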
From de15bf6f5fd4f8a7d0a5eb953087735d50771f71 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Wed, 25 Feb 2026 16:14:12 +0000
Subject: [PATCH 4/9] readme update
---
 README.md | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 5c473f5..104ce8c 100644
--- a/README.md
+++ b/README.md
@@ -108,24 +108,15 @@ IMAGE_NAME and IMAGE_VERSION should be changed as appropriate.
 You should not need to add any features as these are already baked into the image
 ## Getting image name and version in GitHub Actions
-This job should be used in GitHub Actions wherever you need to get the dev container name or tag
+This shared workflow should be used in GitHub Actions wherever you need to get the dev container name or tag.
+
+verify_published_from_main_image should be set to false for testing pull request images.
 ```
 get_config_values:
- runs-on: ubuntu-22.04
- outputs:
- devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }}
- devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
- steps:
- - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- - name: Load config value
- id: load-config
- run: |
- DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
- DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
- echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
- echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
+ uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+ with:
+ verify_published_from_main_image: false
 ```
 ## Using images in GitHub Actions
 To use the image in GitHub Actions, you should first verify the attestation of the image and reference the image by the digest
From 6bf3826142596ce51217c3af8c25c576366bdf81 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Wed, 25 Feb 2026 16:15:52 +0000
Subject: [PATCH 5/9] readme update
---
 README.md | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 104ce8c..388b233 100644
--- a/README.md
+++ b/README.md
@@ -123,16 +123,11 @@ To use the image in GitHub Actions, you should first verify the attestation of t
 For CI and release pipelines, you should set verify_published_from_main_image to ensure that only images published from main are used.
 ```
 jobs:
- verify_attestation:
- uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@
- with:
- runtime_docker_image: "${{ inputs.runtime_docker_image }}"
- verify_published_from_main_image: false
 my_job_name:
 runs-on: ubuntu-22.04
- needs: verify_attestation
+ needs: get_config_values
 container:
- image: ${{ needs.verify_attestation.outputs.pinned_image }}
+ image: ${{ needs.get_config_values.outputs.pinned_image }}
 options: --user 1001:1001 --group-add 128
 defaults:
 run:
@@ -144,7 +139,6 @@ jobs:
 ... other steps ....
 ```
 It is important that:
-- the image specified uses the tag starting githubactions-
 - there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group
 - the default shell is set to be bash
 - the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions
From 85f7612f673c1fd94247c286280c2dfa066ff479 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Thu, 26 Feb 2026 11:17:30 +0000
Subject: [PATCH 6/9] updates trivy ignore
---
 src/base/.trivyignore.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml
index 8697da6..30f0fb7 100644
--- a/src/base/.trivyignore.yaml
+++ b/src/base/.trivyignore.yaml
@@ -1 +1,36 @@
 vulnerabilities:
+ - id: CVE-2024-35870
+ statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-26
+ - id: CVE-2024-53179
+ statement: "kernel: smb: client: fix use-after-free of signing key"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-26
+ - id: CVE-2025-37849
+ statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-26
+ - id: CVE-2025-37899
+ statement: "kernel: ksmbd: fix use-after-free in session logoff"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-26
+ - id: CVE-2025-38118
+ statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-26
+ - id: CVE-2026-23111
+ statement: "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-26
+ - id: CVE-2025-61594
+ statement: "uri: URI module: Credential exposure via URI + operator"
+ purls:
+ - "pkg:gem/uri@0.13.0"
+ expired_at: 2026-08-26
From 2810e0ddd89951c2ecf796542c13b912be6c2ed0 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Thu, 26 Feb 2026 11:37:11 +0000
Subject: [PATCH 7/9] updates trivyignore for amd64
---
 src/base/.trivyignore.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml
index 30f0fb7..6da1525 100644
--- a/src/base/.trivyignore.yaml
+++ b/src/base/.trivyignore.yaml
@@ -2,31 +2,37 @@ vulnerabilities:
 - id: CVE-2024-35870
 statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
 purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-26
 - id: CVE-2024-53179
 statement: "kernel: smb: client: fix use-after-free of signing key"
 purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-26
 - id: CVE-2025-37849
 statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation"
 purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-26
 - id: CVE-2025-37899
 statement: "kernel: ksmbd: fix use-after-free in session logoff"
 purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-26
 - id: CVE-2025-38118
 statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
 purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-26
 - id: CVE-2026-23111
 statement: "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check"
 purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-26
 - id: CVE-2025-61594
From ce7e82970af0ee663c1f703b435634722ebf623f Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Thu, 26 Feb 2026 12:03:06 +0000
Subject: [PATCH 8/9] moves to common trivyignore
---
 src/base/.trivyignore.yaml | 41 ------------------------------------
 src/common/.trivyignore.yaml | 26 ++++++++++++++++++-----
 2 files changed, 21 insertions(+), 46 deletions(-)
diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml
index 6da1525..8697da6 100644
--- a/src/base/.trivyignore.yaml
+++ b/src/base/.trivyignore.yaml
@@ -1,42 +1 @@
 vulnerabilities:
- - id: CVE-2024-35870
- statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-26
- - id: CVE-2024-53179
- statement: "kernel: smb: client: fix use-after-free of signing key"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-26
- - id: CVE-2025-37849
- statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-26
- - id: CVE-2025-37899
- statement: "kernel: ksmbd: fix use-after-free in session logoff"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-26
- - id: CVE-2025-38118
- statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-26
- - id: CVE-2026-23111
- statement: "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
- expired_at: 2026-08-26
- - id: CVE-2025-61594
- statement: "uri: URI module: Credential exposure via URI + operator"
- purls:
- - "pkg:gem/uri@0.13.0"
- expired_at: 2026-08-26
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index bd4d87e..3ed5c49 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
@@ -2,28 +2,44 @@ vulnerabilities:
 - id: CVE-2024-35870
 statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
 purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2024-53179
 statement: "kernel: smb: client: fix use-after-free of signing key"
 purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2025-37849
 statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation"
 purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2025-37899
 statement: "kernel: ksmbd: fix use-after-free in session logoff"
 purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2025-38118
 statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
 purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
+ - id: CVE-2026-23111
+ statement: "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-26
+ - id: CVE-2025-61594
+ statement: "uri: URI module: Credential exposure via URI + operator"
+ purls:
+ - "pkg:gem/uri@0.13.0"
+ expired_at: 2026-08-26
 - id: CVE-2026-26007
 statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves"
 purls:
From e94b889bb541b43312dd732a64fe59e30695a5b4 Mon Sep 17 00:00:00 2001
From: Jack Spagnoli
Date: Thu, 26 Feb 2026 13:38:59 +0000
Subject: [PATCH 9/9] updates trivy ignore
---
 src/projects/fhir_facade_api/.trivyignore.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml
index 4443daa..d8a3458 100644
--- a/src/projects/fhir_facade_api/.trivyignore.yaml
+++ b/src/projects/fhir_facade_api/.trivyignore.yaml
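Review bot: After this move the six `linux-libc-dev` kernel entries in the same file carry two different expiries: the five whose purl was bumped from 5.15.0-170.180 to 171.181 keep `expired_at: 2026-08-12`, while CVE-2026-23111 and the uri gem get `expired_at: 2026-08-26`, so the suppression for one package will lapse in two steps and the earlier date no longer reflects when the entries were last looked at. Re-pointing an ignore at a new package version is a fresh acceptance decision; set `expired_at: 2026-08-26` on all six (or whatever date the review actually happened) rather than inheriting the old one. The `statement` fields are still the upstream CVE titles rather than the rationale; for linux-libc-dev the reason is presumably that the package only ships kernel headers and no kernel code runs from the image, in which case something like `statement: "linux-libc-dev provides headers only; the container does not run this kernel"` records the decision so the next reviewer does not have to re-derive it. The hunk ends on the `purls:` line of the CVE-2026-26007 entry, whose remainder is outside this view.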
@@ -3,21 +3,29 @@ vulnerabilities:
 statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
 purls:
 - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2022-25236
 statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
 purls:
 - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2022-26485
 statement: "Mozilla: Use-after-free in XSLT parameter processing"
 purls:
 - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2022-26486
 statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
 purls:
 - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+ - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
 expired_at: 2026-08-12
 - id: CVE-2026-25547
 statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"