Moby CVEs trivyignore (#10438)

Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: David Jumani <[email protected]> Co-authored-by: ashish b <[email protected]>
solo-io · Dec 23, 2024 · f82e330 · f82e330
1 parent 058276b
commit f82e330
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/.trivyignore b/.trivyignore
@@ -67,4 +67,13 @@ CVE-2024-27304
 # This is resolved in versions of Gloo Gateway that rely on Go1.22 and above (1.17, 1.18)
 # For earlier versions of Gloo Gateway, we confirmed that the vulnerability is not exploitable
 # and captured our findings here: https://github.com/solo-io/solo-projects/issues/7157#issuecomment-2463252858
-CVE-2022-30635
+CVE-2022-30635
+
+# https://github.com/advisories/GHSA-2mj3-vfvx-fc43
+# https://github.com/advisories/GHSA-gh5c-3h97-2f3q
+# These are not expected to impact us and are difficult to resolve due to breaking API changes that impact our code
+# While this has been resolved on v1.17+, backporting it to lower versions is complicated and we opted to skip it
+# We can remove these once moby/moby has been upgraded to v26+ on all LTS branches
+# Ref: https://solo-io-corp.slack.com/archives/C03MFATU265/p1733926775760049?thread_ts=1733429266.473749&cid=C03MFATU265
+CVE-2024-36621
+CVE-2024-36623
diff --git a/changelog/v1.19.0-beta3/moby-cves-trivyignore.yaml b/changelog/v1.19.0-beta3/moby-cves-trivyignore.yaml
@@ -0,0 +1,14 @@
+changelog:
+  - type: NON_USER_FACING
+    description: Add CVE-2024-36621 and CVE-2024-36623 to trivyignore
+    issueLink: https://github.com/solo-io/solo-projects/issues/7357
+  - type: NON_USER_FACING
+    description: This also resolves the issue for 1.15
+    issueLink: https://github.com/solo-io/solo-projects/issues/7358
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/solo-projects/issues/7359
+    description: >-
+      This also resolves the issue for 1.14
+
+      skipCI-kube-tests:true
+      skipCI-docs-build:true