UID2-6655: Suppress CVE-2026-1584 (gnutls) in .trivyignore #384

Merged: sunnywu merged 2 commits into main from syw-UID2-6655-fix-gnutls-cve on Feb 27, 2026

Conversation

@sunnywu sunnywu (Contributor) commented Feb 25, 2026

Summary

CVE-2026-1584 (HIGH severity) was discovered in gnutls 3.8.11-r0 in the eclipse-temurin alpine base image.

Decision: Suppress in .trivyignore rather than upgrading gnutls via apk.

Rationale

gnutls is an OS-level TLS library present in the alpine base image but is not used by our Java service. The vulnerability allows Remote Denial of Service via a crafted ClientHello with invalid PSK — a TLS-layer attack vector that has no impact on our application since we do not use gnutls for any TLS handling (the JVM handles all TLS operations).

Upgrading OS libraries via apk add --upgrade in Dockerfiles introduces unnecessary risk of unintended system-level dependency changes and should be avoided when the library does not directly affect our software.

Changes

  • Removed gnutls from apk add --no-cache --upgrade in Dockerfile
  • Added CVE-2026-1584 to .trivyignore with expiry 2026-08-27 (6 months)

CVE Details

  • CVE: CVE-2026-1584
  • Severity: HIGH
  • Package: gnutls 3.8.11-r0 (alpine)
  • Fixed in: 3.8.12-r0
  • Impact on our service: None — gnutls is not invoked by our Java application
  • Jira: UID2-6655

Test plan

  • Verify CI vulnerability scan passes (CVE suppressed via .trivyignore)
  • Confirm no regression in application behaviour

🤖 Generated with Claude Code

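The suppression above relies on a six-month expiry in .trivyignore to keep the accepted risk from becoming permanent. The following is an added example, not part of the UID2 project's tooling or of this PR, showing how a CI step can audit such a file: it parses Trivy's documented `<ID> exp:YYYY-MM-DD` entry form (the same form the commit below uses) and reports which suppressions have lapsed, are about to lapse, or carry no expiry at all. The 30-day warning window is an assumed policy value, and the sample file contents are constructed (only CVE-2026-1584 is taken from this PR; the other IDs are placeholders).

```python
"""Audit a .trivyignore file for expired or soon-to-expire suppressions.

Added example for this PR discussion; it is not part of the UID2 project's
tooling. It assumes Trivy's documented ignore-file syntax, one entry per line:

    <vulnerability-id> [exp:YYYY-MM-DD]

with full-line comments starting with '#'. The 30-day warning window is an
assumed policy value, not something Trivy defines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# One entry: an ID, optionally followed by an exp:YYYY-MM-DD field.
_ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?$")

# Constructed sample file. The first entry is the one this PR adds; the
# other IDs are placeholders (not real findings) that exercise each branch.
SAMPLE_TRIVYIGNORE = """\
# Suppressions reviewed by the service team
CVE-2026-1584 exp:2026-08-27
CVE-0000-0001 exp:2026-01-15
CVE-0000-0002
"""


@dataclass(frozen=True)
class Suppression:
    vuln_id: str
    expires: date | None   # None means the entry never expires
    line_no: int


def parse_trivyignore(text: str) -> list[Suppression]:
    """Parse ignore-file text; raise on lines that match neither form."""
    entries: list[Suppression] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: unrecognised .trivyignore entry {raw!r}")
        exp = date.fromisoformat(m["exp"]) if m["exp"] else None
        entries.append(Suppression(m["id"], exp, n))
    return entries


def classify(entries: list[Suppression], today: date,
             warn_days: int = 30) -> dict[str, list[str]]:
    """Bucket suppressions by how close each is to lapsing.

    An entry whose exp date is before `today` is treated as expired: Trivy
    honours an entry only until its exp date, so the finding reappears in the
    next scan and the team should either re-assess or fix it.
    """
    report: dict[str, list[str]] = {
        "expired": [], "expiring": [], "permanent": [], "active": []}
    for s in entries:
        if s.expires is None:
            report["permanent"].append(s.vuln_id)
        elif s.expires < today:
            report["expired"].append(s.vuln_id)
        elif s.expires - today <= timedelta(days=warn_days):
            report["expiring"].append(s.vuln_id)
        else:
            report["active"].append(s.vuln_id)
    return report


def audit(text: str, today: date, warn_days: int = 30) -> dict[str, list[str]]:
    """Parse and classify in one call; convenient for a CI job."""
    return classify(parse_trivyignore(text), today, warn_days)


if __name__ == "__main__":
    for bucket, ids in audit(SAMPLE_TRIVYIGNORE, date.today()).items():
        print(f"{bucket:9s} {', '.join(ids) or '-'}")
```

Run as a pre-scan CI step, a non-empty "expired" or "permanent" bucket is the signal to revisit the accepted risk rather than let the suppression quietly outlive the reasoning that justified it.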
sunnywu and others added 2 commits February 25, 2026 16:03
Add explicit gnutls upgrade in Dockerfile to address HIGH severity
vulnerability CVE-2026-1584 in gnutls 3.8.11-r0 (fixed in 3.8.12-r0)
in the alpine base image. The vulnerability allows Remote Denial of
Service via crafted ClientHello with invalid PSK.

Jira: UID2-6655

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

gnutls is an OS-level library present in the alpine base image but is not
used by our Java service. Upgrading it via apk introduces unnecessary risk
of breaking system-level dependencies. The vulnerability (Remote DoS via
crafted ClientHello) has no impact on our software.

CVE-2026-1584 exp:2026-08-27

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sunnywu sunnywu changed the title Upgrade gnutls to fix CVE-2026-1584 vulnerability (UID2-6655) UID2-6655: Suppress CVE-2026-1584 (gnutls) in .trivyignore Feb 27, 2026
@sunnywu sunnywu merged commit 5822410 into main Feb 27, 2026
4 checks passed
@sunnywu sunnywu deleted the syw-UID2-6655-fix-gnutls-cve branch February 27, 2026 02:32