From bd73312c5bf7bb8362d517ab9cbdfe6c50a4ee3d Mon Sep 17 00:00:00 2001
From: Sunny Wu <sunny.wu@thetradedesk.com>
Date: Wed, 25 Feb 2026 16:03:17 +1100
Subject: [PATCH 1/2] Upgrade gnutls to fix CVE-2026-1584 vulnerability

Add explicit gnutls upgrade in Dockerfile to address HIGH severity
vulnerability CVE-2026-1584 in gnutls 3.8.11-r0 (fixed in 3.8.12-r0)
in the alpine base image. The vulnerability allows Remote Denial of
Service via crafted ClientHello with invalid PSK.

Jira: UID2-6655

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f66e012e..acf75b63 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,7 @@ COPY ./run_tool.sh /app
 COPY ./conf/default-config.json /app/conf/
 COPY ./conf/*.xml /app/conf/
 
-RUN apk add --no-cache --upgrade libpng && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
+RUN apk add --no-cache --upgrade libpng gnutls && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
 USER uid2-optout
 
 CMD java \

From ceec67fed6c895cc010adafaff854b751629bd75 Mon Sep 17 00:00:00 2001
From: Sunny Wu <sunny.wu@thetradedesk.com>
Date: Fri, 27 Feb 2026 11:41:57 +1100
Subject: [PATCH 2/2] UID2-6655: Add CVE-2026-1584 to .trivyignore instead of
 upgrading gnutls

gnutls is an OS-level library present in the alpine base image but is not
used by our Java service. Upgrading it via apk introduces unnecessary risk
of breaking system-level dependencies. The vulnerability (Remote DoS via
crafted ClientHello) has no impact on our software.

CVE-2026-1584 exp:2026-08-27

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .trivyignore | 6 +++++-
 Dockerfile   | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 0a8aa9aa..ab7245e5 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,3 +1,7 @@
 # List any vulnerability that are to be accepted
-# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ 
+# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/
 # for more details
+
+# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
+# See: UID2-6655
+CVE-2026-1584 exp:2026-08-27
diff --git a/Dockerfile b/Dockerfile
index acf75b63..f66e012e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,7 @@ COPY ./run_tool.sh /app
 COPY ./conf/default-config.json /app/conf/
 COPY ./conf/*.xml /app/conf/
 
-RUN apk add --no-cache --upgrade libpng gnutls && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
+RUN apk add --no-cache --upgrade libpng && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
 USER uid2-optout
 
 CMD java \