From 21925c56880cc3fd3c1f9af21f85e84125c06fd1 Mon Sep 17 00:00:00 2001
From: Jeff Culverhouse
Date: Mon, 19 Jan 2026 13:57:33 -0500
Subject: [PATCH] chore: enhance Trivy security scanning configuration

- Add ignore-unfixed: true to Trivy workflow to focus on actionable vulnerabilities
- Expand .trivyignore from 1 to 10 CVEs with detailed categorization
- Document why each CVE is ignored (system libraries, unused features)
- Ignore glibc/libtasn1 system library CVEs pending upstream fixes
- Ignore curl CVEs for SSH/OAuth2/LDAP features not used by application
- Ignore OpenLDAP CVE as library is not used by amcrest2mqtt

This aligns with govee2mqtt security configuration and reduces noise from unfixable or non-applicable security alerts while maintaining focus on CRITICAL and HIGH severity issues that can be addressed.

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/deploy.yaml | 1 +
 .trivyignore | 31 +++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index b40aff2..785f582 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -191,6 +191,7 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
 
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@27fcff4ecb39e96348e7ceddcc2d9ef42308b6fc # v4
diff --git a/.trivyignore b/.trivyignore
index 0efa269..24e9443 100644
--- a/.trivyignore
+++ b/.trivyignore
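Review bot: `ignore-unfixed: true` on the added line drops every finding that has no fixed version, so combined with `severity: 'CRITICAL,HIGH'` an unfixed critical in the base image never reaches the Security tab at all rather than being deferred. That is a defensible trade-off for a Debian-based image, but the workflow should say so next to the option so a future reader does not take the tab as a complete picture, e.g. `# ignore-unfixed: findings with no fixed version are dropped from the SARIF, not deferred`. It also overlaps with the glibc/libtasn1 entries this commit adds to .trivyignore, which is raised on that hunk. The Trivy scan step begins before this hunk, so whether the scan also runs on a schedule (which is what would surface a fix once the base image ships it) is not visible here.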
@@ -1,3 +1,34 @@
+# =============================================================================
+# System Libraries - Waiting for upstream fixes in python:3.14-slim base image
+# =============================================================================
+
+# glibc vulnerabilities - system library, waiting for Debian/Python base image updates
+CVE-2026-0861 # glibc: Integer overflow in memalign leads to heap corruption
+CVE-2026-0915 # glibc: Information disclosure via zero-valued network query
+
+# libtasn1 - system library dependency, not directly used by amcrest2mqtt
+CVE-2025-13151 # libtasn1: DoS via stack-based buffer overflow in asn1_expend_octet_string
+
+# =============================================================================
+# curl - Pulled in as system dependency but specific vulnerable features not used
+# =============================================================================
+# amcrest2mqtt uses Python requests library for HTTP, not curl directly
+# These CVEs relate to curl features (SSH, OAuth2, LDAP, cert pinning) not used by this app
+
+CVE-2025-15224 # curl: SSH/SCP/SFTP transfers - not used
+CVE-2025-15079 # curl: SSH transfers with specific options - not used
+CVE-2025-14819 # curl: TLS with reused easy/multi handles - not used
+CVE-2025-14524 # curl: OAuth2 bearer tokens - not used
+CVE-2025-14017 # curl: Multi-threaded LDAPS transfers - not used
+CVE-2025-13034 # curl: CURLOPT_PINNEDPUBLICKEY option - not used
+
+# =============================================================================
+# Other system dependencies not used by application
+# =============================================================================
+
+# OpenLDAP - not used by amcrest2mqtt (connects to Amcrest cameras and MQTT only)
+CVE-2026-22185 # OpenLDAP LMDB: DoS and Info Disclosure via Heap Buffer Underflow
+
 # libexpat is only pulled in via apt-get install git during build.
 # It is not used in the final runtime image or by amcrest2mqtt at all.
CVE-2025-59375
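Review bot: The glibc and libtasn1 entries (CVE-2026-0861, CVE-2026-0915, CVE-2025-13151) are justified as "waiting for upstream fixes", but a plain `.trivyignore` entry has no expiry, so once the base image ships the fix the scan keeps suppressing exactly the finding that should trigger a rebuild; with `ignore-unfixed: true` now set in deploy.yaml those unfixed findings are already hidden, so listing them here only adds a permanent blind spot. Trivy's ignore file accepts an expiration suffix, so either drop those three lines or time-box them, e.g. `CVE-2026-0861 exp:YYYY-MM-DD # glibc: Integer overflow in memalign leads to heap corruption` with a real review date in place of the placeholder. The curl and OpenLDAP entries rest on "feature not used by amcrest2mqtt", which is an application-level argument applied to an image scan where the vulnerable binaries are still present; a one-line note on how that was checked (no shell-outs to curl, no LDAP client in the Python dependencies) would make each suppression auditable later. The trailing `# …` comments on the ID lines also depart from the existing style, where the context lines keep the ID alone on its line; Trivy's plain-text parser appears to read only the first token, but confirm it does not reject the extra fields before relying on that.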