Skip to content

UID2-7456: Suppress CVE-2026-56131/56407/56408 (libexpat) in .trivyignore#2642

Merged
BehnamMozafari merged 1 commit into
mainfrom
bmz-UID2-7456-libexpat
Jul 9, 2026
Merged

UID2-7456: Suppress CVE-2026-56131/56407/56408 (libexpat) in .trivyignore#2642
BehnamMozafari merged 1 commit into
mainfrom
bmz-UID2-7456-libexpat

Conversation

@BehnamMozafari

@BehnamMozafari BehnamMozafari commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

UID2-7456: Suppress CVE-2026-56131 / CVE-2026-56407 / CVE-2026-56408 (libexpat) in .trivyignore

Trivy flagged three HIGH-severity CVEs in the Alpine system library libexpat (installed 2.8.1-r0) shipped in the eclipse-temurin:21-jre-alpine-3.23 base image:

Decision

Suppress in .trivyignore with a 1-month expiry (exp:2026-08-09).

Rationale

Not exploitable in our context — libexpat is a native C XML parser; this service parses XML via the JVM's built-in JAXP/Xerces implementation (pure Java), with no JNI bindings or native dependencies that call into libexpat, so the crafted-XML attack path is not reachable. All three CVEs are fixed in Alpine v3.23 libexpat >= 2.8.2-r0; the suppression will be revisited when the pinned eclipse-temurin base image is rebuilt with the fixed package (at which point the entry can be removed).

Jira: https://thetradedesk.atlassian.net/browse/UID2-7456

@BehnamMozafari BehnamMozafari changed the title UID2-7456: Upgrade libexpat to patch CVE-2026-56131/56407/56408 UID2-7456: Suppress CVE-2026-56131/56407/56408 (libexpat) in .trivyignore Jul 9, 2026
@BehnamMozafari BehnamMozafari force-pushed the bmz-UID2-7456-libexpat branch from d27e458 to 746f30e Compare July 9, 2026 01:54
@BehnamMozafari BehnamMozafari merged commit 19e549b into main Jul 9, 2026
10 checks passed
@BehnamMozafari BehnamMozafari deleted the bmz-UID2-7456-libexpat branch July 9, 2026 02:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants