From 746f30e8bd44b3b8e434183ae1e4a5789ca112ec Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Thu, 9 Jul 2026 11:25:44 +1000 Subject: [PATCH] UID2-7456: suppress CVE-2026-56131/56407/56408 (libexpat) in .trivyignore --- .trivyignore | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.trivyignore b/.trivyignore index f6915db40..938c77478 100644 --- a/.trivyignore +++ b/.trivyignore @@ -52,3 +52,13 @@ CVE-2026-54513 exp:2026-07-25 # eclipse-temurin base image has not yet been rebuilt with it. # See: UID2-7376 CVE-2026-2100 exp:2026-09-01 + +# CVE-2026-56131 / CVE-2026-56407 / CVE-2026-56408 — libexpat stack exhaustion / integer overflows +# in the Alpine base image. uid2-operator is a pure Java service; the JVM parses XML via the built-in +# JAXP/Xerces implementation, not the native libexpat C library, and there are no JNI bindings or +# native deps that call into libexpat, so the crafted-XML attack path is not reachable. Fixed in +# Alpine v3.23 libexpat >= 2.8.2-r0; the pinned eclipse-temurin base image has not yet been rebuilt with it. +# See: UID2-7456 +CVE-2026-56131 exp:2026-08-09 +CVE-2026-56407 exp:2026-08-09 +CVE-2026-56408 exp:2026-08-09