From 2e60fd7d92511db7f80daa53b6c949df9e1a785f Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 9 Mar 2026 14:54:00 +0000
Subject: [PATCH 1/5] upgrade to latest trivy
---
.github/workflows/build_multi_arch_image.yml | 2 +-
.tool-versions | 2 +-
src/base/.devcontainer/.tool-versions | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index ce560f0..65381de 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -66,7 +66,7 @@ jobs:
- name: setup trivy
uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
with:
- version: v0.69.1
+ version: v0.69.3
- name: setup node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
with:
diff --git a/.tool-versions b/.tool-versions
index e4a19f0..1aed182 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -5,5 +5,5 @@ shellcheck 0.11.0
direnv 2.37.1
actionlint 1.7.10
ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
yq 4.52.2
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
index f492e92..24d49bd 100644
--- a/src/base/.devcontainer/.tool-versions
+++ b/src/base/.devcontainer/.tool-versions
@@ -2,5 +2,5 @@ shellcheck 0.11.0
direnv 2.37.1
actionlint 1.7.10
ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
yq 4.52.2
From 6f197e2c6cd6a7baedd6cb0bf957121ccb24bb19 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 9 Mar 2026 15:02:06 +0000
Subject: [PATCH 2/5] create java image
---
.../.devcontainer/.tool-versions | 4 ++++
.../.devcontainer/devcontainer.json | 18 ++++++++++++++++++
.../.devcontainer/scripts/root_install.sh | 7 +++++++
.../.devcontainer/scripts/vscode_install.sh | 13 +++++++++++++
.../.trivyignore.yaml | 11 +++++++++++
.../node_24_python_3_14_java_24/trivy.yaml | 1 +
6 files changed, 54 insertions(+)
create mode 100644 src/languages/node_24_python_3_14_java_24/.devcontainer/.tool-versions
create mode 100644 src/languages/node_24_python_3_14_java_24/.devcontainer/devcontainer.json
create mode 100755 src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh
create mode 100755 src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh
create mode 100644 src/languages/node_24_python_3_14_java_24/.trivyignore.yaml
create mode 100644 src/languages/node_24_python_3_14_java_24/trivy.yaml
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/.tool-versions b/src/languages/node_24_python_3_14_java_24/.devcontainer/.tool-versions
new file mode 100644
index 0000000..944ca8c
--- /dev/null
+++ b/src/languages/node_24_python_3_14_java_24/.devcontainer/.tool-versions
@@ -0,0 +1,4 @@
+python 3.14.3
+poetry 2.3.2
+java temurin-24.0.2+12
+maven 3.9.13
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14_java_24/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..8580944
--- /dev/null
+++ b/src/languages/node_24_python_3_14_java_24/.devcontainer/devcontainer.json
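Review bot: `java temurin-24.0.2+12` pins a JDK 24 build, and Java 24 is a non-LTS feature release whose public update stream ended, if I recall the Temurin schedule correctly, when 25 shipped in September 2025 — so this image will accumulate JDK CVEs that can only be handled by adding `.trivyignore.yaml` entries. If 24 is a deliberate requirement for the projects this image serves, say so with a comment above the line (asdf honours `#` comments in `.tool-versions`), e.g. `# JDK 24 pinned on purpose: <reason>; revisit when moving to 25 LTS`; otherwise consider pinning the LTS line. The remaining pins (`python 3.14.3`, `poetry 2.3.2`, `maven 3.9.13`) are fully specified, which is what you want here.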
@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+ "name": "EPS Devcontainer node_24 python_3.14",
+ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+ "build": {
+ "dockerfile": "../../../common_node_24/Dockerfile",
+ "args": {
+ "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
+ "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
+ "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
+ "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
+ },
+ "context": "."
+ },
+ "features": {}
+ }
+
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh
new file mode 100755
index 0000000..52fa2b1
--- /dev/null
+++ b/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -e
+export DEBIAN_FRONTEND=noninteractive
+
+# clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh
new file mode 100755
index 0000000..c68251d
--- /dev/null
+++ b/src/languages/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e
+
+asdf plugin add python
+asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
+asdf plugin add java
+asdf plugin add maven
+
+asdf install python
+asdf install
+
+# install cfn-lint
+pip install --user cfn-lint
diff --git a/src/languages/node_24_python_3_14_java_24/.trivyignore.yaml b/src/languages/node_24_python_3_14_java_24/.trivyignore.yaml
new file mode 100644
index 0000000..8799951
--- /dev/null
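Review bot: `"name": "EPS Devcontainer node_24 python_3.14"` does not mention java, which together with the untouched template comments reads as a copy of the node_24_python_3_14 devcontainer that was not fully adapted; since `name` is the label VS Code shows for the container, use `"name": "EPS Devcontainer node_24 python_3.14 java_24"`. The build points at `../../../common_node_24/Dockerfile` with `"context": "."`, so whether that shared Dockerfile picks up this directory's `scripts/root_install.sh` and `scripts/vscode_install.sh` cannot be seen in this patch — worth confirming the java and maven installs actually run in the produced image. The `// Or use a Dockerfile or Docker Compose file...` boilerplate can go now that a Dockerfile is in use.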
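Review bot: `export DEBIAN_FRONTEND=noninteractive` is set but no `apt-get install` follows, so the export does nothing unless the shared Dockerfile sources this file rather than executing it (not visible here). If it is a placeholder for root-level packages the java image will need, add a comment saying so above the export; otherwise drop it. Either way `set -e` alone leaves unset variables and failed pipelines unreported, so `set -euo pipefail` is the safer preamble for a build-time script.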
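Review bot: `asdf plugin add python`, `asdf plugin add java` and `asdf plugin add maven` resolve the plugin repository through asdf's short-name registry at build time, and `asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git` clones that repo's default branch, so although the tool versions are pinned in `.tool-versions` the installers that fetch and unpack them are whatever those upstream repos contain on the day the image is built. If reproducibility and supply-chain control matter for this image, pin each plugin to a ref after adding it (`asdf plugin update java <commit>` and so on) or vendor the plugin sources. `pip install --user cfn-lint` is likewise unpinned; give it an exact version, ideally from a hash-checked requirements file — and note that this image's `.trivyignore.yaml` accepts CVE-2026-24049 on `wheel`, whose advisory names wheel unpacking, while this step runs pip at build time (whether pip's install path here goes through the `wheel` package is worth checking rather than assuming). `set -e` without `-u` and `-o pipefail` is the same preamble issue as in root_install.sh.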
+++ b/src/languages/node_24_python_3_14_java_24/.trivyignore.yaml
@@ -0,0 +1,11 @@
+vulnerabilities:
+ - id: CVE-2026-23949
+ statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives"
+ purls:
+ - "pkg:pypi/jaraco.context@5.3.0"
+ expired_at: 2026-08-12
+ - id: CVE-2026-24049
+ statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking"
+ purls:
+ - "pkg:pypi/wheel@0.45.1"
+ expired_at: 2026-08-12
diff --git a/src/languages/node_24_python_3_14_java_24/trivy.yaml b/src/languages/node_24_python_3_14_java_24/trivy.yaml
new file mode 100644
index 0000000..e786be4
--- /dev/null
+++ b/src/languages/node_24_python_3_14_java_24/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/languages/node_24_python_3_14/.trivyignore_combined.yaml"
From a3be8fbba5fec1d1b89ea258803e26b0117c41e5 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 9 Mar 2026 15:26:43 +0000
Subject: [PATCH 3/5] new vulns
---
src/common/.trivyignore.yaml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index 3ed5c49..1f9727c 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
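Review bot: Both `statement` values merely repeat the advisory title (`"jaraco.context: jaraco.context: Path traversal via malicious tar archives"`, `"wheel: wheel: ..."`) instead of saying why the finding is accepted, so when `expired_at: 2026-08-12` arrives nobody can tell whether this was "no fix released", "not reachable in a devcontainer" or "ran out of time". Trivy treats `statement` as free text, so record the rationale and an owner there, e.g. `statement: "CVE-2026-23949 jaraco.context 5.3.0: <why no fix / why unreachable>; tracked in <ticket>"`. CVE-2026-24049 on `pkg:pypi/wheel@0.45.1` deserves a real answer rather than a five-month deferral, because this image's vscode_install.sh runs pip at build time and the advisory title names wheel file unpacking — whether pip's install path here actually goes through the `wheel` package should be checked, not assumed.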
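Review bot: `ignorefile: "src/languages/node_24_python_3_14/.trivyignore_combined.yaml"` points into the sibling node_24_python_3_14 image's directory rather than this image's `src/languages/node_24_python_3_14_java_24/`, which looks like a copy-paste leftover. If the combined file is generated per image from its own `.trivyignore.yaml` plus the common lists (the generation step is not in this patch, so this is inferred from the file name), the two entries this patch adds to `src/languages/node_24_python_3_14_java_24/.trivyignore.yaml` would never be loaded, and the scan would silently apply the other image's suppressions instead — or fail if that path does not exist in the scan context. Suggested fix: `ignorefile: "src/languages/node_24_python_3_14_java_24/.trivyignore_combined.yaml"`.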
@@ -323,3 +323,40 @@ vulnerabilities:
purls:
- "pkg:golang/stdlib@v1.25.6"
expired_at: 2026-08-13
+ - id: CVE-2025-15558
+ statement: "docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries"
+ purls:
+ - "pkg:golang/github.com/docker/cli@v28.5.1%2Bincompatible"
+ - "pkg:golang/github.com/docker/cli@v29.0.3%2Bincompatible"
+ - "pkg:golang/github.com/docker/cli@v29.1.1%2Bincompatible"
+ expired_at: 2026-09-09
+ - id: CVE-2026-24051
+ statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+ purls:
+ - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.36.0"
+ expired_at: 2026-09-09
+ - id: CVE-2024-35870
+ statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2024-53179
+ statement: "kernel: smb: client: fix use-after-free of signing key"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-21780
+ statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-37899
+ statement: "kernel: ksmbd: fix use-after-free in session logoff"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
+ - id: CVE-2025-38118
+ statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
+ purls:
+ - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-09-09
From 8d1a69610eb63243cd9e76b2289be932f262b4e8 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 9 Mar 2026 16:40:14 +0000
Subject: [PATCH 4/5] new vuln
---
src/common_node_24/.trivyignore.yaml | 5 +++++
1 file changed, 5 insertions(+)
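Review bot: The five kernel entries (CVE-2024-35870, CVE-2024-53179, CVE-2025-21780, CVE-2025-37899, CVE-2025-38118) are all suppressed on `pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180`, which is the userspace kernel-headers package, so none of the affected kernel code runs from it inside the image — a defensible ignore, but each `statement` only repeats the advisory title and that reasoning is recorded nowhere. Put it in the statement, e.g. `statement: "CVE-2024-35870 (kernel smb client UAF): only linux-libc-dev headers are installed, no kernel runtime in the image"`, and likewise make the CVE-2025-15558 entry say that the Windows plugin-loading path in the Docker CLI is not reachable on a Linux image rather than just quoting "Docker CLI for Windows". CVE-2026-24051 (OpenTelemetry Go SDK, PATH hijacking) is different in kind — it is not platform-specific and lives in some Go binary that is actually present — so its entry should name the binary that vendors `go.opentelemetry.io/otel/sdk@v1.36.0` and why it cannot be upgraded before `expired_at: 2026-09-09`.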
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
index 5491da7..ca220bd 100644
--- a/src/common_node_24/.trivyignore.yaml
+++ b/src/common_node_24/.trivyignore.yaml
@@ -53,3 +53,8 @@ vulnerabilities:
- "pkg:npm/minimatch@10.0.3"
- "pkg:npm/minimatch@9.0.5"
expired_at: 2026-08-27
+ - id: CVE-2026-29786
+ statement: "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, ..."
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-09-09
From eb0a822c5269953b70e9c4f983bf3c94399a0f61 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Tue, 10 Mar 2026 10:18:00 +0000
Subject: [PATCH 5/5] new vuln
---
src/projects/eps-storage-terraform/.trivyignore.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
index 4443daa..79605cd 100644
--- a/src/projects/eps-storage-terraform/.trivyignore.yaml
+++ b/src/projects/eps-storage-terraform/.trivyignore.yaml
@@ -105,3 +105,8 @@ vulnerabilities:
purls:
- "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
expired_at: 2026-08-16
+ - id: CVE-2026-24051
+ statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+ purls:
+ - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0"
+ expired_at: 2026-09-10
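Review bot: The new `statement` is literally truncated — `"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, ..."` commits the `...` — and the part that survives says a fixed release (7.5.10) exists, yet `pkg:npm/tar@7.5.1` is suppressed until 2026-09-09 without a reason. If tar@7.5.1 is the copy bundled inside the npm that ships with Node 24 (a guess from the purl; the hunk does not say), record that and the npm upgrade you are waiting on; if it is a separately installed package, bump it instead of ignoring it. In either case replace the cut-off title with the rationale, e.g. `statement: "CVE-2026-29786 node-tar <7.5.10: <where tar@7.5.1 comes from and why it cannot be updated yet>; re-check at expiry"`.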
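Review bot: CVE-2026-24051 is now suppressed twice — here for `go.opentelemetry.io/otel/sdk@v1.38.0` until 2026-09-10 and in src/common/.trivyignore.yaml (patch 3 of this series) for v1.36.0 until 2026-09-09 — with identical title-only statements and no hint of which binary in this project image brings in the SDK. The differing purls mean both entries are needed, but the `statement` should name the tool that vendors the vulnerable SDK and why it cannot be upgraded, and the two `expired_at` dates should be aligned so the finding is revisited once rather than on two arbitrary days. Title-only statements are what make these ignore files hard to audit when the entries expire.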