From ad7fac95dda3c0986f6b2b7711e08df04cb5a54e Mon Sep 17 00:00:00 2001
From: Oleksandr Akhtyrskiy
Date: Sat, 21 Mar 2026 08:28:20 -0600
Subject: [PATCH 1/2] Suppress unfixable Go stdlib CVEs in actionlint and yq

CVE-2026-25679 (net/url) and CVE-2026-27137 (crypto/x509) are both Go stdlib issues requiring Go >= 1.26.1. Neither CVE is exploitable in offline lint tools. Suppress until upstream ships patched builds.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 images/ci-tools/.trivyignore | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/images/ci-tools/.trivyignore b/images/ci-tools/.trivyignore
index e69de29..6b57654 100644
--- a/images/ci-tools/.trivyignore
+++ b/images/ci-tools/.trivyignore
@@ -0,0 +1,15 @@
+# actionlint v1.7.11 (Go 1.25.7) / yq v4.52.4 (Go 1.26.0)
+# Go stdlib CVEs — waiting on upstream releases built with Go >= 1.26.1.
+#
+# These are lint/formatting tools that run offline against local files.
+# Neither tool uses net/url for parsing untrusted URLs or crypto/x509 for
+# certificate verification at runtime, so the practical risk is negligible.
+# Remove these entries once actionlint and yq ship builds on Go >= 1.26.1.
+
+# net/url: Incorrect parsing of IPv6 host literals (fixed in Go 1.25.8 / 1.26.1)
+# Affects: actionlint (Go 1.25.7), yq (Go 1.26.0)
+CVE-2026-25679
+
+# crypto/x509: Incorrect enforcement of email constraints (fixed in Go 1.26.1)
+# Affects: yq (Go 1.26.0)
+CVE-2026-27137

From 7f91c005d47d7468f273700b15d0a0903c837032 Mon Sep 17 00:00:00 2001
From: Oleksandr Akhtyrskiy
Date: Sat, 21 Mar 2026 08:28:56 -0600
Subject: [PATCH 2/2] Add "stdlib" to cspell.json words list

---
 cspell.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cspell.json b/cspell.json
index b76abfe..5e58077 100644
--- a/cspell.json
+++ b/cspell.json
@@ -21,6 +21,7 @@
 "shfmt",
 "sigstore",
 "startswith",
+ "stdlib",
 "stylelint",
 "trivy",
 "xmlstarlet"
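Review bot: The two suppressions added to images/ci-tools/.trivyignore carry no expiry, so the "Remove these entries once ..." instruction in the header comment only works if someone remembers to revisit the file; Trivy's ignore file accepts a per-entry date after which the finding resurfaces on its own, e.g. `CVE-2026-25679 exp:<YYYY-MM-DD, placeholder>` and `CVE-2026-27137 exp:<YYYY-MM-DD, placeholder>`. The rationale in the comment is scoped to actionlint and yq, but a bare CVE id in `.trivyignore` suppresses that CVE for every package Trivy finds in the image, so any other Go binary added to ci-tools later would be silently covered as well; the `.trivyignore.yaml` form with `paths:` can pin each suppression to the two binaries named in the comment. The hunk's own note says CVE-2026-25679 is fixed in Go 1.25.8 as well as 1.26.1, so the removal condition for actionlint is an upstream build on Go >= 1.25.8, not 1.26.1 as the header line states; aligning the two lines avoids keeping the suppression longer than needed. The "neither tool uses net/url for parsing untrusted URLs" claim is an assumption about the binaries rather than something the hunk shows, so it is worth recording where it was checked (e.g. a link to the relevant upstream code) next to the entry.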