.trivyignore
# crypto/tls: Unexpected session resumption (Go stdlib)
# Affected binaries (buildkitd, buildkit-runc, CNI plugins) do not use
# TLS session resumption with dynamic Config mutation, so no practical impact.
CVE-2025-68121
# OpenTelemetry Go SDK PATH Hijacking (macOS/Darwin only)
# This product runs in Linux containers; macOS code path is never executed.
CVE-2026-24051
# Go stdlib vulnerabilities affecting CNI plugins only.
# CNI plugins (bridge, host-local, loopback, firewall) do not perform
# TLS connections, certificate validation, ZIP processing, or URL parsing.
CVE-2025-61730
CVE-2025-61729
CVE-2025-61728
CVE-2025-61726
# buildkit-runc does not use proxy-based HTTP communication or HTML parsing.
CVE-2025-22870
CVE-2025-22872
# CNI plugins do not perform x509 certificate validation.
CVE-2025-61727
# sigstore/rekor server-side vulnerabilities.
# buildkitd does not run as a Rekor server.
CVE-2026-23831
CVE-2026-24117
# go-tuf client vulnerabilities.
# buildkitd does not directly use the go-tuf client against untrusted repositories.
CVE-2026-23991
CVE-2026-23992
CVE-2026-24686
# sigstore TUF client path traversal via disk cache.
# buildkitd does not directly use the sigstore TUF client's on-disk cache.
CVE-2026-24137
# libexpat integer overflow in tag buffer reallocation.
# No external XML processing path exists in this product.
CVE-2026-25210
# CIRCL ecc/p384 CombinedMult incorrect value for specific inputs.
# buildkitd does not use CombinedMult directly; ECDH/ECDSA are unaffected.
CVE-2026-1229
# libexpat: XML_ExternalEntityParserCreate does not copy encoding handler user data.
# No external XML entity processing path exists in this product.
CVE-2026-24515
# QuickJS stack overflow via deeply nested JS input.
# Only internal tool scripts (convert-rule.mjs, report.mjs) are executed;
# no untrusted JavaScript is evaluated.
CVE-2023-31922
# zlib: buffer overflow in standalone untgz demo utility.
# The core zlib library (libz) is unaffected; untgz is not used in this image.
CVE-2026-22184
# Go stdlib net/url: incorrect parsing of IPv6 host literals.
# CNI plugins do not parse user-supplied URLs.
CVE-2026-25679
# zlib: DoS via infinite loop in crc32_combine functions.
# No code path in this product calls crc32_combine directly.
CVE-2026-27171
# Go stdlib html/template: URL escaping issue in meta content attribute.
# CNI plugins do not generate or serve HTML.
CVE-2026-27142
# Go stdlib os: FileInfo can escape from a Root in ReadDir.
# CNI plugins do not use the os.Root sandboxed filesystem API.
CVE-2026-27139
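A suppression list like the one above is only as trustworthy as its review discipline: every ID should carry a written justification, and Trivy's documented `exp:YYYY-MM-DD` suffix should bound how long the ignore lives, otherwise an accepted risk silently becomes permanent. The following Go program is an added example, not code from this repository or from Trivy: it parses the plain-text .trivyignore format (one ID per line, optional `exp:` field, `#` comments, with a comment block shared by the IDs listed directly beneath it, as in the file above) and lints it for entries with no justification, no expiry, an expiry already in the past, or duplicated IDs. The parser is a simplified re-implementation and an assumption about Trivy's behaviour, and the embedded `sampleIgnore` file is constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Entry is one suppression parsed from a .trivyignore file.
type Entry struct {
	ID            string    // vulnerability ID, e.g. CVE-2025-22870
	Justification []string  // '#' comment lines above the ID, '#' stripped
	Expires       time.Time // zero value when no "exp:YYYY-MM-DD" field is present
	Line          int       // 1-based line number of the ID in the file
}

// ParseTrivyIgnore reads the plain-text .trivyignore format: one ID per line,
// an optional "exp:YYYY-MM-DD" second field (Trivy's documented expiry syntax),
// and '#' comment lines. A comment block applies to every ID listed directly
// beneath it; a blank line or a new comment block ends that association.
// This is a simplified re-implementation (assumption), not Trivy's own parser.
func ParseTrivyIgnore(src string) ([]Entry, error) {
	var entries []Entry
	var pending []string // comment lines not yet attached to an entry
	afterID := false     // true once at least one ID has consumed `pending`
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
			pending, afterID = nil, false
		case strings.HasPrefix(line, "#"):
			if afterID { // a fresh comment block starts after the previous IDs
				pending, afterID = nil, false
			}
			pending = append(pending, strings.TrimSpace(strings.TrimPrefix(line, "#")))
		default:
			fields := strings.Fields(line)
			e := Entry{ID: fields[0], Justification: pending, Line: n}
			for _, f := range fields[1:] {
				if strings.HasPrefix(f, "exp:") {
					t, err := time.Parse("2006-01-02", strings.TrimPrefix(f, "exp:"))
					if err != nil {
						return nil, fmt.Errorf("line %d: bad expiry %q: %w", n, f, err)
					}
					e.Expires = t
				}
			}
			entries = append(entries, e)
			afterID = true
		}
	}
	return entries, sc.Err()
}

// Lint reports entries a reviewer should push back on: no justification,
// no expiry, an expiry that has already passed, and duplicated IDs.
func Lint(entries []Entry, now time.Time) []string {
	var problems []string
	seen := map[string]int{} // ID -> line of first occurrence
	for _, e := range entries {
		if len(e.Justification) == 0 {
			problems = append(problems, fmt.Sprintf("line %d: %s has no justification comment", e.Line, e.ID))
		}
		switch {
		case e.Expires.IsZero():
			problems = append(problems, fmt.Sprintf("line %d: %s has no exp: date", e.Line, e.ID))
		case !e.Expires.After(now):
			problems = append(problems, fmt.Sprintf("line %d: %s expired on %s", e.Line, e.ID, e.Expires.Format("2006-01-02")))
		}
		if first, ok := seen[e.ID]; ok {
			problems = append(problems, fmt.Sprintf("line %d: %s duplicates line %d", e.Line, e.ID, first))
		} else {
			seen[e.ID] = e.Line
		}
	}
	return problems
}

// sampleIgnore is a constructed .trivyignore, not this repository's file.
const sampleIgnore = `# Go stdlib: CNI plugins do not open TLS connections.
# Accepted until the next base-image bump.
CVE-2025-61730 exp:2099-01-01
CVE-2025-61729 exp:2099-01-01

# zlib untgz demo utility is not shipped in this image.
CVE-2026-22184 exp:2020-01-01

CVE-2025-22870
CVE-2025-61730 exp:2099-01-01
`

func main() {
	entries, err := ParseTrivyIgnore(sampleIgnore)
	if err != nil {
		panic(err)
	}
	for _, p := range Lint(entries, time.Now()) {
		fmt.Println(p)
	}
}
```

Running it against the constructed sample flags the expired zlib entry, the bare CVE-2025-22870 line (no justification, no expiry) and the duplicated CVE-2025-61730; the two CNI entries pass because they share the comment block above them and carry a future expiry. Wiring this into CI next to the `trivy` scan step is what turns an ignore file from a growing pile of exceptions into a reviewed, time-bounded risk register.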