also add trivy image-scan exclusion for CVE-2026-24051

2026-03-27 04:45:23 +00:00 · 2026-03-03 10:10:39 -08:00
parent 6997d60c79
commit 55db644832
1 changed files with 11 additions and 3 deletions
--- a/pipelines/shared-tasks/scan-image-trivy/task.yml
+++ b/pipelines/shared-tasks/scan-image-trivy/task.yml
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 ---
@@ -12,8 +12,16 @@ inputs:
 outputs:
 params:
  GITHUB_TOKEN:
-  # For format see https://aquasecurity.github.io/trivy/v0.24.2/vulnerability/examples/filter/#by-vulnerability-ids
-  IGNORE_VULNERABILITY_IDS: ""
+  # For format see https://trivy.dev/docs/latest/guide/configuration/filtering/#by-finding-ids
+  IGNORE_VULNERABILITY_IDS: |
+    # CVE-2026-24051 is in go.opentelemetry.io/otel/sdk before v1.40.0. This is an indirect dep that we
+    # get through various k8s modules and through fosite. The CVE description says that it only applies
+    # to MacOS. We do not use opentelemetry in the Pinniped CLI, and our other code never runs on MacOS,
+    # so we should have no exposure to this issue. We can wait for the next version of k8s packages to
+    # update this dependency, if they choose to do so.
+    # See https://ossindex.sonatype.org/vulnerability/CVE-2026-24051?component-type=golang&component-name=go.opentelemetry.io%2Fotel%2Fsdk&utm_source=nancy-client&utm_medium=integration&utm_content=1.2.0
+    CVE-2026-24051 exp:2026-06-04
+
 run:
  path: ash
  args: