diff --git a/.trivyignore.yaml b/.trivyignore.yaml index 1539402..a7de35b 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -1,10 +1,9 @@ vulnerabilities: - id: CVE-2026-40393 - paths: - - "usr/lib/x86_64-linux-gnu/libgbm.so.*" - - "usr/lib/x86_64-linux-gnu/dri/*" - - "usr/lib/x86_64-linux-gnu/libGLX_mesa.so.*" - - "usr/lib/x86_64-linux-gnu/libgallium-*.so" + # No `paths:` constraint — Trivy reports OS-package CVEs against the + # package name (libgbm1, libgl1-mesa-dri, libglx-mesa0, mesa-libgallium), + # not against installed file paths. A `paths:` filter would silently + # fail to match and the ignore would be a no-op (which it was). statement: >- Mesa OOB read (fix: Mesa 25.3.6 / 26.0.1). No Debian 13 backport available. Pulled transitively by libgl1 (required by OpenCV/RapidOCR). Tracked in #189