From 628027d8619ce6892e896436f1e17aae55e8c870 Mon Sep 17 00:00:00 2001 From: Pier-Jean Malandrino Date: Wed, 29 Apr 2026 11:21:37 +0200 Subject: [PATCH] fix(ci): drop paths constraint from CVE-2026-40393 trivy ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Trivy reports OS-package CVEs against the package name (libgbm1, libgl1-mesa-dri, libglx-mesa0, mesa-libgallium) — not against installed file paths. The previous `paths:` filter silently failed to match, so the ignore was a no-op and the gate kept failing on a CVE we explicitly chose to defer. Trace from the failing run (#25097385670): Using YAML ignorefile '.trivyignore.yaml': - id: CVE-2026-40393 ... libgbm1 CVE-2026-40393 CRITICAL affected 25.0.7-2 ... ##[error]Process completed with exit code 1. Removing `paths:` lets the ID-only match apply across all 4 affected Mesa packages until 2026-06-30. Refs #189 --- .trivyignore.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.trivyignore.yaml b/.trivyignore.yaml index 1539402..a7de35b 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -1,10 +1,9 @@ vulnerabilities: - id: CVE-2026-40393 - paths: - - "usr/lib/x86_64-linux-gnu/libgbm.so.*" - - "usr/lib/x86_64-linux-gnu/dri/*" - - "usr/lib/x86_64-linux-gnu/libGLX_mesa.so.*" - - "usr/lib/x86_64-linux-gnu/libgallium-*.so" + # No `paths:` constraint — Trivy reports OS-package CVEs against the + # package name (libgbm1, libgl1-mesa-dri, libglx-mesa0, mesa-libgallium), + # not against installed file paths. A `paths:` filter would silently + # fail to match and the ignore would be a no-op (which it was). statement: >- Mesa OOB read (fix: Mesa 25.3.6 / 26.0.1). No Debian 13 backport available. Pulled transitively by libgl1 (required by OpenCV/RapidOCR). Tracked in #189