fix(ci): drop paths constraint from CVE-2026-40393 trivy ignore
Trivy reports OS-package CVEs against the package name (libgbm1, libgl1-mesa-dri, libglx-mesa0, mesa-libgallium) — not against installed file paths. The previous `paths:` filter silently failed to match, so the ignore was a no-op and the gate kept failing on a CVE we explicitly chose to defer. Trace from the failing run (#25097385670): Using YAML ignorefile '.trivyignore.yaml': - id: CVE-2026-40393 ... libgbm1 CVE-2026-40393 CRITICAL affected 25.0.7-2 ... ##[error]Process completed with exit code 1. Removing `paths:` lets the ID-only match apply across all 4 affected Mesa packages until 2026-06-30. Refs #189
This commit is contained in:
parent
a7fbdf7b1b
commit
628027d861
1 changed files with 4 additions and 5 deletions
|
|
@ -1,10 +1,9 @@
|
|||
vulnerabilities:
|
||||
- id: CVE-2026-40393
|
||||
paths:
|
||||
- "usr/lib/x86_64-linux-gnu/libgbm.so.*"
|
||||
- "usr/lib/x86_64-linux-gnu/dri/*"
|
||||
- "usr/lib/x86_64-linux-gnu/libGLX_mesa.so.*"
|
||||
- "usr/lib/x86_64-linux-gnu/libgallium-*.so"
|
||||
# No `paths:` constraint — Trivy reports OS-package CVEs against the
|
||||
# package name (libgbm1, libgl1-mesa-dri, libglx-mesa0, mesa-libgallium),
|
||||
# not against installed file paths. A `paths:` filter would silently
|
||||
# fail to match and the ignore would be a no-op (which it was).
|
||||
statement: >-
|
||||
Mesa OOB read (fix: Mesa 25.3.6 / 26.0.1). No Debian 13 backport available.
|
||||
Pulled transitively by libgl1 (required by OpenCV/RapidOCR). Tracked in #189
|
||||
|
|
|
|||
Loading…
Reference in a new issue