From cc535a982d2d2007ad55ac9102526b2b5566141a Mon Sep 17 00:00:00 2001 From: Pier-Jean Malandrino Date: Mon, 27 Apr 2026 17:22:15 +0200 Subject: [PATCH] =?UTF-8?q?fix(ci):=20ignore=20CVE-2026-40393=20(Mesa)=20w?= =?UTF-8?q?ith=20expiry=20=E2=80=94=20Debian=20has=20no=20backport=20(#190?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refs #189 --- .trivyignore.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .trivyignore.yaml diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 0000000..1539402 --- /dev/null +++ b/.trivyignore.yaml @@ -0,0 +1,12 @@ +vulnerabilities: + - id: CVE-2026-40393 + paths: + - "usr/lib/x86_64-linux-gnu/libgbm.so.*" + - "usr/lib/x86_64-linux-gnu/dri/*" + - "usr/lib/x86_64-linux-gnu/libGLX_mesa.so.*" + - "usr/lib/x86_64-linux-gnu/libgallium-*.so" + statement: >- + Mesa OOB read (fix: Mesa 25.3.6 / 26.0.1). No Debian 13 backport available. + Pulled transitively by libgl1 (required by OpenCV/RapidOCR). Tracked in #189 + with follow-up to drop libgl1 via opencv-python-headless. + expired_at: 2026-06-30