Commit graph

2 commits

Author SHA1 Message Date
Pier-Jean Malandrino
628027d861 fix(ci): drop paths constraint from CVE-2026-40393 trivy ignore
Trivy reports OS-package CVEs against the package name (libgbm1,
libgl1-mesa-dri, libglx-mesa0, mesa-libgallium) — not against
installed file paths. The previous `paths:` filter silently failed
to match, so the ignore was a no-op and the gate kept failing on a
CVE we explicitly chose to defer.

Trace from the failing run (#25097385670):

  Using YAML ignorefile '.trivyignore.yaml':
    - id: CVE-2026-40393
  ...
  libgbm1  CVE-2026-40393  CRITICAL  affected  25.0.7-2
  ...
  ##[error]Process completed with exit code 1.

Removing `paths:` lets the ID-only match apply across all 4 affected
Mesa packages until 2026-06-30.

Refs #189
2026-04-29 14:00:00 +02:00
Pier-Jean Malandrino
cc535a982d fix(ci): ignore CVE-2026-40393 (Mesa) with expiry — Debian has no backport (#190)
Refs #189
2026-04-29 14:00:00 +02:00