trivy ignore pgx cve (#10142)

solo-io · Oct 1, 2024 · bf36897 · bf36897
1 parent d4ab5d4
commit bf36897
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/.trivyignore b/.trivyignore
@@ -54,10 +54,11 @@ CVE-2024-34156
 # or later
 CVE-2024-45258
 
-# This CVE affects the packc/pgx dependency which is used in ext-auth-service
+# These CVEs affect the packc/pgx dependency which is used in ext-auth-service
 # The dependency is exclusively used in the monetization feature which we don't believe any customer uses and which is
 # set to be deprecated
-# Nevertheless the CVE has been addressed in the v1.15 LTS branch and later, however it is impractical to resolve in 1.14
+# Nevertheless the CVEs have been addressed in the v1.15 LTS branch and later, however it is impractical to resolve in 1.14
 # due to a number of other requisite dependency bumps
 # Therefore we include this entry for now and should remove it once 1.14 is no longer an LTS branch
-CVE-2024-27289
+CVE-2024-27289
+CVE-2024-27304
diff --git a/changelog/v1.18.0-beta25/trivy-ignore-pgx.yaml b/changelog/v1.18.0-beta25/trivy-ignore-pgx.yaml
@@ -0,0 +1,9 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >-
+      Add CVE-2024-27304 to trivyignore as we are not planning on fixing in 1.14 and it does not impact Gateway 
+      functionality.
+      
+      skipCI-kube-tests:true
+      skipCI-storybook-tests:true
+      skipCI-docs-build:true