UID2-6704: Suppress CVE-2026-22184 (zlib untgz) in .trivyignore

swibi-ttd · claude · swibi-ttd · commit 23a62637297b · 2026-03-09T14:38:37.000+11:00
The vulnerability is in zlib's contrib/untgz demo utility, not the core
libz library. Alpine does not ship the untgz binary, and the JRE only
uses libz for compression. The zlib maintainer disputes this CVE and
removed the untgz tool entirely. Not exploitable in our context.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.trivyignore b/.trivyignore
@@ -18,4 +18,9 @@ GHSA-72hv-8253-57qq exp:2026-09-01
 
 # libpng heap buffer overflow in Alpine base image - fixed version not yet available in Alpine 3.23
 # See: UID2-6677
-CVE-2026-25646 exp:2026-09-02
+CVE-2026-25646 exp:2026-09-02
+
+# zlib contrib/untgz demo utility buffer overflow - not exploitable, Alpine does not ship the untgz binary
+# and the core libz library used by the JRE is unaffected. The zlib maintainer disputes this CVE.
+# See: UID2-6704
+CVE-2026-22184 exp:2026-09-09
