UID2-6837: Silence CVE-2026-33416 and CVE-2026-33636 (libpng) in .trivyignore

libpng is an OS-level Alpine package not used by our Java services.
Silence with 1-month expiry (2026-05-01) pending base image update.
Reverts Dockerfile apk upgrade approach in favor of .trivyignore.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: BehnamMozafari

.trivyignore

@@ -33,4 +33,9 @@ CVE-2026-32776 exp:2026-04-25
 # Trivy reports CVE-2026-32776 with transposed digits (32767 instead of 32776) - this is a known Trivy bug
 # See: https://github.com/aquasecurity/trivy/discussions/10412 and UID2-6806
 # This entry can be removed once Trivy fixes the typo
-CVE-2026-32767 exp:2026-04-25
+CVE-2026-32767 exp:2026-04-25
+
+# libpng use-after-free and OOB read/write in Alpine base image - not used by our Java services
+# See: UID2-6837
+CVE-2026-33416 exp:2026-05-01
+CVE-2026-33636 exp:2026-05-01

Dockerfile

@@ -1,9 +1,6 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
-# Upgrade libpng to fix CVE-2026-33416 and CVE-2026-33636
-RUN apk upgrade --no-cache libpng
-
 # For Amazon Corretto Crypto Provider
 RUN apk add --no-cache gcompat
 

scripts/azure-cc/Dockerfile

@@ -2,7 +2,7 @@
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
 # Install necessary packages and set up virtual environment
-RUN apk update && apk add --no-cache --upgrade libpng && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache jq python3 py3-pip && \
     python3 -m venv /venv && \
     . /venv/bin/activate && \
     pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \