Merge pull request #2457 from IABTechLab/bmz-UID2-6806-CVE-2026-32776

BehnamMozafari · web-flow · commit a8f0e751ca89 · 2026-03-25T15:51:17.000+11:00
UID2-6806: suppress CVE-2026-32776 (libexpat) in .trivyignore
diff --git a/.trivyignore b/.trivyignore
@@ -23,4 +23,14 @@ CVE-2026-25646 exp:2026-09-02
 # zlib contrib/untgz demo utility buffer overflow - not exploitable, Alpine does not ship the untgz binary
 # and the core libz library used by the JRE is unaffected. The zlib maintainer disputes this CVE.
 # See: UID2-6704
-CVE-2026-22184 exp:2026-09-09
+CVE-2026-22184 exp:2026-09-09
+
+# libexpat NULL pointer dereference in Alpine base image - not exploitable, our Java services do not use libexpat
+# Fixed in libexpat 2.7.5, not yet available in eclipse-temurin Alpine 3.23 base image
+# See: UID2-6806
+CVE-2026-32776 exp:2026-04-25
+
+# Trivy reports CVE-2026-32776 with transposed digits (32767 instead of 32776) - this is a known Trivy bug
+# See: https://github.com/aquasecurity/trivy/discussions/10412 and UID2-6806
+# This entry can be removed once Trivy fixes the typo
+CVE-2026-32767 exp:2026-04-25
