From a6c98a26ba3e13de2925a230ef35fe33d8be3eed Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 11 Jun 2026 15:29:35 +1000 Subject: [PATCH] UID2-7279: suppress CVE-2026-45447 (libcrypto3); extend CVE-2026-42577 expiry - .trivyignore: add CVE-2026-45447 (libcrypto3 Alpine OS lib, not used by JVM/JSSE) with exp:2026-07-11 - .trivyignore: extend CVE-2026-42577 expiry to 2026-09-11 (no 4.1.x fix yet) Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index ec3a4ac04..773e22e06 100644 --- a/.trivyignore +++ b/.trivyignore @@ -28,4 +28,10 @@ CVE-2026-22184 exp:2026-09-09 # gateway) so anonymous external attackers cannot reach the netty epoll socket directly; # LB-level connection limits and idle timeouts further cap the blast radius. CVSS impact is # Availability only (C:N/I:N/A:H). Tracking via UID2-7035; revisit on vert.x 5 migration. -CVE-2026-42577 exp:2026-06-08 +CVE-2026-42577 exp:2026-09-11 + +# CVE-2026-45447 — libcrypto3 PKCS#7/S/MIME memory corruption in Alpine base image. +# uid2-operator is a pure Java service; the JVM uses JSSE for TLS, not the native +# libcrypto3 C library. No JNI or OpenSSL calls in source. Attack vector (malformed +# PKCS#7/S/MIME parsing) is not reachable from this service. See: UID2-7279 +CVE-2026-45447 exp:2026-07-11
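Review bot: The rationale for the new CVE-2026-45447 entry ("No JNI or OpenSSL calls in source") is an assertion about direct source code only, while the unchanged context two lines above this hunk refers to the "netty epoll socket", i.e. a native transport is already in the runtime; the comment should record how it was verified that neither that native transport nor any other bundled native library links against the Alpine libcrypto3 package, otherwise the "not reachable" claim rests on a check the file does not document. A one-line addition such as "# Verified: no dependency links libcrypto3 (checked <method>)" next to "See: UID2-7279" would make the suppression auditable. For the `-CVE-2026-42577 exp:2026-06-08` / `+CVE-2026-42577 exp:2026-09-11` change, the reason for the three-month extension ("no 4.1.x fix yet") appears only in the commit message; the existing comment block above that entry still says "revisit on vert.x 5 migration" and should be updated to carry the same reason, since `.trivyignore` is the record reviewers will read when the new expiry fires, not the git log.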