chore(trivy): ignore CVE-2026-39832 in oCIS 8.0.5 image#24
golang.org/x/crypto v0.51.0 dependency; unfixable by this repo, will be fixed in oCIS 8.0.6. Added to the existing x/crypto block with the same exp:2026-10-22 expiry as its siblings.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
DeepDiver1975
left a comment
Security review — CVE suppression
Verdict: looks correct, approve in spirit (review-only — see note).
Verified CVE-2026-39832 against the GitHub Advisory DB: it is in golang.org/x/crypto/ssh/agent (CRITICAL), vulnerable range < 0.52.0, first patched in 0.52.0. That matches the PR exactly — the oCIS 8.0.5 binary bundles x/crypto v0.51.0, and the new entry lands in the existing golang.org/x/crypto v0.51.0 block whose header already reads "(fixed in 0.52.0) — will be fixed in oCIS 8.0.6".
What I checked:
- Fix availability: the fix (x/crypto 0.52.0) exists, but it is a transitive Go dependency baked into the upstream owncloud/ocis binary — this image repo cannot bump it. Suppress-until-upstream-release (8.0.6) is the right call here; bumping is not an option in this repo. ✅
- Scoping: single specific CVE id, numeric order, with `exp:2026-10-22` matching its siblings — not a blanket suppression, and it auto-expires to force re-evaluation. ✅
- CI: all required checks green (build amd64/arm64 for both 8.0.5 and 8.1.0-rc.2, lint, prepare). ✅
One thing to note (non-blocking): the advisory is CRITICAL and concerns ssh/agent destination restrictions being silently stripped during key forwarding. The justification here is purely "unfixable in this repo, deferred upstream" — which is mechanically true — but it would be stronger to state the exploitability posture: oCIS is a server and does not use x/crypto/ssh/agent key forwarding, so the practical risk in this image is negligible. Suggest adding that one-liner to the block comment / PR rationale for the audit trail. The current rationale + expiry is acceptable as-is.
No changelog in this repo (only .trivyignore, README, LICENSE, v8/) — n/a for a trivy-config chore.
🤖 Generated with Claude Code
Summary
Trivy flags CVE-2026-39832 in the oCIS 8.0.5 (v8) image. It originates in the bundled `golang.org/x/crypto v0.51.0` Go dependency and cannot be fixed by this repo — it requires an upstream owncloud/ocis release (fix lands in oCIS 8.0.6, like the other x/crypto CVEs already listed).

Added a single entry to the existing `golang.org/x/crypto v0.51.0` block in `v8/.trivyignore`, in numeric order, with the same `exp:2026-10-22` expiry as its siblings. This file is consumed by both `main.yml` (release) and `rolling.yml` scans.

Test plan

CVE-<id> exp:2026-10-22)

🤖 Generated with Claude Code
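The review above checks the new suppression by hand for three properties: a specific id rather than a blanket rule, an `exp:` date so the entry auto-expires, and numeric order within its block. The following is an added example, not code from this PR or from the owncloud/ocis image repo, that performs those checks mechanically over a `.trivyignore` file. It assumes Trivy's documented format (one vulnerability id per line, `#` comment lines, optional `exp:YYYY-MM-DD` suffix) and treats blank lines as block separators; the sample file content is constructed, with only CVE-2026-39832 and the 2026-10-22 expiry taken from the PR, the sibling ids being placeholders, and the "today" date being chosen for the demonstration.

```python
"""Lint a .trivyignore file for open-ended, expired and out-of-order entries.

Added example; not part of the PR or the image repository. Assumes Trivy's
.trivyignore format: one vulnerability id per line, optional "exp:YYYY-MM-DD"
suffix, lines starting with "#" are comments. Blank lines are treated here as
block separators (an assumption, used only for the ordering check).
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?\s*$")
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d+)$")

# Constructed sample. Only CVE-2026-39832 and the 2026-10-22 expiry come from
# the PR; the other ids are placeholders, and the second block deliberately
# contains defects for the linter to catch.
SAMPLE = """\
# golang.org/x/crypto v0.51.0 (fixed in 0.52.0) - will be fixed in oCIS 8.0.6
# (the two ids below are constructed placeholders for the existing siblings)
CVE-2026-10001 exp:2026-10-22
CVE-2026-10002 exp:2026-10-22
CVE-2026-39832 exp:2026-10-22

# constructed defects the linter should catch:
# no expiry, an already-expired entry, and an id out of numeric order
CVE-2025-20001
CVE-2025-20003 exp:2025-01-01
CVE-2025-20002 exp:2026-10-22
"""


@dataclass
class Entry:
    vuln_id: str
    expiry: Optional[date]
    line_no: int
    block: int  # index of the blank-line-delimited block the entry sits in


def parse_trivyignore(text: str) -> List[Entry]:
    """Parse .trivyignore text into entries; malformed lines raise ValueError."""
    entries: List[Entry] = []
    block = 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            block += 1  # a blank line starts a new block
            continue
        if line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {line_no}: unrecognised entry {raw!r}")
        expiry = date.fromisoformat(m["exp"]) if m["exp"] else None
        entries.append(Entry(m["id"], expiry, line_no, block))
    return entries


def lint(entries: List[Entry], today: date) -> List[str]:
    """Report entries with no expiry, entries already expired, and CVE ids
    that break ascending numeric order inside their block."""
    findings: List[str] = []
    last_cve_in_block: Dict[int, Tuple[int, int]] = {}
    for e in entries:
        if e.expiry is None:
            findings.append(f"line {e.line_no}: {e.vuln_id} has no exp: date (open-ended suppression)")
        elif e.expiry < today:
            findings.append(f"line {e.line_no}: {e.vuln_id} expired on {e.expiry.isoformat()}; re-evaluate or remove")
        cve = CVE_RE.match(e.vuln_id)
        if cve:
            key = (int(cve[1]), int(cve[2]))
            prev = last_cve_in_block.get(e.block)
            if prev is not None and key < prev:
                findings.append(f"line {e.line_no}: {e.vuln_id} is out of numeric order within its block")
            last_cve_in_block[e.block] = key
    return findings


def lint_text(text: str, today: date) -> List[str]:
    """Convenience wrapper: parse then lint."""
    return lint(parse_trivyignore(text), today)


if __name__ == "__main__":
    # Constructed "today" so the demonstration is reproducible.
    for finding in lint_text(SAMPLE, date(2026, 4, 1)):
        print(finding)
```

Run against the constructed sample with a date before 2026-10-22, the x/crypto block passes cleanly and the second block yields exactly the three planted findings; rerun after the expiry date and every x/crypto entry is reported as expired, which is the forced re-evaluation the reviewer relies on.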