From 2675675ec5d459ccced360fd361d27ce7dbacd62 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Wed, 25 Mar 2026 15:18:15 +1100 Subject: [PATCH] UID2-6806: suppress CVE-2026-32776 (libexpat) in .trivyignore libexpat NULL pointer dereference (CVE-2026-32776) - not exploitable as our Java services do not use libexpat. Fix requires libexpat 2.7.5, not yet available in eclipse-temurin Alpine 3.23. Also suppressing CVE-2026-32767 which is the same CVE with a Trivy typo (transposed digits). Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.trivyignore b/.trivyignore index 80238c49..ba684ed7 100644 --- a/.trivyignore +++ b/.trivyignore @@ -17,3 +17,13 @@ CVE-2026-1584 exp:2026-08-27 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API # See: UID2-6670 GHSA-72hv-8253-57qq exp:2026-09-01 + +# libexpat NULL pointer dereference in Alpine base image - not exploitable, our Java services do not use libexpat +# Fixed in libexpat 2.7.5, not yet available in eclipse-temurin Alpine 3.23 base image +# See: UID2-6806 +CVE-2026-32776 exp:2026-04-25 + +# Trivy reports CVE-2026-32776 with transposed digits (32767 instead of 32776) - this is a known Trivy bug +# See: https://github.com/aquasecurity/trivy/discussions/10412 and UID2-6806 +# This entry can be removed once Trivy fixes the typo +CVE-2026-32767 exp:2026-04-25
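Review bot: The second entry, `CVE-2026-32767 exp:2026-04-25`, suppresses an identifier on the assumption that it is only a digit-transposed duplicate of CVE-2026-32776; if CVE-2026-32767 is (or later becomes) a distinct vulnerability, this line will silently hide it until the expiry date. The comment block should record what was checked to rule that out (the package and installed version Trivy attached to the 32767 finding, and that the ID itself does not resolve to a separate advisory) rather than only linking the Trivy discussion, so the next person can re-verify it when the expiry is extended. For the first entry, the justification "our Java services do not use libexpat" should say how that was established for the image as a whole (which installed packages in the Alpine base link against libexpat, and that none of them run in the service container), since the library is present in the image regardless of what the JVM uses. Both comments could also state the intended remediation at expiry (rebuild on an eclipse-temurin Alpine 3.23 image that ships libexpat 2.7.5) so the 2026-04-25 date is tied to an action and not just renewed.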