Backport of suppressing alpine CVEs as there is no fix yet into release/1.21.x (#22281)

nitin-sachdev-29 · hc-github-team-consul-core · web-flow · commit aad6d4826447 · 2025-04-18T07:00:19.000Z
* Backport of CVE Fix into release/1.21.x (#22269) * backport of commit 73c592c * CVE Fix (#22268) * Fixed following CVEs: GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0 GO-2025-3595 in golang.org/x/net@v0.37.0 GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1 GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1 stdlib in Go GO-2025-3563@1.23.7 * added changelog (cherry picked from commit 519fb0a) --------- Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com> * Backport of Upgraded go to 1.23.8 into release/1.21.x (#22274) * backport of commit cedded6 * backport of commit dd4f628 --------- Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com> * backport of commit 5d7f3ee --------- Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -39,7 +39,14 @@ container {
 			vulnerabilities = [
 				"CVE-2024-4067", # libsolv@0:0.7.24-3.el9
 				"CVE-2019-12900", # bzip2-libs@0:1.0.8-8.el9
-				"CVE-2024-12797" # openssl-libs@1:3.2.2-6.el9_5
+				"CVE-2024-12797", # openssl-libs@1:3.2.2-6.el9_5
+				"CVE-2024-53427", # jq@1.7.1-r0
+				"CVE-2025-31498", # c-ares@1.34.3-r0
+				"CVE-2025-30258", # gnupg@2.4.7-r0
+				"CVE-2025-31498", # c-ares@1.34.3-r0
+				"CVE-2025-30258", #  gnupg@2.4.7-r0
+				"CVE-2024-53427", # jq@1.7.1-r0
+				"CVE-2022-49043" # libxml2@0:2.9.13-6.el9_5.2
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",
