VAULT-35615 security(scanner): suppress CVE-2025-46394 (#30350)

An upstream CVE in busybox is tripping the security scanner: https://github.com/hashicorp/crt-workflows-common/actions/runs/14623987904/job/41031896870#step:9:16 Since this will require a new version of Alpine we can’t do much except suppress it until a new version has been released with Busybox >= 1.38 We’re already rolling on the latest Alpine 3 so we ought to get the fix as soon as it’s released and available, but this will unbreak the pipeline until then. Signed-off-by: Ryan Cragun <me@ryan.ec>
2025-08-05 22:27:03 +02:00 · 2025-04-23 13:43:33 -06:00 · 2025-04-23 13:43:33 -06:00 · 9859b06401
commit 9859b06401
parent 87c08a0af3
2 changed files with 32 additions and 32 deletions
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@ -1,27 +1,25 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1

-container {
-	dependencies = true
-	alpine_secdb = true
-	secrets      = true
-}
-
 binary {
-	secrets      = false
-	go_modules   = true
-	go_stdlib    = true
-	osv          = true
-	oss_index    = true
-	nvd          = false
-
-	# Triage items that are _safe_ to ignore here. Note that this list should be
-	# periodically cleaned up to remove items that are no longer found by the scanner.
-	triage {
-		suppress {
-			vulnerabilities = [
-				"GO-2022-0635", // github.com/aws/aws-sdk-go@v1.55.5
-			]
-		}
-	}
+  secrets    = false
+  go_modules = false
+  osv        = true
+  oss_index  = true
+  nvd        = false
+}
+
+container {
+  dependencies    = true
+  alpine_security = true
+  secrets         = true
+
+  triage {
+    suppress {
+      vulnerabilities = [
+        "CVE-2025-46394", // We can't do anything about this until a new Alpine container with busybox 1.38 is available.
+        "GO-2022-0635",   // github.com/aws/aws-sdk-go@v1.x
+      ]
+    }
+  }
 }
--- a/scan.hcl
+++ b/scan.hcl
@ -3,18 +3,20 @@

 repository {
  go_modules = true
-  osv = true
-  secrets {
-    all = true
-  } 
+  osv        = true
+
  dependabot {
-    required = true
+    required     = true
    check_config = true
  }
-  
+
+  plugin "codeql" {
+    languages = ["go"]
+  }
+
  plugin "semgrep" {
    use_git_ignore = true
-    exclude = ["vendor"]
+    exclude        = ["vendor"]
    config = [
      "tools/semgrep/ci",
      "p/r2c-security-audit",
@ -24,8 +26,8 @@ repository {
    ]
    exclude_rule = ["generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var"]
  }
-  
-  plugin "codeql" {
-    languages = ["go"]
+
+  secrets {
+    all = true
  }
 }