From 4cd7d5d7cd372b273451ccd0b006f8d31e2b13ec Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Mon, 4 May 2026 11:39:54 +1000
Subject: [PATCH 1/3] fix(CVE-2026-33845): upgrade gnutls to 3.8.13-r0+ in Alpine base image

Adds RUN apk upgrade --no-cache gnutls to patch CVE-2026-33845 (GnuTLS DoS via DTLS zero-length record, HIGH severity).
UID2-7008
---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 287bba32..2c772a0e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,9 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
+# CVE-2026-33845: upgrade gnutls to 3.8.13-r0+
+RUN apk upgrade --no-cache gnutls
+
 WORKDIR /app
 EXPOSE 8089
 

From d8d76069b56c329a3caf0c7d0cce4dae0228936f Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Mon, 4 May 2026 13:28:56 +1000
Subject: [PATCH 2/3] fix: pin gnutls=3.8.13-r0 instead of open-ended upgrade

Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2c772a0e..79921e5a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
-# CVE-2026-33845: upgrade gnutls to 3.8.13-r0+
-RUN apk upgrade --no-cache gnutls
+# CVE-2026-33845: pin gnutls to 3.8.13-r0 (fixes DoS via DTLS zero-length record)
+RUN apk add --no-cache 'gnutls=3.8.13-r0'
 
 WORKDIR /app
 EXPOSE 8089

From 9d0ce672de07a59c451df5019b92d9368813f8c0 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Mon, 4 May 2026 13:38:54 +1000
Subject: [PATCH 3/3] fix: suppress CVE-2026-33845 in trivyignore; gnutls not used by service

Co-Authored-By: Claude Sonnet 4.6
---
 .trivyignore | 3 +++
 Dockerfile | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index ba684ed7..378a143d 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -13,6 +13,9 @@ CVE-2025-1686
 # gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
 # See: UID2-6655
 CVE-2026-1584 exp:2026-08-27
+# gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service
+# See: UID2-7008
+CVE-2026-33845 exp:2026-11-04
 
 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
 # See: UID2-6670
diff --git a/Dockerfile b/Dockerfile
index 79921e5a..287bba32 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,6 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6
 
-# CVE-2026-33845: pin gnutls to 3.8.13-r0 (fixes DoS via DTLS zero-length record)
-RUN apk add --no-cache 'gnutls=3.8.13-r0'
-
 WORKDIR /app
 EXPOSE 8089
 
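Review bot: The added `RUN apk upgrade --no-cache gnutls` never verifies that the fixed release was obtained — `apk upgrade` exits 0 whether or not the Alpine 3.23 repository has published 3.8.13-r0 yet, so the comment's "3.8.13-r0+" is an expectation rather than a build-time assertion, and the step also makes the image depend on repository state at build time even though the FROM line directly above pins the base by digest. A version constraint on an install, `RUN apk add --no-cache 'gnutls>=3.8.13-r0'`, fails the build when the fix is unavailable while still accepting later revisions; PATCH 2/3 moves to an exact `=` pin, which gains the assertion but gives up forward compatibility. Whichever form is kept, the comment should state the mitigation boundary so the next base-image bump can drop the step, e.g. `# CVE-2026-33845: gnutls >= 3.8.13-r0 required; remove once the base digest above ships it`.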
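Review bot: The exact pin `'gnutls=3.8.13-r0'` is brittle against a rolling Alpine branch: Alpine repositories typically serve only the current build of a package per branch, so once 3.8.13-r0 is superseded `apk add` can no longer select it and the image stops building until someone edits a security-patch line by hand. A lower bound, `RUN apk add --no-cache 'gnutls>=3.8.13-r0'`, keeps the assertion that a fixed release is present without freezing the revision, and build reproducibility is already bounded by the base-image digest on the FROM line. The rewritten comment should also say this step is a stop-gap until the eclipse-temurin digest is bumped to a base that already carries the fix, since that is the change that actually retires it.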
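Review bot: The new suppression asserts "gnutls is not used by our Java service" but records nothing that lets a later reader re-check the claim — the JRE performs TLS through its own JSSE stack, so gnutls is presumably present only as a dependency of another package in the base image (confirm, e.g. with `apk info -r gnutls` inside the image), and the entry should name that dependent and the check performed instead of repeating the CVE-2026-1584 entry's wording. If nothing the runtime needs depends on gnutls, removing the package in the Dockerfile closes the finding instead of hiding it until 2026-11-04; if something does depend on it, tying the expiry to the next base-digest bump is more defensible than a fixed six months. Minor: the existing entries are separated by a blank line, and the new block is glued directly to `CVE-2026-1584 exp:2026-08-27`. Note also that this patch returns the Dockerfile to blob 287bba32, its pre-series state, so the three patches net to only this .trivyignore change and could be squashed before merge so history does not record a package pin that never shipped.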