From 1af67cef7f751ea455e37920d4a8c563ae2382e3 Mon Sep 17 00:00:00 2001 From: Sunny Wu Date: Sat, 2 May 2026 19:55:17 +1000 Subject: [PATCH] UID2-6481: suppress CVE-2025-68973 in trivyignore GnuPG packages (dirmngr, gnupg, gpg-agent, etc.) in Ubuntu 24.04 base image have a HIGH-severity out-of-bounds write vulnerability. Fix is available in 2.4.4-2ubuntu17.4 but was not yet propagated to Ubuntu apt repos at CI build time. Dockerfile already performs apt-get upgrade; this suppression will expire 2026-08-01 by which time the patched package will be present in all rebuild environments. Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index 7902316..76bf90e 100644 --- a/.trivyignore +++ b/.trivyignore @@ -4,4 +4,10 @@ # UID2-6837 # plexus-utils directory traversal - comes from Maven installation in base image (maven:3.9.11-eclipse-temurin-21), not from our code dependencies. Not exploitable at runtime. -CVE-2025-67030 exp:2026-10-01 \ No newline at end of file +CVE-2025-67030 exp:2026-10-01 + +# UID2-6481 +# GnuPG information disclosure / out-of-bounds write in Ubuntu 24.04 base image packages (dirmngr, gnupg, gpg, etc). +# Fix available in 2.4.4-2ubuntu17.4. Dockerfile already performs apt-get upgrade; will self-resolve +# once the Ubuntu security update propagates to the build environment. +CVE-2025-68973 exp:2026-08-01 \ No newline at end of file
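Review bot: the new last line `+CVE-2025-68973 exp:2026-08-01` still ends with `\ No newline at end of file`, so the next entry added to .trivyignore will again rewrite this line as a delete-plus-re-add (exactly what happened to `CVE-2025-67030 exp:2026-10-01` in this hunk); terminate the file with a newline to avoid that churn. Also, the in-file comment describes the issue as "information disclosure / out-of-bounds write" while the commit message calls it a HIGH-severity out-of-bounds write; the rationale comment is what future readers will see, so it should match the advisory description being suppressed. Finally, since the justification is "apt-get upgrade will pick up 2.4.4-2ubuntu17.4 once it propagates", record the GnuPG version actually present in the current image next to the entry, so a reviewer can confirm whether the suppression is still needed before the 2026-08-01 expiry rather than only when it lapses.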