# Trivy vulnerability ignore file
# See: https://trivy.dev/docs/latest/configuration/filtering/
#
# Review Policy: All suppressions should be reviewed periodically.
# Expiration dates use format: exp:YYYY-MM-DD (Trivy native syntax)
# Last full review: 2026-02-23

# =============================================================================
# MITIGATED BY RUNTIME ENVIRONMENT
# =============================================================================

# CVE-2025-8869: pip symbolic link extraction path traversal
# Severity: MEDIUM (CVSS 5.9) - Not applicable when mitigated
#
# MITIGATED: This vulnerability only affects pip's fallback tar extraction
# on Python versions that don't implement PEP 706. Safe versions:
# Python >= 3.9.17, >= 3.10.12, >= 3.11.4, or >= 3.12 (all versions).
# This project uses Python 3.13 which implements PEP 706, so the vulnerable
# fallback code path is never executed.
#
# Fix available in pip 25.3+, but not needed for PEP 706-compliant Python.
# See: https://github.com/advisories/GHSA-4xh5-x5gv-qwph
CVE-2025-8869

# =============================================================================
# DEBIAN OS-LEVEL CVEs (No fix available in bookworm)
# =============================================================================

# CVE-2025-14104: util-linux heap buffer overread in setpwnam()
# Severity: MEDIUM (CVSS 6.1)
# Review: 2026-07-01
#
# UNFIXABLE IN BOOKWORM: Debian classified as "Minor issue", no DSA planned.
# Exploitation requires 256-byte usernames (useradd enforces 32-char limit).
# Container runs as non-root (ldruser) and doesn't use SUID utilities.
# Fixed in: Debian Sid 2.41.3-3, Forky 2.41.3-2
# Tracking: https://security-tracker.debian.org/tracker/CVE-2025-14104
CVE-2025-14104 exp:2026-07-01

# CVE-2025-59375: libexpat memory allocation DoS via small crafted XML
# Severity: HIGH (CVSS 7.5)
# Review: 2026-07-01
#
# DEBIAN IGNORED: Classified as "Minor issue", no backport planned.
# Allows disproportionately large memory allocations via small XML documents.
# App doesn't process untrusted XML from external sources. DoS only.
# Fixed in: libexpat 2.7.2 (bookworm has 2.5.0)
# Tracking: https://security-tracker.debian.org/tracker/CVE-2025-59375
CVE-2025-59375 exp:2026-07-01

# CVE-2025-66382: libexpat DoS via 2MB crafted XML
# Severity: LOW (CVSS 2.9)
# Review: 2026-07-01
#
# NOT FIXED ANYWHERE: No upstream fix available yet. Debian marked "postponed".
# App doesn't process large untrusted XML from external sources.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2025-66382
CVE-2025-66382 exp:2026-07-01

# CVE-2025-7709: SQLite FTS5 integer overflow
# Severity: MEDIUM (CVSS 6.9)
# Review: 2026-07-01
#
# DEBIAN NO-DSA: Classified as "Minor issue". Fixed in Sid 3.46.1-8.
# Project uses SQLCipher for encrypted internal storage only.
# FTS5 full-text search not exposed to untrusted input.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2025-7709
CVE-2025-7709 exp:2026-07-01

# CVE-2025-70873: SQLite zipfileInflate info disclosure
# Severity: LOW
# Review: 2026-09-01
#
# NOT EXPLOITABLE: Python's sqlite3 module does not load the zipfile
# extension by default. The vulnerable code path is never executed.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2025-70873
CVE-2025-70873 exp:2026-09-01

# =============================================================================
# VENDORED DEPENDENCY
# =============================================================================

# CVE-2026-24049: Path traversal in wheel (bundled in setuptools)
#
# VENDORED DEPENDENCY: This vulnerability is in setuptools' internal _vendor
# copy (wheel 0.45.1), NOT our direct dependency (wheel >=0.46.2).
# Setuptools vendors older versions that cannot be updated independently.
# Our project installs the fixed wheel version in Dockerfile.
#
# Monitoring: Check future setuptools releases for updated vendor.
# As of setuptools 80.10.1, the vendored wheel is still 0.45.1.
CVE-2026-24049

# =============================================================================
# DEBIAN TRIXIE (13) OS-LEVEL CVEs (No fix available)
# =============================================================================

# CVE-2025-8176: libtiff6 — crash in tiffmedian CLI tool
# Severity: HIGH
# Review: 2026-09-01
#
# UNFIXABLE IN TRIXIE: Fix only in sid (4.7.1-1), Trixie has 4.7.0-3+deb13u1.
# Debian classified as "no security impact" — CLI tool crash only.
# Container does not use libtiff CLI tools.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2025-8176
CVE-2025-8176 exp:2026-09-01

# CVE-2025-8177: libtiff6 — crash in thumbnail CLI tool
# Severity: HIGH
# Review: 2026-09-01
#
# UNFIXABLE IN TRIXIE: Fix only in sid (4.7.1-1), Trixie has 4.7.0-3+deb13u1.
# Debian classified as "no security impact" — CLI tool crash only.
# Container does not use libtiff CLI tools.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2025-8177
CVE-2025-8177 exp:2026-09-01

# CVE-2017-18018: coreutils — race condition in chown -R -L
# Severity: HIGH
# Review: 2026-09-01
#
# UPSTREAM WON'T FIX: Upstream chose a documentation-only fix.
# Container entrypoint uses chown -R (without -L), so it is not affected.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2017-18018
CVE-2017-18018 exp:2026-09-01

# CVE-2026-3063: Chrome DevTools — requires malicious extension
# Severity: HIGH
# Review: 2026-09-01
#
# UNFIXABLE: Playwright bundles Chrome 145.0.7632.6; the fix requires a newer version.
# Requires a malicious browser extension — low risk in headless Docker scraping.
# Tracking: https://chromereleases.googleblog.com/
CVE-2026-3063 exp:2026-09-01

# CVE-2026-0861: libc6/libc-bin — heap overflow in memalign
# Severity: HIGH
# Review: 2026-09-01
#
# UNFIXABLE IN TRIXIE: Needs glibc 2.43, Trixie has 2.41. Debian no-dsa.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-0861
CVE-2026-0861 exp:2026-09-01

# CVE-2026-0915: libc6/libc-bin — NSS DNS info disclosure
# Severity: HIGH
# Review: 2026-09-01
#
# UNFIXABLE IN TRIXIE: Needs glibc 2.43, Trixie has 2.41. Debian no-dsa.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-0915
CVE-2026-0915 exp:2026-09-01

# CVE-2026-5358: libc6/libc-bin — buffer overflow in obsolete nis_local_principal
# Severity: CRITICAL (CVSS 9.1)
# Review: 2026-10-01
#
# UNFIXABLE IN TRIXIE: Needs glibc 2.44, Trixie has 2.41. No Debian fix yet (published 2026-04-20).
# NIS deprecated since glibc 2.26; container does not use NIS. Very low exploitability.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-5358
CVE-2026-5358 exp:2026-10-01

# CVE-2026-5450: libc6/libc-bin — one-byte heap overflow in scanf %mc
# Severity: CRITICAL (CVSS 9.8, CISA-ADP)
# Review: 2026-10-01
#
# UNFIXABLE IN TRIXIE: Needs glibc 2.44, Trixie has 2.41. No Debian fix yet (published 2026-04-20).
# Python never calls scanf with %mc format specifier and width > 1024. Very low exploitability.
# Debian bug: https://bugs.debian.org/1134543
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-5450
CVE-2026-5450 exp:2026-10-01

# CVE-2026-5928: libc6/libc-bin — buffer under-read in ungetwc
# Severity: HIGH
# Review: 2026-10-01
#
# UNFIXABLE IN TRIXIE: Needs glibc 2.44, Trixie has 2.41. No Debian fix yet (published 2026-04-20).
# Info disclosure requires non-Unicode character encodings and is explicitly stated
# to be impossible with standard Unicode. Python does not call ungetwc directly. Very low exploitability.
# Debian bug: https://bugs.debian.org/1134544
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-5928
CVE-2026-5928 exp:2026-10-01

# CVE-2026-5435: libc6/libc-bin — buffer overflow in deprecated ns_sprintrrf TSIG handling
# Severity: HIGH (CVSS 7.3)
# Review: 2026-10-01
#
# UNFIXABLE IN TRIXIE: Needs glibc 2.43, Trixie has 2.41. Debian no-dsa.
# Affects deprecated DNS functions (ns_printrrf, ns_printrr, fp_nquery).
# Container never calls these deprecated functions directly.
# GLIBC-SA-2026-0011
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-5435
CVE-2026-5435 exp:2026-10-01

# CVE-2026-6238: libc6/libc-bin — buffer overread in deprecated ns_printrrf RDATA validation
# Severity: MEDIUM (CVSS 6.5)
# Review: 2026-10-01
#
# UNFIXABLE IN TRIXIE: Needs glibc 2.43, Trixie has 2.41. Debian no-dsa.
# Affects deprecated DNS functions. Triggered by corrupted DNS response RDATA.
# Container never calls these deprecated functions directly.
# GLIBC-SA-2026-0011
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-6238
CVE-2026-6238 exp:2026-10-01

# CVE-2026-32776: libexpat NULL deref in empty external parameter entity
# Severity: MEDIUM (CVSS 4.0)
# Review: 2026-09-01
#
# UNFIXABLE: Needs expat 2.7.5, not available in Trixie or sid.
# DoS only via DTD processing. API XML (PubMed/arXiv) uses defusedxml;
# XML file upload uses lxml/libxml2 (not expat). Low exploitability.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-32776
CVE-2026-32776 exp:2026-09-01

# CVE-2026-32777: libexpat infinite loop in DTD parsing
# Severity: MEDIUM (CVSS 4.0)
# Review: 2026-09-01
#
# UNFIXABLE: Needs expat 2.7.5, not available in Trixie or sid.
# Local attack vector, DoS only. API XML (PubMed/arXiv) uses defusedxml;
# XML file upload uses lxml/libxml2 (not expat). Low exploitability.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-32777
CVE-2026-32777 exp:2026-09-01

# CVE-2026-32778: libexpat NULL deref in setContext after OOM
# Severity: LOW per CNA (CVSS 2.9) / MEDIUM per NIST (CVSS 5.5)
# Review: 2026-09-01
#
# UNFIXABLE: Needs expat 2.7.5, not available in Trixie or sid.
# Requires OOM precondition to trigger. Crash only, no code execution.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2026-32778
CVE-2026-32778 exp:2026-09-01

# CVE-2019-1010023: libc6 — library remapping via ldd
# Severity: HIGH
# Review: 2026-09-01
#
# UPSTREAM NOT A SECURITY ISSUE: Upstream explicitly classified as
# "not a legitimate security issue". Debian: unimportant.
# Tracking: https://security-tracker.debian.org/tracker/CVE-2019-1010023
CVE-2019-1010023 exp:2026-09-01

# CVE-2025-69720: ncurses low-severity vulnerability
# Severity: LOW
# Review: 2026-09-01
#
# UNFIXABLE: Affects ncurses 6.5+20250216-2 (ncurses-bin, ncurses-base,
# libncursesw6, libtinfo6). No fix available in Trixie.
CVE-2025-69720 exp:2026-09-01

# CVE-2026-3479: Python 3.14.3 low-severity vulnerability
# Severity: LOW
# Review: 2026-09-01
#
# UNFIXABLE: No fix available — latest python:3.14-slim still ships 3.14.3.
# Awaiting Python 3.14.4.
CVE-2026-3479 exp:2026-09-01

# CVE-2026-27456: util-linux low-severity vulnerability
# Severity: LOW
# Review: 2026-10-01
#
# UNFIXABLE IN TRIXIE: Debian classified as no-dsa, no fix planned.
# Affects bsdutils, libblkid1, libmount1, libsmartcols1, libuuid1,
# liblastlog2-2, login, mount, util-linux. Container runs non-root
# with dropped capabilities.
CVE-2026-27456 exp:2026-10-01
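# A periodic-review check for this file, added here as an example (not part of the
# project or of Trivy): it parses Trivy's native "<ID> exp:YYYY-MM-DD" entry syntax
# plus this file's own "# Review: YYYY-MM-DD" comment convention, and reports expired
# suppressions, entries with no expiry at all, and Review/exp date mismatches.
# The sample lines inside are constructed for the demo.

```python
"""Audit a .trivyignore for stale or open-ended suppressions (example, not project code)."""
import re
from datetime import date

# Trivy native syntax: '<ID>' optionally followed by ' exp:YYYY-MM-DD'.
ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?")
# This file's own convention (assumption): a '# Review: YYYY-MM-DD' comment before each entry.
REVIEW_RE = re.compile(r"^#\s*Review:\s*(\d{4}-\d{2}-\d{2})")


def parse_trivyignore(text):
    """Return a list of (id, exp_date_or_None, review_date_or_None)."""
    entries, review = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = REVIEW_RE.match(line)
            if m:
                review = date.fromisoformat(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        exp = date.fromisoformat(m.group("exp")) if m.group("exp") else None
        entries.append((m.group("id"), exp, review))
        review = None  # a Review: comment applies only to the entry that follows it
    return entries


def audit(text, today_iso):
    """Classify entries as expired, open-ended (no exp:), or Review/exp mismatch."""
    today = date.fromisoformat(today_iso)
    findings = {"expired": [], "no_expiry": [], "mismatch": []}
    for cve, exp, review in parse_trivyignore(text):
        if exp is None:
            findings["no_expiry"].append(cve)  # never expires: needs a manual review date
            continue
        if exp <= today:
            findings["expired"].append(cve)  # Trivy will stop ignoring it; re-assess
        if review is not None and review != exp:
            findings["mismatch"].append(cve)  # comment and exp: disagree
    return findings


SAMPLE = """\
# constructed sample in the file's own format
# Review: 2026-07-01
CVE-2025-14104 exp:2026-07-01
# Review: 2026-09-01
CVE-2025-7709 exp:2026-10-01
CVE-2025-8869
"""

if __name__ == "__main__":
    print(audit(SAMPLE, date.today().isoformat()))
```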
