
security: add CVE-2026-32285 to .trivyignore #478

Open

ajitpratap0 wants to merge 1 commit into main from fix/trivy-cve-2026-32285

Conversation

@ajitpratap0 (Owner)

Summary

Adds CVE-2026-32285 to .trivyignore to fix failing Trivy Repository Scan CI checks on PR #475 and PR #477.

Root Cause

CVE-2026-32285 affects github.com/buger/jsonparser v1.1.1, a transitive dependency via:
mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser

No fixed version is available upstream. The package is not used directly by GoSQLX code.

Impact

  • Not called directly by any GoSQLX code
  • Risk is scoped to MCP JSON schema generation
  • Consistent with existing .trivyignore entries for buger/jsonparser (GHSA-6g7g-w4f8-9c9x)

Action Items

Re-evaluate when buger/jsonparser releases a patched version or when mcp-go updates its dependency.

CVE-2026-32285 affects github.com/buger/jsonparser v1.1.1, which is a
transitive dependency via mark3labs/mcp-go → invopop/jsonschema →
wk8/go-ordered-map → buger/jsonparser.

No fixed version is available upstream. The package is not called
directly by any GoSQLX code and risk is scoped to MCP JSON schema
generation. Added to .trivyignore until a patched version is released.

Fixes Trivy Repository Scan CI failures in PR #475 and #477.
@github-actions

github-actions bot commented Mar 31, 2026

Claude finished @ajitpratap0's task


Pull Request Review

Reviewing PR #478: Adding CVE-2026-32285 to .trivyignore

Todo List

  • Read and analyze the .trivyignore file changes
  • Review existing security practices in the repository
  • Evaluate the security impact and justification
  • Provide comprehensive feedback on code quality, security, and best practices
  • Check for any missing documentation or process improvements

Review Feedback

Code Quality & Best Practices

Excellent documentation pattern: The change follows the established format in .trivyignore:5-10 with:

  • Clear CVE identifier and affected package version
  • Severity classification (HIGH/MEDIUM)
  • Complete dependency chain mapping
  • Impact scope assessment
  • Re-evaluation trigger conditions

Consistency: Mirrors the existing GHSA-6g7g-w4f8-9c9x entry for the same buger/jsonparser package, maintaining documentation standards.

Security Assessment

Low Risk Profile:

  • Transitive dependency only: mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser
  • No direct usage: Confirmed in go.mod:24 as indirect dependency
  • Scoped impact: Limited to MCP JSON schema generation (pkg/mcp/ functionality)
  • Upstream limitation: No fixed version available (package last updated 2021-01-08)

Risk Mitigation: The MCP server is an optional component primarily for AI assistant integration, not core GoSQLX functionality.

Process Compliance

Proper justification: The PR description clearly explains:

  • Root cause analysis
  • Impact assessment
  • Alignment with project security posture
  • Clear action items for re-evaluation

Follows established patterns: Consistent with 6 existing CVE entries in .trivyignore, showing this is part of a mature vulnerability management process.

⚠️ Recommendations

  1. Consider dependency audit: While acceptable for now, consider tracking when mark3labs/mcp-go might update its dependency chain to eliminate this transitive risk.

  2. Monitor upstream: Set a calendar reminder to check buger/jsonparser releases quarterly, as this package hasn't been updated since 2021.

  3. Documentation enhancement (optional): Consider adding the CVE description/impact to the comment for future maintainers.

Test Coverage

No test changes required - this is a security configuration change that doesn't affect code functionality.

Verdict: APPROVED

This is a well-documented, low-risk security exception that follows established project patterns. The change is necessary to unblock CI while maintaining security visibility.
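
As an added example (not code from this PR or from the GoSQLX project): a small lint for a .trivyignore that enforces the documentation pattern the review praises and the re-evaluation it recommends, by requiring a justification comment above each ignored ID and an `exp:YYYY-MM-DD` suffix (Trivy's own expiry syntax for ignore entries) that has not passed. The sample entries, the policy itself and the expiry dates are constructed; the CVE's severity is not stated on this page and is left out.

```python
"""Lint a Trivy .trivyignore so every suppression is justified and time-boxed.

Trivy syntax assumed: one vulnerability ID per line, '#' starts a comment line,
and an optional 'exp:YYYY-MM-DD' after the ID makes the ignore expire.
The policy enforced (comment above each ID, mandatory and unexpired exp: date)
is a constructed example, not a GoSQLX project rule.
"""
import re
from datetime import date

ID_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})"
    r"(?:\s+exp:(\d{4}-\d{2}-\d{2}))?\s*$"
)


def lint_trivyignore(text: str, today: str) -> list[str]:
    """Return policy findings for the file contents; empty list means it passes.

    `today` is an ISO date string; ISO dates compare correctly as strings."""
    findings = []
    comment_lines = 0  # '#' lines directly above the current entry
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            comment_lines = 0  # a blank line breaks the comment/entry pairing
            continue
        if line.startswith("#"):
            comment_lines += 1
            continue
        m = ID_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: unparsable entry {line!r}")
            comment_lines = 0
            continue
        vuln_id, exp = m.groups()
        if comment_lines == 0:
            findings.append(f"line {lineno}: {vuln_id} has no justification comment")
        if exp is None:
            findings.append(f"line {lineno}: {vuln_id} has no exp: date; re-evaluation is never forced")
        elif date.fromisoformat(exp) and exp < today:  # fromisoformat rejects bad dates
            findings.append(f"line {lineno}: {vuln_id} expired on {exp}; re-evaluate")
        comment_lines = 0
    return findings


# Constructed sample in the pattern the review describes: CVE, package/version,
# dependency chain, scope, and the trigger for re-evaluation. Second entry is
# deliberately undocumented and open-ended so the lint has something to flag.
SAMPLE = """\
# CVE-2026-32285 - github.com/buger/jsonparser v1.1.1 (transitive via
# mark3labs/mcp-go -> invopop/jsonschema -> wk8/go-ordered-map -> buger/jsonparser)
# Not called directly by GoSQLX; scoped to MCP JSON schema generation.
# Re-evaluate when buger/jsonparser or mcp-go ships a fix.
CVE-2026-32285 exp:2026-06-30

GHSA-6g7g-w4f8-9c9x
"""
```

Running `lint_trivyignore(SAMPLE, "2026-03-31")` reports only the undocumented, never-expiring GHSA entry; once the date passes 2026-06-30 the CVE entry is flagged for re-evaluation as well.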


@vercel

vercel bot commented Mar 31, 2026

The latest updates on your projects.

Project: gosqlx-website
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Mar 31, 2026 9:48pm
