From b8c058f0c779928462b975ce7ca95e34360c156e Mon Sep 17 00:00:00 2001 From: Ajit Pratap Singh Date: Wed, 1 Apr 2026 03:16:28 +0530 Subject: [PATCH] security: add CVE-2026-32285 to .trivyignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2026-32285 affects github.com/buger/jsonparser v1.1.1, which is a transitive dependency via mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser. No fixed version is available upstream. The package is not called directly by any GoSQLX code and risk is scoped to MCP JSON schema generation. Added to .trivyignore until a patched version is released. Fixes Trivy Repository Scan CI failures in PR #475 and #477. --- .trivyignore | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.trivyignore b/.trivyignore index f8e6bc1d..87b50db3 100644 --- a/.trivyignore +++ b/.trivyignore @@ -2,6 +2,13 @@ # Format: [expiry-date] [comment] # See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore +# CVE-2026-32285 — github.com/buger/jsonparser v1.1.1 +# Severity: HIGH/MEDIUM | No fixed version available (latest is v1.1.1, released 2021-01-08) +# Transitive dependency: mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser +# Not called directly by any GoSQLX code. Risk is scoped to MCP JSON schema generation. +# Re-evaluate when buger/jsonparser releases a patched version or when mcp-go updates its dependency. +CVE-2026-32285 + # GHSA-6g7g-w4f8-9c9x — buger/jsonparser v1.1.1 # Severity: MEDIUM | No fixed version available (latest is v1.1.1, released 2021-01-08) # Transitive dependency: mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser
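Review bot: the new `CVE-2026-32285` line carries no expiry, so the file's own `[expiry-date] [comment]` format goes unused and nothing will force the re-evaluation the comment promises; suggest `CVE-2026-32285 exp:<date>` so the scan fails again on a chosen date instead of relying on someone remembering to check for a patched buger/jsonparser. The five comment lines above it also repeat the existing `GHSA-6g7g-w4f8-9c9x` block nearly verbatim (same package, same dependency chain, same "no fixed version" note); if the GHSA and the CVE identify the same advisory, a single block listing both IDs would be easier to keep in sync, and the "HIGH/MEDIUM" severity should be pinned to the one severity Trivy actually reports for this finding.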