Skip to content

security: add CVE-2026-32285 to .trivyignore#478

Open
ajitpratap0 wants to merge 1 commit intomainfrom
fix/trivy-cve-2026-32285
Open

security: add CVE-2026-32285 to .trivyignore#478
ajitpratap0 wants to merge 1 commit intomainfrom
fix/trivy-cve-2026-32285

Conversation

@ajitpratap0
Copy link
Copy Markdown
Owner

@ajitpratap0 ajitpratap0 commented Mar 31, 2026

Summary

Adds CVE-2026-32285 to .trivyignore to fix failing Trivy Repository Scan CI checks on PR #475 and PR #477.

Root Cause

CVE-2026-32285 affects github.com/buger/jsonparser v1.1.1, a transitive dependency via:
mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser

No fixed version is available upstream. The package is not used directly by GoSQLX code.

Impact

  • Not called directly by any GoSQLX code
  • Risk is scoped to MCP JSON schema generation
  • Consistent with existing .trivyignore entries for buger/jsonparser (GHSA-6g7g-w4f8-9c9x)

Action Items

Re-evaluate when buger/jsonparser releases a patched version or when mcp-go updates its dependency.

security: add CVE-2026-32285 to .trivyignore
b8c058f 
CVE-2026-32285 affects github.com/buger/jsonparser v1.1.1, which is a
transitive dependency via mark3labs/mcp-go → invopop/jsonschema →
wk8/go-ordered-map → buger/jsonparser.

No fixed version is available upstream. The package is not called
directly by any GoSQLX code and risk is scoped to MCP JSON schema
generation. Added to .trivyignore until a patched version is released.

Fixes Trivy Repository Scan CI failures in PR #475 and #477.
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 31, 2026
edited
Loading

Claude finished @ajitpratap0's task —— View job

Pull Request Review

Reviewing PR #478: Adding CVE-2026-32285 to .trivyignore

Todo List

  • Read and analyze the .trivyignore file changes
  • Review existing security practices in the repository
  • Evaluate the security impact and justification
  • Provide comprehensive feedback on code quality, security, and best practices
  • Check for any missing documentation or process improvements

Review Feedback

Code Quality & Best Practices

Excellent documentation pattern: The change follows the established format in .trivyignore:5-10 with:

  • Clear CVE identifier and affected package version
  • Severity classification (HIGH/MEDIUM)
  • Complete dependency chain mapping
  • Impact scope assessment
  • Re-evaluation trigger conditions

Consistency: Mirrors the existing GHSA-6g7g-w4f8-9c9x entry for the same buger/jsonparser package, maintaining documentation standards.

Security Assessment

Low Risk Profile:

  • Transitive dependency only: mark3labs/mcp-go → invopop/jsonschema → wk8/go-ordered-map → buger/jsonparser
  • No direct usage: Confirmed in go.mod:24 as indirect dependency
  • Scoped impact: Limited to MCP JSON schema generation (pkg/mcp/ functionality)
  • Upstream limitation: No fixed version available (package last updated 2021-01-08)

Risk Mitigation: The MCP server is an optional component primarily for AI assistant integration, not core GoSQLX functionality.

Process Compliance

Proper justification: The PR description clearly explains:

  • Root cause analysis
  • Impact assessment
  • Alignment with project security posture
  • Clear action items for re-evaluation

Follows established patterns: Consistent with 6 existing CVE entries in .trivyignore, showing this is part of a mature vulnerability management process.

⚠️ Recommendations

  1. Consider dependency audit: While acceptable for now, consider tracking when mark3labs/mcp-go might update its dependency chain to eliminate this transitive risk.

  2. Monitor upstream: Set a calendar reminder to check buger/jsonparser releases quarterly, as this package hasn't been updated since 2021.

  3. Documentation enhancement (optional): Consider adding the CVE description/impact to the comment for future maintainers.

Test Coverage

No test changes required - this is a security configuration change that doesn't affect code functionality.

Verdict: APPROVED

This is a well-documented, low-risk security exception that follows established project patterns. The change is necessary to unblock CI while maintaining security visibility.

@vercel
Copy link
Copy Markdown

vercel bot commented Mar 31, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gosqlx-website Ready Ready Preview, Comment Mar 31, 2026 9:48pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ajitpratap0