UID2-7035/UID2-7297: .trivyignore cleanup + netty upgrade to 4.1.135.Final#650

Merged: sophia-chen-ttd merged 2 commits into main from sophia-chen-ttd-trivyignore-cleanup-jun26 on Jun 15, 2026

Conversation

sophia-chen-ttd (Contributor) commented Jun 15, 2026

Summary

Two changes bundled:

1. .trivyignore cleanup (UID2-7035)

Extends CVE-2026-42577 (netty-transport-native-epoll DoS) expiry from 2026-06-08 to 2026-09-11, aligning with uid2-core, uid2-operator, and uid2-optout which were already extended under UID2-7035. Rationale unchanged: netty 4.1.x has no fix (only 4.2.13.Final+), service sits behind mTLS LB, CVSS impact is Availability only. Revisit on vert.x 5 migration.

2. netty upgrade 4.1.133.Final → 4.1.135.Final (UID2-7297)

Fixes four HIGH severity vulnerabilities detected by Trivy:

uid2-admin runs a netty server and these code paths are reachable. The fix is a patch-level upgrade within 4.1.x, fully compatible with vert.x 4.5.21. The <netty.version> property and netty-bom import in dependencyManagement ensure all netty artifacts upgrade consistently.

Test plan

  • Trivy vulnerability scan passes in CI (no HIGH/CRITICAL findings)
  • All unit tests pass
  • No new CVEs introduced

🤖 Generated with Claude Code
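The first change in this PR moves an `exp:` date in `.trivyignore`. Trivy stops honouring a suppression once its expiry passes, so the finding resurfaces in CI; an expiry that is extended deliberately (as here, with the rationale recorded) is different from one that silently lapses. The script below is an added example, not code from the uid2-admin repository, that parses the documented `.trivyignore` line format (vulnerability ID, optional `exp:YYYY-MM-DD`, `#` comments) and reports entries that are expired, expiring within a warning window, or have no expiry at all. The sample file is constructed: the CVE-2026-42577 entry and its dates mirror the PR text, the `CVE-2000-000x` entries are hypothetical filler.

```python
"""Audit a .trivyignore file for expired, soon-to-expire and permanent suppressions.

Added example (not part of the uid2-admin project). Implements Trivy's
documented .trivyignore syntax: one vulnerability ID per line, an optional
`exp:YYYY-MM-DD` field, and `#` comments.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample input. The CVE-2026-42577 line mirrors the PR; the
# CVE-2000-000x lines are hypothetical entries added for illustration.
SAMPLE_TRIVYIGNORE = """\
# netty-transport-native-epoll DoS: no fix on 4.1.x, service behind mTLS LB.
# Revisit on vert.x 5 migration (UID2-7035).
CVE-2026-42577 exp:2026-09-11
# Permanent suppression (no expiry) -- hypothetical entry
CVE-2000-0001
CVE-2000-0002 exp:2026-06-08   # hypothetical entry that has already lapsed
"""


@dataclass
class IgnoreEntry:
    vuln_id: str
    expires: date | None   # None means the suppression never expires
    line_no: int


def parse_trivyignore(text: str) -> list[IgnoreEntry]:
    """Parse .trivyignore text into entries, ignoring comments and blank lines."""
    entries: list[IgnoreEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        expires = None
        for field in fields[1:]:
            if field.startswith("exp:"):
                expires = date.fromisoformat(field[len("exp:"):])
        entries.append(IgnoreEntry(fields[0], expires, line_no))
    return entries


def audit(entries: list[IgnoreEntry], today: date | str,
          warn_days: int = 30) -> dict[str, list[str]]:
    """Classify entries relative to `today` (a date or ISO-8601 string).

    expired:       Trivy will report these findings again; the suppression is dead.
    expiring_soon: expiry within `warn_days`; decide now whether to extend or fix.
    permanent:     no expiry date; these never come up for review automatically.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report: dict[str, list[str]] = {"expired": [], "expiring_soon": [], "permanent": []}
    for e in entries:
        if e.expires is None:
            report["permanent"].append(e.vuln_id)
        elif e.expires < today:
            report["expired"].append(e.vuln_id)
        elif e.expires - today <= timedelta(days=warn_days):
            report["expiring_soon"].append(e.vuln_id)
    return report


if __name__ == "__main__":
    # Run against the constructed sample as of the PR date.
    found = parse_trivyignore(SAMPLE_TRIVYIGNORE)
    for bucket, ids in audit(found, "2026-06-15", warn_days=90).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Run with the PR's merge date as `today` and a 90-day window, the sample puts CVE-2026-42577 in `expiring_soon`, which is the review prompt this PR acted on; with the default 30-day window it is simply active. Wiring `audit` into CI (failing on `expired`, warning on `expiring_soon`) keeps every suppression tied to a dated decision rather than an open-ended ignore.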

sophia-chen-ttd and others added 2 commits June 15, 2026 11:04
Aligns uid2-admin with uid2-core, uid2-operator, and uid2-optout which
were already extended to 2026-09-11 under the same ticket. Rationale is
unchanged: netty 4.1.x has no fix (only backported to 4.2.13.Final),
service sits behind mTLS LB limiting blast radius to Availability only.
Revisit on vert.x 5 migration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Bumps <netty.version> from 4.1.133.Final to 4.1.135.Final, which fixes
four HIGH severity vulnerabilities detected by Trivy:
  - CVE-2026-44249, CVE-2026-45416 (netty-handler)
  - CVE-2026-45674, CVE-2026-47691 (netty-resolver-dns)

The netty-bom import in dependencyManagement ensures all netty artifacts
are upgraded consistently. 4.1.135.Final is a patch release fully
compatible with vert.x 4.5.21.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sophia-chen-ttd changed the title from "UID2-7035: .trivyignore cleanup — extend CVE-2026-42577 expiry to 2026-09-11" to "UID2-7035/UID2-7297: .trivyignore cleanup + netty upgrade to 4.1.135.Final" on Jun 15, 2026
sophia-chen-ttd merged commit 2fd65b7 into main on Jun 15, 2026
4 checks passed
sophia-chen-ttd deleted the sophia-chen-ttd-trivyignore-cleanup-jun26 branch on June 15, 2026 01:26