Ignore false positive CVE in fleet (#41643)

Fixes: https://github.com/fleetdm/fleet/actions/runs/23038788027/job/66912481418 Run with this branch: https://github.com/fleetdm/fleet/actions/runs/23060265057
2026-04-21 13:37:30 +00:00 · 2026-03-16 10:36:50 -03:00 · 2026-03-16 10:36:50 -03:00 · 7bb72ccaa1
commit 7bb72ccaa1
parent b4da015539
3 changed files with 68 additions and 0 deletions
--- a/security/status.md
+++ b/security/status.md
@ -5,6 +5,14 @@ Following is the vulnerability report of Fleet and its dependencies.

 ## `fleetdm/fleet` docker image

+### [CVE-2026-22184](https://nvd.nist.gov/vuln/detail/CVE-2026-22184)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** The vulnerability is in zlib's contrib/untgz standalone demo utility, not in the core zlib library.
+- **Products:**: `fleet`,`pkg:apk/alpine/zlib@1.3.1-r2`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-03-13 12:01:11
+
 ### [CVE-2025-9230](https://nvd.nist.gov/vuln/detail/CVE-2025-9230)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
@ -21,6 +29,14 @@ Following is the vulnerability report of Fleet and its dependencies.
 - **Justification:** `vulnerable_code_not_in_execute_path`
 - **Timestamp:** 2026-01-03 15:15:53

+### [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** Fleet does not mutate CA pool store between TLS sessions.
+- **Products:**: `fleet`,`pkg:golang/stdlib`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-03-13 13:23:41
+
 ### [CVE-2025-61729](https://nvd.nist.gov/vuln/detail/CVE-2025-61729)
 #### Statement:
 - **Author:** @lucasmrod
--- a/security/vex/fleet/CVE-2025-68121.vex.json
+++ b/security/vex/fleet/CVE-2025-68121.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-226b4395bf617c07302548d13a5881750dda54e52b990a6dde50c22a3baa875a",
+  "author": "@lucasmrod",
+  "timestamp": "2026-03-13T13:23:41.011667-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2025-68121"
+      },
+      "timestamp": "2026-03-13T13:23:41.011667-03:00",
+      "products": [
+        {
+          "@id": "fleet"
+        },
+        {
+          "@id": "pkg:golang/stdlib"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "Fleet does not mutate CA pool store between TLS sessions",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}
--- a/security/vex/fleet/CVE-2026-22184.vex.json
+++ b/security/vex/fleet/CVE-2026-22184.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-1bc36dbb5a508304a4dcbb1fbe45ae6566a048c6e8ea25d87c7876c0eac6fe2f",
+  "author": "@lucasmrod",
+  "timestamp": "2026-03-13T12:01:11.194823-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-22184"
+      },
+      "timestamp": "2026-03-13T12:01:11.194824-03:00",
+      "products": [
+        {
+          "@id": "fleet"
+        },
+        {
+          "@id": "pkg:apk/alpine/zlib@1.3.1-r2"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "The vulnerability is in zlib's contrib/untgz standalone demo utility, not in the core zlib library.",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}