Ignore CVEs on fleetdm/wix (#43226)

Fixes https://github.com/fleetdm/fleet/actions/runs/24121241577. New run: https://github.com/fleetdm/fleet/actions/runs/24140346610
2026-04-21 13:37:30 +00:00 · 2026-04-08 17:48:42 -03:00 · 2026-04-08 17:48:42 -03:00 · 9a6c5c3f48
commit 9a6c5c3f48
parent 30f1719aca
3 changed files with 68 additions and 0 deletions
--- a/security/status.md
+++ b/security/status.md
@ -437,6 +437,22 @@ Following is the vulnerability report of Fleet and its dependencies.

 ## `fleetdm/wix` docker image

+### [CVE-2026-33636](https://nvd.nist.gov/vuln/detail/CVE-2026-33636)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix.
+- **Products:**: `wix`,`pkg:deb/debian/libpng16-16t64`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-04-08 11:43:22
+
+### [CVE-2026-33416](https://nvd.nist.gov/vuln/detail/CVE-2026-33416)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix.
+- **Products:**: `wix`,`pkg:deb/debian/libpng16-16t64`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-04-08 11:01:10
+
 ### [CVE-2026-2921](https://nvd.nist.gov/vuln/detail/CVE-2026-2921)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
--- a/security/vex/wix/CVE-2026-33416.vex.json
+++ b/security/vex/wix/CVE-2026-33416.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-2b825460105602469813cbb2c373d2172d7ea26e380a4493cbffaa01d6412bd9",
+  "author": "@lucasmrod",
+  "timestamp": "2026-04-08T11:01:10.035705-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-33416"
+      },
+      "timestamp": "2026-04-08T11:01:10.035705-03:00",
+      "products": [
+        {
+          "@id": "wix"
+        },
+        {
+          "@id": "pkg:deb/debian/libpng16-16t64"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetctl does not do PNG processing when using fleetdm/wix",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}
--- a/security/vex/wix/CVE-2026-33636.vex.json
+++ b/security/vex/wix/CVE-2026-33636.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-3fa993f7b4dc561d2cd33ee85cb68d9c044b224ae340af12c6748bba62df9441",
+  "author": "@lucasmrod",
+  "timestamp": "2026-04-08T11:43:22.260041-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-33636"
+      },
+      "timestamp": "2026-04-08T11:43:22.260042-03:00",
+      "products": [
+        {
+          "@id": "wix"
+        },
+        {
+          "@id": "pkg:deb/debian/libpng16-16t64"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetctl does not do PNG processing when using fleetdm/wix",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}