Ignore vulnerabilities in fleetdm/wix (#43764)

Run: https://github.com/fleetdm/fleet/actions/runs/24676558778.  ## Summary by CodeRabbit * **Documentation** * Added security vulnerability assessments for CVE-2026-28390, CVE-2026-4775, and CVE-2026-5201, confirming these issues do not affect the product. Statements note that vulnerable code is not in the product’s execution path and relevant processing (TLS/TIFF/graphics) is not performed by the shipped components. Includes timestamps and metadata for traceability.  --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-21 13:37:30 +00:00 · 2026-04-20 13:53:36 -03:00 · 2026-04-20 13:53:36 -03:00 · bdf69537e4
commit bdf69537e4
parent 682202444c
4 changed files with 111 additions and 0 deletions
--- a/security/status.md
+++ b/security/status.md
@ -437,6 +437,22 @@ Following is the vulnerability report of Fleet and its dependencies.

 ## `fleetdm/wix` docker image

+### [CVE-2026-5201](https://nvd.nist.gov/vuln/detail/CVE-2026-5201)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetctl does not do JPEG processing when using fleetdm/wix.
+- **Products:**: `wix`,`pkg:deb/debian/libgdk-pixbuf-2.0-0`,`pkg:deb/debian/libgdk-pixbuf2.0-common`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-04-20 11:41:33
+
+### [CVE-2026-4775](https://nvd.nist.gov/vuln/detail/CVE-2026-4775)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetctl does not do TIFF processing when using fleetdm/wix.
+- **Products:**: `wix`,`pkg:deb/debian/libtiff6`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-04-20 11:42:37
+
 ### [CVE-2026-33636](https://nvd.nist.gov/vuln/detail/CVE-2026-33636)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
@ -461,6 +477,14 @@ Following is the vulnerability report of Fleet and its dependencies.
 - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
 - **Timestamp:** 2026-03-24 12:23:52

+### [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetdm/wix does not connect to TLS servers using OpenSSL.
+- **Products:**: `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-04-20 11:44:34
+
 ### [CVE-2026-0861](https://nvd.nist.gov/vuln/detail/CVE-2026-0861)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
--- a/security/vex/wix/CVE-2026-28390.vex.json
+++ b/security/vex/wix/CVE-2026-28390.vex.json
@ -0,0 +1,32 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-32e27c48173abc05afc33adfc0ef47451ddc668465f0992e0295e0413d63c1ab",
+  "author": "@lucasmrod",
+  "timestamp": "2026-04-20T11:44:34.615455-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-28390"
+      },
+      "timestamp": "2026-04-20T11:44:34.615456-03:00",
+      "products": [
+        {
+          "@id": "wix"
+        },
+        {
+          "@id": "pkg:deb/debian/libssl3t64"
+        },
+        {
+          "@id": "pkg:deb/debian/openssl"
+        },
+        {
+          "@id": "pkg:deb/debian/openssl-provider-legacy"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetdm/wix does not connect to TLS servers using OpenSSL",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}
--- a/security/vex/wix/CVE-2026-4775.vex.json
+++ b/security/vex/wix/CVE-2026-4775.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-5970d88daf7527bafeb72f403c96dd51b792d370bbcaba1d89e9b45cf83c0e21",
+  "author": "@lucasmrod",
+  "timestamp": "2026-04-20T11:42:37.119015-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-4775"
+      },
+      "timestamp": "2026-04-20T11:42:37.119016-03:00",
+      "products": [
+        {
+          "@id": "wix"
+        },
+        {
+          "@id": "pkg:deb/debian/libtiff6"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetctl does not do TIFF processing when using fleetdm/wix",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}
--- a/security/vex/wix/CVE-2026-5201.vex.json
+++ b/security/vex/wix/CVE-2026-5201.vex.json
@ -0,0 +1,29 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-89fd84110d3f3437ec168e4ac05e3519ff900eb5510dfc3153c66769be2c7f55",
+  "author": "@lucasmrod",
+  "timestamp": "2026-04-20T11:41:33.645273-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-5201"
+      },
+      "timestamp": "2026-04-20T11:41:33.645274-03:00",
+      "products": [
+        {
+          "@id": "wix"
+        },
+        {
+          "@id": "pkg:deb/debian/libgdk-pixbuf-2.0-0"
+        },
+        {
+          "@id": "pkg:deb/debian/libgdk-pixbuf2.0-common"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetctl does not do JPEG processing when using fleetdm/wix",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}