
Sync fork 11 #23

Merged

kkochel merged 598 commits into main from sync-fork-11 on May 10, 2026

Conversation

kkochel (Collaborator) commented May 8, 2026

Related issue(s) and PR(s)

This PR closes [issue number].

Description

How to test

jbygdell and others added 30 commits March 9, 2026 09:17
…da-doa/all-modules-833b1a4a74

build(deps): bump the all-modules group in /sda-doa with 4 updates
…endabot-package-managers

docs(adr): add ADR-0002 merge dependabot package managers
…les/sda-validator/orchestrator/all-modules-f80ec1a409

build(deps): bump the all-modules group in /sda-validator/orchestrator with 2 updates
… such that release_sda will trigger on the created tag as github ignores events from secrets.GITHUB_TOKEN
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.2 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@0.34.2...0.35.0)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the all-modules group in /sda-download with 2 updates: [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) and [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.96.4 to 1.97.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.96.4...service/s3/v1.97.0)

Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0
- [Commits](golang/crypto@v0.48.0...v0.49.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.97.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the all-modules group in /sda with 3 updates: [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2), [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/oauth2](https://github.com/golang/oauth2).


Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.96.4 to 1.97.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.96.4...service/s3/v1.97.0)

Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0
- [Commits](golang/crypto@v0.48.0...v0.49.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.97.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-modules
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
- Fix "Dependapot" → "Dependabot" typo in title heading
- Rename file from underscores to dashes per NNNN-title-with-dashes.md convention
- Add ADR-0002 to README.md index table
- Add index table checklist item to PR template to prevent this gap recurring
…rigger_by_github

Fix/workflow tag trigger by GitHub
…and-naming

docs(adr): fix ADR-0002 typo, naming, and missing index entry
…les/sda/all-modules-72042dfc76

build(deps): bump the all-modules group in /sda with 3 updates
…actions/aquasecurity/trivy-action-0.35.0

build(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
…systems in same PRs (except sda-doa and sda-stfp-inbox)
…add groups to all for all dependencies within to be updated in same PR, and reorder settings to be aligned
…les/sda-download/all-modules-b72820bfe6

build(deps): bump the all-modules group in /sda-download with 2 updates
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.79.2 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.79.2...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.79.2 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.79.2...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.79.2 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.79.2...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…les/sda/google.golang.org/grpc-1.79.3

build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 in /sda
…les/sda-validator/orchestrator/google.golang.org/grpc-1.79.3

build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 in /sda-validator/orchestrator
…les/sda-download/google.golang.org/grpc-1.79.3

build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 in /sda-download
Bumps [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) from 2 to 3.
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](marocchino/sticky-pull-request-comment@v2...v3)

---
updated-dependencies:
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 5.5.3.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@v5.5.2...v5.5.3)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 3 to 4.
- [Release notes](https://github.com/dorny/paths-filter/releases)
- [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md)
- [Commits](dorny/paths-filter@v3...v4)

---
updated-dependencies:
- dependency-name: dorny/paths-filter
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the all-modules group in /sda-validator/orchestrator with 1 update: [github.com/lib/pq](https://github.com/lib/pq).


Updates `github.com/lib/pq` from 1.11.2 to 1.12.0
- [Release notes](https://github.com/lib/pq/releases)
- [Changelog](https://github.com/lib/pq/blob/master/CHANGELOG.md)
- [Commits](lib/pq@v1.11.2...v1.12.0)

---
updated-dependencies:
- dependency-name: github.com/lib/pq
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
jhagberg and others added 20 commits May 7, 2026 08:42
Self-contained script that spins up a k3d cluster, deploys postgres,
rabbitmq, and minio, then renders and applies only the download-v2
chart templates. Runs 6 smoke tests against the running service:
health/ready (DB, storage, gRPC), service-info, and auth rejection.

Usage:
  ./dev-tools/chart-smoke-test/test-download-v2.sh             # full run
  ./dev-tools/chart-smoke-test/test-download-v2.sh --no-build  # skip image build
  ./dev-tools/chart-smoke-test/test-download-v2.sh --cleanup   # tear down

Refs: neicnordic#2345, neicnordic#2353
Changes based on review by @jbygdell:

- Hardcode container/service port to 8080 (TLS terminates at ingress,
  not at the application — removes unnecessary ternary logic)
- Remove api.server-cert/server-key from config (not needed when
  TLS is handled by ingress)
- Default grpc.host to {{ sda.fullname }}-reencrypt instead of
  requiring it (only needed when reencrypt is in another namespace)
- Remove extra ports (8443, 443) from network policy ingress rules
- Todo multi-endpoint

Refs: neicnordic#2345
Address review feedback from @jbygdell:

- Service exposes standard port 80 mapping to targetPort 8080 so
  clients do not need to specify a non-standard port
- Ingress backend port updated to match service port 80
- Smoke test uses --set downloadV2.replicaCount=1 instead of a
  separate kubectl scale call, and drops the :80 suffix from the
  test service URL
Apply review feedback from @jbygdell to reuse the OIDC definition for
JWT key material instead of a separate downloadV2.jwt.pubkeyPath knob:

- Add global.oidc.jwtSecret as the canonical reference to a k8s secret
  containing JWT public keys
- When set, the v2 download deployment mounts the secret at jwtPath
  and the config sets jwt.pubkey-path to that mount
- Remove the unused global.downloadV2.jwt.pubkeyPath value (it was
  rendered into config but no volume was mounted, so it could never
  resolve to a real file)
- Keep global.downloadV2.jwt.pubkeyURL as the JWKS-endpoint alternative

Also fixes the related Copilot reviewer finding about pubkeyPath
pointing at a non-existent file.
- Probe scheme: hardcode to HTTP since the v2 API binary serves plain
  HTTP on 8080 (TLS terminates at the ingress). Previously the probes
  used HTTPS when global.tls.enabled=true, which would fail every
  default deployment.
- NetworkPolicy: match the grpc.port logic from the secrets template
  so egress to reencrypt is allowed on 50443 when TLS is enabled
  (was hardcoded to global.reencrypt.port, blocking TLS deploys).
- Secrets: add required guards for global.archive.s3Url and the
  service.org-name/org-url values to fail fast at helm install/upgrade
  rather than at pod startup.
- Secrets: render s3 endpoint with the legacy pattern (append :port
  only when s3Port is set) so URLs already containing the port don't
  get a trailing :0.
- Secrets: fail rendering when visa.enabled=true but trustedIssuers
  is empty — would otherwise produce a config pointing at a file that
  the chart never creates.
- Smoke test: fix stale dev-tools/k3d/ paths in the header usage block
  after the rename to dev-tools/chart-smoke-test/.
Match the pattern used by the other services in the chart (api,
auth, download, etc.) — render the liveness/readiness probe from
values via toYaml instead of hand-assembling fields in the template.

This fixes a drift between values and template: the httpGet.path,
port, and scheme fields in values weren't actually wired into the
rendered manifest. Now values.yaml is the single source of truth
for the probe definitions.

Scheme stays HTTP since the v2 API binary always serves plain HTTP
on 8080 (TLS terminates at the ingress).

Addresses review feedback from @jbygdell.
Match the legacy download-secrets hardening pattern: require
access_key, secret_key, and bucket_prefix in addition to the
endpoint URL, so that an incomplete S3 config fails fast at
helm install/upgrade rather than at pod startup.

Addresses partial hardening noted in Codex final review.
The v2 binary warns (and production-mode forbids) running multiple
replicas without a shared pagination.hmac-secret — page tokens are
signed with a per-pod random key otherwise, so pagination silently
breaks when requests hit different pods.

Fail the chart render when downloadV2.replicaCount > 1 but the
secret is empty, matching the binary's own production guard.
Single-replica deployments still work with an empty secret.

Addresses Codex final review concern about unsafe multi-replica
defaults.
Adds a render_matrix step that runs helm template across all 16
combinations of TLS on/off, S3/POSIX storage, ingress on/off, and
networkPolicy on/off. Runs before any cluster work so regressions
in ingress, certificate, or networkpolicy templates are caught
without needing a full k3d deploy.

The deploy + HTTP smoke tests still cover the one slice that k3d
can realistically run (no cert-manager, no ingress controller).

Addresses the Codex review nit about only covering a single matrix
slice.
Extract config.yaml via yq (.service.org-name, .api.port, storage
endpoint, .db.host) and iss.json via base64+jq, so the smoke test
catches template regressions that HTTP-level checks would miss.

Also switch wait_for_pod to rollout status (avoids race where kubectl
wait matched the old pod before it terminated) and bump the wait to
120s to accommodate the ~17s cold-start plus probe delay.
Match the legacy download deploy and other services which pass the
config path via env var rather than --config-file flag. The v2 binary
accepts both (viper.AutomaticEnv with a '-' to '_' replacer), so this
is a consistency change, not a behavior change.
Moves the production-guard toggle from global.downloadV2.app.environment
to global.environment so other services can adopt the same flag without
each carrying its own per-service 'app' sub-block. The v2 binary still
reads it as app.environment in the rendered config; only the values.yaml
shape changes.

Per Karl's review feedback on PR neicnordic#2384.
Minor bump for the new opt-in v2 download service. Main already shipped
3.3.0 (the previous bump in this branch was dropped during rebase since
main caught up), so the v2 feature lands as a minor on top of that.
Bumps rabbitmq from 3.12.13-management-alpine to 4.2.4-management-alpine.

---
updated-dependencies:
- dependency-name: rabbitmq
  dependency-version: 4.2.4-management-alpine
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps postgres from 15.16-alpine3.23 to 18.3-alpine3.23.

---
updated-dependencies:
- dependency-name: postgres
  dependency-version: 18.3-alpine3.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the go group with 5 updates in the /sda directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.5` | `1.41.7` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.14` | `1.32.17` |
| [github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager](https://github.com/aws/aws-sdk-go-v2) | `0.1.15` | `0.1.21` |
| [github.com/rabbitmq/amqp091-go](https://github.com/rabbitmq/amqp091-go) | `1.10.0` | `1.11.0` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.80.0` | `1.81.0` |

Bumps the go group with 5 updates in the /sda-download directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.5` | `1.41.7` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.14` | `1.32.17` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.99.0` | `1.101.0` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.80.0` | `1.81.0` |
| [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) | `3.4.0` | `3.5.0` |

Bumps the go group with 2 updates in the /sda-validator/orchestrator directory: [github.com/rabbitmq/amqp091-go](https://github.com/rabbitmq/amqp091-go) and [google.golang.org/grpc](https://github.com/grpc/grpc-go).


Updates `github.com/aws/aws-sdk-go-v2` from 1.41.5 to 1.41.7
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@v1.41.5...v1.41.7)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.14 to 1.32.17
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.14...config/v1.32.17)

Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.19.14 to 1.19.16
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@credentials/v1.19.14...credentials/v1.19.16)

Updates `github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager` from 0.1.15 to 0.1.21
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@feature/s3/transfermanager/v0.1.15...feature/s3/transfermanager/v0.1.21)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.99.0 to 1.101.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.99.0...service/s3/v1.101.0)

Updates `github.com/aws/smithy-go` from 1.24.3 to 1.25.1
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](aws/smithy-go@v1.24.3...v1.25.1)

Updates `github.com/rabbitmq/amqp091-go` from 1.10.0 to 1.11.0
- [Release notes](https://github.com/rabbitmq/amqp091-go/releases)
- [Changelog](https://github.com/rabbitmq/amqp091-go/blob/main/CHANGELOG.md)
- [Commits](rabbitmq/amqp091-go@v1.10.0...v1.11.0)

Updates `google.golang.org/grpc` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.80.0...v1.81.0)

Updates `github.com/aws/aws-sdk-go-v2` from 1.41.5 to 1.41.7
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@v1.41.5...v1.41.7)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.14 to 1.32.17
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.14...config/v1.32.17)

Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.19.14 to 1.19.16
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@credentials/v1.19.14...credentials/v1.19.16)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.99.0 to 1.101.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.99.0...service/s3/v1.101.0)

Updates `github.com/aws/smithy-go` from 1.24.3 to 1.25.1
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](aws/smithy-go@v1.24.3...v1.25.1)

Updates `google.golang.org/grpc` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.80.0...v1.81.0)

Updates `github.com/Masterminds/semver/v3` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/Masterminds/semver/releases)
- [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md)
- [Commits](Masterminds/semver@v3.4.0...v3.5.0)

Updates `github.com/rabbitmq/amqp091-go` from 1.10.0 to 1.11.0
- [Release notes](https://github.com/rabbitmq/amqp091-go/releases)
- [Changelog](https://github.com/rabbitmq/amqp091-go/blob/main/CHANGELOG.md)
- [Commits](rabbitmq/amqp091-go@v1.10.0...v1.11.0)

Updates `google.golang.org/grpc` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.80.0...v1.81.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-version: 1.41.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/credentials
  dependency-version: 1.19.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager
  dependency-version: 0.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.101.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.25.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/rabbitmq/amqp091-go
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-version: 1.41.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/credentials
  dependency-version: 1.19.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.101.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.25.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/Masterminds/semver/v3
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/rabbitmq/amqp091-go
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Fork-specific changes preserved:
- rabbitmq/definitions.json: FOAM/FEGA queues retained
- sda/cmd/intercept/intercept.go: unknown_schema routing retained
- sda/cmd/mapper/mapper.go: foam_integration forwarding adapted to upstream refactor
- .github/workflows/: BiobankLab CI/CD workflows preserved (HEAD)

Conflict resolutions:
- Charts: upstream versions (sda-db 2.0.28, sda-mq 2.1.3, sda-svc 3.4.0 / appVersion v3.1.37)
- Dockerfiles: upstream (removed deprecated LABEL directives, sda uses distroless-debian13)
- dependabot.yaml: kept deleted (fork intentionally removed)
- compose-no-tls.yml: kept biobanklab image reference

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Comment thread sda/cmd/download/benchmark/benchmark.go Dismissed
github-actions bot commented May 8, 2026

🔍 Trivy Scan - PostgresSQL 🔍

Target ghcr.io/biobanklab/sensitive-data-archive:PR23-postgres (alpine 3.23.4)

Vulnerabilities (2)

| Package | ID | Severity | Installed Version | Fixed Version | Title |
| --- | --- | --- | --- | --- | --- |
| nghttp2-libs | CVE-2026-27135 | HIGH | 1.68.0-r0 | 1.68.1 | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination |
| xz-libs | CVE-2026-34743 | MEDIUM | 5.8.2-r0 | 5.8.3-r0 | xz: XZ Utils: Denial of Service via buffer overflow in index decoding |

Target usr/local/bin/gosu

Vulnerabilities (33)

| Package | ID | Severity | Installed Version | Fixed Version | Title |
| --- | --- | --- | --- | --- | --- |
| stdlib | CVE-2025-68121 | CRITICAL | v1.24.6 | 1.24.13, 1.25.7, 1.26.0-rc.3 | crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption |
| stdlib | CVE-2025-58183 | HIGH | v1.24.6 | 1.24.8, 1.25.2 | golang: archive/tar: Unbounded allocation when parsing GNU sparse map |
| stdlib | CVE-2025-61726 | HIGH | v1.24.6 | 1.24.12, 1.25.6 | golang: net/url: Memory exhaustion in query parameter parsing in net/url |
| stdlib | CVE-2025-61728 | HIGH | v1.24.6 | 1.24.12, 1.25.6 | golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip |
| stdlib | CVE-2025-61729 | HIGH | v1.24.6 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate |
| stdlib | CVE-2026-25679 | HIGH | v1.24.6 | 1.25.8, 1.26.1 | net/url: Incorrect parsing of IPv6 host literals in net/url |
| stdlib | CVE-2026-32280 | HIGH | v1.24.6 | 1.25.9, 1.26.2 | crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building |
| stdlib | CVE-2026-32281 | HIGH | v1.24.6 | 1.25.9, 1.26.2 | crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation |
| stdlib | CVE-2026-32283 | HIGH | v1.24.6 | 1.25.9, 1.26.2 | crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages |
| stdlib | CVE-2025-47912 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | net/url: Insufficient validation of bracketed IPv6 hostnames in net/url |
| stdlib | CVE-2025-58185 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1 |
| stdlib | CVE-2025-58186 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http |
| stdlib | CVE-2025-58187 | MEDIUM | v1.24.6 | 1.24.9, 1.25.3 | crypto/x509: Quadratic complexity when checking name constraints in crypto/x509 |
| stdlib | CVE-2025-58188 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509 |
| stdlib | CVE-2025-58189 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information |
| stdlib | CVE-2025-61723 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem |
| stdlib | CVE-2025-61724 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto |
| stdlib | CVE-2025-61725 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 | net/mail: Excessive CPU consumption in ParseAddress in net/mail |
| stdlib | CVE-2025-61727 | MEDIUM | v1.24.6 | 1.24.11, 1.25.5 | golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs |
| stdlib | CVE-2025-61730 | MEDIUM | v1.24.6 | 1.24.12, 1.25.6 | During the TLS 1.3 handshake if multiple messages are sent in records ... |
| stdlib | CVE-2026-27142 | MEDIUM | v1.24.6 | 1.25.8, 1.26.1 | html/template: URLs in meta content attribute actions are not escaped in html/template |
| stdlib | CVE-2026-32282 | MEDIUM | v1.24.6 | 1.25.9, 1.26.2 | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root |
| stdlib | CVE-2026-32288 | MEDIUM | v1.24.6 | 1.25.9, 1.26.2 | archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive |
| stdlib | CVE-2026-32289 | MEDIUM | v1.24.6 | 1.25.9, 1.26.2 | html/template: golang: html/template: Cross-Site Scripting (XSS) via improper context and brace depth tracking in JS template literals |
| stdlib | CVE-2026-27139 | LOW | v1.24.6 | 1.25.8, 1.26.1 | os: FileInfo can escape from a Root in golang os module |
| stdlib | CVE-2026-33811 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ... |
| stdlib | CVE-2026-33814 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will enter an infini ... |
| stdlib | CVE-2026-39820 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... |
| stdlib | CVE-2026-39823 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... |
| stdlib | CVE-2026-39825 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | ReverseProxy can forward queries containing parameters not visible to ... |
| stdlib | CVE-2026-39826 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | If a trusted template author were to write a `<script>` tag containing a ... |
| stdlib | CVE-2026-39836 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | Panic in Dial and LookupPort when handling NUL byte on Windows in net |
| stdlib | CVE-2026-42499 | UNKNOWN | v1.24.6 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase when parsing ... |

github-actions bot commented May 8, 2026

🔍 Trivy Scan - Rabbitmq 🔍

Target ghcr.io/biobanklab/sensitive-data-archive:PR23-rabbitmq (alpine 3.23.3)

Vulnerabilities (20)

| Package | ID | Severity | Installed Version | Fixed Version | Title |
| --- | --- | --- | --- | --- | --- |
| libcrypto3 | CVE-2026-31789 | CRITICAL | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Heap buffer overflow on 32-bit systems from large X.509 certificate processing |
| libcrypto3 | CVE-2026-28387 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Arbitrary code execution due to use-after-free in DANE TLSA authentication |
| libcrypto3 | CVE-2026-28388 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL processing |
| libcrypto3 | CVE-2026-28389 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Denial of Service vulnerability in CMS processing |
| libcrypto3 | CVE-2026-28390 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing |
| libcrypto3 | CVE-2026-2673 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL TLS 1.3 server may choose unexpected key agreement group |
| libcrypto3 | CVE-2026-31790 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key |
| libssl3 | CVE-2026-31789 | CRITICAL | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Heap buffer overflow on 32-bit systems from large X.509 certificate processing |
| libssl3 | CVE-2026-28387 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Arbitrary code execution due to use-after-free in DANE TLSA authentication |
| libssl3 | CVE-2026-28388 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL processing |
| libssl3 | CVE-2026-28389 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Denial of Service vulnerability in CMS processing |
| libssl3 | CVE-2026-28390 | HIGH | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing |
| libssl3 | CVE-2026-2673 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | openssl: OpenSSL TLS 1.3 server may choose unexpected key agreement group |
| libssl3 | CVE-2026-31790 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key |
| musl | CVE-2026-40200 | HIGH | 1.2.5-r21 | 1.2.5-r23 | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort |
| musl | CVE-2026-6042 | MEDIUM | 1.2.5-r21 | 1.2.5-r22 | musl libc: GB18030 4-byte Decoder: musl libc: Denial of Service via inefficient algorithmic complexity in iconv |
| musl-utils | CVE-2026-40200 | HIGH | 1.2.5-r21 | 1.2.5-r23 | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort |
| musl-utils | CVE-2026-6042 | MEDIUM | 1.2.5-r21 | 1.2.5-r22 | musl libc: GB18030 4-byte Decoder: musl libc: Denial of Service via inefficient algorithmic complexity in iconv |
| zlib | CVE-2026-22184 | HIGH | 1.3.1-r2 | 1.3.2-r0 | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility |
| zlib | CVE-2026-27171 | MEDIUM | 1.3.1-r2 | 1.3.2-r0 | zlib: zlib: Denial of Service via infinite loop in CRC32 combine functions |

@github-actions

github-actions Bot commented May 8, 2026

🔍 Trivy Scan - Validator Orchestrator 🔍

Target ghcr.io/biobanklab/sensitive-data-archive:PR23-validator-orchestrator (debian 12.13)

No Vulnerabilities found

Target bin/apptainer

Vulnerabilities (59)

Package ID Severity Installed Version Fixed Version Title
github.com/cloudflare/circl CVE-2025-8556 LOW v1.3.7 1.6.1 github.com/cloudflare/circl: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
github.com/cloudflare/circl CVE-2026-1229 LOW v1.3.7 1.6.3 CIRCL has an incorrect calculation in secp384r1 CombinedMult
github.com/docker/cli CVE-2025-15558 HIGH v27.5.1+incompatible 29.2.0 docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries
github.com/docker/docker CVE-2026-34040 HIGH v27.5.1+incompatible 29.3.1 Moby: Moby: Authorization bypass vulnerability
github.com/docker/docker CVE-2026-33997 MEDIUM v27.5.1+incompatible 29.3.1 moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation
github.com/docker/docker CVE-2025-54410 LOW v27.5.1+incompatible 25.0.13, 28.0.0 github.com/moby/moby: Moby's Firewalld reload removes bridge network isolation
github.com/go-jose/go-jose/v4 CVE-2026-34986 HIGH v4.0.4 4.1.4 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
github.com/go-jose/go-jose/v4 CVE-2025-27144 MEDIUM v4.0.4 4.0.5 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
github.com/sigstore/fulcio CVE-2025-66506 HIGH v1.6.4 1.8.3 github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token
github.com/sigstore/fulcio CVE-2026-22772 MEDIUM v1.6.4 1.8.5 fulcio: Fulcio: Server-Side Request Forgery (SSRF) via unanchored regex in MetaIssuer URL validation
github.com/sigstore/rekor CVE-2026-23831 MEDIUM v1.3.6 1.5.0 github.com/sigstore/rekor: Rekor denial of service
github.com/sigstore/rekor CVE-2026-24117 MEDIUM v1.3.6 1.5.0 github.com/sigstore/rekor: Rekor Server-Side Request Forgery (SSRF)
github.com/sigstore/sigstore CVE-2026-24137 MEDIUM v1.8.14 1.10.4 github.com/sigstore/sigstore: sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
golang.org/x/crypto CVE-2025-22869 HIGH v0.33.0 0.35.0 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
golang.org/x/crypto CVE-2025-47914 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
golang.org/x/crypto CVE-2025-58181 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
golang.org/x/net CVE-2025-22870 MEDIUM v0.33.0 0.36.0 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
golang.org/x/net CVE-2025-22872 MEDIUM v0.33.0 0.38.0 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
google.golang.org/grpc CVE-2026-33186 CRITICAL v1.67.0 1.79.3 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
stdlib CVE-2025-68121 CRITICAL v1.23.6 1.24.13, 1.25.7, 1.26.0-rc.3 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
stdlib CVE-2025-47907 HIGH v1.23.6 1.23.12, 1.24.6 database/sql: Postgres Scan Race Condition
stdlib CVE-2025-58183 HIGH v1.23.6 1.24.8, 1.25.2 golang: archive/tar: Unbounded allocation when parsing GNU sparse map
stdlib CVE-2025-61726 HIGH v1.23.6 1.24.12, 1.25.6 golang: net/url: Memory exhaustion in query parameter parsing in net/url
stdlib CVE-2025-61728 HIGH v1.23.6 1.24.12, 1.25.6 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
stdlib CVE-2025-61729 HIGH v1.23.6 1.24.11, 1.25.5 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
stdlib CVE-2026-25679 HIGH v1.23.6 1.25.8, 1.26.1 net/url: Incorrect parsing of IPv6 host literals in net/url
stdlib CVE-2026-32280 HIGH v1.23.6 1.25.9, 1.26.2 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
stdlib CVE-2026-32281 HIGH v1.23.6 1.25.9, 1.26.2 crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
stdlib CVE-2026-32283 HIGH v1.23.6 1.25.9, 1.26.2 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
stdlib CVE-2025-0913 MEDIUM v1.23.6 1.23.10, 1.24.4 Inconsistent handling of O_CREATE
stdlib CVE-2025-22870 MEDIUM v1.23.6 1.23.7, 1.24.1 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
stdlib CVE-2025-22871 MEDIUM v1.23.6 1.23.8, 1.24.2 net/http: Request smuggling due to acceptance of invalid chunked data in net/http
stdlib CVE-2025-22873 MEDIUM v1.23.6 1.23.9, 1.24.3 os: os: Information disclosure via path traversal using specially crafted filenames
stdlib CVE-2025-4673 MEDIUM v1.23.6 1.23.10, 1.24.4 net/http: Sensitive headers not cleared on cross-origin redirect in net/http
stdlib CVE-2025-47906 MEDIUM v1.23.6 1.23.12, 1.24.6 os/exec: Unexpected paths returned from LookPath in os/exec
stdlib CVE-2025-47912 MEDIUM v1.23.6 1.24.8, 1.25.2 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
stdlib CVE-2025-58185 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1
stdlib CVE-2025-58186 MEDIUM v1.23.6 1.24.8, 1.25.2 golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http
stdlib CVE-2025-58187 MEDIUM v1.23.6 1.24.9, 1.25.3 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
stdlib CVE-2025-58188 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509
stdlib CVE-2025-58189 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information
stdlib CVE-2025-61723 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem
stdlib CVE-2025-61724 MEDIUM v1.23.6 1.24.8, 1.25.2 net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto
stdlib CVE-2025-61725 MEDIUM v1.23.6 1.24.8, 1.25.2 net/mail: Excessive CPU consumption in ParseAddress in net/mail
stdlib CVE-2025-61727 MEDIUM v1.23.6 1.24.11, 1.25.5 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
stdlib CVE-2025-61730 MEDIUM v1.23.6 1.24.12, 1.25.6 During the TLS 1.3 handshake if multiple messages are sent in records ...
stdlib CVE-2026-27142 MEDIUM v1.23.6 1.25.8, 1.26.1 html/template: URLs in meta content attribute actions are not escaped in html/template
stdlib CVE-2026-32282 MEDIUM v1.23.6 1.25.9, 1.26.2 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
stdlib CVE-2026-32288 MEDIUM v1.23.6 1.25.9, 1.26.2 archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive
stdlib CVE-2026-32289 MEDIUM v1.23.6 1.25.9, 1.26.2 html/template: golang: html/template: Cross-Site Scripting (XSS) via improper context and brace depth tracking in JS template literals
stdlib CVE-2026-27139 LOW v1.23.6 1.25.8, 1.26.1 os: FileInfo can escape from a Root in golang os module
stdlib CVE-2026-33811 UNKNOWN v1.23.6 1.25.10, 1.26.3 When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ...
stdlib CVE-2026-33814 UNKNOWN v1.23.6 1.25.10, 1.26.3 When processing HTTP/2 SETTINGS frames, transport will enter an infini ...
stdlib CVE-2026-39820 UNKNOWN v1.23.6 1.25.10, 1.26.3 Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ...
stdlib CVE-2026-39823 UNKNOWN v1.23.6 1.25.10, 1.26.3 CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ...
stdlib CVE-2026-39825 UNKNOWN v1.23.6 1.25.10, 1.26.3 ReverseProxy can forward queries containing parameters not visible to ...
stdlib CVE-2026-39826 UNKNOWN v1.23.6 1.25.10, 1.26.3 If a trusted template author were to write a <script> tag containing a ...
stdlib CVE-2026-39836 UNKNOWN v1.23.6 1.25.10, 1.26.3 Panic in Dial and LookupPort when handling NUL byte on Windows in net
stdlib CVE-2026-42499 UNKNOWN v1.23.6 1.25.10, 1.26.3 Pathological inputs could cause DoS through consumePhrase when parsing ...

Target bin/grpc_health_probe

Vulnerabilities (19)

Package ID Severity Installed Version Fixed Version Title
github.com/go-jose/go-jose/v4 CVE-2026-34986 HIGH v4.1.3 4.1.4 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
google.golang.org/grpc CVE-2026-33186 CRITICAL v1.78.0 1.79.3 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
stdlib CVE-2026-25679 HIGH v1.24.13 1.25.8, 1.26.1 net/url: Incorrect parsing of IPv6 host literals in net/url
stdlib CVE-2026-32280 HIGH v1.24.13 1.25.9, 1.26.2 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
stdlib CVE-2026-32281 HIGH v1.24.13 1.25.9, 1.26.2 crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
stdlib CVE-2026-32283 HIGH v1.24.13 1.25.9, 1.26.2 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
stdlib CVE-2026-27142 MEDIUM v1.24.13 1.25.8, 1.26.1 html/template: URLs in meta content attribute actions are not escaped in html/template
stdlib CVE-2026-32282 MEDIUM v1.24.13 1.25.9, 1.26.2 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
stdlib CVE-2026-32288 MEDIUM v1.24.13 1.25.9, 1.26.2 archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive
stdlib CVE-2026-32289 MEDIUM v1.24.13 1.25.9, 1.26.2 html/template: golang: html/template: Cross-Site Scripting (XSS) via improper context and brace depth tracking in JS template literals
stdlib CVE-2026-27139 LOW v1.24.13 1.25.8, 1.26.1 os: FileInfo can escape from a Root in golang os module
stdlib CVE-2026-33811 UNKNOWN v1.24.13 1.25.10, 1.26.3 When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ...
stdlib CVE-2026-33814 UNKNOWN v1.24.13 1.25.10, 1.26.3 When processing HTTP/2 SETTINGS frames, transport will enter an infini ...
stdlib CVE-2026-39820 UNKNOWN v1.24.13 1.25.10, 1.26.3 Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ...
stdlib CVE-2026-39823 UNKNOWN v1.24.13 1.25.10, 1.26.3 CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ...
stdlib CVE-2026-39825 UNKNOWN v1.24.13 1.25.10, 1.26.3 ReverseProxy can forward queries containing parameters not visible to ...
stdlib CVE-2026-39826 UNKNOWN v1.24.13 1.25.10, 1.26.3 If a trusted template author were to write a <script> tag containing a ...
stdlib CVE-2026-39836 UNKNOWN v1.24.13 1.25.10, 1.26.3 Panic in Dial and LookupPort when handling NUL byte on Windows in net
stdlib CVE-2026-42499 UNKNOWN v1.24.13 1.25.10, 1.26.3 Pathological inputs could cause DoS through consumePhrase when parsing ...

Target libexec/apptainer/bin/starter

Vulnerabilities (51)

Package ID Severity Installed Version Fixed Version Title
github.com/cloudflare/circl CVE-2025-8556 LOW v1.3.7 1.6.1 github.com/cloudflare/circl: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
github.com/cloudflare/circl CVE-2026-1229 LOW v1.3.7 1.6.3 CIRCL has an incorrect calculation in secp384r1 CombinedMult
github.com/docker/cli CVE-2025-15558 HIGH v27.5.1+incompatible 29.2.0 docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries
github.com/go-jose/go-jose/v4 CVE-2026-34986 HIGH v4.0.4 4.1.4 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
github.com/go-jose/go-jose/v4 CVE-2025-27144 MEDIUM v4.0.4 4.0.5 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
github.com/sigstore/sigstore CVE-2026-24137 MEDIUM v1.8.14 1.10.4 github.com/sigstore/sigstore: sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
golang.org/x/crypto CVE-2025-22869 HIGH v0.33.0 0.35.0 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
golang.org/x/crypto CVE-2025-47914 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
golang.org/x/crypto CVE-2025-58181 MEDIUM v0.33.0 0.45.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
golang.org/x/net CVE-2025-22870 MEDIUM v0.33.0 0.36.0 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
golang.org/x/net CVE-2025-22872 MEDIUM v0.33.0 0.38.0 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
stdlib CVE-2025-68121 CRITICAL v1.23.6 1.24.13, 1.25.7, 1.26.0-rc.3 crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
stdlib CVE-2025-47907 HIGH v1.23.6 1.23.12, 1.24.6 database/sql: Postgres Scan Race Condition
stdlib CVE-2025-58183 HIGH v1.23.6 1.24.8, 1.25.2 golang: archive/tar: Unbounded allocation when parsing GNU sparse map
stdlib CVE-2025-61726 HIGH v1.23.6 1.24.12, 1.25.6 golang: net/url: Memory exhaustion in query parameter parsing in net/url
stdlib CVE-2025-61728 HIGH v1.23.6 1.24.12, 1.25.6 golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
stdlib CVE-2025-61729 HIGH v1.23.6 1.24.11, 1.25.5 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
stdlib CVE-2026-25679 HIGH v1.23.6 1.25.8, 1.26.1 net/url: Incorrect parsing of IPv6 host literals in net/url
stdlib CVE-2026-32280 HIGH v1.23.6 1.25.9, 1.26.2 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
stdlib CVE-2026-32281 HIGH v1.23.6 1.25.9, 1.26.2 crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
stdlib CVE-2026-32283 HIGH v1.23.6 1.25.9, 1.26.2 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
stdlib CVE-2025-0913 MEDIUM v1.23.6 1.23.10, 1.24.4 Inconsistent handling of O_CREATE
stdlib CVE-2025-22870 MEDIUM v1.23.6 1.23.7, 1.24.1 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
stdlib CVE-2025-22871 MEDIUM v1.23.6 1.23.8, 1.24.2 net/http: Request smuggling due to acceptance of invalid chunked data in net/http
stdlib CVE-2025-22873 MEDIUM v1.23.6 1.23.9, 1.24.3 os: os: Information disclosure via path traversal using specially crafted filenames
stdlib CVE-2025-4673 MEDIUM v1.23.6 1.23.10, 1.24.4 net/http: Sensitive headers not cleared on cross-origin redirect in net/http
stdlib CVE-2025-47906 MEDIUM v1.23.6 1.23.12, 1.24.6 os/exec: Unexpected paths returned from LookPath in os/exec
stdlib CVE-2025-47912 MEDIUM v1.23.6 1.24.8, 1.25.2 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
stdlib CVE-2025-58185 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1
stdlib CVE-2025-58186 MEDIUM v1.23.6 1.24.8, 1.25.2 golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http
stdlib CVE-2025-58187 MEDIUM v1.23.6 1.24.9, 1.25.3 crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
stdlib CVE-2025-58188 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509
stdlib CVE-2025-58189 MEDIUM v1.23.6 1.24.8, 1.25.2 crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information
stdlib CVE-2025-61723 MEDIUM v1.23.6 1.24.8, 1.25.2 encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem
stdlib CVE-2025-61724 MEDIUM v1.23.6 1.24.8, 1.25.2 net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto
stdlib CVE-2025-61725 MEDIUM v1.23.6 1.24.8, 1.25.2 net/mail: Excessive CPU consumption in ParseAddress in net/mail
stdlib CVE-2025-61727 MEDIUM v1.23.6 1.24.11, 1.25.5 golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
stdlib CVE-2025-61730 MEDIUM v1.23.6 1.24.12, 1.25.6 During the TLS 1.3 handshake if multiple messages are sent in records ...
stdlib CVE-2026-27142 MEDIUM v1.23.6 1.25.8, 1.26.1 html/template: URLs in meta content attribute actions are not escaped in html/template
stdlib CVE-2026-32282 MEDIUM v1.23.6 1.25.9, 1.26.2 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
stdlib CVE-2026-32288 MEDIUM v1.23.6 1.25.9, 1.26.2 archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive
stdlib CVE-2026-32289 MEDIUM v1.23.6 1.25.9, 1.26.2 html/template: golang: html/template: Cross-Site Scripting (XSS) via improper context and brace depth tracking in JS template literals
stdlib CVE-2026-27139 LOW v1.23.6 1.25.8, 1.26.1 os: FileInfo can escape from a Root in golang os module
stdlib CVE-2026-33811 UNKNOWN v1.23.6 1.25.10, 1.26.3 When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ...
stdlib CVE-2026-33814 UNKNOWN v1.23.6 1.25.10, 1.26.3 When processing HTTP/2 SETTINGS frames, transport will enter an infini ...
stdlib CVE-2026-39820 UNKNOWN v1.23.6 1.25.10, 1.26.3 Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ...
stdlib CVE-2026-39823 UNKNOWN v1.23.6 1.25.10, 1.26.3 CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ...
stdlib CVE-2026-39825 UNKNOWN v1.23.6 1.25.10, 1.26.3 ReverseProxy can forward queries containing parameters not visible to ...
stdlib CVE-2026-39826 UNKNOWN v1.23.6 1.25.10, 1.26.3 If a trusted template author were to write a <script> tag containing a ...
stdlib CVE-2026-39836 UNKNOWN v1.23.6 1.25.10, 1.26.3 Panic in Dial and LookupPort when handling NUL byte on Windows in net
stdlib CVE-2026-42499 UNKNOWN v1.23.6 1.25.10, 1.26.3 Pathological inputs could cause DoS through consumePhrase when parsing ...

Target usr/bin/sda-validator-orchestrator

No Vulnerabilities found

@github-actions

github-actions Bot commented May 8, 2026

🔍 Trivy Scan - Doa 🔍

Target ghcr.io/biobanklab/sensitive-data-archive:PR23-doa (alpine 3.23.4)

No Vulnerabilities found

Target Java

Vulnerabilities (21)

Package ID Severity Installed Version Fixed Version Title
com.fasterxml.jackson.core:jackson-core GHSA-72hv-8253-57qq MEDIUM 2.20.2 2.21.1, 2.18.6 jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
io.netty:netty-codec-compression CVE-2026-42583 HIGH 4.2.10.Final 4.2.13.Final Netty Lz4FrameDecoder is vulnerable to resource exhaustion
org.apache.tomcat.embed:tomcat-embed-core CVE-2026-29145 CRITICAL 11.0.18 9.0.116, 10.1.53, 11.0.20 Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration
org.apache.tomcat.embed:tomcat-embed-core CVE-2026-29129 HIGH 11.0.18 9.0.116, 10.1.53, 11.0.20 Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved
org.apache.tomcat.embed:tomcat-embed-core CVE-2026-34483 HIGH 11.0.18 9.0.116, 10.1.54, 11.0.21 Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve
org.apache.tomcat.embed:tomcat-embed-core CVE-2026-34487 HIGH 11.0.18 9.0.117, 10.1.54, 11.0.21 Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files
org.apache.tomcat.embed:tomcat-embed-core CVE-2026-25854 MEDIUM 11.0.18 9.0.116, 10.1.53, 11.0.20 Apache Tomcat: Apache Tomcat: Open Redirect vulnerability via LoadBalancerDrainingValve
org.apache.tomcat.embed:tomcat-embed-core CVE-2026-32990 MEDIUM 11.0.18 9.0.116, 10.1.53, 11.0.20 Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix
org.apache.tomcat.embed:tomcat-embed-core CVE-2026-34500 MEDIUM 11.0.18 9.0.117, 10.1.54, 11.0.21 Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration
org.bouncycastle:bcprov-jdk18on CVE-2026-5598 HIGH 1.81 1.84 bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons
org.bouncycastle:bcprov-jdk18on CVE-2026-0636 MEDIUM 1.81 1.84 bouncycastle: BC-JAVA: LDAP injection vulnerability in LDAPStoreHelper.java
org.postgresql:postgresql CVE-2026-42198 HIGH 42.7.10 42.7.11 jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
org.springframework.boot:spring-boot CVE-2026-40976 CRITICAL 4.0.3 4.0.6 Spring Boot's default security filter chain has no authorization rule with Actuator but without Health
org.springframework.boot:spring-boot CVE-2026-40973 HIGH 4.0.3 4.0.6, 3.5.14 Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
org.springframework:spring-webmvc CVE-2026-22737 MEDIUM 7.0.5 7.0.6, 6.2.17 Spring Framework: Spring Framework: Information disclosure via Java scripting engine enabled template views
org.springframework:spring-webmvc CVE-2026-22745 MEDIUM 7.0.5 7.0.7, 6.2.18 spring-webflux: Spring MVC and Spring WebFlux: Denial of Service via slow static resource resolution on Windows
org.springframework:spring-webmvc CVE-2026-22735 LOW 7.0.5 7.0.6, 6.2.17 org.springframework/spring-webmvc: org.springframework/spring-webflux: Spring MVC and WebFlux: Stream corruption vulnerability when using Server-Sent Events
org.springframework:spring-webmvc CVE-2026-22741 LOW 7.0.5 7.0.7, 6.2.18 Spring MVC: Spring WebFlux: Spring MVC and Spring WebFlux: Denial of Service via cache poisoning
tools.jackson.core:jackson-core CVE-2026-29062 HIGH 3.0.4 3.1.0 jackson-core: jackson-core: Denial of Service via excessive JSON nesting
tools.jackson.core:jackson-core GHSA-2m67-wjpj-xhg9 HIGH 3.0.4 3.1.1 Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers
tools.jackson.core:jackson-core GHSA-72hv-8253-57qq MEDIUM 3.0.4 3.1.0 jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition

@github-actions

github-actions Bot commented May 8, 2026

🔍 Trivy Scan - Download 🔍

Target usr/bin/sda-download

No Vulnerabilities found

@github-actions

github-actions Bot commented May 8, 2026

🔍 Trivy Scan - SDA Services 🔍

Target ghcr.io/biobanklab/sensitive-data-archive:PR23 (debian 13.4)

No Vulnerabilities found

Target usr/local/bin/sda-api

No Vulnerabilities found

Target usr/local/bin/sda-auth

Vulnerabilities (1)

Package ID Severity Installed Version Fixed Version Title
github.com/gomarkdown/markdown CVE-2026-40890 HIGH v0.0.0-20260217112301-37c66b85d6ab 0.0.0-20260411013819-759bbc3e3207 github.com/gomarkdown/markdown: github.com/gomarkdown/markdown: Denial of Service via malformed Markdown input

Target usr/local/bin/sda-download

No Vulnerabilities found

Target usr/local/bin/sda-finalize

No Vulnerabilities found

Target usr/local/bin/sda-ingest

No Vulnerabilities found

Target usr/local/bin/sda-intercept

No Vulnerabilities found

Target usr/local/bin/sda-mapper

No Vulnerabilities found

Target usr/local/bin/sda-notify

No Vulnerabilities found

Target usr/local/bin/sda-orchestrate

No Vulnerabilities found

Target usr/local/bin/sda-reencrypt

No Vulnerabilities found

Target usr/local/bin/sda-rotatekey

No Vulnerabilities found

Target usr/local/bin/sda-s3inbox

No Vulnerabilities found

Target usr/local/bin/sda-sync

No Vulnerabilities found

Target usr/local/bin/sda-syncapi

No Vulnerabilities found

Target usr/local/bin/sda-verify

No Vulnerabilities found

@kkochel kkochel merged commit 4785949 into main May 10, 2026
111 of 113 checks passed
7 participants