From a39e17ef603fd463152ef0d8746714e958584948 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Mon, 4 May 2026 11:39:21 +1000
Subject: [PATCH 1/3] fix(CVE-2026-33845): upgrade gnutls to 3.8.13-r0+ in Alpine base image

Adds RUN apk upgrade --no-cache gnutls to patch CVE-2026-33845 (GnuTLS DoS via DTLS zero-length record, HIGH severity). UID2-7008
---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 6a8086d54..4566cccfe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,9 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
 FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
+# CVE-2026-33845: upgrade gnutls to 3.8.13-r0+
+RUN apk upgrade --no-cache gnutls
+
 # For Amazon Corretto Crypto Provider
 RUN apk add --no-cache gcompat

From 578a830e5dfea9bb63a598e37d41445b471b120c Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Mon, 4 May 2026 13:28:47 +1000
Subject: [PATCH 2/3] fix: pin gnutls=3.8.13-r0 instead of open-ended upgrade

Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4566cccfe..7dfde0844 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
 FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
-# CVE-2026-33845: upgrade gnutls to 3.8.13-r0+
-RUN apk upgrade --no-cache gnutls
+# CVE-2026-33845: pin gnutls to 3.8.13-r0 (fixes DoS via DTLS zero-length record)
+RUN apk add --no-cache 'gnutls=3.8.13-r0'
 # For Amazon Corretto Crypto Provider
 RUN apk add --no-cache gcompat

From 0609c6986cbb7c02c9e402ff265be1d4359368c6 Mon Sep 17 00:00:00 2001
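Review bot: The exact pin `'gnutls=3.8.13-r0'` on the new `RUN apk add` line in patch 2 is brittle: the base image is frozen by digest, but apk resolves the package from the live Alpine 3.23 repository, and Alpine release repositories normally carry only the current build of each package, so this line will start failing with an unsatisfiable-constraint error as soon as a later gnutls build replaces that one. A lower bound keeps the property that matters here — the build fails if the fixed version is not available — while tolerating later builds: `RUN apk add --no-cache 'gnutls>=3.8.13-r0'`. Because the layer now diverges from what the pinned digest ships, the comment above it should say so and name the exit condition, e.g. `# CVE-2026-33845: gnutls is upgraded past the version in the pinned base image; drop this line once the base digest is bumped to one that ships >=3.8.13-r0`. Patch 3 of this series reverts this hunk, so the point only applies if the pin is kept.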
From: sophia chen
Date: Mon, 4 May 2026 13:38:18 +1000
Subject: [PATCH 3/3] fix: suppress CVE-2026-33845 in trivyignore; gnutls not used by service

Co-Authored-By: Claude Sonnet 4.6
---
 .trivyignore | 3 +++
 Dockerfile | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index a4acafd48..fc7effd2b 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -11,6 +11,9 @@ CVE-2025-68973 exp:2026-06-15
 # gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
 # See: UID2-6655
 CVE-2026-1584 exp:2026-08-27
+# gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service
+# See: UID2-7008
+CVE-2026-33845 exp:2026-11-04
 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
 # See: UID2-6670

diff --git a/Dockerfile b/Dockerfile
index 7dfde0844..6a8086d54 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,6 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
 FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
-# CVE-2026-33845: pin gnutls to 3.8.13-r0 (fixes DoS via DTLS zero-length record)
-RUN apk add --no-cache 'gnutls=3.8.13-r0'
-
 # For Amazon Corretto Crypto Provider
 RUN apk add --no-cache gcompat
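Review bot: The new `.trivyignore` entry for CVE-2026-33845 records the conclusion ("gnutls is not used by our Java service") but not the evidence, and the suppression leaves the vulnerable library in the image until 2026-11-04 while the scanner stays silent about it, which is the same pattern already used for CVE-2026-1584 above it. If the package really is unused, removing it is the stronger fix and makes the finding disappear rather than being ignored: `RUN apk del gnutls` beside the existing `gcompat` install in the Dockerfile — and if apk reports that another installed package requires gnutls, that contradicts the "not used" claim and should be resolved before the suppression is merged. If removal is not possible, the comment should state how non-use was established so the next reviewer can re-check it at expiry, e.g. `# Verified (UID2-7008): apk info -r gnutls lists no reverse deps and the service loads no native library linked against libgnutls` — with the author confirming those facts rather than copying the sentence. Note also that the Dockerfile hunk in this patch restores blob 6a8086d54, so the series nets to no Dockerfile change and patches 1 and 2 could be dropped rather than landed and reverted.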