starrocks/trivy.yaml at main · StarRocks/starrocks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
severity:
  - HIGH
  - CRITICAL
scan:
  skip-dirs:
    # ignore broker's cve
    - apache_hdfs_broker/
  skip-files:
    # SHOULD ONLY skip jar in bundle format that can't be excluded via maven dependency management
    # hdfs required
    - "**/hadoop-client-runtime-3.4.3.jar"
    # kudu required
    - "**/kudu-client-1.17.1.jar"
    # paimon required
    - "**/paimon-bundle-1.3.1.jar"
    - "**/paimon-bundle-1.2.0.jar"
    # aws sdk bundle
    - "**/bundle-2.29.52.jar"
    # spark core
    - "**/spark-core_2.12-3.5.7.jar"
    # tencent cos_api
    - "**/cos_api-bundle-5.6.137.2.jar"
    # gcs connector hadoop3
    - "**/gcs-connector-hadoop3-2.2.26-shaded.jar"
    # parquet hadoop bundle
    - "**/parquet-hadoop-bundle-1.15.2.jar"
    # io.grpc:grpc-netty-shaded (grpc-netty-shaded-1.63.0.jar) CVE-2025-55163
    - "**/grpc-netty-shaded-1.63.0.jar"
    # from java extension
    - "**/parquet-jackson-1.15.2.jar"
    # from fe
    - "**/parquet-jackson-1.16.0.jar"