Problem
The Grype supply chain scan is failing on PR #250 due to new high/critical CVEs in the Docker base image's Go stdlib and Python 3.13 runtime. These are upstream dependencies not exploitable in our deployment context.
CVEs requiring suppression
Critical
- CVE-2025-68121 — Go stdlib go1.23.12 (fixed in 1.26.0-rc.3). From embedded Go tooling in the Wolfi base image, not our application code.
High (Go stdlib go1.23.12)
High (Python 3.13)
- CVE-2026-4786 — Python 3.13.13-r0 (no fix available in Wolfi/Alpine yet)
Context
- All Go stdlib CVEs come from the Wolfi base image's embedded Go runtime, not from Distillery code. Distillery is a pure Python application — no Go code is compiled or executed.
- The Python CVE affects the CPython runtime. Needs review to determine if the specific vulnerability surface is exercised by Distillery.
- The existing .grype.yaml already suppresses 6 CVEs with documented rationale.
Fix
Add suppression entries to .grype.yaml with rationale for each CVE. Review whether updating the Dockerfile base image to a newer Wolfi/Python tag resolves any of these.
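As an added illustration of the suppression entries the fix calls for (this is example configuration, not the contents of Distillery's actual .grype.yaml), the fragment below scopes each ignore rule to the specific package and version the finding came from, so the rule stops matching as soon as the base image is bumped and the suppression has to be re-justified. The package names and types (stdlib/go-module for the embedded Go runtime, python-3.13/apk for the Wolfi Python package) are assumptions about how Syft names these components; check them against the scan's own output before copying. Rationale is carried in YAML comments next to each rule.

```yaml
# Example .grype.yaml ignore rules (assumed layout; the real file is not shown in the issue).
# Each rule is pinned to package name + version so a base-image update invalidates it
# and forces the suppression to be reviewed again rather than silently carried forward.
ignore:
  # CVE-2025-68121 (Critical) - Go stdlib go1.23.12 shipped inside the Wolfi base image.
  # Rationale: Distillery is a pure Python application; no Go code is compiled or
  # executed at runtime, so the vulnerable stdlib code path is never reached.
  # Fixed upstream in 1.26.0-rc.3; drop this rule once the image carries that toolchain.
  - vulnerability: CVE-2025-68121
    package:
      name: stdlib          # assumed Syft name for the embedded Go standard library
      version: go1.23.12    # version from the scan finding
      type: go-module       # assumed package type for Go stdlib matches

  # CVE-2026-4786 (High) - CPython 3.13.13-r0 runtime from Wolfi.
  # Rationale: no fix is available in Wolfi/Alpine yet; whether the affected
  # surface is exercised by Distillery is still under review (see Context).
  # fix-state: not-fixed makes the rule stop matching the moment a fixed package
  # exists, so the scan fails again and prompts the upgrade instead of staying muted.
  - vulnerability: CVE-2026-4786
    fix-state: not-fixed
    package:
      name: python-3.13     # assumed Wolfi apk package name
      version: 3.13.13-r0   # version from the scan finding
      type: apk
```

Two checks worth doing when landing these rules: run `grype --show-suppressed` (or inspect the `ignoredMatches` section of the JSON output) to confirm that exactly the intended findings, and nothing else, are being hidden, and try the newer Wolfi/Python base-image tag first, since a rule that is no longer needed is better than a rule with a good rationale.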