From 221bedd1137f3011828196d988ccb8e0ffb9d6d9 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Thu, 25 Jun 2026 11:03:36 +1000 Subject: [PATCH] UID2-7364: Suppress jackson-databind CVE-2026-54512 / CVE-2026-54513 jackson-databind is transitive via uid2-shared; version fix tracked in uid2-shared PR #631 and flows here on the next uid2-shared release. Suppress both CVEs (exp 2026-07-25) in the interim. Co-Authored-By: Claude Opus 4.8 --- .trivyignore | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.trivyignore b/.trivyignore index 82c56b9c..92de5f0e 100644 --- a/.trivyignore +++ b/.trivyignore @@ -22,3 +22,11 @@ GHSA-72hv-8253-57qq exp:2026-09-01 # LB-level connection limits and idle timeouts further cap the blast radius. CVSS impact is # Availability only (C:N/I:N/A:H). Tracking via UID2-7035; revisit on vert.x 5 migration. CVE-2026-42577 exp:2026-09-11 + +# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4) +# jackson-databind is pulled in transitively via uid2-shared; the version fix is tracked in +# uid2-shared (https://github.com/IABTechLab/uid2-shared/pull/631) and will flow here on the +# next uid2-shared release. Suppressing in the interim. +# See: UID2-7364 +CVE-2026-54512 exp:2026-07-25 +CVE-2026-54513 exp:2026-07-25
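Review bot: the added comment block is internally inconsistent about the fix status: it says "no upstream fix released yet" while listing concrete fix targets (2.18.8, 2.21.4, 3.1.4) on the same line, and the commit message says the version bump is already tracked in uid2-shared PR #631. Pick one statement and record the jackson-databind version currently resolved through uid2-shared next to it, so that whoever hits the 2026-07-25 expiry can verify the bump has actually flowed in instead of just extending the date. Minor: the entry immediately above uses "Tracking via UID2-7035" while the new block uses "See: UID2-7364"; matching the existing wording keeps the file's convention.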