From 35ca029a3a2ec4a991c54a2b97cac9cda8a07d94 Mon Sep 17 00:00:00 2001
From: David Jumani
Date: Mon, 4 Mar 2024 11:31:29 -0500
Subject: [PATCH] trivy: Ignore CVE-2024-26147 (helm)

---
 .trivyignore | 10 +++++++++-
 changelog/v1.14.30/ignore-helm-114.yaml | 8 ++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 changelog/v1.14.30/ignore-helm-114.yaml

diff --git a/.trivyignore b/.trivyignore
index 58488007a8b..e3695d7c9c5 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -30,4 +30,12 @@ CVE-2022-41721
 # This CVE has not yet been patched in the kubectl version we are using, however it should not
 # affect us as kubernetes does not use the affected code path (see description in
 # https://github.com/kubernetes/kubernetes/pull/118036).
-CVE-2023-2253
\ No newline at end of file
+CVE-2023-2253
+
+# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
+# It only leads to a panic if there is a misconfigured / malicious helm plugin installed
+# and can be easily resolved by removing the misconfigured / malicious plugin
+# The helm bump will require bumping the k8s dependencies by +2 minor versions that can cause issues.
+# https://github.com/solo-io/gloo/issues/9186
+# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
+CVE-2024-26147
diff --git a/changelog/v1.14.30/ignore-helm-114.yaml b/changelog/v1.14.30/ignore-helm-114.yaml
new file mode 100644
index 00000000000..d8a70cf963d
--- /dev/null
+++ b/changelog/v1.14.30/ignore-helm-114.yaml
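Review bot: The new `CVE-2024-26147` entry at the end of the hunk is an open-ended suppression — nothing in `.trivyignore` records when the stated reason (the +2-minor k8s bump being too disruptive) should be revisited, so the finding stays hidden even after the helm upgrade becomes feasible. Trivy's ignore file accepts an expiry on an entry, e.g. `CVE-2024-26147 exp:2024-09-01` (date illustrative), which forces a conscious renewal instead of a silent permanent exemption; if the Trivy version pinned by this repo predates that syntax, a dated `# re-evaluate by <date>` line next to the tracking issue is the fallback. Note also that an ID in this file is suppressed for every target the scanner covers, not only the glooctl binary the comment reasons about, so the comment should state that the affected helm code is not linked into the control-plane or data-plane images (or the exemption should be scoped per target if it is). The header says "These CVEs" but lists a single ID; `# This CVE only impacts install of Gloo-Edge from Glooctl CLI.` would match the entry.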
@@ -0,0 +1,8 @@
+changelog:
+- type: NON_USER_FACING
+ issueLink: https://github.com/solo-io/gloo/issues/9187
+ resolvesIssue: true
+ description: >
+ Choosing to ignore helm upgrade, as it does not impact the data and control planes of Gloo Edge. This only impacts glooctl and panics will not affect future uses of glooclt. The fix to bump helm will also require bumping the k8s dependencies by several minor versions that can cause issues. As it also has a simple resolution on the client side, it is therefore deemed to have little to no impact.
+ skipCI-kube-tests:true
+ skipCI-docs-build:true