trivy: Ignore CVE-2024-26147 (helm)

.trivyignore

@@ -30,4 +30,12 @@ CVE-2022-41721
 # This CVE has not yet been patched in the kubectl version we are using, however it should not
 # affect us as kubernetes does not use the affected code path (see description in
 # https://github.com/kubernetes/kubernetes/pull/118036).
-CVE-2023-2253
+CVE-2023-2253
+
+# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
+# It only leads to a panic if there is a misconfigured / malicious helm plugin installed
+# and can be easily resolved by removing the misconfigured / malicious plugin
+# The helm bump will require bumping the k8s dependencies by +2 minor versions that can cause issues.
+# https://github.com/solo-io/gloo/issues/9186
+# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
+CVE-2024-26147

changelog/v1.14.30/ignore-helm-114.yaml

@@ -0,0 +1,8 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/solo-io/gloo/issues/9187
+  resolvesIssue: true
+  description: >
+    Choosing to ignore helm upgrade, as it does not impact the data and control planes of Gloo Edge. This only impacts glooctl and panics will not affect future uses of glooclt. The fix to bump helm will also require bumping the k8s dependencies by several minor versions that can cause issues. As it also has a simple resolution on the client side, it is therefore deemed to have little to no impact.
+      skipCI-kube-tests:true
+      skipCI-docs-build:true