From 7d7b836665d0080e6947d0a0d2c5fce8ae9bd987 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Mon, 16 Sep 2024 12:44:08 +0600
Subject: [PATCH 1/4] chore(vex): add CVE-2024-34156 in trivy.openvex.json
---
 .vex/trivy.openvex.json | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/.vex/trivy.openvex.json b/.vex/trivy.openvex.json
index 21af61db7d76..113a8864f202 100644
--- a/.vex/trivy.openvex.json
+++ b/.vex/trivy.openvex.json
@@ -453,6 +453,35 @@
 "status": "not_affected",
 "justification": "vulnerable_code_not_in_execute_path",
 "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2024-3106",
+ "name": "GO-2024-3106",
+ "description": "Stack exhaustion in Decoder.Decode in encoding/gob",
+ "aliases": [
+ "CVE-2024-34156"
+ ]
+ },
+ "products": [
+ {
+ "@id": "pkg:golang/github.com/aquasecurity/trivy",
+ "identifiers": {
+ "purl": "pkg:golang/github.com/aquasecurity/trivy"
+ },
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/stdlib",
+ "identifiers": {
+ "purl": "pkg:golang/stdlib"
+ }
+ }
+ ]
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_in_execute_path",
+ "impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/golang/go/issues/69446"
 }
 ]
 }
From ff5bfd07d1077c28efa509bcdac4cd9745561e8b Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Mon, 16 Sep 2024 12:50:59 +0600
Subject: [PATCH 2/4] refactor: update link
---
 .vex/trivy.openvex.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.vex/trivy.openvex.json b/.vex/trivy.openvex.json
index 113a8864f202..4f857255ab0b 100644
--- a/.vex/trivy.openvex.json
+++ b/.vex/trivy.openvex.json
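Review bot: The justification `vulnerable_code_not_in_execute_path` on the new GO-2024-3106 statement sits next to an impact_statement admitting that govulncheck reports the vulnerability as affected, and govulncheck only does that when it finds a call path to the vulnerable symbol; if Trivy really does reach `encoding/gob.Decoder.Decode`, the accurate OpenVEX justification is `vulnerable_code_cannot_be_controlled_by_adversary` (with a note on why the gob input is not attacker-controlled), and if the reported path is a genuine analysis false positive the statement should say which path is flagged and why it cannot execute. As written, "The vulnerable code isn't called" is a bare assertion that contradicts the tool and that a downstream VEX consumer cannot re-check. Suggest an impact_statement of the form `"Govulncheck reports a path to encoding/gob.Decoder.Decode via <symbol>; <why that path is not reachable or not attacker-controlled>. See https://github.com/golang/go/issues/69446"`, with the justification chosen to match whichever of the two cases actually applies.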
@@ -481,7 +481,7 @@
 ],
 "status": "not_affected",
 "justification": "vulnerable_code_not_in_execute_path",
- "impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/golang/go/issues/69446"
+ "impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478"
 }
 ]
 }
From 48e459015d0fbc8a187ed92e721eb21f5531e9d1 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Mon, 16 Sep 2024 13:05:40 +0600
Subject: [PATCH 3/4] chore(vex): add CVE-2024-34158 in trivy.openvex.json
---
 .vex/trivy.openvex.json | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/.vex/trivy.openvex.json b/.vex/trivy.openvex.json
index 4f857255ab0b..7a4bc2a47313 100644
--- a/.vex/trivy.openvex.json
+++ b/.vex/trivy.openvex.json
@@ -482,6 +482,35 @@
 "status": "not_affected",
 "justification": "vulnerable_code_not_in_execute_path",
 "impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478"
+ },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2024-3107",
+ "name": "GO-2024-3107",
+ "description": "Stack exhaustion in Parse in go/build/constraint",
+ "aliases": [
+ "CVE-2024-34158"
+ ]
+ },
+ "products": [
+ {
+ "@id": "pkg:golang/github.com/aquasecurity/trivy",
+ "identifiers": {
+ "purl": "pkg:golang/github.com/aquasecurity/trivy"
+ },
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/stdlib",
+ "identifiers": {
+ "purl": "pkg:golang/stdlib"
+ }
+ }
+ ]
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_in_execute_path",
+ "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
 }
 ]
 }
From 9a6e906d80d1a330b3d1886a71fb54b9e37ab249 Mon Sep 17 00:00:00 2001
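Review bot: The rewritten impact_statement swaps the upstream govulncheck issue link for the Trivy-side issue, so the statement no longer points at the evidence behind its own claim that govulncheck is wrong; a VEX consumer who does not follow Trivy's tracker is left with an unsupported assertion. Keep both references rather than replacing one with the other, e.g. `"... The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478 and https://github.com/golang/go/issues/69446"`. The enclosing statement object begins before this hunk.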
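Review bot: The new GO-2024-3107 statement is scoped to the versionless purl `pkg:golang/stdlib`, so it will keep marking the finding not_affected for every future stdlib version, including after Trivy moves to a Go release that fixes the issue and after any code change that starts calling `go/build/constraint.Parse` on external input; neither event will surface the finding again. Its impact_statement records only that "Govulncheck determined" unreachability, not under which Go or govulncheck version, so the claim cannot be re-verified later. Suggest recording the verification context in the statement, e.g. `"Govulncheck (Go <version>, run <date>) determined that the vulnerable code isn't called; re-verify on toolchain bumps"`, and dropping the entry once the toolchain in use contains the fix.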
From: DmitriyLewen
Date: Mon, 16 Sep 2024 13:06:32 +0600
Subject: [PATCH 4/4] chore(vex): add CVE-2024-34155 in trivy.openvex.json
---
 .vex/trivy.openvex.json | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/.vex/trivy.openvex.json b/.vex/trivy.openvex.json
index 7a4bc2a47313..2dd1629ecc89 100644
--- a/.vex/trivy.openvex.json
+++ b/.vex/trivy.openvex.json
@@ -454,6 +454,35 @@
 "justification": "vulnerable_code_not_in_execute_path",
 "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
 },
+ {
+ "vulnerability": {
+ "@id": "https://pkg.go.dev/vuln/GO-2024-3105",
+ "name": "GO-2024-3105",
+ "description": "Stack exhaustion in all Parse functions in go/parser",
+ "aliases": [
+ "CVE-2024-34155"
+ ]
+ },
+ "products": [
+ {
+ "@id": "pkg:golang/github.com/aquasecurity/trivy",
+ "identifiers": {
+ "purl": "pkg:golang/github.com/aquasecurity/trivy"
+ },
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/stdlib",
+ "identifiers": {
+ "purl": "pkg:golang/stdlib"
+ }
+ }
+ ]
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_in_execute_path",
+ "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+ },
 {
 "vulnerability": {
 "@id": "https://pkg.go.dev/vuln/GO-2024-3106",