From d02f6ab77d533c4b6306ae2b2ed37958e30912bf Mon Sep 17 00:00:00 2001
From: Anthony Brown <anthony.brown8@nhs.net>
Date: Fri, 20 Mar 2026 14:11:23 +0000
Subject: [PATCH 1/5] install chrome

---
 src/common/.trivyignore.yaml                          |  7 +++++++
 .../regression_tests/.devcontainer/.tool-versions     |  2 +-
 .../.devcontainer/scripts/root_install.sh             | 11 +++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index 6e434c8..2fa09b9 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
@@ -432,3 +432,10 @@ vulnerabilities:
     purls:
       - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-09-16
+  - id: CVE-2026-33186
+    statement: "gRPC-Go has an authorization bypass via missing leading slash in :path"
+    purls:
+      - "pkg:golang/google.golang.org/grpc@v1.74.2"
+      - "pkg:golang/google.golang.org/grpc@v1.78.0"
+      - "pkg:golang/google.golang.org/grpc@v1.79.2"
+    expired_at: 2026-09-20
diff --git a/src/projects/regression_tests/.devcontainer/.tool-versions b/src/projects/regression_tests/.devcontainer/.tool-versions
index edb8359..0cf1997 100644
--- a/src/projects/regression_tests/.devcontainer/.tool-versions
+++ b/src/projects/regression_tests/.devcontainer/.tool-versions
@@ -1 +1 @@
-allure 2.37.0
+allure 2.38.0
diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
index 474c45b..8871df3 100755
--- a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
+++ b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
@@ -2,6 +2,17 @@
 
 set -e
 
+# install chrome
+mkdir -p /etc/apt/keyrings
+wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/keyrings/google.asc >/dev/null
+if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
+    sudo sh -c 'echo "deb [arch=arm64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
+else
+    sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
+fi
+sudo apt-get update 
+sudo apt-get install -y google-chrome-stable
+
 # clean up
 apt-get clean
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

From 394ce782021259b221b25aa6f2675d4f5e76bf6e Mon Sep 17 00:00:00 2001
From: Anthony Brown <anthony.brown8@nhs.net>
Date: Fri, 20 Mar 2026 14:19:03 +0000
Subject: [PATCH 2/5] no sudo

---
 .../.devcontainer/scripts/root_install.sh                 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
index 8871df3..5e636e3 100755
--- a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
+++ b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
@@ -6,12 +6,12 @@ set -e
 mkdir -p /etc/apt/keyrings
 wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/keyrings/google.asc >/dev/null
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
-    sudo sh -c 'echo "deb [arch=arm64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
+    sh -c 'echo "deb [arch=arm64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
 else
-    sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
+    sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
 fi
-sudo apt-get update 
-sudo apt-get install -y google-chrome-stable
+apt-get update 
+apt-get install -y google-chrome-stable
 
 # clean up
 apt-get clean

From 011d41e39da0c59150e32ce50afa308b3789feab Mon Sep 17 00:00:00 2001
From: Anthony Brown <anthony.brown8@nhs.net>
Date: Fri, 20 Mar 2026 14:19:33 +0000
Subject: [PATCH 3/5] pipefail

---
 .../regression_tests/.devcontainer/scripts/root_install.sh      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
index 5e636e3..c0799f3 100755
--- a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
+++ b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
 # install chrome
 mkdir -p /etc/apt/keyrings

From 3270814c340ef29d059aa3df9c8b03df2e32eff0 Mon Sep 17 00:00:00 2001
From: Anthony Brown <anthony.brown8@nhs.net>
Date: Fri, 20 Mar 2026 14:22:23 +0000
Subject: [PATCH 4/5] better

---
 .../regression_tests/.devcontainer/scripts/root_install.sh    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
index c0799f3..05d772a 100755
--- a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
+++ b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
@@ -6,9 +6,9 @@ set -euo pipefail
 mkdir -p /etc/apt/keyrings
 wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/keyrings/google.asc >/dev/null
 if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
-    sh -c 'echo "deb [arch=arm64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
+    sh -c 'echo "deb [arch=arm64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list'
 else
-    sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
+    sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list'
 fi
 apt-get update 
 apt-get install -y google-chrome-stable

From 8f5e153078ec34b1605dfe8c349671ca1b3032c3 Mon Sep 17 00:00:00 2001
From: Anthony Brown <anthony.brown8@nhs.net>
Date: Fri, 20 Mar 2026 15:23:37 +0000
Subject: [PATCH 5/5] try not using different arch for chrome

---
 src/projects/eps-storage-terraform/.trivyignore.yaml        | 5 +++++
 .../regression_tests/.devcontainer/scripts/root_install.sh  | 6 +-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
index 79605cd..6fa00f4 100644
--- a/src/projects/eps-storage-terraform/.trivyignore.yaml
+++ b/src/projects/eps-storage-terraform/.trivyignore.yaml
@@ -110,3 +110,8 @@ vulnerabilities:
     purls:
       - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0"
     expired_at: 2026-09-10
+  - id: CVE-2026-33186
+    statement: "gRPC-Go has an authorization bypass via missing leading slash in :path"
+    purls:
+      - "pkg:golang/google.golang.org/grpc@v1.69.4"
+    expired_at: 2026-09-20
diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
index 05d772a..97d3b80 100755
--- a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
+++ b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
@@ -5,11 +5,7 @@ set -euo pipefail
 # install chrome
 mkdir -p /etc/apt/keyrings
 wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/keyrings/google.asc >/dev/null
-if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then
-    sh -c 'echo "deb [arch=arm64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list'
-else
-    sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list'
-fi
+sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list'
 apt-get update 
 apt-get install -y google-chrome-stable