From 6d80f8c1d7149429b9a79080c5e646d5bc3765e5 Mon Sep 17 00:00:00 2001
From: Zhe Sun <31067185+ZheSun88@users.noreply.github.com>
Date: Tue, 16 Jun 2026 13:52:58 +0300
Subject: [PATCH] chore: update cve list for opentelemetry (#9027)
---
 scripts/generateAndCheckSBOM.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js
index c6666ad89..061507eb6 100755
--- a/scripts/generateAndCheckSBOM.js
+++ b/scripts/generateAndCheckSBOM.js
@@ -129,6 +129,18 @@ const cveWhiteList = {
 cves: ['CVE-2025-15104'],
 description: 'FP: The CVE belongs to Nu Html Checker which produce a false positive on Networknt JSON Schema Validator due to the overlapping keyword or an overly broad CPE mapping rule.'
 },
+ 'pkg:npm/%40opentelemetry%2Fcore@1.9.0' : {
+ cves: ['CVE-2026-54285'],
+ description: 'Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.'
+ },
+ 'pkg:npm/%40opentelemetry%2Fcore@1.8.0' : {
+ cves: ['CVE-2026-54285'],
+ description: 'Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.'
+ },
+ 'pkg:npm/%40opentelemetry/core@1.9.0' : {
+ cves: ['CVE-2026-54285'],
+ description: 'Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.'
+ },
 }
 const STYLE = `
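Review bot: The third added key `'pkg:npm/%40opentelemetry/core@1.9.0'` percent-encodes `@` but not the namespace `/`, unlike the two `%2F` keys above it, so only one of the two 1.9.0 spellings can match whatever purl form the scanner emits and the other is dead unless the lookup (outside this hunk) normalizes keys. Decoding the purl on both sides before the lookup, or keeping a single canonical spelling, would make explicit which form is matched and avoid a silent miss if the scanner's output format changes. The identical justification string is pasted three times; hoisting it, e.g. `const OTEL_CORE_CVE_2026_54285_NOTE = 'Not affected: …';` and referencing it from each entry, keeps the three records from drifting apart. Pinning to 1.8.0 and 1.9.0 only is appropriate for a not-affected assertion, but a short comment recording when and how the claim that `W3CBaggagePropagator.extract()` is not reachable was verified would help the next reviewer re-check it when the SDK is upgraded. The `cveWhiteList` object literal starts before this hunk.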