From b87013db7837fcbb98ae22974ed205d1bd13a241 Mon Sep 17 00:00:00 2001
From: Zhe Sun <31067185+ZheSun88@users.noreply.github.com>
Date: Tue, 16 Jun 2026 13:52:58 +0300
Subject: [PATCH] chore: update cve list for opentelemetry (#9027)
---
 scripts/generateAndCheckSBOM.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js
index faf3b68f9..1692b31db 100755
--- a/scripts/generateAndCheckSBOM.js
+++ b/scripts/generateAndCheckSBOM.js
@@ -109,6 +109,18 @@ const cveWhiteList = {
 cves: ['CVE-2025-15104'],
 description: 'FP: The CVE belongs to Nu Html Checker which produce a false positive on Networknt JSON Schema Validator due to the overlapping keyword or an overly broad CPE mapping rule.'
 },
+ 'pkg:npm/%40opentelemetry%2Fcore@1.9.0' : {
+ cves: ['CVE-2026-54285'],
+ description: 'Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.'
+ },
+ 'pkg:npm/%40opentelemetry%2Fcore@1.8.0' : {
+ cves: ['CVE-2026-54285'],
+ description: 'Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.'
+ },
+ 'pkg:npm/%40opentelemetry/core@1.9.0' : {
+ cves: ['CVE-2026-54285'],
+ description: 'Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.'
+ },
 }
 const STYLE = `
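Review bot: The three new `cveWhiteList` entries suppress CVE-2026-54285 on a reachability claim (`W3CBaggagePropagator.extract()` is never executed) that records no evidence and no trigger for re-review, so a later change that configures inbound baggage propagation would stay hidden by the allowlist. I would add a comment above the first entry such as `// CVE-2026-54285: re-verify that no propagator extract() path is reachable whenever the Web SDK or its OpenTelemetry configuration changes; drop these entries once @opentelemetry/core is upgraded to a fixed release`. The 1.9.0 purl is listed in two encodings (`%2Fcore` and `/core`) while 1.8.0 has only the `%2F` form, which suggests the lookup compares raw strings; if so, normalising the purl before the lookup would be more robust than duplicating keys, though the lookup code is outside this hunk and the `cveWhiteList` object starts above it. The identical description is also pasted three times and could be held in one constant so the justification cannot drift between entries.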