reports-server
Chainguard
CVSS v3: 7.7
Status
Justification
Impact
This vulnerability does not apply to the reports-server package: the binary does not load,
evaluate, or process Kyverno policies, does not perform JMESPath variable substitution,
and does not execute the wildcard expansion logic affected by this issue.
The reports-server package only imports the Kyverno report API types and the generated typed client,
which it uses to list and inspect PolicyReport and ClusterPolicyReport resources.
Use of the Kyverno client is limited to the ReportsV1 API group.
All runtime interactions with the Kyverno client are restricted to operations on policy reports
performed via kyvernoClient.ReportsV1() in the server configuration code.
This was verified by static analysis of the reports-server source, which confirmed that the Kyverno imports are limited to the reports API and client packages.
The Kyverno client is imported in a single file, and every use of it in that file is a call to its ReportsV1 method.
Can be checked with the following pipeline, which lists every Kyverno import under pkg/ other than the reports API and client packages (it is expected to print nothing):
  grep -RIn "github.com/kyverno/kyverno" pkg/ \
    | grep -v "github.com/kyverno/kyverno/api/reports/v1" \
    | grep -v "github.com/kyverno/kyverno/api/policyreport" \
    | grep -v "github.com/kyverno/kyverno/pkg/clients/kyverno"
For the client usage confirmation:
  grep -RIn "kyverno" pkg/server/config.go
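The same import check, written as a reusable script so it can be rerun against a checkout or a future release of the package. This is an added example and not part of the Chainguard advisory: the allow-list contains exactly the three package paths the advisory's grep excludes, and the sample source tree (including the `pkg/example-disallowed` import, a constructed placeholder rather than a real Kyverno package) is built inline purely to demonstrate a passing and a failing case.

```shell
#!/bin/sh
# Added example (not from the advisory): fail if any Go file under a directory
# imports a Kyverno package outside the allow-list that the advisory's
# justification relies on.

# Allow-list: the report API types and typed client packages named in the advisory.
ALLOWED_IMPORTS='github.com/kyverno/kyverno/api/reports/v1
github.com/kyverno/kyverno/api/policyreport
github.com/kyverno/kyverno/pkg/clients/kyverno'

# Print "file:line import-path" for every Kyverno import not in the allow-list.
# Returns 0 when nothing is found, 1 otherwise.
find_disallowed_kyverno_imports() {
    dir="$1"
    # grep -o yields only the quoted import path, prefixed with file:line.
    bad=$(grep -RIno --include='*.go' '"github.com/kyverno/kyverno[^"]*"' "$dir" 2>/dev/null |
        while IFS= read -r hit; do
            imp=${hit##*:}                  # drop the 'file:line:' prefix
            imp=${imp#\"}; imp=${imp%\"}    # drop the surrounding quotes
            loc=${hit%:*}                   # keep 'file:line' for the report
            if ! printf '%s\n' "$ALLOWED_IMPORTS" | grep -qxF -- "$imp"; then
                printf '%s %s\n' "$loc" "$imp"
            fi
        done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample tree for the demonstration: one file mirroring the
# advisory's description (reports client only) and one with a disallowed import.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pkg/server" "$root/pkg/other"
    cat > "$root/pkg/server/config.go" <<'EOF'
package server

import (
	reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
	kyvernoclient "github.com/kyverno/kyverno/pkg/clients/kyverno"
)
EOF
    cat > "$root/pkg/other/bad.go" <<'EOF'
package other

import "github.com/kyverno/kyverno/pkg/example-disallowed" // constructed placeholder, not a real package
EOF
    printf '%s\n' "$root"
}

# Usage: ./check_kyverno_imports.sh <path-to-reports-server-checkout>
if [ -n "${1:-}" ]; then
    find_disallowed_kyverno_imports "$1"
fi
```

Running it against the constructed tree reports the single `bad.go` import and exits 1, while running it against only the `pkg/server` subtree prints nothing and exits 0; against a real checkout, a non-zero exit is the signal that the justification above needs to be revisited.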
Govulncheck found no affected symbols in the scanned Go binaries.