chore(security): suppress CVE-2026-8328 (ftplib.ftpcp SSRF) until 3.14.6 (#4072)

Grype alerts on CVE-2026-8328 against python:3.14.5-slim. The
vulnerability is an SSRF in the undocumented ftplib.ftpcp() helper —
the same PASV-trust class as CVE-2021-4189, whose original 2021 fix
only patched ftplib.FTP and left ftpcp() unprotected.

Upstream merged the fix to the CPython 3.14 branch on 2026-05-13
(python/cpython#149793), three days after Python 3.14.5 was tagged.
No 3.14.6 release exists yet, so a base-image bump isn't an option.

Not exploitable here: `grep -rn "ftplib\|ftpcp" src/` returns zero
hits, and no transitive dependency imports ftplib either, so
ftpcp() is unreachable from this image.

Added to .grype.yaml in the existing python3.14 block alongside the
other CPython CVEs awaiting the next 3.14.x point release. The
suppression auto-cleans when the next Python bump picks up 3.14.6+.
LearningCircuit
2026-05-17 02:32:58 +02:00
committed by GitHub
parent da0d18ed25
commit 0fe3c8c5de
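The "not exploitable here" argument above rests on a `grep` for the string `ftplib`. The script below is an added check, not part of this commit or the project: it does the same reachability search with Python's `ast` module so that mentions in comments or string literals do not count, and it walks the interpreter's site-packages as well as `src/` to cover transitive dependencies. The `src` root and the `purelib` default are assumptions; dynamic imports (`importlib.import_module("ftplib")`) are out of scope.

```python
# Added example: static check for "does anything in these trees import ftplib?"
# Assumptions: project code lives under src/; installed deps are in purelib.
import ast
import sys
import sysconfig
from pathlib import Path

TARGET_MODULE = "ftplib"


def imports_module(source: str, module: str = TARGET_MODULE) -> bool:
    """True if `source` contains `import module`, `import module.x`,
    or `from module[.x] import ...`. Comments/strings never match."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False  # not parseable by this interpreter; treat as no import
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name == module or a.name.startswith(module + ".")
                   for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            m = node.module or ""
            if m == module or m.startswith(module + "."):
                return True
    return False


def find_importers(roots, module: str = TARGET_MODULE) -> list[str]:
    """Walk every .py file under each root; return sorted paths that import `module`."""
    hits = []
    for root in roots:
        for path in Path(root).rglob("*.py"):
            try:
                src = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if imports_module(src, module):
                hits.append(str(path))
    return sorted(hits)


if __name__ == "__main__":
    # Default roots: src/ plus installed third-party packages (assumed layout).
    roots = sys.argv[1:] or ["src", sysconfig.get_paths()["purelib"]]
    for hit in find_importers(roots):
        print(hit)
    sys.exit(1 if find_importers(roots) else 0)
```

Exit status 1 means the suppression's "unreachable" claim no longer holds and should be revisited.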


@@ -311,6 +311,8 @@ ignore:
reason: "Medium CR/LF bytes not rejected in http.client proxy tunnel headers. Not fixed in 3.14.4. Container does not use http.client CONNECT tunneling; outbound requests go through requests/httpx which validate headers separately."
- vulnerability: CVE-2026-6019
reason: "Low CVSS 2.1 XSS in http.cookies.Morsel.js_output() — fails to neutralize </script> in cookie values when generating the <script> snippet. Not fixed in 3.14.4. No usage of http.cookies/SimpleCookie/Morsel/js_output anywhere in the codebase; cookies are handled by Flask/Werkzeug."
- vulnerability: CVE-2026-8328
reason: "Medium CVSS 5.9 SSRF in undocumented ftplib.ftpcp() — completes CVE-2021-4189 PASV-trust fix (python/cpython#149793, merged 2026-05-13 to 3.14 branch). No 3.14.6 release yet (3.14.5 tagged 2026-05-10). Not exploitable: nothing in src/ or transitive deps imports ftplib. Resolves on next Python bump."
# --- coreutils ---
- vulnerability: CVE-2025-5278
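Review bot: the new CVE-2026-8328 entry matches on `vulnerability` alone, with no `package.version` or `fix-state` constraint visible in this hunk, so whether it really "auto-cleans" on the 3.14.6 bump depends on how the enclosing `python3.14` block (outside the hunk) is scoped; if that block does not pin the package version, consider adding `package: { version: "3.14.5" }` to this entry so the rule lapses as soon as the base image moves off the affected release. Separately, the two neighbouring context entries still say "Not fixed in 3.14.4" while this entry cites 3.14.5 as the current base; worth refreshing those reasons in the same pass so the file's version references stay consistent.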