Vulnerabilities fixes (AST-123981,AST-123980,AST-123302,AST-123300,AST-123298,AST-120967,AST-116271,AST-108828) #35
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- containerd/v2: v2.1.4 -> v2.1.5 (fixes CVE-2025-64329, CVE-2024-25621) - open-policy-agent/opa: v0.70.0 -> v1.4.2 (fixes CVE-2025-46569) - runc: already at v1.3.3 (fixes CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) Jira tickets: AST-123981, AST-123980, AST-123302, AST-123300, AST-123298, AST-120967, AST-116271, AST-108828 Note: CVE-2019-25210 (helm) is disputed by vendor as intentional behavior. Note: CVE-2025-27144 (go-jose v2) has no fix available for v2 branch - dependency is pulled by k8s.io/apiserver.
Contributor
|
Great job! No new security vulnerabilities introduced in this pull requestUse @Checkmarx to interact with Checkmarx PR Assistant. |
- Upgraded Microsoft/hcsshim from v0.13.1-0.20250731174403 to v0.14.0-rc.1 - This helps SCA scanners better detect the replaced versions - Also upgraded spf13/viper to v1.20.1 Note: The vulnerable packages (containerd/v2, runc, opa) are transitive dependencies from hcsshim. The replace directives override these at build time, but SCA scanners may still report the declared versions from hcsshim's go.mod. Configure your SCA scanner to respect Go replace directives or use govulncheck for accurate vulnerability detection.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes security vulnerabilities identified in the following Jira tickets:
Changes
replacedirective forgithub.com/containerd/containerd/v2from v2.1.4 to v2.1.5replacedirective forgithub.com/open-policy-agent/opato v1.4.2github.com/opencontainers/runcwas already at v1.3.3 (patched version)Notes
CVE-2019-25210 (helm): This is a disputed CVE. The vendor's position is that the behavior was introduced intentionally and cannot be removed without breaking backwards compatibility.
CVE-2025-27144 (go-jose v2): There is no patch available for the v2 branch of go-jose. The v2 package is pulled as a transitive dependency from
k8s.io/apiserver. The fix would require kubernetes to update their dependencies to go-jose v3 or v4.Testing
go build ./...- Build successfulgo test ./...- All tests passPull Request opened by Augment Code with guidance from the PR author