Skip to content

fix(ci): suppress chainsaw CVEs + apply VEX on release scan#1366

Merged
mchmarny merged 2 commits into
mainfrom
fix/rc-vuln-scan-vex
Jun 15, 2026
Merged

fix(ci): suppress chainsaw CVEs + apply VEX on release scan#1366
mchmarny merged 2 commits into
mainfrom
fix/rc-vuln-scan-vex

Conversation

@mchmarny

Copy link
Copy Markdown
Member

Summary

Unblock the RC release vulnerability scan, which failed on two images, and pick up routine Go dependency patch releases.

Motivation / Context

The Publish / on-tag release run reported HIGH+ findings on two images:

  • aiperf-bench — the release scan step in on-tag.yaml omitted the vex: .openvex.json input that the daily vuln-scan-images.yaml already passes, so the three pillow/python CVEs already declared not_affected re-fired.
  • aicr-gate — all 39 HIGH+ findings live in the embedded, prebuilt kyverno/chainsaw binary (v0.2.15, the latest release), not the AICR gate binary, which already ships Go 1.26.4, x/crypto v0.53.0, x/net v0.56.0. No newer chainsaw release exists to bump to.

Fixes: N/A
Related: https://github.com/NVIDIA/aicr/actions/runs/27553891861

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Build/CI/tooling

Component(s) Affected

  • Other: release CI (on-tag.yaml), supply-chain (.openvex.json), dependencies

Implementation Notes

Commit 1 — fix(ci):

  • Add vex: .openvex.json to the on-tag.yaml image scan step (mirrors vuln-scan-images.yaml).
  • Add 38 OpenVEX statements for the chainsaw CVEs under product pkg:oci/aicr-gate (title label == registry basename, so one PURL suffices):
    • 9 golang.org/x/crypto/ssh* — chainsaw never establishes SSH connections.
    • 4 cmd/compile / cmd/go — build-toolchain only, vulnerable_code_not_present in the runtime binary.
    • remainder crypto/x509, crypto/tls, net, net/url, net/mail, mime, x/net/idna, HTTP/2 client — reachable only with attacker-controlled input; chainsaw runs as an ephemeral, cluster-internal readiness-gate Job talking only to the trusted in-cluster API server.

Commit 2 — chore(deps): make upgrade (k8s 1.36.2, go-openapi/spec, httpsnoop, x/exp, x/tools). Independent of the scan fix; included here for convenience.

Testing

# grype v0.110.0 (the scan-action pin), CI-equivalent flags
grype <image> --only-fixed -c .grype.yaml --vex .openvex.json -o json
#   aicr-gate:     39 high+ without VEX -> 0 with VEX (39 suppressed, namespace=vex)
#   aiperf-bench:  0 high+

GOFLAGS="-mod=vendor" go build ./...   # ok
go mod verify                          # all modules verified

Risk Assessment

  • Low — CI/supply-chain config + VEX evidence; dep bump is patch-level and builds clean. Easy to revert.

Rollout notes: The published aicr-gate:v0.15.0-rc1 image is unchanged; this only affects how the scan evaluates it. The VEX statements should be revisited (and dropped) once kyverno ships a chainsaw release rebuilt against patched deps.

Checklist

  • Tests pass locally — go build ./... + go mod verify clean (no AICR source changed)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I updated docs if user-facing behavior changed — N/A
  • Changes follow existing patterns in the codebase (.openvex.json schema, vuln-scan-images.yaml)
  • Commits are cryptographically signed (git commit -S)

mchmarny added 2 commits June 15, 2026 08:21
The on-tag release vuln scan failed for two images:

- aiperf-bench: the release scan omitted the `vex: .openvex.json` input
  that the daily vuln-scan-images.yaml already passes, so the three
  pillow/python CVEs already declared not_affected re-fired. Add the
  input so the release path applies the same reachability evidence.

- aicr-gate: all 39 high+ findings are in the embedded, prebuilt
  kyverno/chainsaw binary (v0.2.15, the latest release), not the AICR
  gate binary (which already ships Go 1.26.4, x/crypto v0.53.0,
  x/net v0.56.0). Add OpenVEX statements for the chainsaw CVEs: 9
  x/crypto/ssh* (chainsaw does no SSH), 4 cmd/* build-toolchain
  (vulnerable_code_not_present in the runtime binary), and the
  remaining x509/tls/net/mail/mime/idna/http2 (trusted-input-only,
  cluster-internal readiness-gate usage).

Verified with grype v0.110.0 --only-fixed -c .grype.yaml
--vex .openvex.json: both images report 0 surviving high+ findings.
Run `make upgrade` to pick up patch releases:
- k8s.io/{kubernetes,apiserver,component-base} v1.36.1/v0.36.1 => v0.36.2
- github.com/go-openapi/spec v0.22.5 => v0.22.6
- github.com/felixge/httpsnoop v1.0.4 => v1.1.0
- golang.org/x/exp, golang.org/x/tools

Build and `go mod verify` pass; vendor refreshed.
@mchmarny mchmarny requested review from a team as code owners June 15, 2026 15:22
@mchmarny mchmarny added the theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification label Jun 15, 2026
@mchmarny mchmarny self-assigned this Jun 15, 2026
@mchmarny mchmarny enabled auto-merge (squash) June 15, 2026 15:23

@yuanchen8911 yuanchen8911 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@mchmarny mchmarny disabled auto-merge June 15, 2026 15:24
@mchmarny mchmarny enabled auto-merge (squash) June 15, 2026 15:25
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The CI tag workflow is updated to pass .openvex.json to the anchore/scan-action via the vex input, enabling OpenVEX-based CVE suppression during container image vulnerability scanning. The .openvex.json document is updated to version 4 with a new timestamp and expanded tooling description; the existing CVE-2026-7210 statement's description and impact text are revised; and roughly 645 lines of new not_affected statements are appended for pkg:oci/aicr-gate, covering numerous Go/CVE advisories associated with the embedded kyverno/chainsaw binary. Separately, several indirect Go module versions in go.mod are bumped to newer patch releases.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: suppressing chainsaw CVEs via VEX on the release scan, which directly addresses the vulnerability scanning failure blocking the RC release.
Description check ✅ Passed The description is well-detailed and directly related to all changeset components: explaining the scan failure context, VEX statement additions for aicr-gate and aiperf-bench, and the accompanying dependency updates.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/rc-vuln-scan-vex

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]

This comment was marked as resolved.

@mchmarny mchmarny merged commit 85daf65 into main Jun 15, 2026
34 of 35 checks passed
@mchmarny mchmarny deleted the fix/rc-vuln-scan-vex branch June 15, 2026 15:33
@github-actions

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 77.1%
Threshold 75%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-77.1%25-green)

No Go source files changed in this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/ci size/XL theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants