fix(ci): suppress chainsaw CVEs + apply VEX on release scan #1366
The on-tag release vuln scan failed for two images:
- aiperf-bench: the release scan omitted the `vex: .openvex.json` input that the daily vuln-scan-images.yaml already passes, so the three pillow/python CVEs already declared not_affected re-fired. Add the input so the release path applies the same reachability evidence.
- aicr-gate: all 39 high+ findings are in the embedded, prebuilt kyverno/chainsaw binary (v0.2.15, the latest release), not the AICR gate binary (which already ships Go 1.26.4, x/crypto v0.53.0, x/net v0.56.0). Add OpenVEX statements for the chainsaw CVEs: 9 x/crypto/ssh* (chainsaw does no SSH), 4 cmd/* build-toolchain (vulnerable_code_not_present in the runtime binary), and the remaining x509/tls/net/mail/mime/idna/http2 (trusted-input-only, cluster-internal readiness-gate usage).

Verified with `grype v0.110.0 --only-fixed -c .grype.yaml --vex .openvex.json`: both images report 0 surviving high+ findings.

Run `make upgrade` to pick up patch releases:
- k8s.io/{kubernetes,apiserver,component-base} v1.36.1/v0.36.1 => v0.36.2
- github.com/go-openapi/spec v0.22.5 => v0.22.6
- github.com/felixge/httpsnoop v1.0.4 => v1.1.0
- golang.org/x/exp, golang.org/x/tools
Build and `go mod verify` pass; vendor refreshed.
Summary
Unblock the RC release vulnerability scan, which failed on two images, and pick up routine Go dependency patch releases.
Motivation / Context
The Publish / on-tag release run reported HIGH+ findings on two images:
- aiperf-bench: `on-tag.yaml` omitted the `vex: .openvex.json` input that the daily `vuln-scan-images.yaml` already passes, so the three pillow/python CVEs already declared `not_affected` re-fired.
- aicr-gate: all 39 high+ findings are in the embedded, prebuilt `kyverno/chainsaw` binary (v0.2.15, the latest release), not the AICR gate binary, which already ships Go 1.26.4, `x/crypto v0.53.0`, `x/net v0.56.0`. No newer chainsaw release exists to bump to.

Fixes: N/A
Related: https://github.com/NVIDIA/aicr/actions/runs/27553891861
Type of Change
Component(s) Affected
CI (`on-tag.yaml`), supply-chain (`.openvex.json`), dependencies

Implementation Notes
Commit 1 — `fix(ci)`:
- Add `vex: .openvex.json` to the `on-tag.yaml` image scan step (mirrors `vuln-scan-images.yaml`).
- Add OpenVEX statements for `pkg:oci/aicr-gate` (title label == registry basename, so one PURL suffices):
  - `golang.org/x/crypto/ssh*` — chainsaw never establishes SSH connections.
  - `cmd/compile` / `cmd/go` — build-toolchain only, `vulnerable_code_not_present` in the runtime binary.
  - `crypto/x509`, `crypto/tls`, `net`, `net/url`, `net/mail`, `mime`, `x/net/idna`, HTTP/2 client — reachable only with attacker-controlled input; chainsaw runs as an ephemeral, cluster-internal readiness-gate Job talking only to the trusted in-cluster API server.

Commit 2 — `chore(deps)`: `make upgrade` (k8s 1.36.2, go-openapi/spec, httpsnoop, x/exp, x/tools). Independent of the scan fix; included here for convenience.

Testing
Risk Assessment
Rollout notes: The published `aicr-gate:v0.15.0-rc1` image is unchanged; this only affects how the scan evaluates it. The VEX statements should be revisited (and dropped) once kyverno ships a chainsaw release rebuilt against patched deps.

Checklist
- `go build ./...` + `go mod verify` clean (no AICR source changed)
- `make lint`
- (`.openvex.json` schema, `vuln-scan-images.yaml`)
- (`git commit -S`)
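Because every `not_affected` statement in `.openvex.json` silently removes a finding from the release scan, a malformed statement is worth catching before it reaches `grype --vex`. The following Python linter is an added example, not code from this PR or the aicr repository; it assumes a constructed sample document with placeholder CVE ids and the `pkg:oci/aicr-gate` PURL named above, and checks the OpenVEX rules that matter here (a `not_affected` statement needs a justification or impact statement, the justification must be one the spec defines, and the product PURL must be an image the repo actually publishes).

```python
# Lint an OpenVEX document before it is handed to `grype --vex`, so that a malformed
# statement cannot silently suppress a finding. Added example, not aicr repo code.

# Justification values the OpenVEX spec allows on not_affected statements.
VALID_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present", "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary", "inline_mitigations_already_exist",
}
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

def lint_openvex(doc: dict, expected_products: set) -> list:
    """Return a list of problems; an empty list means every statement is well-formed."""
    problems = []
    for i, st in enumerate(doc.get("statements", [])):
        vuln = st.get("vulnerability", {}).get("name", f"<statement {i}>")
        status = st.get("status")
        if status not in STATUSES:
            problems.append(f"{vuln}: unknown status {status!r}")
        elif status == "not_affected":
            just = st.get("justification")
            if just is None and not st.get("impact_statement"):
                problems.append(f"{vuln}: not_affected needs a justification or impact_statement")
            elif just is not None and just not in VALID_JUSTIFICATIONS:
                problems.append(f"{vuln}: unknown justification {just!r}")
        elif status == "affected" and not st.get("action_statement"):
            problems.append(f"{vuln}: affected needs an action_statement")
        # A PURL the repo never publishes matches nothing, which usually means a typo.
        for prod in st.get("products", []):
            if prod.get("@id") not in expected_products:
                problems.append(f"{vuln}: unexpected product {prod.get('@id')!r}")
    return problems

# Constructed sample shaped like the statements this PR describes; the CVE ids are
# placeholders, not real findings.
SAMPLE = {
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "urn:example:vex", "version": 1,
    "author": "constructed sample", "timestamp": "2026-01-01T00:00:00Z",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": "pkg:oci/aicr-gate"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
         "impact_statement": "chainsaw never establishes SSH connections"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "pkg:oci/aicr-gate"}],
         "status": "not_affected", "justification": "vulnerable_code_not_present"},
        # Missing justification and impact_statement: the linter must flag this one.
        {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "pkg:oci/aicr-gate"}],
         "status": "not_affected"},
    ],
}
```

Run `lint_openvex(json.load(open(".openvex.json")), {"pkg:oci/aicr-gate", "pkg:oci/aiperf-bench"})` as a pre-commit step and fail the commit on a non-empty result.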