Skip to content

MOB-51315: CVE fixes - 2026-06-25#1999

Merged
RafaelGuevaraCA merged 2 commits into
masterfrom
CVE-fixes_2026-06-25
Jun 25, 2026
Merged

MOB-51315: CVE fixes - 2026-06-25#1999
RafaelGuevaraCA merged 2 commits into
masterfrom
CVE-fixes_2026-06-25

Conversation

@RafaelGuevaraCA

Copy link
Copy Markdown
Collaborator

Jira: MOB-51315

Summary

Automated CVE remediation for blazemeter/taurus:unstable, applied by the prisma-taurus skill and verified in the built image before opening this PR via taurus-branch-builder #570 (build + integration + Prisma scan).

Fixes (apt --only-upgrade, non-ESM standard updates — Dockerfile system-deps stage)

CVE Severity CVSS Package Old → New
CVE-2026-8376 medium 9.8 perl 5.38.2-3.2ubuntu0.2 → 5.38.2-3.2ubuntu0.3
CVE-2026-42496 medium 9.1 perl 5.38.2-3.2ubuntu0.2 → 5.38.2-3.2ubuntu0.3
CVE-2026-6653 medium 7.0 libxml2 2.9.14+dfsg-1.3ubuntu3.7 → 2.9.14+dfsg-1.3ubuntu3.8

All three are verified absent (0 occurrences) in the branch image scan.

Branch-image scan comparison

Verified against the taurus-branch-builder image scan (build #570) before opening — integration passed and vulnerabilities dropped:

baseline (#155) branch image (#570)
total 273 271
critical 4 4
high 48 48
medium 169 167
low (incl. negligible/unassigned) 52 52

Critical stays at 4 — all four are Apache Tika jars bundled in JMeter (out of scope; not remediated by jar repin or JMeter/Gatling version bump).

Also in this PR

vulnerability_history.md: recorded that npm-bundled deps (undici/glob/cross-spawn) must be version-checked at the npm/cli tag before assuming a global npm bump fixes them — undici stayed at 6.26.0 even in npm 11.17.0.

NOT fixed — require manual intervention or are out of scope

  • JMeter/Gatling bundled jars (102 findings, incl. all 4 criticals) — monitor only.
  • Ubuntu Pro ESM packages (~50: ffmpeg, gnuplot, openexr, qtbase, gst-plugins-bad, fonttools, apt python-pip) — not installable without a Pro subscription.
  • undici bundled in npm (1 high + 3) — undici 6.27.0 is the fix, but the latest npm (11.17.0) still bundles 6.26.0; clears when npm bumps its bundled undici.
  • k6 Go libs (x/net, crypto/x509, otel) — compiled into the apt-latest k6 binary; not pinnable.
  • setuptools _vendor (wheel, jaraco.context) — already pin latest-compatible setuptools 79.0.1.
  • Newman file-type (breaking major jump), Mocha diff (pins ^7, no in-range fix), system distro pip, .NET asp.net-core 8.0.26 (CVSS 0, high SDK-bump churn).

🤖 Generated with Claude Code

RafaelGuevaraCA and others added 2 commits June 25, 2026 09:36
Auto-fixed by prisma-taurus skill.
CVEs fixed: CVE-2026-8376, CVE-2026-42496 (perl), CVE-2026-6653 (libxml2)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Verify npm's bundled dep version (undici/glob/cross-spawn) before assuming
a global npm bump fixes a CVE; undici stayed at 6.26.0 even in npm 11.17.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@codecov

codecov Bot commented Jun 25, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.08%. Comparing base (92b50d1) to head (2e96493).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1999   +/-   ##
=======================================
  Coverage   88.08%   88.08%           
=======================================
  Files          73       73           
  Lines       20935    20935           
=======================================
  Hits        18439    18439           
  Misses       2496     2496           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR applies automated CVE remediation to the blazemeter/taurus:unstable image by upgrading specific Ubuntu packages in the Docker build, and it updates the internal vulnerability remediation playbook to avoid assuming an npm global upgrade fixes bundled transitive deps.

Changes:

  • Upgrade perl and libxml2 via apt-get install --only-upgrade in the Dockerfile’s system-deps stage to pick up patched Ubuntu builds.
  • Add/clarify guidance in vulnerability_history.md about verifying npm’s bundled dependency versions (e.g., undici) before treating an npm bump as a fix.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
Dockerfile Adds perl and libxml2 to the existing OS-package --only-upgrade CVE remediation step.
.claude/skills/prisma-taurus/vulnerability_history.md Documents a verification step for npm-bundled dependency versions to prevent ineffective “fixes”.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@RafaelGuevaraCA RafaelGuevaraCA merged commit eb4981e into master Jun 25, 2026
4 checks passed
@RafaelGuevaraCA RafaelGuevaraCA deleted the CVE-fixes_2026-06-25 branch June 25, 2026 09:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants