MOB-51413: CVE fixes - 2026-06-30#2001
Merged
Merged
Conversation
Auto-fixed by prisma-taurus skill. CVEs fixed: CVE-2026-11822, CVE-2026-11824, CVE-2026-12318, CVE-2026-5704 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… undici note in prisma-taurus history Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Taurus Docker image to remediate specific medium-severity CVEs by upgrading a small set of OS packages during the image build, and documents remediation learnings for future automated CVE runs.
Changes:
- Extend the Dockerfile’s
apt-get --only-upgradeblock to upgradelibsqlite3-0,libnss3, andtarto patched Ubuntu Noble security/updates versions. - Add guidance to
vulnerability_history.mdexplaining why setuptools-vendored findings are currently blocked bysetup.py’spkg_resourcesusage, plus an update on npm/undici cache-layer behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
Dockerfile |
Adds libsqlite3-0, libnss3, and tar to the existing OS package upgrade block to address targeted CVEs. |
.claude/skills/prisma-taurus/vulnerability_history.md |
Documents new remediation constraints/lessons learned (setuptools-vendored + npm cached layer behavior). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2001 +/- ##
==========================================
- Coverage 88.09% 88.08% -0.00%
==========================================
Files 73 73
Lines 20935 20935
==========================================
- Hits 18441 18439 -2
- Misses 2494 2496 +2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
…w scan total Reports, Jira tickets, and PRs now lead with "Fixed A of N addressable findings" instead of "fixed X of <raw total>". JMeter/Gatling jars, no-fix-available, and ESM/k6 findings move to a "Not counted (not ours to fix)" footnote with no leading numbers, so a complete run no longer reads as fixing almost nothing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The codecov/project gate used the default threshold 0% (target auto), so any negative delta -- including a phantom -0.00% on PRs that change no Python (Dockerfile/docs only) -- fails the Required check and blocks merge, even when codecov reports coverage is not affected. A 0.1% threshold absorbs that noise while still failing on any real coverage regression. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mykhaliev1
approved these changes
Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jira: MOB-51413
Automated CVE remediation for the
blazemeter/taurusDocker image, produced by theprisma-taurusskill and verified in the built image before opening this PR.Branch-scan comparison (baseline → branch image)
Verified against the
taurus-branch-builderimage scan (build #572,us.gcr.io/verdant-bulwark-278/taurus:cve-fixes_2026-06-30-572) before opening — integration passed and vulnerabilities dropped.prisma-cloud-ondemand-scan#170,unstable)taurus-branch-builder#572)* twistcli folds unassigned + negligible into "low".
Net medium is −3 rather than −4 because a newly disclosed medium —
CVE-2026-53655(npmtar7.5.15, fixed in 7.5.16) — surfaced after the baseline scan; it is unrelated to these fixes.Fixes confirmed in the image
All four target CVEs are confirmed no longer flagged in the branch scan.
Mechanism: added
libsqlite3-0,libnss3,tarto the existing Dockerfileapt-get --only-upgradeblock (noble-security/noble-updates, all non-ESM).This PR also folds two durable lessons into
vulnerability_history.md(setuptools-vendored findings are blocked bysetup.py'spkg_resourcesuse; the npm cached-layer / undici note).Not fixed — out of scope or requires manual intervention
tika-core/tika-parsers, and ~38 highs: netty, log4j, xstream, jackson-databind, dnsjava, batik, logback, xalan, json-smart) — out of scope (no individual jar repin, no JMeter/Gatling version bump).python-pip) — fixed versions end in+esmN/~esm1; not installable without an Ubuntu Pro subscription.golang.org/x/net,crypto/x509, etc. under/usr/bin/k6) — only changeable by upgrading the k6 binary.wheel(CVE-2026-24049) andjaraco.context(CVE-2026-23949) — clearing requires setuptools ≥ 82, which removespkg_resourcesthatsetup.pyimports to build the wheel; deferred (would break the build for one medium + one low).undici6.26.0 (4 low) — auto-clears on an uncached rebuild (npm 11.18.0 bundles the fixed undici 6.27.0); monitor.Fix Status= open / needed / deferred) — monitor.🤖 Generated with Claude Code