Skip to content

MOB-51648: CVE fixes - 2026-07-07#2002

Merged
RafaelGuevaraCA merged 2 commits into
masterfrom
CVE-fixes_2026-07-07
Jul 7, 2026
Merged

MOB-51648: CVE fixes - 2026-07-07#2002
RafaelGuevaraCA merged 2 commits into
masterfrom
CVE-fixes_2026-07-07

Conversation

@RafaelGuevaraCA

Copy link
Copy Markdown
Collaborator

Jira: MOB-51648

Fixed 20 of 26 addressable findings (1 self-resolves on rebuild, 5 deferred/skipped for cause).

Verified against the taurus-branch-builder image scan (build #573) before opening — integration passed and every fixed package's vulnerable version is confirmed gone from the branch image.

Fixes confirmed in the image

CVE(s) Package Old → New Severity
CVE-2026-6100, 9669, CVE-2025-69534, CVE-2026-4786/4519/7774/3276/4224/3644/1299/8328/2297/1502/6019, CVE-2025-13462 python3.12 (apt) 3.12.3-1ubuntu0.13 → 0.15 medium (up to CVSS 9.1)
CVE-2026-41992, CVE-2026-41991 gzip (apt) 1.12-1ubuntu3.1 → 3.2 medium
CVE-2026-58055 libnghttp2-14 (apt) 1.59.0-1ubuntu0.3 → 0.4 medium
CVE-2025-69720 ncurses libs (apt) 6.4+20240113-1ubuntu2 → 2.1 low
CVE-2026-54696 json (Ruby default gem) 2.9.1 → 2.19.9 low

Branch-scan comparison (build #573)

Baseline (unstable, scan #172) 290 → 269 (−21). Critical 4→4, high 44→44 (all out of scope), medium 179→160, low 63→61. All 21 targeted findings gone; no fixed package flagged at its old version.

Self-resolves on next clean build (no change needed)

  • CVE-2025-45582tar → 1.35+dfsg-3ubuntu0.2 (existing unpinned apt --only-upgrade tar picks up the newer version).

Addressable but deferred/skipped for cause (NOT in this PR)

  • CVE-2022-36313file-type (Newman): breaking 3.9.0 → 16/17 major jump would break Newman's dep tree.
  • CVE-2026-24001diff (Mocha): mocha@11 pins diff ^7; the fix crosses a major, low value (CVSS 2.7).
  • CVE-2026-24049 (wheel), CVE-2026-23949 (jaraco.context): vendored inside setuptools, low value.
  • CVE-2026-45591asp.net-core: CVSS 0; a full .NET SDK bump is not warranted for a zero-severity finding.

Not counted (not ours to fix)

  • JMeter/Gatling bundled jars (policy — never remediated here): 103
  • No released patch (open/needed/deferred): 101
  • Ubuntu Pro ESM: 50; k6 Go binary internals: 9; system pip (apt can't reach 26.1.2): 1
  • Raw scan total for reference only: baseline 290 → branch 269.

Also documents a new operational lesson in vulnerability_history.md: the prisma-cloud-ondemand-scan job can report FAILURE after twistcli succeeds (its write_to_csv post-step crashed on build #172), leaving no taurus.csv — fall back to the archived taurus.json.

🤖 Generated with Claude Code

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces Prisma Cloud image-scan findings by upgrading a set of OS (apt) packages and patching Ruby default/bundled gems inside the Docker image, and documents a scan-job failure mode and recovery steps for future remediation work.

Changes:

  • Extend the Docker image’s apt-get install --only-upgrade list to include additional packages tied to the targeted CVEs (Python 3.12, gzip, nghttp2, ncurses, etc.).
  • Patch the vulnerable Ruby default gem json alongside the existing net-imap and erb remediation and cleanup logic.
  • Document an operational workaround when the baseline scan job fails after twistcli succeeds (use archived taurus.json and how to reconstruct “Path”).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
Dockerfile Adds more --only-upgrade apt targets for CVE remediation and extends Ruby default-gem patching to include json.
.claude/skills/prisma-taurus/vulnerability_history.md Documents a Jenkins/scan artifact failure mode and the correct fallback procedure using taurus.json.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Dockerfile
Comment thread Dockerfile
@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.08%. Comparing base (1d63708) to head (ac819f3).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2002   +/-   ##
=======================================
  Coverage   88.08%   88.08%           
=======================================
  Files          73       73           
  Lines       20935    20935           
=======================================
  Hits        18439    18439           
  Misses       2496     2496           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@RafaelGuevaraCA RafaelGuevaraCA merged commit fcac92b into master Jul 7, 2026
4 checks passed
@RafaelGuevaraCA RafaelGuevaraCA deleted the CVE-fixes_2026-07-07 branch July 7, 2026 11:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants