
Security: 5 CVE recommendations for NSPECT-S62Q-PZUD (UNVERIFIED) #685 (Draft)

nv-rag-cve-bot[bot] wants to merge 1 commit into develop from cve-fix/NSPECT-S62Q-PZUD-20260616-000000


Conversation

@nv-rag-cve-bot


Summary

  • Program: NSPECT-S62Q-PZUD — Foundational RAG Downloadable NIM Agent Blueprint (collection)
  • Track: B — Recommendation-Only (UNVERIFIED — scanner not run in venv)
  • 5 CVEs addressed via dependency version bumps in pyproject.toml + lockfile regeneration
| GHSA / CVE | Package | Fix |
|---|---|---|
| GHSA-537c-gmf6-5ccf | cryptography | >=48.0.1 (was >=46.0.6) |
| GHSA-5rvq-cxj2-64vf | python-multipart | >=0.0.30 (was >=0.0.27) |
| GHSA-82w8-qh3p-5jfq | starlette | >=1.3.1 via fastapi bump + override |
| GHSA-wqp7-x3pw-xc5r | starlette | same — satisfied by >=1.3.1 |
| GHSA-rgxp-2hwp-jwgg | pyarrow | >=23.0.1,<24.0 (was >=21.0,<22.0) |

Changes

  • pyproject.toml — 6 constraint changes (fastapi floor bump, python-multipart floor bump, pyarrow floor+ceiling bump ×3 extras, cryptography override bump, starlette override added)
  • uv.lock — regenerated; 5 packages bumped to patched versions
  • tests/unit/test_security_dependency_pins.py — 5 version-pin guardrail tests added (marked UNVERIFIED, Track B)

Validation

| Step | Status |
|---|---|
| §5a-repro (lockfile evidence) | ✅ All 5 CVEs confirmed in pre-fix lockfile |
| §5a re-scan | ⏭ Skipped (Track B — scanner unavailable) |
| uv lock | ✅ Exit 0 — 5 packages resolved to patched versions |
| Phase 6 Expert Review | ✅ R1–R5 PASS, R6 minor→fixed |
| §5b unit tests | ⏳ pending CI |
| §5c lint / static analysis | ⏳ pending CI |
| §5d smoke test | ⏳ pending CI (--ci-wait-gpu: full docker-tests chain) |

Gating CI jobs (Phase 9): unit-tests + frontend-unit-tests + static-analysis + full docker-tests chain (--ci-wait-gpu, 55 min timeout)

Pipeline validation results will be posted here once CI completes.

Notes

  • UNVERIFIED: Manifest bumps applied and lockfile regenerated. CVE clearance is not scanner-confirmed — verification occurs in CI.
  • Starlette fix chain: fastapi 0.128.0 imposed starlette<0.51.0; bumped fastapi to >=0.133.0 (which removes that cap) + added starlette>=1.3.1 override. fastapi 0.137.1 resolved; starlette 1.3.1 resolved.
  • pyarrow upper bound: Changed from <22.0 to <24.0 to accommodate the fix version. lancedb compat verified (requires pyarrow>=16, no upper bound).
  • Report: cve-fix-reports/NSPECT-S62Q-PZUD-20260616-000000/ (local, not committed)
  • `cve-fix-reports/` not in `.gitignore` — add it if desired: `echo 'cve-fix-reports/' >> .gitignore`

🤖 Generated with agentic-cve-fix | Refs: NSPECT-S62Q-PZUD
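The PR describes two checks it relies on: "lockfile evidence" (the pre-fix `uv.lock` actually contained the vulnerable versions) and "version-pin guardrail tests" (the post-fix lockfile resolves every affected package to at least the advisory floor, and pyarrow below the new ceiling). The following is an added example of such a guardrail, written for this page; it is not the repository's `tests/unit/test_security_dependency_pins.py` and not output of agentic-cve-fix. It reads the `[[package]]` / `name` / `version` entries of a uv lockfile with a small line-oriented parser and compares each resolved version against the bounds from the summary table and notes. Both lockfile fragments are constructed for the example: the pre-fix starlette 0.50.0 and pyarrow 21.0.0 values are assumptions consistent with the old constraints, not versions the PR states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Advisory floors from the PR's summary table; the fastapi floor and the pyarrow
# ceiling come from its Notes.  name -> (minimum version, exclusive ceiling or None)
ADVISORY_BOUNDS: Dict[str, Tuple[str, Optional[str]]] = {
    "cryptography": ("48.0.1", None),
    "python-multipart": ("0.0.30", None),
    "starlette": ("1.3.1", None),
    "fastapi": ("0.133.0", None),
    "pyarrow": ("23.0.1", "24.0"),
}

# Constructed uv.lock fragments, not the repository's real lockfile.  PRE_FIX_LOCK
# uses the old versions the PR names (starlette 0.50.0 and pyarrow 21.0.0 are
# assumed values consistent with the old constraints); POST_FIX_LOCK uses the
# versions the PR says uv resolved after the bumps.
PRE_FIX_LOCK = """\
[[package]]
name = "cryptography"
version = "46.0.6"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "fastapi"
version = "0.128.0"
dependencies = [
    { name = "starlette" },
]

[[package]]
name = "pyarrow"
version = "21.0.0"

[[package]]
name = "python-multipart"
version = "0.0.27"

[[package]]
name = "starlette"
version = "0.50.0"
"""

POST_FIX_LOCK = """\
[[package]]
name = "cryptography"
version = "48.0.1"

[[package]]
name = "fastapi"
version = "0.137.1"

[[package]]
name = "pyarrow"
version = "23.0.1"

[[package]]
name = "python-multipart"
version = "0.0.30"

[[package]]
name = "starlette"
version = "1.3.1"
"""


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '48.0.1' or '48.0.1rc1' into (release tuple, is_final_release).
    Any suffix after the numeric release (rc, dev, local tag) is treated
    conservatively as below the plain release, so a pre-release never
    satisfies a floor of the same release number."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(.*?)\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, m.group(2) == ""


def version_lt(a: Tuple[Tuple[int, ...], bool], b: Tuple[Tuple[int, ...], bool]) -> bool:
    """a < b with releases zero-padded so that 24.0 == 24.0.0; pre-release < final."""
    (ra, fa), (rb, fb) = a, b
    n = max(len(ra), len(rb))
    ra += (0,) * (n - len(ra))
    rb += (0,) * (n - len(rb))
    return (ra, fa) < (rb, fb)


def parse_uv_lock(text: str) -> Dict[str, str]:
    """Map package name -> resolved version from the [[package]] tables of a
    uv.lock.  Only top-level 'name = ...' / 'version = ...' lines are read;
    inline tables such as '{ name = "starlette" }' in dependency lists are ignored."""
    resolved: Dict[str, str] = {}
    name: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            name = None
            continue
        m = re.match(r'^name\s*=\s*"([^"]+)"$', line)
        if m:
            name = m.group(1).lower()
            continue
        m = re.match(r'^version\s*=\s*"([^"]+)"$', line)
        if m and name:
            resolved[name] = m.group(1)
    return resolved


def check_pins(resolved: Dict[str, str], bounds=ADVISORY_BOUNDS) -> List[str]:
    """Return one human-readable violation per package outside its bounds;
    an empty list means the lockfile satisfies every advisory floor/ceiling."""
    problems: List[str] = []
    for pkg, (floor, ceiling) in bounds.items():
        if pkg not in resolved:
            problems.append(f"{pkg}: not present in lockfile")
            continue
        v = parse_version(resolved[pkg])
        if version_lt(v, parse_version(floor)):
            problems.append(f"{pkg}: {resolved[pkg]} is below advisory floor {floor}")
        if ceiling and not version_lt(v, parse_version(ceiling)):
            problems.append(f"{pkg}: {resolved[pkg]} is at or above ceiling {ceiling}")
    return problems


if __name__ == "__main__":
    # Pre-fix fragment should fail on all five packages; post-fix should pass.
    for label, lock in (("pre-fix", PRE_FIX_LOCK), ("post-fix", POST_FIX_LOCK)):
        print(f"{label}: {check_pins(parse_uv_lock(lock)) or 'all pins satisfied'}")
```

In a real test the fragments would be replaced by reading the repository's `uv.lock`, so the assertion `check_pins(...) == []` fails the build if a later `uv lock` ever resolves one of these packages back below its floor. Pinning the check to the lockfile rather than to `pyproject.toml` is deliberate: the manifest only states constraints, while the lockfile records what was actually resolved, which is the evidence the PR's §5a-repro step relies on.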

…RIFIED)

Bump cryptography>=48.0.1 (GHSA-537c-gmf6-5ccf), python-multipart>=0.0.30
(GHSA-5rvq-cxj2-64vf), starlette>=1.3.1 via fastapi>=0.133.0 override
(GHSA-82w8-qh3p-5jfq, GHSA-wqp7-x3pw-xc5r), pyarrow>=23.0.1 (GHSA-rgxp-2hwp-jwgg).

Scanner not run in venv (Track B). Version constraints satisfy advisory minima.
Lockfile regenerated; 5 packages resolved to patched versions. §5b/§5d deferred to CI.

Refs: NSPECT-S62Q-PZUD
Generated-by: agentic-cve-fix

copy-pr-bot Bot commented Jun 16, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
