Security: 6 CVE fixes for NSPECT-S62Q-PZUD (collection, 2 children) #697

Draft
nv-rag-cve-bot[bot] wants to merge 2 commits into develop from cve-fix/NSPECT-S62Q-PZUD-20260627-022340


@nv-rag-cve-bot

Summary

| CVE | Severity | Surface | Package | Fix | Track | Validation |
|---|---|---|---|---|---|---|
| GHSA-537c-gmf6-5ccf | High | source | cryptography 48.0.0→49.0.0 | manifest+lockfile bump | A | re-scan clean; CI pending |
| GHSA-5rvq-cxj2-64vf | High | source | python-multipart 0.0.29→0.0.32 | manifest+lockfile bump | A | re-scan clean; CI pending |
| GHSA-82w8-qh3p-5jfq | High | source | starlette 0.50.0→1.3.1 | manifest+lockfile bump (fastapi floor + override) | A | re-scan clean; CI pending |
| GHSA-wqp7-x3pw-xc5r | High | source | starlette 0.50.0→1.3.1 | manifest+lockfile bump (shared fix with above) | A | re-scan clean; CI pending |
| GHSA-f4xh-w4cj-qxq8 | High | source | langsmith 0.8.5→0.9.3 | manifest+lockfile bump | A | re-scan clean; CI pending |
| GHSA-rgxp-2hwp-jwgg | High | source | pyarrow 21.0.0→24.0.0 | manifest+lockfile bump (cap change) | A | re-scan clean; CI pending |

Addresses nSpect collection NSPECT-S62Q-PZUD (26.05.2), child program NSPECT-UV6I-R3V9 source surface. Helm chart child NSPECT-O8B9-SHZ8 inherits fixes from same repo — no additional changes needed.

Validation

Local validation

  • Re-scan (local manifest): pip-audit sweep clean — 0 packages with vulns after uv sync
  • Re-scan (nSpect source surface): pending nSpect re-ingest after merge
  • Full CVE sweep: 0 residual critical/high vulns in installed environment
  • Unit tests: see CI gating jobs below (pipeline validation mode)
  • Lint: see static-analysis below (pipeline validation mode)
  • 5d deployment smoke: see docker-tests chain below (pipeline validation mode; --ci-wait-gpu)

Pipeline validation (--validate pipeline)

  • Pipeline: ⏳ pending push to GitLab mirror (project chat-labs/OpenSource/rag)
  • Risk gating (Phase 9a): major/API-change (starlette 0.x→1.x, fastapi minor bump, pyarrow 3-step) — full gating set including docker-tests chain via --ci-wait-gpu
  • Fix-loop iterations: 0 of 3 (pipeline not yet run)

Gating jobs (block the loop):

| Job | Status |
|---|---|
| static-analysis | ⏳ pending |
| unit-tests | ⏳ pending |
| frontend-unit-tests | — not triggered (diff doesn't touch frontend/) |
| deploy | ⏳ pending (major/API risk profile) |
| basic-tests | ⏳ pending (major/API risk profile) |

🔴 GPU docker-tests chain: ⏳ pending — gated via --ci-wait-gpu

Not addressed in this MR

  • 5 source-surface CVEs (langchain-core, langchain-community, langsmith) — already-patched; installed versions exceed fixed versions; verified by pip-audit and installed-version check
  • CVE-2026-6100, CVE-2026-9669 (Python 3.12 interpreter) — container base-image level; deferred; requires --include-base-image for Track C remediation
  • CVE-2026-45447 (OpenSSL) — container base-image level; deferred
  • Additional rag-playground frontend container Critical/High — OS packages, base-image level; deferred

Audit trail

The full per-CVE analysis, expert-review verdicts, and Phase 5 validation logs live in the agentic workspace:

cve-fix-reports/NSPECT-S62Q-PZUD-20260627-022340/
  ├── _summary.md                      (collection rollup)
  ├── NSPECT-UV6I-R3V9/
  │   ├── _summary.md
  │   ├── _by-repo/rag-repo.md
  │   └── GHSA-*-fixed.md              (6 per-CVE files)
  └── NSPECT-O8B9-SHZ8/
      └── NO-ARTIFACTS.md

This directory is not committed to the repository. Reviewers who need it can request the snapshot from the operator.


Refs: NSPECT-S62Q-PZUD (collection) / NSPECT-UV6I-R3V9 (child)
Generated by: agentic-cve-fix

agentic-cve-fix added 2 commits June 27, 2026 02:27
…lette, langsmith, pyarrow

Addresses 6 source-surface High CVEs from NSPECT-S62Q-PZUD (NSPECT-UV6I-R3V9):
  GHSA-537c-gmf6-5ccf: cryptography 48.0.0 → 49.0.0 (override floor >=48.0.1)
  GHSA-5rvq-cxj2-64vf: python-multipart 0.0.29 → 0.0.32 (direct dep floor >=0.0.30)
  GHSA-82w8-qh3p-5jfq + GHSA-wqp7-x3pw-xc5r: starlette 0.50.0 → 1.3.1
    (fastapi floor >=0.133.0 + override starlette >=1.3.1)
  GHSA-f4xh-w4cj-qxq8: langsmith 0.8.5 → 0.9.3 (override floor >=0.8.18)
  GHSA-rgxp-2hwp-jwgg: pyarrow 21.0.0 → 24.0.0 (cap change >=23.0.1,<25.0)
Re-scan: pip-audit sweep 0 vulns; all 5 packages above fix floors confirmed.

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (child)
Generated-by: agentic-cve-fix

Regression tests asserting installed package floors for:
  cryptography >=48.0.1  (GHSA-537c-gmf6-5ccf)
  python-multipart >=0.0.30  (GHSA-5rvq-cxj2-64vf)
  starlette >=1.3.1  (GHSA-82w8-qh3p-5jfq + GHSA-wqp7-x3pw-xc5r)
  langsmith >=0.8.18  (GHSA-f4xh-w4cj-qxq8)
  pyarrow >=23.0.1  (GHSA-rgxp-2hwp-jwgg)
Guards against regression to a vulnerable version via future dep changes.

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (child)
Generated-by: agentic-cve-fix
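
The second commit message describes regression tests that assert installed package floors. The following is an added example of such a check, not the test code from this PR; the function names are hypothetical, and the numeric-only version parsing is a simplifying assumption (a real suite would normally use `packaging.version.Version`).

```python
import re
from importlib import metadata

# Added example. Fix floors as stated in the commit messages on this page.
FLOORS = {
    "cryptography": "48.0.1",      # GHSA-537c-gmf6-5ccf
    "python-multipart": "0.0.30",  # GHSA-5rvq-cxj2-64vf
    "starlette": "1.3.1",          # GHSA-82w8-qh3p-5jfq + GHSA-wqp7-x3pw-xc5r
    "langsmith": "0.8.18",         # GHSA-f4xh-w4cj-qxq8
    "pyarrow": "23.0.1",           # GHSA-rgxp-2hwp-jwgg
}
# Constructed inputs: the before/after versions from the PR summary table.
BEFORE = {"cryptography": "48.0.0", "python-multipart": "0.0.29",
          "starlette": "0.50.0", "langsmith": "0.8.5", "pyarrow": "21.0.0"}
AFTER = {"cryptography": "49.0.0", "python-multipart": "0.0.32",
         "starlette": "1.3.1", "langsmith": "0.9.3", "pyarrow": "24.0.0"}


def release_tuple(version, width=4):
    """Leading numeric release only ('0.8.18' -> (0, 8, 18, 0)); pre/post tags ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def below_floor(installed, floors=FLOORS):
    """Return {name: (installed, floor)} for packages under their floor; None is skipped."""
    return {name: (installed[name], floor)
            for name, floor in floors.items()
            if installed.get(name) is not None
            and release_tuple(installed[name]) < release_tuple(floor)}


def installed_versions(names=FLOORS):
    """Read versions from the active environment; None when not installed."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


if __name__ == "__main__":
    for name, (have, floor) in below_floor(installed_versions()).items():
        print(f"{name} {have} is below fix floor {floor}")
```

Comparing versions as integer tuples matters here: as plain strings, langsmith `0.8.5` sorts above the `0.8.18` floor and a string-based check would pass the vulnerable version.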
@copy-pr-bot

copy-pr-bot Bot commented Jun 27, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
