Skip to content

fix(module): fix CVE-2025-54410 and CVE-2025-54410 #1557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix(module): fix CVE-2025-54410 and CVE-2025-54410 #1557

wants to merge 1 commit into from
+11 −10

Conversation

Isteb4k
Copy link
Contributor

@Isteb4k Isteb4k commented Oct 9, 2025
edited
Loading

Description

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: fix
summary: fix cve CVE-2025-58058

@Isteb4k Isteb4k marked this pull request as draft October 9, 2025 21:09
@sourcery-ai Sourcery AI
Copy link
Contributor

sourcery-ai bot commented Oct 9, 2025
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Patch CVE-2025-58058 by enhancing the CDI artifact build to use a timestamped cache version and the correct branch, and by bumping the xz library to v0.5.15.

File-Level Changes

Change Details Files
Add cache-busting timestamp and correct git branch to CDI build script
  • Insert installCacheVersion shell variable using current timestamp
  • Update git clone command to use the fix/module/fix-cve branch
 images/cdi-artifact/werf.inc.yaml
Upgrade xz dependency to mitigate CVE-2025-58058
  • Bump github.com/ulikunitz/xz from v0.5.12 to v0.5.15
  • Regenerate go.sum to reflect the updated dependency
 images/dvcr-artifact/go.mod
images/dvcr-artifact/go.sum
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Oct 9, 2025
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents 
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `images/cdi-artifact/werf.inc.yaml:36` </location>
<code_context>
 - id: SOURCE_REPO
   value: {{ $.SOURCE_REPO }}
 shell:
+  installCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
   install:
   - |
</code_context>

<issue_to_address>
**question (performance):** Consider the impact of using a dynamic timestamp for installCacheVersion.

Using a timestamp as the cache version will cause the cache to be invalidated on every build, increasing build times. If this isn't intentional, consider using a stable cache key instead.
</issue_to_address>

### Comment 2
<location> `images/cdi-artifact/werf.inc.yaml:39-40` </location>
<code_context>
   install:
   - |
     echo "Git clone CDI repository..."
-    git clone --depth 1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer
+    git clone --depth 1 --branch fix/module/fix-cve $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer

     rm -rf /src/containerized-data-importer/.git
</code_context>

<issue_to_address>
**suggestion:** Hardcoding the branch name may reduce flexibility for future updates.

If this is a temporary change, consider parameterizing the branch name or adding documentation to simplify future maintenance.

Suggested implementation:

```
    # NOTE: Temporary override for CVE fix. Update/remove BRANCH_NAME as needed.
    BRANCH_NAME="{{ $.CDI_BRANCH_NAME | default 'fix/module/fix-cve' }}"
    git clone --depth 1 --branch $BRANCH_NAME $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer

    rm -rf /src/containerized-data-importer/.git

```

To fully implement this, you should:
1. Add `CDI_BRANCH_NAME` to your values file or pipeline configuration if you want to override the branch name.
2. Document this environment variable for future maintainers.
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

images/cdi-artifact/werf.inc.yaml
- id: SOURCE_REPO
value: {{ $.SOURCE_REPO }}
shell:
installCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question (performance): Consider the impact of using a dynamic timestamp for installCacheVersion.

Using a timestamp as the cache version will cause the cache to be invalidated on every build, increasing build times. If this isn't intentional, consider using a stable cache key instead.

images/cdi-artifact/werf.inc.yaml
Comment on lines -39 to 40
echo "Git clone CDI repository..."
git clone --depth 1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer
git clone --depth 1 --branch fix/module/fix-cve $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Hardcoding the branch name may reduce flexibility for future updates.

If this is a temporary change, consider parameterizing the branch name or adding documentation to simplify future maintenance.

Suggested implementation:

    # NOTE: Temporary override for CVE fix. Update/remove BRANCH_NAME as needed.
    BRANCH_NAME="{{ $.CDI_BRANCH_NAME | default 'fix/module/fix-cve' }}"
    git clone --depth 1 --branch $BRANCH_NAME $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer

    rm -rf /src/containerized-data-importer/.git

To fully implement this, you should:

  1. Add CDI_BRANCH_NAME to your values file or pipeline configuration if you want to override the branch name.
  2. Document this environment variable for future maintainers.

@Isteb4k Isteb4k added this to the v1.2.0 milestone Oct 9, 2025
@Isteb4k Isteb4k changed the title fix(vm): fix cve CVE-2025-58058 fix(vm): fix cve CVE-2025-54410 and CVE-2025-54410 Oct 9, 2025
@Isteb4k Isteb4k changed the title fix(vm): fix cve CVE-2025-54410 and CVE-2025-54410 fix(module): fix CVE-2025-54410 and CVE-2025-54410 Oct 9, 2025
@Isteb4k Isteb4k modified the milestones: v1.2.0, v1.1.1 Oct 14, 2025
@nevermarine nevermarine modified the milestones: v1.1.1, v1.2.0 Oct 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@universal-itengineer universal-itengineer Awaiting requested review from universal-itengineer universal-itengineer is a code owner

@nevermarine nevermarine Awaiting requested review from nevermarine nevermarine is a code owner

@yaroslavborbat yaroslavborbat Awaiting requested review from yaroslavborbat yaroslavborbat is a code owner

@diafour diafour Awaiting requested review from diafour diafour is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@Isteb4k Isteb4k

Labels

None yet

Projects

None yet

Milestone

v1.2.0

Development

Successfully merging this pull request may close these issues.

2 participants

@Isteb4k @nevermarine