You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Harden OSV gate (fail-closed) + refresh lockfile to clear all CVEs
Port the fail-closed hardening from the Go (#362) and Node (#388) OSV
workflows, and refresh poetry.lock so the gate passes with zero
suppressions.
securityScan.yml hardening (was fail-open in three places):
- Capture osv-scanner's exit code; tolerate only 0/1 and fail closed on
any other code (network error, corrupt binary) instead of masking it
with `|| true`.
- Validate the output is well-formed JSON with a .results array before
parsing, so a truncated/partial scan fails closed rather than parsing
to zero findings.
- Resolve empty group max_severity via a cvss_num fallback to an
UNKNOWN sentinel (using `try (x|tonumber) catch null`, not
`tonumber?`), so a scoreless finding can never sort to 0 and sail past
the CVSS>=7 gate. UNKNOWN always blocks (PyPA advisories carry CVSS; a
scoreless finding is a GHSA-only/malware advisory).
- Integer-count guards fail closed on parse failure.
- Drop per-repo SMTP email in favor of artifact upload for the planned
cross-repo collator (parity with Go/Node).
CVE clearing WITHOUT forcing dependency floors:
- Bump the Python floor to ^3.10. The CVE-fixed cryptography (>=46) and
pyjwt (>=2.12) require Python >=3.10 upstream, so a single CVE-clean
lockfile cannot span 3.8/3.9. This is the only breaking change.
- All runtime dependency pins are UNCHANGED (thrift ~=0.22.0,
urllib3 >=1.26, requests ^2.18.1, pyjwt ^2.0.0, pyarrow floors). The
existing constraints already ALLOW the CVE-free versions; the refreshed
lock simply resolves to them (urllib3 2.7.0, cryptography 49.0.0,
pyarrow 23.0.1, requests 2.34.2, pyjwt 2.13.0, idna 3.18,
python-dotenv 1.2.2). Customers do not need us to relax or raise any
pin to become CVE-free.
- thrift stays ~=0.22.0 (no known advisory; the <0.23 cap avoids the
ES-1960554 DBR-LTS install break).
- Bump dev-only black ^22 -> ^26 and pytest ^7 -> ^9 to clear their
advisories (never shipped in the wheel); reformat src with black 26.
Result: OSV-Scanner v2.3.8 reports 0 findings on the refreshed lock;
osv-scanner.toml needs no suppressions.
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
0 commit comments