[DRAFT] preview changes from upcoming SDK upgrade#359
Conversation
Signed-off-by: Eddie Knight <knight@linux.com>
Kusari Analysis Results:Caution Flagged Issues Detected While the code security analysis found zero issues across all 5 scanned files (no secrets, no workflow issues, no code-level vulnerabilities), the dependency analysis identified a high-severity, actively exploitable vulnerability that warrants serious attention before merging. The upgrade of github.com/gemaraproj/go-gemara from v0.5.0 to v0.7.0 transitively introduces oras.land/oras-go/v2 v2.6.1, which carries CVE-2026-50163 (CVSS High: AV:N/AC:L/PR:N/UI:R/C:H/I:L/A:N). This vulnerability allows an attacker-controlled OCI artifact to create hardlinks inside an extraction tree that point to arbitrary files in the process CWD (e.g., .env, .git/config, AWS credentials, SSH keys), enabling unauthorized file read and potential write/tampering. Running as root exposes the entire host filesystem. Critically, no patched version of oras-go exists at this time. Recommended actions: (1) Revert github.com/gemaraproj/go-gemara to v0.5.0 if that version does not pull in the vulnerable oras-go dependency, until a patch is released. (2) Monitor the oras-project/oras-go repository for a fix addressing CVE-2026-50163 and upgrade as soon as one is available. (3) If the v0.7.0 upgrade is strictly required, ensure sensitive files and credentials are never present in the process CWD during execution as a compensating control. We strongly recommend addressing this before merging. Note View full detailed analysis result for more information on the output and the checks that were run. Required Dependency Mitigations
Severity: High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) Summary: The tar extraction path in oras-go v2.6.1 incorrectly resolves relative hardlink targets against the process current working directory (CWD) rather than the extraction base. An attacker-controlled OCI artifact can create a hardlink inside the extract tree pointing to an arbitrary file in the process CWD (e.g., .env, .git/config, AWS credentials, SSH keys), enabling file read and potential write/tampering primitives. Running as root exposes the entire host filesystem. Dependency Path: github.com/gemaraproj/go-gemara (direct) → oras.land/oras-go/v2 (vulnerable) Fix Status: NO_FIX available. v2.6.1 is the latest version and no patched release exists at this time. Recommended Actions:
Found this helpful? Give it a 👍 or 👎 reaction! |
No description provided.