Skip to content

[DRAFT] preview changes from upcoming SDK upgrade#359

Draft
eddie-knight wants to merge 1 commit into
mainfrom
feat/ai-integration
Draft

[DRAFT] preview changes from upcoming SDK upgrade#359
eddie-knight wants to merge 1 commit into
mainfrom
feat/ai-integration

Conversation

@eddie-knight

Copy link
Copy Markdown
Collaborator

No description provided.

Signed-off-by: Eddie Knight <knight@linux.com>
@kusari-inspector

Copy link
Copy Markdown

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code security analysis found zero issues across all 5 scanned files (no secrets, no workflow issues, no code-level vulnerabilities), the dependency analysis identified a high-severity, actively exploitable vulnerability that warrants serious attention before merging. The upgrade of github.com/gemaraproj/go-gemara from v0.5.0 to v0.7.0 transitively introduces oras.land/oras-go/v2 v2.6.1, which carries CVE-2026-50163 (CVSS High: AV:N/AC:L/PR:N/UI:R/C:H/I:L/A:N). This vulnerability allows an attacker-controlled OCI artifact to create hardlinks inside an extraction tree that point to arbitrary files in the process CWD (e.g., .env, .git/config, AWS credentials, SSH keys), enabling unauthorized file read and potential write/tampering. Running as root exposes the entire host filesystem. Critically, no patched version of oras-go exists at this time. Recommended actions: (1) Revert github.com/gemaraproj/go-gemara to v0.5.0 if that version does not pull in the vulnerable oras-go dependency, until a patch is released. (2) Monitor the oras-project/oras-go repository for a fix addressing CVE-2026-50163 and upgrade as soon as one is available. (3) If the v0.7.0 upgrade is strictly required, ensure sensitive files and credentials are never present in the process CWD during execution as a compensating control. We strongly recommend addressing this before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

Severity: High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Summary: The tar extraction path in oras-go v2.6.1 incorrectly resolves relative hardlink targets against the process current working directory (CWD) rather than the extraction base. An attacker-controlled OCI artifact can create a hardlink inside the extract tree pointing to an arbitrary file in the process CWD (e.g., .env, .git/config, AWS credentials, SSH keys), enabling file read and potential write/tampering primitives. Running as root exposes the entire host filesystem.

Dependency Path: github.com/gemaraproj/go-gemara (direct) → oras.land/oras-go/v2 (vulnerable)

Fix Status: NO_FIX available. v2.6.1 is the latest version and no patched release exists at this time.

Recommended Actions:

  1. Consider reverting github.com/gemaraproj/go-gemara from v0.7.0 back to v0.5.0 if that version does not pull in oras-go, until a patched oras-go release is available.
  2. Monitor the oras-project/oras-go repository for a patch release that addresses CVE-2026-50163 and upgrade as soon as one is published.
  3. If the upgrade to go-gemara v0.7.0 is critical, restrict the environments where this scanner runs so that sensitive files (credentials, keys) are not present in the process CWD during execution as a compensating control.

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: ddb5161, performed at: 2026-07-07T23:36:45Z

Found this helpful? Give it a 👍 or 👎 reaction!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant