[docs] add vex templates and current CVE decription (#134)

duckhawk · web-flow · commit 53f588c97a9b · 2025-10-31T13:37:34.000+03:00
Signed-off-by: v.oleynikov &lt;vasily.oleynikov@flant.com&gt;
diff --git a/.werf/defines/vex.tmpl b/.werf/defines/vex.tmpl
@@ -0,0 +1,2 @@
+{{- define "vex mitigation" }}
+{{- end }}
diff --git a/images/csi-nfs/known_vulnerabilities.vex b/images/csi-nfs/known_vulnerabilities.vex
@@ -0,0 +1,23 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-9c5387d957d88b47252b3f199c5cfd6eebcbceefb6e6bc13790149db4ffaa9e6",
+  "author": "Deckhouse \u003ccontact@deckhouse.io\u003e",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2025-1767"
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/k8s.io/kubernetes@v1.31.12"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Уязвимость затрагивает устаревший механизм in-tree gitRepo volume. В рамках csi-nfs создание таких томов невозможно, прав на создание таких томов у пользователя нет и уязвимость использоваться не может",
+      "timestamp": "2025-10-30T13:13:05.237532425Z"
+    }
+  ],
+  "timestamp": "2025-10-30T13:13:05Z"
+}
diff --git a/images/csi-nfs/werf.inc.yaml b/images/csi-nfs/werf.inc.yaml
@@ -132,3 +132,5 @@ git:
 imageSpec:
   config:
     entrypoint: ["/{{ $.ImageName }}"]
+---
+{{- include "vex mitigation" (list $ (printf "%s/%s" $.ModuleName $.ImageName )) }}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{{- define "vex mitigation" }}`
	`2`	`+{{- end }}`