Skip to content

fix(module): fix CVE-2025-54410 and CVE-2025-54410#1557

Draft
Isteb4k wants to merge 1 commit intomainfrom
fix/module/test
Draft

fix(module): fix CVE-2025-54410 and CVE-2025-54410#1557
Isteb4k wants to merge 1 commit intomainfrom
fix/module/test

Conversation

@Isteb4k
Copy link
Contributor

@Isteb4k Isteb4k commented Oct 9, 2025
edited
Loading

Description

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: fix
summary: fix cve CVE-2025-58058

@Isteb4k Isteb4k marked this pull request as draft October 9, 2025 21:09
@sourcery-ai
Copy link
Contributor

sourcery-ai bot commented Oct 9, 2025
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Patch CVE-2025-58058 by enhancing the CDI artifact build to use a timestamped cache version and the correct branch, and by bumping the xz library to v0.5.15.

File-Level Changes

Change Details Files
Add cache-busting timestamp and correct git branch to CDI build script
  • Insert installCacheVersion shell variable using current timestamp
  • Update git clone command to use the fix/module/fix-cve branch
 images/cdi-artifact/werf.inc.yaml
Upgrade xz dependency to mitigate CVE-2025-58058
  • Bump github.com/ulikunitz/xz from v0.5.12 to v0.5.15
  • Regenerate go.sum to reflect the updated dependency
 images/dvcr-artifact/go.mod
images/dvcr-artifact/go.sum
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Oct 9, 2025
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents 
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `images/cdi-artifact/werf.inc.yaml:36` </location>
<code_context>
 - id: SOURCE_REPO
   value: {{ $.SOURCE_REPO }}
 shell:
+  installCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
   install:
   - |
</code_context>

<issue_to_address>
**question (performance):** Consider the impact of using a dynamic timestamp for installCacheVersion.

Using a timestamp as the cache version will cause the cache to be invalidated on every build, increasing build times. If this isn't intentional, consider using a stable cache key instead.
</issue_to_address>

### Comment 2
<location> `images/cdi-artifact/werf.inc.yaml:39-40` </location>
<code_context>
   install:
   - |
     echo "Git clone CDI repository..."
-    git clone --depth 1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer
+    git clone --depth 1 --branch fix/module/fix-cve $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer

     rm -rf /src/containerized-data-importer/.git
</code_context>

<issue_to_address>
**suggestion:** Hardcoding the branch name may reduce flexibility for future updates.

If this is a temporary change, consider parameterizing the branch name or adding documentation to simplify future maintenance.

Suggested implementation:

```
    # NOTE: Temporary override for CVE fix. Update/remove BRANCH_NAME as needed.
    BRANCH_NAME="{{ $.CDI_BRANCH_NAME | default 'fix/module/fix-cve' }}"
    git clone --depth 1 --branch $BRANCH_NAME $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer

    rm -rf /src/containerized-data-importer/.git

```

To fully implement this, you should:
1. Add `CDI_BRANCH_NAME` to your values file or pipeline configuration if you want to override the branch name.
2. Document this environment variable for future maintainers.
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

images/cdi-artifact/werf.inc.yaml
- id: SOURCE_REPO
value: {{ $.SOURCE_REPO }}
shell:
installCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
Copy link
Contributor

@sourcery-ai sourcery-ai bot Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question (performance): Consider the impact of using a dynamic timestamp for installCacheVersion.

Using a timestamp as the cache version will cause the cache to be invalidated on every build, increasing build times. If this isn't intentional, consider using a stable cache key instead.

images/cdi-artifact/werf.inc.yaml
Comment on lines -39 to 41
echo "Git clone CDI repository..."
git clone --depth 1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer
git clone --depth 1 --branch fix/module/fix-cve $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer

Copy link
Contributor

@sourcery-ai sourcery-ai bot Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Hardcoding the branch name may reduce flexibility for future updates.

If this is a temporary change, consider parameterizing the branch name or adding documentation to simplify future maintenance.

Suggested implementation:

    # NOTE: Temporary override for CVE fix. Update/remove BRANCH_NAME as needed.
    BRANCH_NAME="{{ $.CDI_BRANCH_NAME | default 'fix/module/fix-cve' }}"
    git clone --depth 1 --branch $BRANCH_NAME $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer

    rm -rf /src/containerized-data-importer/.git

To fully implement this, you should:

  1. Add CDI_BRANCH_NAME to your values file or pipeline configuration if you want to override the branch name.
  2. Document this environment variable for future maintainers.

@Isteb4k Isteb4k added this to the v1.2.0 milestone Oct 9, 2025
@Isteb4k
fix(vm): fix cve CVE-2025-54410 and CVE-2025-54410
3d062ef 
Signed-off-by: Isteb4k <dmitry.rakitin@flant.com>
@Isteb4k Isteb4k changed the title fix(vm): fix cve CVE-2025-58058 fix(vm): fix cve CVE-2025-54410 and CVE-2025-54410 Oct 9, 2025
@Isteb4k Isteb4k changed the title fix(vm): fix cve CVE-2025-54410 and CVE-2025-54410 fix(module): fix CVE-2025-54410 and CVE-2025-54410 Oct 9, 2025
@Isteb4k Isteb4k modified the milestones: v1.2.0, v1.1.1 Oct 14, 2025
@nevermarine nevermarine modified the milestones: v1.1.1, v1.2.0 Oct 16, 2025
@Isteb4k Isteb4k modified the milestones: v1.2.0, v1.3.0 Nov 26, 2025
@nevermarine nevermarine modified the milestones: v1.3.0, v1.4.0 Dec 16, 2025
@nevermarine nevermarine modified the milestones: v1.4.0, v1.5.0 Jan 23, 2026
@nevermarine nevermarine modified the milestones: v1.5.0, v1.6.0 Feb 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@universal-itengineer universal-itengineer Awaiting requested review from universal-itengineer universal-itengineer is a code owner

@nevermarine nevermarine Awaiting requested review from nevermarine nevermarine is a code owner

@yaroslavborbat yaroslavborbat Awaiting requested review from yaroslavborbat yaroslavborbat is a code owner

@diafour diafour Awaiting requested review from diafour diafour is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@Isteb4k Isteb4k

Labels

None yet

Projects

None yet

Milestone

v1.6.0

Development

Successfully merging this pull request may close these issues.

2 participants

@Isteb4k @nevermarine