
Conversation

@andy-vm
Contributor

@andy-vm andy-vm commented Dec 4, 2025

Merge Checklist

All boxes should be checked before merging the PR

  • The changes in the PR have been built and tested
  • cgmanifest file has been updated if required
  • Ready to merge

Description

upgrade tink worker for CVE fix
https://jira.devtools.intel.com/browse/ITEP-81743

Any Newly Introduced Dependencies

How Has This Been Tested?

tested by Piyush

@andy-vm andy-vm requested a review from a team as a code owner December 4, 2025 02:58
@aaroncyew
Member

Automated Messages: Label 'tink-worker' has been added to this Pull Request.

@aaroncyew aaroncyew added the following labels Dec 5, 2025:

  • containerd: v1.7.29: CVE-2024-40635 (Component containerd labelled for run 7978868)
  • containerd: v1.7.29: CVE-2024-25621 (Component containerd labelled for run 7978868)
  • containerd: v1.7.29: CVE-2025-64329 (Component containerd labelled for run 7978868)
  • x-crypto: v0.36.0: CVE-2025-47913 (Component x-crypto labelled for run 7936573)
  • x-crypto: v0.36.0: CVE-2025-47914 (Component x-crypto labelled for run 7936573)
  • x-crypto: v0.36.0: CVE-2025-58181 (Component x-crypto labelled for run 7936573)
aaroncyew
aaroncyew previously approved these changes Dec 5, 2025
Member

@aaroncyew aaroncyew left a comment


+1
This PR only resolves the Go module github.com/opencontainers/selinux CVE-2025-52881.

There are other CVEs detected for x-crypto and containerd2, and they have been marked with labels. This was tested in:
buildID: 1344
scanID: 7978868

@andy-vm
Contributor Author

andy-vm commented Dec 8, 2025

> +1 This PR only resolves the Go module github.com/opencontainers/selinux CVE-2025-52881.
>
> There are other CVEs detected for x-crypto and containerd2, and they have been marked with labels. This was tested in buildID: 1344, scanID: 7978868.

This PR fixed all reported CVEs in tink-worker; see the scan result at https://bdba001.icloud.intel.com/#/product/7979383/analysis
The other CVEs are false positives.

@aaroncyew aaroncyew removed the following labels Dec 8, 2025:

  • x-crypto: v0.36.0: CVE-2025-47913 (Component x-crypto labelled for run 7936573)
  • x-crypto: v0.36.0: CVE-2025-47914 (Component x-crypto labelled for run 7936573)
  • x-crypto: v0.36.0: CVE-2025-58181 (Component x-crypto labelled for run 7936573)
  • containerd: v1.7.29: CVE-2024-40635 (Component containerd labelled for run 7978868)
  • containerd: v1.7.29: CVE-2024-25621 (Component containerd labelled for run 7978868)
  • containerd: v1.7.29: CVE-2025-64329 (Component containerd labelled for run 7978868)
@aaroncyew
Member

> +1 This PR only resolves the Go module github.com/opencontainers/selinux CVE-2025-52881.
> There are other CVEs detected for x-crypto and containerd2, and they have been marked with labels. This was tested in buildID: 1344, scanID: 7978868.
>
> This PR fixed all reported CVEs in tink-worker; see the scan result at https://bdba001.icloud.intel.com/#/product/7979383/analysis. The other CVEs are false positives.

Update all the required components to match the new release tink-worker .yaml, as this may cause false positives in the analysis scan results.

@andy-vm
Contributor Author

andy-vm commented Dec 8, 2025

> +1 This PR only resolves the Go module github.com/opencontainers/selinux CVE-2025-52881.
> There are other CVEs detected for x-crypto and containerd2, and they have been marked with labels. This was tested in buildID: 1344, scanID: 7978868.
>
> This PR fixed all reported CVEs in tink-worker; see the scan result at https://bdba001.icloud.intel.com/#/product/7979383/analysis. The other CVEs are false positives.
>
> Update all the required components to match the new release tink-worker .yaml, as this may cause false positives in the analysis scan results.

One false positive is about Rust; we are not using it.
The other two report CVEs in 1.7.27, but we already upgraded to 1.7.29.
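The disagreement above (scanner reports containerd 1.7.27, the build uses 1.7.29) is the classic case of a tool reading `require` lines while the module graph resolves to a different version, for instance through a `replace` directive. The program below is an added example, not code from the PR or from the tink-worker project: it parses `go list -m all`-style output, applies `replace` arrows, and compares each effective version against a minimum fixed version. The module list, the replace directive and the threshold versions are constructed assumptions for illustration; the real thresholds come from the advisory for each CVE.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleModuleList is a constructed stand-in for `go list -m all` output.
// The versions and the replace directive are assumptions for this example,
// not taken from the real tink-worker repository.
const sampleModuleList = `github.com/example/tink-worker
github.com/containerd/containerd v1.7.27 => github.com/containerd/containerd v1.7.29
github.com/opencontainers/selinux v1.11.1
golang.org/x/crypto v0.36.0
`

// minimumVersions maps a module path to the lowest version accepted as fixed.
// Thresholds are assumed for the example; take the real ones from the advisory.
var minimumVersions = map[string]string{
	"github.com/containerd/containerd": "v1.7.29",
	"golang.org/x/crypto":              "v0.36.0",
}

// effectiveVersions returns the version actually built for each module path.
// A replace directive ("path vOld => path vNew") wins over the nominal
// version, which is where a require-only scanner reports a stale version.
func effectiveVersions(listOutput string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(listOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // the main module line carries no version
		}
		path, version := f[0], f[1]
		for i, tok := range f {
			if tok != "=>" {
				continue
			}
			if i+2 < len(f) {
				version = f[i+2] // replaced by another module version
			} else {
				version = "local:" + f[i+1] // replaced by a local directory
			}
			break
		}
		out[path] = version
	}
	return out
}

// parseSemver turns "v1.7.29" into [1 7 29]; pre-release/build suffixes are dropped.
func parseSemver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		n[i] = x
	}
	return n, true
}

// atLeast reports whether have >= want. Anything unparsable (a local replace,
// a malformed tag) fails closed so that it shows up in the report.
func atLeast(have, want string) bool {
	h, ok1 := parseSemver(have)
	w, ok2 := parseSemver(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// CheckModules returns "path@version" for every thresholded module whose
// effective version is below the minimum. Modules absent from the build
// graph are skipped: a finding against a module that is not compiled in cannot apply.
func CheckModules(listOutput string, mins map[string]string) []string {
	have := effectiveVersions(listOutput)
	var failing []string
	for path, want := range mins {
		if v, present := have[path]; present && !atLeast(v, want) {
			failing = append(failing, path+"@"+v)
		}
	}
	sort.Strings(failing)
	return failing
}

func main() {
	if bad := CheckModules(sampleModuleList, minimumVersions); len(bad) > 0 {
		fmt.Println("below minimum:", bad)
		return
	}
	fmt.Println("all thresholded modules at or above their fixed versions")
}
```

To use it against a real tree, feed the program the output of `go list -m all` run in the module directory of the built binary; the `=>` handling is what reconciles the scanner's 1.7.27 with the 1.7.29 that is actually linked, and a replace pointing at a local directory is deliberately reported rather than trusted.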

@cheeyanglee cheeyanglee merged commit 11a207f into open-edge-platform:3.0-dev Dec 9, 2025
15 of 18 checks passed
@andy-vm andy-vm deleted the tink-worker-CVE-ITEP-81743 branch December 9, 2025 02:45

4 participants