fix(supply-chain): ignore 10 no-fix CVEs that broke nightly 2026-05-21 #59
The 2026-05-21 nightly (run 26210539455) failed on `pip-audit` because the OSV / GHSA databases published 9 new torch advisories and 1 markdown advisory overnight, none of which have an upstream fix. Without an ignore, `tools/check_pip_audit.py` fails closed on UNKNOWN severity (pip-audit's JSON does not serialise OSV severity) and the nightly stays red, masking real future breakage.

Triage (issue #58):

- torch PYSEC-2025-191..197, PYSEC-2025-210, PYSEC-2026-139: all require a LOCAL attacker passing malformed inputs to specific torch APIs (`jit.script`, `lstm_cell`, `cuda.memory.*`, `pt2` loader, etc.). ForgeLM is a local-CLI tool; an attacker with that access is already inside the trust boundary. None of the affected APIs are called with attacker-controlled arguments in `forgelm/`.
- markdown PYSEC-2026-89: OSV affected-range misclassification — the advisory description states the fix shipped in markdown==3.8.1 but the range record has no `fixed` event, so every version is flagged. Installed 3.10.2 is post-fix.

Each ignore is documented inline in `.github/workflows/nightly.yml` with the surface, the threat-model carve-out, and the condition for re-evaluating (per `docs/reference/supply_chain_security.md`).

Also drops the stale "Issue #37 tracks the active set" reference — #37 was a closed nightly-failure issue, not a tracker.

Refs: #58
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reviewer's Guide

Extends the nightly supply-chain audit step to explicitly ignore 10 newly published, no-fix CVEs (9 in torch, 1 in markdown), with detailed inline justification and reevaluation guidance, and cleans up an outdated tracking comment in the nightly workflow.

Flow diagram for updated nightly pip-audit ignore handling:

```mermaid
flowchart TD
    NightlyJob[Nightly workflow: supply_chain job]
    PipAudit[pip-audit --ignore-vuln<br/>CVE-2026-1839<br/>PYSEC-2025-191..197<br/>PYSEC-2025-210<br/>PYSEC-2026-139<br/>PYSEC-2026-89]
    JsonOut[/pip-audit JSON output<br/>/tmp/pip-audit.json/]
    CheckScript[tools/check_pip_audit.py<br/>applies severity policy]
    Policy[Fail on any non-ignored<br/>UNKNOWN-severity finding]
    NightlyJob --> PipAudit
    PipAudit --> JsonOut
    JsonOut --> CheckScript
    CheckScript --> Policy
```
Hey - I've left some high level feedback:

- Consider moving the growing `--ignore-vuln` list into a separate config (e.g., a checked-in JSON/YAML consumed by `tools/check_pip_audit.py`) so new CVE suppressions don't require editing the workflow and can be managed/validated in one place.
Address PR #59 review comment: extract the growing --ignore-vuln list from .github/workflows/nightly.yml into tools/pip_audit_ignores.yaml, consumed by tools/check_pip_audit.py via a new opt-in --ignores flag. New CVE suppressions no longer require editing the workflow.

Design — opt-in, not opt-out
============================

docs/reference/supply_chain_security.md explicitly tells deployers that ForgeLM does NOT ship a default project-level ignore list. The new flag preserves that contract: without --ignores PATH, check_pip_audit.py applies no suppressions, so a deployer running

    pip install forgelm[security]
    python3 tools/check_pip_audit.py /tmp/pip-audit.json

still sees the full unfiltered severity gate. The project's own nightly opts in explicitly:

    python3 tools/check_pip_audit.py /tmp/pip-audit.json \
        --ignores tools/pip_audit_ignores.yaml

Schema enforcement
==================

Every entry in pip_audit_ignores.yaml must carry six required fields (id, package, reason, threat_model, verified_at, reevaluate_after); missing any one fails the gate with an ::error:: that names the gap. This blocks the "stick a bare id: in and forget" pattern — every suppression now carries a written justification + re-evaluate trigger as required by docs/reference/supply_chain_security.md.

Matching uses {id} ∪ aliases on both sides, so an ignore listing the CVE alias still matches a pip-audit finding emitted under its PYSEC primary id (and vice versa). Each match is logged as a ::notice:: annotation so the run summary surfaces the audit trail; suppressions don't disappear into the workflow log silently.

Migrations
==========

All 11 ignores in nightly.yml (CVE-2026-1839 transformers + 9 torch PYSEC-2025-191..197/210 + PYSEC-2026-139 + 1 markdown PYSEC-2026-89) moved verbatim into the YAML file with the justifications expanded into structured fields.

The workflow's pip-audit step shrinks from ~95 lines of inline comments + per-CVE --ignore-vuln args to a ~12-line block pointing at the YAML.

Tests
=====

Extends tests/test_check_pip_audit.py with 9 new cases covering:

- suppression by primary id and by alias
- no false-positive match on unrelated CVEs
- schema validation (each required field individually named on failure)
- missing / invalid YAML files fail closed
- default (no --ignores) is unchanged — deployer-safe
- the checked-in tools/pip_audit_ignores.yaml itself passes schema validation (regression guard so the workflow never breaks on its own ignore file)

Docs
====

Updates docs/reference/supply_chain_security.md and the TR mirror plus docs/usermanuals/{en,tr}/operations/supply-chain.md with the new deployer workflow (write your own ignores.yaml, pass via --ignores). Bilingual parity verified by tools/check_bilingual_parity.py --strict.

Refs: #58, #59 (review comment)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…view) Address review feedback on the pip_audit_ignores.yaml loader:

- Validate `aliases` is a list of strings before unpacking it into the id index. Previously `aliases: CVE-2025-2953` (a bare string) would be iterated character-by-character, polluting the index with single-char "ids" and silently breaking matching; a non-iterable would crash. Now fails closed with a clear ::error::.
- Validate value shape of required fields, not just presence: id, package, reason, threat_model, reevaluate_after must be non-empty strings, and verified_at must be a 'YYYY-MM-DD' string (quote it in YAML so it is not parsed as a datetime.date). An empty reason was a documented-justification gap the old presence-only check let through. Note: reevaluate_after is deliberately NOT date-validated — it is a free-text retirement condition ("Each release cycle, or when …"), so the review's suggested date-regex on it would have rejected every real entry. Date validation applies to verified_at only.
- Hoist `ignore_ids = set(ignores)` once in _bucket_findings instead of intersecting against `ignores.keys()` per finding.
- Doc grammar: "fails the gate closed" -> "causes the gate to fail closed" in both EN mirrors, and document the new malformed-value rejection in the reference + user-manual (EN + TR).

Adds 7 tests: aliases-as-string, aliases-with-non-string-element, null-aliases-accepted, empty-required-string, malformed verified_at, unquoted-YAML-date rejection, and free-text reevaluate_after accepted. 23 tests pass.

Refs: #59 (review)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
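The two commit messages above describe the ignore-file loader's contract: six required fields with shape checks, `verified_at` as a quoted date, `aliases` as a list of strings, matching on `{id} ∪ aliases`, and a gate that fails closed on every non-ignored finding. The following is an added example of that design, not forgelm's `tools/check_pip_audit.py`. It takes the ignore entries as an already-parsed structure (what `yaml.safe_load` would return for the YAML file, so it runs without PyYAML), and the audit report as a constructed document in the shape of pip-audit's JSON output. All function names and the sample entries are hypothetical; the package-name check in `bucket_findings` is this example's own addition.

```python
# Added example: a minimal ignore-file gate following the loader design in the
# commit messages above. Not forgelm's code; names are hypothetical.
import datetime
import re

REQUIRED_STRING_FIELDS = ("id", "package", "reason", "threat_model", "reevaluate_after")
REQUIRED_FIELDS = REQUIRED_STRING_FIELDS + ("verified_at",)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


class IgnoreFileError(ValueError):
    """Any shape problem in the ignore file: the gate fails closed."""


def validate_ignores(entries):
    """Return {id_or_alias: entry}, raising IgnoreFileError on the first defect."""
    if not isinstance(entries, list):
        raise IgnoreFileError("ignore file must be a list of entries")
    index = {}
    for n, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise IgnoreFileError(f"entry {n}: not a mapping")
        for field in REQUIRED_FIELDS:
            if field not in entry:
                raise IgnoreFileError(f"entry {n}: missing required field '{field}'")
        for field in REQUIRED_STRING_FIELDS:  # reevaluate_after is free text, only non-empty
            if not isinstance(entry[field], str) or not entry[field].strip():
                raise IgnoreFileError(f"entry {n}: '{field}' must be a non-empty string")
        # An unquoted 2026-05-24 in YAML arrives as datetime.date, not str: reject it,
        # then reject strings that are not a real YYYY-MM-DD calendar date.
        verified = entry["verified_at"]
        if not isinstance(verified, str) or not DATE_RE.match(verified):
            raise IgnoreFileError(f"entry {n}: verified_at must be a quoted 'YYYY-MM-DD' string")
        try:
            datetime.date.fromisoformat(verified)
        except ValueError:
            raise IgnoreFileError(f"entry {n}: verified_at {verified!r} is not a calendar date")
        # aliases may be absent or null; a bare string would be iterated character
        # by character, so insist on a list of strings.
        aliases = entry.get("aliases")
        if aliases is None:
            aliases = []
        if not isinstance(aliases, list) or not all(isinstance(a, str) for a in aliases):
            raise IgnoreFileError(f"entry {n}: aliases must be a list of strings")
        for key in {entry["id"], *aliases}:
            index[key] = entry
    return index


def ignore_file_error(entries):
    """Return the rejection message, or None if the ignore file is acceptable."""
    try:
        validate_ignores(entries)
    except IgnoreFileError as exc:
        return str(exc)
    return None


def bucket_findings(report, index):
    """Split pip-audit findings into (suppressed, failing).

    A finding is suppressed when any of its {id} | aliases is in the ignore index
    and that entry's package matches the dependency. Everything else fails:
    pip-audit's JSON carries no severity, so each finding is UNKNOWN and the
    policy fails closed.
    """
    suppressed, failing = [], []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}
            match = next((index[i] for i in ids
                          if i in index and index[i]["package"] == dep["name"]), None)
            if match is None:
                failing.append((dep["name"], vuln["id"]))
            else:
                suppressed.append((dep["name"], vuln["id"], match["id"]))
    return suppressed, failing


def run_gate(report, ignore_entries=None):
    """Return the exit code (0 = green). With no ignore file, nothing is suppressed."""
    index = validate_ignores(ignore_entries) if ignore_entries is not None else {}
    suppressed, failing = bucket_findings(report, index)
    for pkg, vid, via in suppressed:  # audit trail surfaced in the run summary
        print(f"::notice::{pkg} {vid} suppressed via ignore entry {via}")
    for pkg, vid in failing:
        print(f"::error::{pkg} {vid}: UNKNOWN severity and no ignore entry")
    return 1 if failing else 0


# Constructed sample inputs: ids come from the PR text, versions are placeholders.
SAMPLE_IGNORES = [{
    "id": "CVE-2025-14929",  # listed under the CVE alias; the finding uses the PYSEC id
    "package": "transformers",
    "reason": "X-CLIP checkpoint conversion is never invoked by the tool",
    "threat_model": "operators are required to load only trusted checkpoints",
    "verified_at": "2026-05-24",
    "reevaluate_after": "Each release cycle, or when a fix lands in the pinned 4.x line",
}]
SAMPLE_REPORT = {"dependencies": [
    {"name": "transformers", "version": "4.0.0-sample",
     "vulns": [{"id": "PYSEC-2025-217", "aliases": ["CVE-2025-14929"], "fix_versions": []}]},
    {"name": "torch", "version": "2.0.0-sample",
     "vulns": [{"id": "PYSEC-2025-191", "aliases": [], "fix_versions": []}]},
]}

if __name__ == "__main__":
    raise SystemExit(run_gate(SAMPLE_REPORT, SAMPLE_IGNORES))  # exits 1: torch is not ignored
```

Run as a script it prints one `::notice::` for the transformers finding (matched through the CVE alias) and one `::error::` for the torch finding, and exits non-zero; omitting the ignore list makes both findings fail, which is the deployer-safe default the commit message describes.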
…5-24) The nightly on main is green through the new --ignores mechanism (the run log shows CVE-2026-1839 correctly suppressed), but a new no-fix advisory dropped: transformers PYSEC-2025-217 (CVE-2025-14929), X-CLIP checkpoint-conversion deserialization RCE. CVSS is AV:L/UI:R (local + user must open a malicious checkpoint), affected through 5.0.0rc0 with no fix in the pinned 4.x line.

Same threat-model carve-out as the existing transformers/torch deserialization ignores: operators are documented as required to load only trusted checkpoints, and ForgeLM does not invoke X-CLIP checkpoint conversion.

With the Phase-refactored ignore file this is a one-line data change, no workflow edit — exactly the maintainability win the PR #59 review asked for.

Refs: #58
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>



Summary

- The 2026-05-21 nightly failed on the `pip-audit` step because OSV / GHSA published 10 new no-fix advisories overnight (9 torch + 1 markdown).
- Each is added to `--ignore-vuln` in `.github/workflows/nightly.yml` with an inline justification, threat-model carve-out, and re-evaluation condition, matching the existing `CVE-2026-1839` (transformers) pattern.
- Drops the stale "Issue #37 tracks the active set" comment — #37 (Nightly CI failure — 2026-05-07) was a closed nightly-failure issue, not a tracker.

Triage detail

torch (9 CVEs, all local attack vector)

- `torch.mkldnn_max_pool2d` — local DoS
- `torch.nn.utils.rnn.pad_packed_sequence` — local memory corruption
- `torch.nn.utils.rnn.unpack_sequence` — local memory corruption
- `torch.jit.script` — local memory corruption
- `torch.lstm_cell` — local memory corruption
- `torch.jit.jit_module_from_flatbuffer` — local memory corruption
- `torch.cuda.memory.caching_allocator_delete` — local memory corruption
- `torch.profiler.profile` — local DoS via missing `profiler.stop()`
- `pt2` Loading Handler — local deserialization (same trust model as `torch.load(pickle)`)

All require a local attacker passing malformed inputs to a specific torch API. ForgeLM is a local-CLI training tool; an attacker with that access is already inside the trust boundary. None of the affected APIs are called with attacker-controlled arguments in `forgelm/`. Verified against `pypa/advisory-database/vulns/torch/*.yaml` on 2026-05-21.

markdown (1 CVE, OSV range misclassification)

The OSV range record has no `fixed` event, so every version is flagged; the advisory description says the fix shipped in `markdown==3.8.1`. Installed 3.10.2 is post-fix. Re-evaluate when the OSV record gains a `fixed: 3.8.1` event.

Why this isn't `|| true`

`pip-audit` runs with `|| true` (sanctioned carve-out in `docs/standards/testing.md`) because `tools/check_pip_audit.py` then applies the project's severity policy on the captured JSON. The script fails closed on every UNKNOWN-severity finding — which is every finding in practice, since pip-audit's JSON does not carry OSV severity. Adding documented ignores for accepted-risk CVEs is the prescribed escape hatch (see `docs/reference/supply_chain_security.md` — "Suppression").

Re-evaluation

Each release cycle: re-run nightly without the ignore set and drop any CVE that:

Test plan

- `python3 -c "import yaml; yaml.safe_load(open('.github/workflows/nightly.yml'))"` — YAML parses
- `python3 tools/check_anchor_resolution.py --strict` — passes
- `python3 tools/check_bilingual_parity.py --strict` — passes
- `python3 tools/check_no_analysis_refs.py` — passes
- `has_any_id` matches against `{id} | aliases`, so PYSEC IDs in `--ignore-vuln` are honoured (verified by reading `pip_audit/_service/interface.py`)
- Nightly Compatibility workflow on this branch to confirm the supply-chain job goes green

Closes #58
🤖 Generated with Claude Code
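The markdown triage above rests on one observation: an OSV affected range whose event list opens with `introduced: "0"` and never gains a `fixed` (or `last_affected`) event matches every version that exists, regardless of what the advisory prose says. The following is an added example, not part of this PR or of forgelm, that applies OSV's range semantics to a constructed `affected[].ranges[]` record and also flags open-ended ranges so a triager can spot this class of misclassification before accepting the ignore. The version parser handles plain dotted-numeric versions only (a real tool would use `packaging.version`); the sample advisory is a constructed stand-in that reuses only the id and versions from the PR text, and all function names are hypothetical.

```python
# Added example: OSV ECOSYSTEM range evaluation plus an open-ended-range check.
# Not forgelm's code; the advisory record below is constructed, not the real one.

def parse_version(text):
    """'3.10.2' -> (3, 10, 2). Assumption: numeric, dot-separated versions only."""
    return tuple(int(part) for part in text.split("."))


def _at_or_after(v, start):
    """OSV uses the literal "0" for 'from the first version ever'."""
    return start == "0" or parse_version(start) <= v


def is_affected(version, events):
    """Apply OSV range semantics: each `introduced` opens an interval, the next
    `fixed` closes it exclusively and `last_affected` closes it inclusively.
    An interval that is never closed runs to infinity."""
    v = parse_version(version)
    open_from = None
    for event in events:
        if "introduced" in event:
            open_from = event["introduced"]
            continue
        if open_from is None:
            continue  # closing event without an open interval: ignore it
        if "fixed" in event:
            hit = _at_or_after(v, open_from) and v < parse_version(event["fixed"])
        elif "last_affected" in event:
            hit = _at_or_after(v, open_from) and v <= parse_version(event["last_affected"])
        else:
            continue
        if hit:
            return True
        open_from = None
    # A dangling `introduced` with no closing event flags every later version.
    return open_from is not None and _at_or_after(v, open_from)


def open_ended_ranges(advisory):
    """Return (package, range index) for every range whose last interval is never
    closed. These are the records worth re-checking against the advisory text."""
    found = []
    for affected in advisory.get("affected", []):
        name = affected["package"]["name"]
        for i, rng in enumerate(affected.get("ranges", [])):
            events = rng.get("events", [])
            if events and "introduced" in events[-1]:
                found.append((name, i))
    return found


def triage(advisory, package, installed):
    """Summarise one installed package against one advisory."""
    affected = any(
        is_affected(installed, rng.get("events", []))
        for a in advisory.get("affected", [])
        if a["package"]["name"] == package
        for rng in a.get("ranges", [])
        if rng.get("type") == "ECOSYSTEM"
    )
    open_ended = any(name == package for name, _ in open_ended_ranges(advisory))
    return {"affected": affected, "open_ended": open_ended}


# Constructed record in the shape of an OSV advisory; only the id and the
# 3.8.1 / 3.10.2 versions are taken from the PR text.
SAMPLE_ADVISORY = {
    "id": "PYSEC-2026-89",
    "summary": "constructed stand-in for the real advisory",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "markdown"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
    }],
}
# What the same range would look like once the fix event the prose describes is recorded.
CORRECTED_EVENTS = [{"introduced": "0"}, {"fixed": "3.8.1"}]

if __name__ == "__main__":
    print("as published:", triage(SAMPLE_ADVISORY, "markdown", "3.10.2"))
    print("with fixed event, 3.10.2 affected:", is_affected("3.10.2", CORRECTED_EVENTS))
    print("with fixed event, 3.8.0 affected:", is_affected("3.8.0", CORRECTED_EVENTS))
```

`open_ended_ranges` is the check to run over an ignore candidate before accepting it: an unbounded range on a package whose advisory text names a fix version is the signature of the misclassification described above, and the corresponding ignore entry's re-evaluation condition is exactly the record gaining that `fixed` event.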
Summary by Sourcery
Update nightly supply-chain workflow to suppress specific no-fix CVEs while documenting risk and reevaluation policy.