fix: complete console image oras remediation#778
Conversation
There was a problem hiding this comment.
This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:
| Name | Details |
|---|---|
| 💬 Prompt | Update the existing open PR branch agent/remediate-console-image-vulns-1752056400000 in https://github.com/pluralsh/plural-cli so that the remediation for the console image is actually complete.... |
| 🔗 Run history | View run history |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Greptile SummaryThis PR attempts to remediate console image vulnerabilities by downgrading
Confidence Score: 3/5The PR should not be merged as-is: the oras pseudo-version it introduces is a pre-release commit that predates the v2.6.1 security release and lacks fixes for two credential-exfiltration CVEs that v2.6.1 addresses. The oras pseudo-version go.mod — specifically the oras pseudo-version pin and the helm downgrade need a clear security rationale confirming which CVEs are being traded off.
|
| Filename | Overview |
|---|---|
| go.mod | Downgrades helm v3.21.2→v3.21.0 and pins oras to a November 2025 pseudo-version that predates the v2.6.1 security release, potentially reintroducing CVE-2026-50151 and CVE-2026-48978 |
| go.sum | Adds hashes for helm v3.21.0 and the oras pseudo-version; retains old v3.21.2/v2.6.1 entries (expected go.sum accumulation); reorders some entries alphabetically |
Reviews (1): Last reviewed commit: "fix: complete console image oras remedia..." | Re-trigger Greptile
| gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect | ||
| k8s.io/kube-openapi v0.0.0-20260706235625-cdb1db5517a0 // indirect | ||
| oras.land/oras-go/v2 v2.6.1 // indirect | ||
| oras.land/oras-go/v2 v2.6.1-0.20251112024309-71beefaff46c // indirect |
There was a problem hiding this comment.
Pseudo-version predates v2.6.1 security patches
The commit 71beefaff46c (2025-11-12) predates the official oras.land/oras-go/v2 v2.6.1 release (June 3, 2026), which was a security patch release fixing multiple CVEs. Per advisory databases, this pseudo-version falls in the affected range for CVE-2026-50151 ("credential forwarding via unvalidated Location header", fix: upgrade to v2.6.1+) and CVE-2026-48978 / GHSA-xf85-363p-868w ("Bearer token realm hijack", affects <= v2.6.0). Independent research confirms the pseudo-version "contained the vulnerabilities that were eventually addressed in the official v2.6.1 release."
If this downgrade is intentional to avoid GHSA-fxhp-mv3v-67qp ("tar extraction hardlink escape", affects <= v2.6.1, no upstream patch), the trade-off is reintroducing two credential-exfiltration CVEs that v2.6.1 actually fixes. It is worth explicitly evaluating whether accepting the unpatched GHSA-fxhp-mv3v-67qp is preferable to removing CVE-2026-50151 and CVE-2026-48978 mitigations.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Summary
v2.6.11.26.5Docker image remediation already present on the base branchDependency changes
helm.sh/helm/v3:v3.21.2->v3.21.0oras.land/oras-go/v2:v2.6.1->v2.6.1-0.20251112024309-71beefaff46cgithub.com/google/go-containerregistry: unchanged atv0.21.8-0.20260624172245-e8b2b9e51df6Evidence
go mod why -m oras.land/oras-go/v2:github.com/pluralsh/plural-cli/pkg/prhelm.sh/helm/v3/pkg/registryoras.land/oras-go/v2go mod graphnow resolves:helm.sh/helm/[email protected]oras.land/oras-go/[email protected]Dockerfilebuilder/final stages still usegolang:1.26.5-alpinedocker build --no-cache -t plural-cli-remediation:test .exercised the actual image build path through the Go 1.26.5 builder and reached the compile stageFiles changed
go.modgo.sum