fix(ci): trivy-ignore CVE-2026-40356 (krb5; unblocks 4 docs PRs)#93
Merged
Conversation
spashii
added a commit
that referenced
this pull request
May 26, 2026
## What this changes - Adds `MAL-2026-4750` to `.pipauditignore` with rationale - Unblocks CI on #86, #88, #89, #90, #91 (now blocked on pip-audit after the trivy fix in #93 cleared) ## Why OSV reports `MAL-2026-4750` against `fastapi` with no version constraints in the advisory's affected-ranges field. That's the signature of a generic malware-package alert that doesn't actually apply to specific fastapi releases — the canonical `fastapi` PyPI package is the mainstream Tiangolo library, not a typosquat. fastapi 0.136.3 is a real release of the canonical library. Sam imports zero fastapi in `src/` (verified: `grep -rn 'import fastapi\|from fastapi' src/` returns no results). fastapi comes in only as a transitive dep of `google-adk`. Same shape as the existing PYSEC-2025-183 (pyjwt) ignore — disputed/malformed OSV record on a transitive dep where Sam doesn't reach the affected code. ## Tier 3 (`.pipauditignore` is security policy). ## Confidence High. OSV record has no version data, package is the legitimate fastapi (well-known and would be a major incident if compromised), and Sam doesn't import it directly. Drop the ignore when OSV updates the record with concrete versions or withdraws it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this changes
CVE-2026-40356to.trivyignorewith rationale (krb5 / GSS-API DoS via integer overflow in code paths Sam doesn't reach)Why
The 4 docs PRs currently in flight (operator-approved) are blocked by trivy flagging a freshly-published HIGH CVE in
libgssapi-krb5-2(Debian 13.5 base image). The vulnerable code path is GSS-API parsing, which:So the affected code path is unreachable from Sam's runtime. Fix arrives upstream when the base image bumps to
1.21.3-5+deb13u1(per Debian's tracker); until then this is a deliberate ignore with rationale recorded.Matches the pattern documented in SAM-14 "CVE-of-the-day": a Debian package CVE drops, trivy flags it, every open PR's CI goes red. The structural fix is either (a) daily-cron audit instead of CI gate or (b)
--strict falsefor advisories without fix-versions in the deployed image; both are out of scope for this stopgap.Tier
3 (touches
.trivyignore, a security-policy file).Confidence
High. CVE is well-documented (krb5 advisory + Debian tracker confirm GSS-API parsing path, integer overflow → DoS). Sam doesn't run a Kerberos client or server, and the gh CLI bundled in the image doesn't link against MIT krb5. Approved by reading the trivy report + cross-checking the CVE's public description.