Skip to content

csi: fix Trivy security scan failures#334

Open
boddumanohar wants to merge 1 commit into
mainfrom
fix/csi-trivy-scan
Open

csi: fix Trivy security scan failures#334
boddumanohar wants to merge 1 commit into
mainfrom
fix/csi-trivy-scan

Conversation

@boddumanohar

Copy link
Copy Markdown
Member

Summary

Fixes the failing CSI: Security Scan job (run: https://github.com/simplyblock/simplyblock-operator/actions/runs/29423907459/job/87381207613).

Trivy's SARIF scan of simplyblock/spdkcsi:scan reported:

  • CVE-2026-56852 (golang.org/x/text v0.38.0, indirect dep of csi-driver) — infinite loop on invalid input.

  • CVE-2026-52858 / CVE-2026-47167 / CVE-2026-47162 / CVE-2026-46483 (HIGH, vim-minimal) — arbitrary code execution / command injection vulnerabilities in the vim package shipped in the base image (Dockerfile_base), unused at runtime.

  • Bump golang.org/x/text to v0.39.0 in csi-driver/go.mod/go.sum (go get golang.org/x/text@v0.39.0 && go mod tidy, transitively bumped x/mod/x/tools).

  • Remove vim-minimal from the CSI base image alongside the existing python3-urllib3/python3-requests/python3-idna removals — it isn't needed by the CSI driver at runtime.

Note: the vim-minimal fix only takes effect once simplyblock/spdkcsi:base_image_e2fsprogs is rebuilt — either via the weekly CSI: Docker Base Image cron (Sundays 05:00 UTC) or by manually dispatching that workflow after this merges.

Test plan

  • go build ./... in csi-driver succeeds
  • go vet ./... clean
  • go mod verify passes
  • CI: CSI: Security Scan job passes on this branch
  • Manually dispatch CSI: Docker Base Image after merge to pick up the vim-minimal removal

🤖 Generated with Claude Code

…026-56852)

Bump golang.org/x/text to v0.39.0 to fix CVE-2026-56852 (infinite loop
on invalid input). Remove vim-minimal from the CSI base image, which
carried several HIGH-severity vim CVEs (CVE-2026-52858, CVE-2026-47167,
CVE-2026-47162, CVE-2026-46483) and isn't needed at runtime.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant