kserve/0.14.1-r0: cve remediation #40969

Open. Wants to merge 2 commits into main.
Conversation

octo-sts[bot] (Contributor) commented Jan 31, 2025

kserve/0.14.1-r0: fix CVE-2024-45341

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kserve.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)

octo-sts[bot] (Contributor, Author) commented Jan 31, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error: [Build fails during Poetry dependency installation]

• Error Category: Dependency/Version

• Failure Point: Poetry dependency resolution during the storage-controller build step

• Root Cause Analysis:
The build is failing due to version conflicts and incompatible dependencies in the Python packages. The issue appears after removing multiple dependencies that are likely required by Ray or other core components.

• Suggested Fix:

  1. Modify the poetry-build-storage-controller step to explicitly pin key dependencies:

       poetry add "ray==2.24.0" \
                 "aiohttp==3.10.11" \
                 "setuptools==70.0.0" \
                 "starlette==0.40.0" \
                 "jinja2==3.1.5" \
                 --no-interaction

  2. Add explicit dependencies that were being removed:

       poetry add "aiohappyeyeballs>=2.4.0" \
                 "aiohttp-cors>=0.7.0" \
                 "wrapt>=1.16.0" \
                 "opencensus>=0.11.4" \
                 "opencensus-context>=0.1.3" \
                 --no-interaction

• Explanation:
The dependency resolution is removing required packages because of version conflicts. By explicitly pinning versions and adding back required dependencies, we ensure the build environment has all necessary components while maintaining security fixes.

• Additional Notes:

  • Consider using poetry.lock file to ensure reproducible builds
  • Monitor CVE updates for Ray and its dependencies
  • May need to add more explicit dependencies if build still fails

• References:

Would you like me to provide a complete updated version of the poetry-build-storage-controller step?

octo-sts[bot] added the label ai/skip-comment (Stop AI from commenting on PR) on Jan 31, 2025
2 participants