Update Tekton Pipelines advisories with multi-branch patch ranges#7575
Open
waveywaves wants to merge 3 commits into github:… from waveywaves/advisory-improvement-7575
Conversation
The five advisories below were each patched on April 21, 2026 across five maintained release branches (v1.0.x, v1.3.x, v1.6.x, v1.9.x, v1.11.x). The repository-level advisories list all five patched versions, but the entries here collapse them into a single "fixed in v1.11.1" range, which incorrectly tells dependency tools that users on older LTS branches (e.g., v1.6.2, v1.9.3) are still vulnerable.

Updated to use one OSV range per branch so each patched LTS version is recognized as fixed:

- GHSA-wjxp-xrpv-xpff (CVE-2026-40161) — Git resolver API token leak
- GHSA-94jr-7pqp-xhcq (CVE-2026-40938) — Git resolver argument injection RCE
- GHSA-rx35-6rhx-7858 (CVE-2026-40923) — VolumeMount path bypass
- GHSA-m2cx-gpqf-qf74 (CVE-2026-40924) — HTTP resolver DoS
- GHSA-rmx9-2pp3-xhcr (CVE-2026-25542) — VerificationPolicy regex bypass

Patched versions per branch: v1.0.2, v1.3.4, v1.6.2, v1.9.3, v1.11.1.

Source of truth: tektoncd/pipeline repository advisories at https://github.com/tektoncd/pipeline/security/advisories
Contributor
Pull request overview
This PR updates OSV advisory metadata for five Tekton Pipelines GHSA entries so that “fixed” versions are represented per maintained LTS branch rather than as a single collapsed fixed version, improving accuracy for downstream vulnerability tooling.
Changes:
- Split each advisory's single affected range into multiple `ECOSYSTEM` ranges, one per maintained LTS branch, with distinct `fixed` versions.
- Adjust `last_known_affected_version_range` metadata where present to reflect the revised ranges (but see comments for inconsistencies that need correction).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| advisories/github-reviewed/2026/04/GHSA-wjxp-xrpv-xpff/GHSA-wjxp-xrpv-xpff.json | Adds multi-range per-branch fixed events and adds per-package last_known_affected_version_range. |
| advisories/github-reviewed/2026/04/GHSA-94jr-7pqp-xhcq/GHSA-94jr-7pqp-xhcq.json | Replaces the single range with multiple per-branch ranges. |
| advisories/github-reviewed/2026/04/GHSA-rx35-6rhx-7858/GHSA-rx35-6rhx-7858.json | Replaces the single range with multiple per-branch ranges and updates last_known_affected_version_range. |
| advisories/github-reviewed/2026/04/GHSA-m2cx-gpqf-qf74/GHSA-m2cx-gpqf-qf74.json | Replaces the single range with multiple per-branch ranges and updates last_known_affected_version_range. |
| advisories/github-reviewed/2026/04/GHSA-rmx9-2pp3-xhcr/GHSA-rmx9-2pp3-xhcr.json | Replaces the single range with multiple per-branch ranges (final fixed now 1.11.1). |
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 1.11.0" | ||
| "last_known_affected_version_range": "<= 1.10.0" |
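Review bot: the replacement value `<= 1.10.0` on the last line of this hunk contradicts the v1.11.x range this same PR introduces (`introduced 1.10.0`, `fixed 1.11.1`), under which 1.11.0 is still affected; keep the hint at `<= 1.11.0`. Any consumer that reads `database_specific` instead of replaying the `events` would otherwise treat 1.11.0 as unaffected, which is the same under-reporting problem in the other direction.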
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 1.11.0" | ||
| "last_known_affected_version_range": "<= 1.10.0" |
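Review bot: same regression as the previous file: `<= 1.11.0` is replaced with `<= 1.10.0` although the final range in this file fixes at 1.11.1 and therefore still covers 1.11.0. Rather than hand-editing the hint in each of the five files, derive it once from the highest `fixed` event (a `fixed` x.y.z patch release implies last affected x.y.(z-1)) and apply the same value everywhere, so the hint cannot drift from the ranges again.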
Comment on lines +80 to +82
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 1.10.0" | ||
| } |
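Review bot: the `database_specific` block added here carries `<= 1.10.0`, which is inconsistent with the range (`introduced 1.10.0`, `fixed 1.11.1`) that precedes it in the same file; the highest affected release under that range is 1.11.0, so the hint should read `<= 1.11.0`. Since the block is inserted directly after the `],` that closes `ranges`, also confirm the file still parses as JSON and that `database_specific` sits inside the `affected[]` entry as a sibling of `ranges`, which is where the schema places it.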
- GHSA-wjxp-xrpv-xpff, GHSA-rx35-6rhx-7858, GHSA-m2cx-gpqf-qf74: bump last_known_affected_version_range from <= 1.10.0 to <= 1.11.0 to match the final OSV range (introduced 1.10.0, fixed 1.11.1) which includes v1.11.0 as affected.
- GHSA-rmx9-2pp3-xhcr: update release-tag reference from v1.11.0 to v1.11.1 so the cited patched release matches the revised fixed version in the v1.11.x range.
Contributor
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
Comment on lines 27 to +32
| { | ||
| "introduced": "1.0.0" | ||
| }, | ||
| { | ||
| "last_affected": "1.10.0" | ||
| "fixed": "1.0.2" | ||
| } |
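Review bot: swapping `last_affected: 1.10.0` for `fixed: 1.0.2` changes this first range from an inclusive upper bound to an exclusive one, so every version from 1.0.2 upward is now unaffected unless a later range reopens it. Confirm that the next range's `introduced` is the first release after the 1.0.x line and not the next LTS minor; otherwise the non-LTS minors between the two branches fall into no range and are reported as not vulnerable, the opposite of the misreporting this PR sets out to fix.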
Comment on lines +69 to +82
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "1.10.0" | ||
| }, | ||
| { | ||
| "fixed": "1.11.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 1.11.0" | ||
| } |
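Review bot: this is the one file where the hint and the events agree: `introduced 1.10.0` / `fixed 1.11.1` leaves 1.11.0 as the last affected release, matching `<= 1.11.0`. The other four files end with the same range shape but carry `<= 1.10.0`; align them to this value. Since the per-branch `fixed` events now encode every patched version, the narrative `details` text of each advisory (its 'Patches' and 'Affected Versions' sections) should list the same five versions so the prose and the machine-readable ranges cannot contradict each other.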
Comment on lines 27 to +32
| { | ||
| "introduced": "1.0.0" | ||
| }, | ||
| { | ||
| "fixed": "1.0.2" | ||
| } |
Comment on lines 27 to +32
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.0.2" | ||
| } |
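Review bot: `introduced: "0"` with `fixed: 1.0.2` declares every release before 1.0.2, including all 0.x releases, vulnerable. That may be intended, but a sibling advisory in this PR uses `introduced: 0.43.0` for its first range, so check the upstream advisory for the version in which this issue first appeared and use it here if it is known; OSV reserves the `0` lower bound for the case where the introducing version is genuinely unknown.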
Comment on lines 27 to +32
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.0.2" | ||
| } |
Comment on lines 27 to +32
| { | ||
| "introduced": "0.43.0" | ||
| }, | ||
| { | ||
| "fixed": "1.11.0" | ||
| "fixed": "1.0.2" | ||
| } |
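Review bot: the removed line was `fixed: 1.11.0`, so this advisory (presumably GHSA-rmx9-2pp3-xhcr, the file the review summary marks as "final fixed now 1.11.1") previously declared 1.11.0 patched. Ending the new v1.11.x range at `fixed: 1.11.1` flips 1.11.0 from fixed to affected. That is correct only if the upstream advisory's `patched_versions` really lists v1.11.1 rather than v1.11.0; confirm it before merging, and update the release-tag entry under `references` so the cited tag and the `fixed` event agree.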
- All five advisories: bump 'modified' to 2026-05-04T16:00:00Z so downstream consumers (Dependabot, OSV mirrors, etc.) detect the multi-range update per OSV schema requirements.
- GHSA-wjxp-xrpv-xpff: refresh the narrative 'details' field so it no longer contradicts the OSV ranges:
  * 'Patches' section now lists v1.0.2, v1.3.4, v1.6.2, v1.9.3, v1.11.1 (was 'to be filled in after fix is merged and released').
  * 'Affected Versions' updated from 'v1.0.0 through v1.10.0' to 'v1.0.0 through v1.11.0' to match the v1.11.0-affected/v1.11.1-fixed range.
Summary
Five Tekton Pipelines advisories published April 21, 2026 are missing per-branch patch information in the global advisory database. Each was actually patched across five maintained LTS branches (v1.0.x, v1.3.x, v1.6.x, v1.9.x, v1.11.x), but the OSV entries here collapse the fix into a single `fixed: 1.11.1` event. This causes dependency tooling (Dependabot, Snyk, etc.) to incorrectly flag users on patched LTS releases (e.g., v1.6.2, v1.9.3) as still vulnerable.
Changes
For each of the five advisories, replaced the single OSV range with multiple ranges — one per maintained LTS branch — so each patched version is recognized as fixed:
Each advisory now has five ranges with the following patched versions:
Verification
The patched versions can be verified directly from the upstream tags. The fix commit `fix: limit HTTP resolver response body size to prevent OOM DoS` (and four similar same-day backport commits for the other CVEs) is present in all five tags:
```
v1.0.2: 0869f07e2
v1.3.4: 854515f61
v1.6.2: c9eef1179
v1.9.3: 87a401f74
v1.11.1: db61c71c6
```
Source of Truth
These changes match the patched_versions field on the corresponding repository-level advisories at https://github.com/tektoncd/pipeline/security/advisories — the global database simply hadn't synced the per-branch patch list.
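As an added example (not code from the PR author or from the advisory-database project): a small OSV range evaluator that replays `introduced`/`fixed`/`last_affected` events the way a dependency scanner does, showing why the collapsed `fixed: 1.11.1` range flags v1.6.2 and v1.9.3 as vulnerable while the per-branch split clears them, together with a check of GHSA's `database_specific.last_known_affected_version_range` hint against the events (the inconsistency the review comments above raise). The first and last branch ranges follow the PR hunks; the `introduced` values for the v1.3.x, v1.6.x and v1.9.x ranges and the release-tag list are constructed assumptions.

```python
"""Replay OSV ECOSYSTEM ranges for the Tekton Pipelines advisories in this PR.

Added example, not code from the PR or the advisory-database repo. Patched
versions follow the PR description; the 'introduced' values of the three
middle branches and the tag list are constructed assumptions.
"""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    """Tekton tags are MAJOR.MINOR.PATCH with an optional leading 'v'."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def range_affects(events: list[dict[str, str]], version: str) -> bool:
    """OSV event semantics for one range.

    Events are listed in ascending version order. 'introduced' opens an affected
    interval, 'fixed' closes it exclusively, 'last_affected' closes it inclusively.
    The special value '0' means 'from the very first release'.
    """
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or parse_version(ev["introduced"]) <= v:
                affected = True
        elif "fixed" in ev:
            if parse_version(ev["fixed"]) <= v:
                affected = False
        elif "last_affected" in ev:
            if parse_version(ev["last_affected"]) < v:
                affected = False
    return affected


def affected_by(ranges: list[dict], version: str) -> bool:
    """A version is affected if any ECOSYSTEM range of the advisory covers it."""
    return any(range_affects(r["events"], version)
               for r in ranges if r.get("type") == "ECOSYSTEM")


def hint_problems(ranges: list[dict], hint: str, known_tags: list[str]) -> list[str]:
    """Compare GHSA's '<= X' hint with the events.

    The bound itself must be affected, and no known release above the bound may
    be affected; each violation is returned as a finding.
    """
    bound = hint.replace("<=", "").strip()
    problems = []
    if not affected_by(ranges, bound):
        problems.append(f"hint bound {bound} is not affected by any range")
    for tag in known_tags:
        if parse_version(tag) > parse_version(bound) and affected_by(ranges, tag):
            problems.append(f"{tag} is affected but lies above hint {hint}")
    return problems


def ecosystem_range(introduced: str, fixed: str) -> dict:
    return {"type": "ECOSYSTEM",
            "events": [{"introduced": introduced}, {"fixed": fixed}]}


# Before the PR: one collapsed range, as described in the PR summary.
COLLAPSED_RANGES = [ecosystem_range("1.0.0", "1.11.1")]

# After the PR: one range per maintained branch. Only 1.0.0 and 1.10.0 appear in
# the hunks; the other 'introduced' values are constructed assumptions (the first
# minor after the previous LTS line).
PER_BRANCH_RANGES = [
    ecosystem_range("1.0.0", "1.0.2"),
    ecosystem_range("1.1.0", "1.3.4"),
    ecosystem_range("1.4.0", "1.6.2"),
    ecosystem_range("1.7.0", "1.9.3"),
    ecosystem_range("1.10.0", "1.11.1"),
]

# Constructed sample of release tags used by the hint check.
KNOWN_TAGS = ["1.0.0", "1.0.1", "1.0.2", "1.2.0", "1.3.3", "1.3.4", "1.6.1",
              "1.6.2", "1.9.2", "1.9.3", "1.10.0", "1.11.0", "1.11.1"]


def compare(versions: list[str]) -> dict[str, tuple[bool, bool]]:
    """Per version: (verdict under the collapsed range, verdict per branch)."""
    return {v: (affected_by(COLLAPSED_RANGES, v), affected_by(PER_BRANCH_RANGES, v))
            for v in versions}


if __name__ == "__main__":
    for v, (before, after) in compare(["1.0.2", "1.6.1", "1.6.2", "1.9.3",
                                       "1.11.0", "1.11.1"]).items():
        print(f"{v:>7}  collapsed={before!s:5}  per-branch={after}")
    print("hint '<= 1.10.0':", hint_problems(PER_BRANCH_RANGES, "<= 1.10.0", KNOWN_TAGS))
    print("hint '<= 1.11.0':", hint_problems(PER_BRANCH_RANGES, "<= 1.11.0", KNOWN_TAGS))
```

Running it prints the before/after verdict for each sample version; `hint_problems` returns an empty list only when the hint's bound is itself affected and no known tag above it is, which is exactly the condition the `<= 1.10.0` hints in this PR fail once the v1.11.x range ends at 1.11.1.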