STAC-25170 VEX agent Python 3.13.14 findings #22

Open
LouisLotter wants to merge 1 commit into main from STAC-25170-vex-agent-python-31314
@LouisLotter

Summary

Fixes STAC-25170.

The latest cve-reporter dev chart run reports the agent image as:

  • quay.io/stackstate/stackstate-k8s-agent:5bc56023
  • embedded Python PURL: pkg:generic/python@3.13.14
  • path: /opt/stackstate-agent/embedded/bin/python3.13

main already had reviewed OpenVEX statements for the same Python CVEs, but those statements were scoped to pkg:generic/python@3.13.13, so Grype correctly did not apply them to the new 3.13.14 package version.

This PR:

  • adds pkg:generic/python@3.13.14 subcomponents to the ten Python statements still reported by the scan;
  • adds/revises revalidation notes for stackstate-k8s-agent:5bc56023;
  • refreshes index.json with the repo generator.

CVEs Covered

  • CVE-2026-6100
  • CVE-2026-11940
  • CVE-2026-11972
  • CVE-2026-3298
  • CVE-2026-4786
  • CVE-2026-0864
  • CVE-2026-12003
  • CVE-2026-1502
  • CVE-2025-15366
  • CVE-2025-15367

Validation

  • python3 tools/build_index.py
  • python3 tools/build_index.py --check
  • python3 -m json.tool pkg/oci/stackstate-k8s-agent/scan.openvex.json >/dev/null
  • git diff --check
  • grype --platform linux/amd64 --vex pkg/oci/stackstate-k8s-agent/scan.openvex.json -o json quay.io/stackstate/stackstate-k8s-agent:5bc56023
    • all ten target Python findings moved to ignoredMatches;
    • none of the ten target Python findings remained in active matches.
  • trivy image --platform linux/amd64 --scanners vuln --vex pkg/oci/stackstate-k8s-agent/scan.openvex.json --show-suppressed --format json quay.io/stackstate/stackstate-k8s-agent:5bc56023
    • no active Trivy vulnerabilities were reported for this image.

@LouisLotter LouisLotter requested a review from a team as a code owner June 30, 2026 15:50
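
The scoping gap described in the summary (statements pinned to pkg:generic/python@3.13.13 not applying to 3.13.14) can be caught before a scan with a check like the following, an added example that is not part of this PR or the repository's tooling. The CVE ids and product `@id` are constructed placeholders and the function names are hypothetical; the check reads only `subcomponents` scoping, so a statement with no subcomponents is reported as missing.

```python
import json

# Constructed sample in the OpenVEX statement layout, trimmed to the fields
# this check reads. CVE ids and the product @id are placeholders.
SAMPLE_VEX = json.loads("""
{"statements": [
  {"vulnerability": {"name": "CVE-0000-0001"},
   "products": [{"@id": "pkg:oci/example-agent",
                 "subcomponents": [{"@id": "pkg:generic/python@3.13.13"}]}]},
  {"vulnerability": {"name": "CVE-0000-0002"},
   "products": [{"@id": "pkg:oci/example-agent",
                 "subcomponents": [{"@id": "pkg:generic/python@3.13.13"},
                                   {"@id": "pkg:generic/python@3.13.14"}]}]}
]}
""")

def split_purl(purl):
    """Split a PURL into (type/name, version), dropping qualifiers and subpath."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, "")

def subcomponent_coverage(vex, cves, scanned_purl):
    """Classify each CVE as 'covered', 'stale' (same package, other versions
    only) or 'missing' (no statement lists the package as a subcomponent)."""
    want_name, want_version = split_purl(scanned_purl)
    report = {}
    for cve in cves:
        seen = set()  # versions of the scanned package named for this CVE
        for stmt in vex.get("statements", []):
            if stmt.get("vulnerability", {}).get("name") != cve:
                continue
            for product in stmt.get("products", []):
                for sub in product.get("subcomponents", []):
                    name, version = split_purl(sub.get("@id", ""))
                    if name == want_name:
                        seen.add(version)
        state = "covered" if want_version in seen else "stale" if seen else "missing"
        report[cve] = (state, sorted(seen))
    return report

if __name__ == "__main__":
    cves = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]
    scanned = "pkg:generic/python@3.13.14"
    for cve, (state, versions) in subcomponent_coverage(SAMPLE_VEX, cves, scanned).items():
        print(f"{cve}: {state} {versions}")
```

A `stale` result is the situation this PR fixes: the statement exists and was reviewed, but its subcomponent version no longer matches the package the scanner reports.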