This is an automated email from the ASF dual-hosted git repository.
kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg.git
The following commit(s) were added to refs/heads/main by this push:
new 8e7ab3c881 CI: Make CVE scan blocking on PRs, informational on main
(#16287)
8e7ab3c881 is described below
commit 8e7ab3c881391487d3676fe31f53077e78f6375b
Author: Kevin Liu <[email protected]>
AuthorDate: Tue May 19 20:09:09 2026 -0400
CI: Make CVE scan blocking on PRs, informational on main (#16287)
---
.../spark-runtime-3.4_2.12.trivyignore | 29 ++++++++++++++++++++++
.github/workflows/cve-scan.yml | 22 ++++++++++------
2 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/.github/trivyignores/spark-runtime-3.4_2.12.trivyignore
b/.github/trivyignores/spark-runtime-3.4_2.12.trivyignore
new file mode 100644
index 0000000000..c6ba9b1806
--- /dev/null
+++ b/.github/trivyignores/spark-runtime-3.4_2.12.trivyignore
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# CVE ignore list for spark-runtime-3.4_2.12.
+#
+# Each entry: CVE ID, optional expiry (`exp:YYYY-MM-DD`), and rationale.
+# Format reference:
https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore
+
+# CVE-2025-52999 — jackson-core 2.14.2 StackoverflowError on deeply-nested
input.
+# Pinned by Spark 3.4 runtime compatibility (Spark 3.4 ships jackson 2.14).
+# Spark 3.4 support is being removed from Iceberg in the near term; track the
+# removal and drop this file when the spark-runtime-3.4 module goes away.
+CVE-2025-52999
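Review bot: The entry on the last line carries no `exp:` date even though the header comment two paragraphs up says each entry has an optional expiry, so nothing will force this suppression to be revisited once Spark 3.4 is removed or jackson is bumped. Trivy honours an expiry after the ID, so `CVE-2025-52999 exp:<PLACEHOLDER-DATE>` (placeholder; use the expected Spark 3.4 removal date) would turn the ignore back into a finding automatically instead of relying on someone remembering to delete the file. The rationale already names the pinned artifact version (jackson-core 2.14.2), which is what a later reviewer needs to judge whether the ignore still applies.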
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
index 875efa48f4..c27123958b 100644
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -27,22 +27,27 @@ on:
- '2.*'
tags:
- 'apache-iceberg-**'
+ pull_request:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: false
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
# ------------------------------------------------------------------
# Trivy CVE scan — scans bundled jars for known vulnerabilities.
#
- # Runs on push to main/release branches only (not PRs). Results are
- # uploaded as SARIF to the GitHub Security tab for ongoing tracking.
- # The scan is informational and does not block the build.
+ # Behaviour:
+ # - On PRs: the scan blocks CI if CVEs are found (exit-code 1).
+ # SARIF upload is skipped because GitHub's Security tab only
+ # accepts results from default/protected branches.
+ # - On push to main/release branches: the scan is informational
+ # (exit-code 0) and results are uploaded as SARIF to the GitHub
+ # Security tab for ongoing tracking.
# ------------------------------------------------------------------
cve-scan:
runs-on: ubuntu-24.04
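Review bot: The rewritten "Behaviour" comment explains when the scan blocks but not what a contributor should do when a PR is blocked by a CVE newly published against a dependency the PR does not touch, which is the common case once the scan is blocking. Since the commit also introduces per-distribution ignore files (the `trivyignores:` matrix key and `.github/trivyignores/` in the later hunks), the comment would be more useful with a third bullet such as `#   - A finding in a dependency a PR cannot change is suppressed via the distribution's file under .github/trivyignores/ (CVE ID, exp: date, rationale).`. The `pull_request:` trigger also has no `branches` or `paths` filter, so every PR runs the full set of runtime builds; that may well be intended, but it is worth stating in the same comment.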
@@ -77,6 +82,7 @@ jobs:
:iceberg-spark:iceberg-spark-runtime-3.4_2.12:shadowJar
scan-path: spark/v3.4/spark-runtime/build/libs
unpack: false
+ trivyignores: .github/trivyignores/spark-runtime-3.4_2.12.trivyignore
- distribution: spark-runtime-3.5_2.12
build-task: >-
-DsparkVersions=3.5
@@ -126,7 +132,7 @@ jobs:
with:
distribution: zulu
java-version: 21
- - uses:
gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 #
zizmor: ignore[cache-poisoning] -- cache writes are restricted to the default
branch by setup-gradle
+ - uses:
gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
# Read-only: small job; restore opportunistically from other jobs'
caches but never write.
cache-read-only: true
@@ -151,7 +157,9 @@ jobs:
scanners: 'vuln'
severity: 'HIGH,CRITICAL'
limit-severities-for-sarif: true
- exit-code: '0'
+ trivyignores: ${{ matrix.trivyignores || '' }}
+ # Block PRs on CVE findings; on main/release branches report without
failing
+ exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Print Trivy scan results
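Review bot: The new `trivyignores:` input is applied on every event, so an accepted CVE such as the one in the new Spark 3.4 ignore file is also filtered out of the SARIF produced on `push`, and the Security tab will no longer show it even though the header comment describes the push-side scan as "ongoing tracking". If the intent is to keep accepted CVEs visible on main and only stop them from blocking PRs, the ignore list could be passed for PR runs alone: `trivyignores: ${{ github.event_name == 'pull_request' && matrix.trivyignores || '' }}`. If suppressing them everywhere is deliberate, the comment above `exit-code` should say so, since the two readings lead to different expectations about what the Security tab contains. The enclosing Trivy step starts above this hunk.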
@@ -164,7 +172,7 @@ jobs:
echo "No SARIF file found — scan may have failed to install."
fi
- name: Upload Trivy results to GitHub Security tab
- if: always()
+ if: always() && github.event_name == 'push'
uses:
github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e #
v4.35.4
with:
sarif_file: 'trivy-results.sarif'