feat(quality): add AI-assisted OSPS-QA-06.02 evaluation#346
Conversation
833cf87 to
ac70c26
Compare
27604ac to
ae28216
Compare
Kusari Analysis Results:Caution Flagged Issues Detected The code security analysis found zero issues across 10 files — no secrets, no workflow vulnerabilities, and no insecure code patterns. However, the dependency analysis identified a confirmed HIGH severity vulnerability (CVE-2026-50163, CVSS 3.1 High - AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) introduced via the privateer-sdk upgrade from v1.28.0 to v1.31.1. This upgrade pulls in oras.land/oras-go/v2 v2.6.1 as a transitive dependency, which contains a hardlink tar-extraction path escape flaw. A crafted OCI artifact layer can cause os.Link() to resolve against the process working directory rather than the intended extraction directory, potentially exposing sensitive files such as .env files, .git/config, and CI workspace credentials. Critically, no upstream fix is currently available — v2.6.1 is the latest release with fix_status confirmed as NO_FIX. The clean code scan does not reduce the dependency risk, as these are independent analyses. We strongly recommend addressing this before merging. Recommended actions: (1) Revert privateer-sdk to v1.28.0 until a patched version of oras-go is released and incorporated into privateer-sdk. (2) If the privateer-sdk upgrade is required for other reasons, assess whether your application invokes oras-go content.File extraction against untrusted OCI sources — if it does not, the practical risk may be lower, but the exposure remains. (3) Avoid any privateer-sdk APIs that trigger oras-go content.File extraction with io.deis.oras.content.unpack enabled against untrusted registry sources as a temporary mitigation. (4) Monitor the oras-project/oras-go repository for a patched release and update privateer-sdk to incorporate the fix as soon as one is available. Note View full detailed analysis result for more information on the output and the checks that were run. Required Dependency Mitigations
Found this helpful? Give it a 👍 or 👎 reaction! |
|
Kusari PR Analysis rerun based on - ae28216 performed at: 2026-07-09T17:04:52Z - link to updated analysis |
Implement AI-assisted assessment for OSPS-QA-06.02 (test execution documentation). When AI is configured, the step feeds README and CONTRIBUTING content to the model and records a structured verdict with evidence. Falls back gracefully to manual review when AI is unavailable. Updated to work with the TypedStep refactor (ossf#302) and SDK v1.28.0 bump (ossf#333). Changes: - Add TestExecutionDocumentation step with AI-assisted evaluation - Add testExecutionDocumentationEvidence to gather README/CONTRIBUTING - Add reusable_steps.AIFallback for generic AI degradation handling Signed-off-by: Vinaya Damle <vinayada1@users.noreply.github.com>
ae28216 to
eab9e8a
Compare
|
Kusari PR Analysis rerun based on - eab9e8a performed at: 2026-07-09T17:07:44Z - link to updated analysis |
|
@vinayada1 we merged the CVE fix and an sdk version with the fix also. Please rebase or merge main. |
Summary
Implements an AI-assisted evaluator for OSPS-QA-06.02 (documentation explains when and how tests are run), replacing the previous hard-coded
NeedsReviewstub.OSPS-QA-06.02to the newquality.TestExecutionDocumentationevaluator.sdkai.WritePacket), gated behind the SDK's double opt-in (config.Write+ai_write_evidence: true), with SDK-side redaction.Backward compatibility
Configis nil, the client is nil, orai_provider/ai_api_keyare missing, the evaluator returns the samegemara.NeedsReviewresult and message as the previous stub. All failure paths fall back to the sameNeedsReviewverdict.privateer-sdkv1.28.0 symbols (WritePacket,PacketAttempt,NewSanitizer,RedactPatterns,NewClientFromConfig).go.modalready pins v1.28.0, and Go's minimum version selection guarantees the floor at build time, so there is no silent old-SDK runtime risk.