
fix: protobuf<6.32 for s390x builds to pass#133

Merged
openshift-merge-bot[bot] merged 2 commits into
opendatahub-io:mainfrom
dryszka:fix-build-s390x-pipelines-components
Jun 16, 2026

Conversation

@dryszka

@dryszka dryszka commented Jun 16, 2026


Description of your changes:

Checklist:

Pre-Submission Checklist

Additional Checklist Items for New or Updated Components/Pipelines

  • metadata.yaml includes fresh lastVerified timestamp
  • All required files
    are present and complete
  • OWNERS file lists appropriate maintainers
  • README provides clear documentation with usage examples
  • Component follows snake_case naming convention
  • No security vulnerabilities in dependencies
  • Containerfile included if using a custom base image

Summary by CodeRabbit

  • Chores
    • Updated runtime dependencies for improved compatibility and stability
    • Removed version upper bounds on key dependencies to support newer releases
    • Updated protocol buffer handling configuration for better runtime behavior

dryszka added 2 commits June 16, 2026 13:30
Signed-off-by: Daniel Ryszka <dryszka@redhat.com>
Signed-off-by: Daniel Ryszka <dryszka@redhat.com>
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

📝 Walkthrough

protobuf is downgraded from 6.33.6 to 6.31.1 in requirements.txt with updated SHA256 hashes, and capped at <6.32 in pyproject.toml. The <2.17 upper bound is removed from both kfp and kfp-kubernetes in pyproject.toml. The Dockerfile gains ENV PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python to force the pure-Python protobuf implementation at runtime.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


requirements.txt — CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

The hash pinning for protobuf==6.31.1 must be verified against PyPI's published checksums independently. A downgrade from 6.33.6 to 6.31.1 narrows the window of applied upstream security patches — confirm no CVEs exist between these two releases in the protobuf advisory history.

pyproject.toml — CWE-1395 (Dependency on Vulnerable Third-Party Component)

Removing the <2.17 cap on kfp and kfp-kubernetes opens the resolver to any future >=2.16.1 release, including unvetted versions. This is an unbounded supply chain surface. The protobuf<6.32 constraint is consistent with the requirements.txt downgrade but must not be the only control; hash pinning in requirements.txt is the authoritative lockfile and must stay in sync.

Dockerfile.konflux.pipelines-components — CWE-913 (Improper Control of Dynamically-Managed Code Resources)

PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python disables the C extension and forces the pure-Python implementation. This is a deliberate compatibility workaround, but it silently bypasses any native-extension integrity checks that would otherwise be enforced by the compiled upb backend. Verify this env var is intentional and not a mask for a broken native extension installation.

🚥 Pre-merge checks | ✅ 8 | ❌ 2

❌ Failed checks (2 warnings)

  • Contribution Quality And Spam Detection: ⚠️ Warning
    Explanation: PR downgrades protobuf to 6.31.1 (CVE-2026-0994 vulnerable per GHSA-7gcm-g887-7qv7) without security justification. Empty PR description with only unchecked template boxes. Claimed s390x fix is une...
    Resolution: Upgrade protobuf to 6.33.5+ (fixes CVE-2026-0994), document s390x issue link, provide threat model for ENV variable addition, complete PR description.
  • Description check: ⚠️ Warning
    Explanation: Pull request lacks substantive description of changes. Only template checklist is present without explanation of protobuf pinning, s390x compatibility issue, or rationale for version constraints.
    Resolution: Add detailed description explaining: why protobuf is pinned to <6.32, which s390x build failures are being fixed, impact of kfp/kfp-kubernetes version constraint changes, and any testing performed on s390x architecture.

✅ Passed checks (8 passed)

  • Title check: ✅ Passed
    Explanation: Title clearly indicates a bug fix targeting s390x builds with a specific protobuf version constraint, directly matching the primary change in the PR.
  • Linked Issues check: ✅ Passed
    Explanation: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed
    Explanation: Check skipped because no linked issues were found for this pull request.
  • No Hardcoded Secrets: ✅ Passed
    Explanation: No hardcoded secrets, API keys, tokens, passwords, private keys, credentials, or suspicious base64 strings found in modified files. Only public configuration, package names/versions, verifiable SHA...
  • No Weak Cryptography: ✅ Passed
    Explanation: No weak cryptographic primitives (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in PR changes.
  • No Injection Vectors: ✅ Passed
    Explanation: No code-level injection vectors (CWE-78/79/89/94/502) detected. Changes are purely dependency/configuration updates with hash verification in requirements.txt.
  • No Privileged Containers: ✅ Passed
    Explanation: No privileged container configurations detected. Both Dockerfiles properly drop privileges post-setup, switching to non-root USER 1001. No Kubernetes/Helm manifests with privileged settings, hostPI...
  • No Sensitive Data In Logs: ✅ Passed
    Explanation: PR modifies only configuration files (Dockerfile, pyproject.toml, requirements.txt) containing dependency constraints and environment variables; no logging statements present.

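The CodeRabbit comment above asks that the protobuf hash pins be verified against PyPI's published checksums independently, and that the pinned set actually supports the s390x build the PR targets. The script below is an added example of how a reviewer can do that offline; it is not code from the opendatahub-io/pipelines-components repository or from CodeRabbit. It assumes PyPI's per-version JSON document (https://pypi.org/pypi/<project>/<version>/json) lists the release's files under `urls`, each with `filename` and `digests.sha256`; the release list and the requirements fragment embedded in it are constructed sample data with placeholder digests, not protobuf's real files or hashes.

```python
"""Audit a hash-pinned requirements.txt entry against a PyPI release file list.

Added example for this review, not code from the opendatahub-io/pipelines-components
repository or from CodeRabbit. It parses pip's `pkg==ver --hash=sha256:... \\`
layout, maps every pinned digest to the distribution file that carries it in a
PyPI per-version JSON document (the `urls` array, each entry with `filename`
and `digests.sha256`), and reports whether the pinned set can install on a
given platform tag at all. All data below is CONSTRUCTED: the digests are
SHA-256 of the file names, not protobuf's real hashes, so the script runs offline.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)")


def fake_digest(filename: str) -> str:
    """Placeholder digest for the constructed sample data (NOT a real PyPI hash)."""
    return hashlib.sha256(filename.encode()).hexdigest()


# Constructed stand-in for the `urls` array of a PyPI per-version document.
SAMPLE_RELEASE_FILES = [
    {"filename": f, "digests": {"sha256": fake_digest(f)}}
    for f in (
        "protobuf-6.31.1.tar.gz",
        "protobuf-6.31.1-py3-none-any.whl",
        "protobuf-6.31.1-cp39-abi3-manylinux2014_x86_64.whl",
        "protobuf-6.31.1-cp39-abi3-manylinux2014_aarch64.whl",
        "protobuf-6.31.1-cp39-abi3-manylinux2014_s390x.whl",
    )
]

# Constructed requirements fragment in pip's hash-pinned layout: two wheel
# digests plus one digest that matches no file in the release (stale or mistyped).
SAMPLE_REQUIREMENTS = (
    "kfp==2.16.1 \\\n"
    f"    --hash=sha256:{fake_digest('kfp-2.16.1-py3-none-any.whl')}\n"
    "protobuf==6.31.1 \\\n"
    f"    --hash=sha256:{fake_digest('protobuf-6.31.1-cp39-abi3-manylinux2014_x86_64.whl')} \\\n"
    f"    --hash=sha256:{fake_digest('protobuf-6.31.1-cp39-abi3-manylinux2014_aarch64.whl')} \\\n"
    f"    --hash=sha256:{'0' * 64}\n"
)


def parse_pinned_requirements(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {project: (version, [sha256, ...])} for every `==` pin.
    Backslash continuations are joined first so multi-line --hash blocks parse."""
    pins: Dict[str, Tuple[str, List[str]]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = (m.group(2), HASH_RE.findall(line))
    return pins


def match_hashes(hashes: List[str], release_files: List[dict]) -> Tuple[Dict[str, str], List[str]]:
    """Map each pinned digest to its release file; digests matching nothing come back separately."""
    by_digest = {f["digests"]["sha256"]: f["filename"] for f in release_files}
    matched = {h: by_digest[h] for h in hashes if h in by_digest}
    unknown = [h for h in hashes if h not in by_digest]
    return matched, unknown


def covers_platform(filenames: Iterable[str], platform_tag: str) -> bool:
    """pip --require-hashes installs only files whose digest is listed, so a
    platform is covered only by a pinned wheel for that tag or a pinned
    pure-Python (py3-none-any) wheel. The sdist is not counted: it needs a toolchain."""
    return any(platform_tag in f or f.endswith("-py3-none-any.whl") for f in filenames)


def audit_pin(requirements_text: str, project: str, release_files: List[dict], platform_tag: str) -> dict:
    """Cross-check one project's pin and say whether `platform_tag` can install it."""
    version, hashes = parse_pinned_requirements(requirements_text)[project]
    matched, unknown = match_hashes(hashes, release_files)
    all_files = {f["filename"] for f in release_files}
    return {
        "version": version,
        "pinned_files": sorted(matched.values()),
        "unpinned_files": sorted(all_files - set(matched.values())),
        "unknown_hashes": unknown,
        "platform_covered": covers_platform(matched.values(), platform_tag),
    }


if __name__ == "__main__":
    for tag in ("manylinux2014_x86_64", "manylinux2014_s390x"):
        report = audit_pin(SAMPLE_REQUIREMENTS, "protobuf", SAMPLE_RELEASE_FILES, tag)
        print(tag, "covered" if report["platform_covered"] else "NOT covered", report)
```

Against a real lockfile, replace `SAMPLE_RELEASE_FILES` with the `urls` array fetched from the per-version endpoint and `SAMPLE_REQUIREMENTS` with the file contents; an `unknown_hashes` entry means a digest PyPI does not publish for that version, and `platform_covered` false for `manylinux2014_s390x` means the hash-pinned install cannot succeed on s390x regardless of which protobuf implementation the runtime is told to use.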

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@requirements.txt`:
- Around line 55-59: Update the protobuf package pinning in requirements.txt
from version 6.31.1 to 6.33.5 to address the security vulnerability
GHSA-7gcm-g887-7qv7. Replace the current version number and all four associated
SHA256 hashes (the lines starting with --hash=sha256:) with the updated hashes
for protobuf 6.33.5. You can regenerate these hashes by running pip install
--require-hashes protobuf==6.33.5 or by verifying the official PyPI records for
version 6.33.5.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6b91dcf9-a9bd-4da4-a05f-4cf00844155e

📥 Commits

Reviewing files that changed from the base of the PR and between bb0a9e3 and 8c81c54.

📒 Files selected for processing (3)
  • Dockerfile.konflux.pipelines-components
  • pyproject.toml
  • requirements.txt

Comment thread requirements.txt
Comment on lines +55 to +59
protobuf==6.31.1 \
--hash=sha256:70d33f7dab888a6a41feb47d670fa1e70310e5142acb2e2284aa697932a78d44 \
--hash=sha256:de5ee2e1edaecb6ba391e9dc4f613072b3a655d82e3a20e70323c1ffb78b36dc \
--hash=sha256:ec92169112b71242b25b5a38b96e9536523783c675fbd2acbed1d599439ea674 \
--hash=sha256:f53a7d0fd79e44bb14cd95782cad2e0542a1915af35bfa09af9a86d12e465756
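Review bot: the four --hash entries on lines 56-59 are not annotated with the distribution file each digest covers, so the hunk does not show whether an s390x-installable file (an s390x wheel, or the pure-Python py3-none-any wheel, which is all the image needs once PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python is forced in the Dockerfile) is among them. pip's --require-hashes mode refuses any file whose digest is not listed, so a missing s390x or universal wheel would make exactly the s390x install this PR is meant to fix fail. Add a trailing comment per digest naming its file, and, since the OSV Scanner result in this thread flags 6.31.1 for GHSA-7gcm-g887-7qv7 while the walkthrough says the previous pin was 6.33.6, state in the PR description why the s390x build needs the downgrade rather than a pin within the 6.33.x line.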


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For GHSA-7gcm-g887-7qv7 affecting python protobuf, what is the first patched version in the 6.x line, and does it remain compatible with kfp==2.16.1 / kfp-kubernetes==2.16.1?

💡 Result:

The first patched version of the python protobuf package in the 6.x line for vulnerability GHSA-7gcm-g887-7qv7 (also tracked as CVE-2026-0994) is 6.33.5 [1][2]. Regarding compatibility, kfp==2.16.1 and kfp-kubernetes==2.16.1 explicitly require protobuf to be in the range >=6.31.1 and <7.0 [3][4][5]. Since 6.33.5 falls within this defined constraint range (6.31.1 <= 6.33.5 < 7.0), it is compatible with kfp==2.16.1 and kfp-kubernetes==2.16.1 [3][4][5].

🌐 Web query:

protobuf 6.33.5 SHA256 hashes PyPI package

💡 Result:

The SHA256 hashes for the protobuf 6.33.5 package on PyPI are documented in various dependency lockfiles [1][2][3]. The following hashes correspond to the distribution files for this version: Source distribution: - protobuf-6.33.5.tar.gz: 6ddcac2a081f8b7b9642c09406bc6a4290128fce5f471cddd165960bb9119e5c [2][3] Wheel distributions: - protobuf-6.33.5-py3-none-any.whl: 69915a973dd0f60f31a08b8318b73eab2bd6a392c79184b3612226b0a3f8ec02 [2][3] - protobuf-6.33.5-cp310-abi3-win32.whl: d71b040839446bac0f4d162e758bea99c8251161dae9d0983a3b88dee345153b [2][3] - protobuf-6.33.5-cp310-abi3-win_amd64.whl: 3093804752167bcab3998bec9f1048baae6e29505adaf1afd14a37bddede533c [2][3] - protobuf-6.33.5-cp39-abi3-macosx_10_9_universal2.whl: a5cb85982d95d906df1e2210e58f8e4f1e3cdc088e52c921a041f9c9a0386de5 [2][3] - protobuf-6.33.5-cp39-abi3-manylinux2014_aarch64.whl: 9b71e0281f36f179d00cbcb119cb19dec4d14a81393e5ea220f64b286173e190 [2][3] - protobuf-6.33.5-cp39-abi3-manylinux2014_s390x.whl: 8afa18e1d6d20af15b417e728e9f60f3aa108ee76f23c3b2c07a2c3b546d3afd [2][3] - protobuf-6.33.5-cp39-abi3-manylinux2014_x86_64.whl: cbf16ba3350fb7b889fca858fb215967792dc125b35c7976ca4818bee3521cf0 [2][3] - protobuf-6.33.5-cp39-cp39-win32.whl: a3157e62729aafb8df6da2c03aa5c0937c7266c626ce11a278b6eb7963c4e37c [2][3] - protobuf-6.33.5-cp39-cp39-win_amd64.whl: 8f04fa32763dcdb4973d537d6b54e615cc61108c7cb38fe59310c3192d29510a [2][3]

🏁 Script executed:

#!/bin/bash
# Verify protobuf 6.33.5 hashes from the official PyPI JSON API.
# The per-version endpoint lists that release's files under `.urls`, each
# carrying `filename` and `digests.sha256`; there is no `.releases."6.33.5"`
# path or `.hashes` field there, which is why the original query printed nothing.
curl -s "https://pypi.org/pypi/protobuf/6.33.5/json" \
  | jq -r '.urls[] | "\(.filename): \(.digests.sha256)"' 2>/dev/null | head -20

Repository: opendatahub-io/pipelines-components

Length of output: 61


Upgrade protobuf to 6.33.5 to fix GHSA-7gcm-g887-7qv7 (CVE-2026-0994).

Line 55 pins protobuf==6.31.1, affected by JSON recursion-depth bypass (CWE-674). Upgrade to 6.33.5, which is compatible with kfp==2.16.1 and kfp-kubernetes==2.16.1 (constraints: >=6.31.1, <7.0).

Updated dependency with hashes
-protobuf==6.31.1 \
-    --hash=sha256:70d33f7dab888a6a41feb47d670fa1e70310e5142acb2e2284aa697932a78d44 \
-    --hash=sha256:de5ee2e1edaecb6ba391e9dc4f613072b3a655d82e3a20e70323c1ffb78b36dc \
-    --hash=sha256:ec92169112b71242b25b5a38b96e9536523783c675fbd2acbed1d599439ea674 \
-    --hash=sha256:f53a7d0fd79e44bb14cd95782cad2e0542a1915af35bfa09af9a86d12e465756
+protobuf==6.33.5 \
+    --hash=sha256:69915a973dd0f60f31a08b8318b73eab2bd6a392c79184b3612226b0a3f8ec02 \
+    --hash=sha256:cbf16ba3350fb7b889fca858fb215967792dc125b35c7976ca4818bee3521cf0 \
+    --hash=sha256:8afa18e1d6d20af15b417e728e9f60f3aa108ee76f23c3b2c07a2c3b546d3afd \
+    --hash=sha256:9b71e0281f36f179d00cbcb119cb19dec4d14a81393e5ea220f64b286173e190
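Review bot: the four replacement digests on the + lines are, per the web-query result above, those of the py3-none-any, manylinux2014_x86_64, manylinux2014_s390x and manylinux2014_aarch64 wheels, and they were sourced from third-party lockfiles rather than PyPI: the verification script that followed produced 61 bytes of output, so none of them was confirmed against pypi.org before being proposed. Do not commit them as-is. Regenerate them with a tool that emits hashes (pip-compile --generate-hashes, or pip download followed by pip hash) rather than `pip install --require-hashes protobuf==6.33.5`, which only checks hashes already present in the requirements and will refuse to install without them. Note also that the replacement set drops the sdist digest, so any platform without one of the four listed wheels fails at install time instead of falling back to a source build; that is acceptable for a hash-pinned container image, but it should be stated alongside the pin.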

Regenerate hashes via pip install --require-hashes protobuf==6.33.5 or verify against official PyPI records.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 55-55: protobuf 6.31.1: protobuf affected by a JSON recursion depth bypass

(GHSA-7gcm-g887-7qv7)


Sources: Coding guidelines, Linters/SAST tools

@dryszka

dryszka commented Jun 16, 2026

Author

/ok-to-test

@LukaszCmielowski


/lgtm

@LukaszCmielowski


/approve

@openshift-ci

openshift-ci Bot commented Jun 16, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LukaszCmielowski

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit b3cd7ef into opendatahub-io:main Jun 16, 2026
27 of 28 checks passed

2 participants