Skip to content

Security(M-06): inconsistent software inventory with no dependency/vuln/SBOM gate #174

Description

@dcmcand

Summary

The software inventory is inconsistent across the parent chart, the pinned subchart, and the two custom images, and no workflow gates on advisory analysis, image scanning, SBOM policy, or a subchart/image compatibility matrix. The recent appVersion change did not resolve the underlying mismatch.

Severity: Medium · CWE-1104 (Use of Unmaintained Third-Party Components)
Validation: Confirmed against HEAD f932d80 on 2026-07-14 (partially changed since 69c84f7, see below).

Evidence

Version spread (all verified at HEAD):

  • Parent Chart.yaml:7 appVersion: "5.4.3" (was 1.0.0 at the assessed commit; commit 878db54 changed it). The deployed hub is the custom image, which pins JupyterHub ==5.1.0 (images/jupyterhub/pixi.toml:14), so appVersion: 5.4.3 still does not match the JupyterHub that actually runs.
  • Locked z2jh subchart 4.3.2 (Chart.yaml:11, Chart.lock:4).
  • Hub image: JupyterHub 5.1.0, KubeSpawner 6.2.0, jhub-apps pre-release 2026.5.1rc1 (images/jupyterhub/pixi.toml:14,15,32).
  • User image: JupyterLab 4.2.5, JupyterHub 5.1.0, and a different jhub-apps release 2025.11.1 (images/jupyterlab/pixi.toml:18,21,81).
  • The two jhub-apps releases force divergent transitive pins: hub sets pyjwt >=2.10 while the user image sets pyjwt <2.10.0, each justified by its own jhub-apps version.

No workflow performs Python advisory analysis, final-image vulnerability scanning, SBOM generation, or subchart/image compatibility gating (same grep as H-06 returns nothing). test.yaml:27-29 pin-tests the hub contract but validates behavior, not advisories.

Impact

Without one authoritative bill of materials and a scan gate, unmaintained or vulnerable components can ship undetected, and the pre-release jhub-apps plus mismatched hub/user versions raise the chance of an untested combination reaching production.

Remediation

  • Publish one exact bill of materials and define appVersion semantics.
  • Avoid pre-release components in production profiles.
  • Run source and final-image scans and publish SBOMs and compatibility-test results.
  • Define a maximum patch latency.

Acceptance criteria

  • A release manifest maps the chart to every exact package and image digest.
  • Policy-violating dependencies fail CI.

Source: data-science-pack 0.1.0 security assessment (pinned commit 69c84f72df259ec755ed40bfc83f20158c550d55), finding M-06.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: securitySecurity findings and hardening workpriority: medium ⚡Medium priority - standard queue

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions