14 changes: 14 additions & 0 deletions content/chainguard/libraries/cve-remediation.md
Expand Up @@ -54,6 +54,20 @@ For Python, remediated packages use a `+cgr.N` local version suffix. For example

For Java, remediated artifacts use a `-0.cgr.N` suffix appended to the base version. For example, if `org.apache.commons:commons-lang3:3.18.0` has a remediated build, that build is published as org.apache.`commons:commons-lang3:3.18.0-0.cgr.1`. If Chainguard publishes another remediated iteration for the same base version, the trailing number increases, such as `-0.cgr.2` or `-0.cgr.3`.

### Remediation and transitive dependencies

**Python**

For Python, installing a `+cgr.N` package doesn't automatically remediate its entire dependency tree. Chainguard publishes a `+cgr.N` version only for a package that has a remediation to deliver, and it leaves that package's own dependency declarations unchanged.

This is intentional. Most packages don't pin their dependencies tightly enough to require a rewrite, so the package metadata stays identical to upstream.

Remediation propagates across the dependency tree through the index, not through dependency declarations. When you configure the Chainguard index, your package manager resolves every dependency, both direct and transitive, through Chainguard Libraries rather than the upstream index. As described in [Remediated version naming](#remediated-version-naming), a `+cgr.N` build is a higher-precedence local version, so the resolver selects it automatically wherever Chainguard has published one. Dependencies without a remediation resolve to the standard upstream version served through the same index.

**Java**

Java remediation behavior differs from Python. Because Maven POMs typically pin dependencies to exact versions rather than using version ranges, Chainguard may update a package's POM dependency tree directly to reference remediated versions of its dependencies. This means transitive dependencies can receive CVE remediations without requiring changes to your own dependency declarations.
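Review bot: the Python paragraph's claim that the resolver "selects it automatically wherever Chainguard has published one" holds only when resolution is free to pick the local version; a lock file that pins exact versions and hashes (pip-compile, Poetry, uv) keeps the upstream `3.18.0`-style build until it is regenerated against the Chainguard index, so the paragraph should say that existing lock files must be re-resolved before any `+cgr.N` build is picked up. In the Java paragraph, "may update a package's POM dependency tree" leaves the reader unable to tell when a transitive fix actually lands: Maven's nearest-wins mediation and the consumer's own `<dependencyManagement>` take precedence over whatever a remediated POM declares, so the text should tell users to verify the resolved tree with `mvn dependency:tree` and to pin the `-0.cgr.N` versions in `dependencyManagement` where the mediated result is still the upstream build. Minor: in the context line above, the backtick is misplaced in "org.apache.`commons:commons-lang3:3.18.0-0.cgr.1`"; it should wrap the whole coordinate as `org.apache.commons:commons-lang3:3.18.0-0.cgr.1`.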

Member
Users should use Maven and other tools to make sure the right deps are used and potentially use dependencyManagement and other means to override.

### CVE remediation for vendored dependencies

Some Python packages bundle compiled code written in other languages (such as Go, Rust, or C/C++) directly into their wheel. When a CVE exists in a dependency of that