CVE remediation is a feature in Chainguard Libraries that provides security protection against high and critical CVEs. Applications often rely on older versions of libraries, but upstream maintainers may not apply and release patches for those versions. CVE remediation addresses this gap by applying vulnerability fixes from upstream to older releases, particularly in cases where maintainers are no longer able to support and provide fixes.
CVE remediation helps reduce risk for organizations that cannot always upgrade quickly, since a larger upgrade to newer versions often forces disruptive changes. CVE remediation makes multiple incremental patch versions of affected older versions available and therefore allows a very minor upgrade that addresses only the CVE and does not bring in other changes.
CVE remediation is available for a subset of Chainguard Libraries for Python. If you want to request CVE remediation for additional libraries, reach out to your account team.
CVE remediation focuses on high and critical vulnerabilities. Chainguard backports fixes that are already available in the new versions of the upstream project to older versions that may no longer receive updates.
Before publishing a remediated version, Chainguard validates that the remediated version does not introduce regressions. All upstream test suites are run before and after applying the fix to confirm functional consistency. Chainguard also develops additional regression tests to validate the effectiveness of the CVE fix.
Remediated libraries are distributed through a dedicated repository. This provides the option to make remediated versions available for your development or opt out of using these versions completely and continue to use upstream versions only.
Advisories for each CVE addressed in our remediated libraries are published via a public VEX feed at https://libraries.cgr.dev/openvex/v1/all.json. Supported scanners and your own custom tooling can use this feed to identify and recognize remediated versions.
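Custom tooling can consume that feed directly. The following is an added example, not Chainguard's own code: it indexes an OpenVEX document by package URL and answers whether an installed package version has a "fixed" or "affected" statement for a CVE. It assumes the feed uses the OpenVEX v0.2.0 layout with PyPI purls as product identifiers; the embedded document and its CVE identifiers are constructed for illustration and are not real advisories.

```python
"""Look up remediation status for installed packages in an OpenVEX feed."""
import json
from collections import defaultdict

# Real feed location named in the documentation; fetch it with any HTTP client
# and pass the body to index_vex(). The document below is a constructed stand-in.
VEX_FEED_URL = "https://libraries.cgr.dev/openvex/v1/all.json"

SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed-sample",
    "author": "constructed sample (not a real advisory)",
    "timestamp": "2025-09-11T00:00:00Z",
    "version": 1,
    "statements": [
        {   # constructed CVE identifier and package name
            "vulnerability": {"name": "CVE-0000-00001"},
            "products": [{"@id": "pkg:pypi/examplelib@1.4.2"}],
            "status": "fixed",
        },
        {
            "vulnerability": {"name": "CVE-0000-00001"},
            "products": [{"@id": "pkg:pypi/examplelib@1.4.1"}],
            "status": "affected",
        },
    ],
})


def parse_purl(purl):
    """Split 'pkg:<type>/<name>@<version>[?qualifiers]' into (type, name, version)."""
    body = purl[len("pkg:"):]
    ecosystem, _, rest = body.partition("/")
    name, _, version = rest.partition("@")
    version, _, _ = version.partition("?")  # drop qualifiers such as repository_url
    return ecosystem, name.lower(), version


def index_vex(document):
    """Map (ecosystem, name, version) -> {cve: status} for every statement."""
    index = defaultdict(dict)
    for stmt in json.loads(document).get("statements", []):
        vuln = stmt["vulnerability"]
        cve = vuln["name"] if isinstance(vuln, dict) else vuln  # v0.1.0 used a bare string
        for product in stmt.get("products", []):
            index[parse_purl(product["@id"])][cve] = stmt["status"]
    return index


def remediation_status(index, name, version, ecosystem="pypi"):
    """Return {cve: status} for one installed package; {} when no statement covers it."""
    return dict(index.get((ecosystem, name.lower(), version), {}))
```

Feed the output of `pip freeze` (name and pinned version per line) through `remediation_status` to flag packages the feed marks as still affected.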
Chainguard works closely with scanner partners so that remediated versions are properly recognized in vulnerability reports. This ensures that teams can maintain their existing scanning workflows while benefiting from patched dependencies.
Grype supports Chainguard remediated libraries starting with Grype version 0.100.0. You can use Grype in multiple ways:
When scanning a Python project source directory that contains a dependency file such as requirements.txt, Grype reports against the declared versions rather than the installed versions. As a result, Chainguard's remediated Python package versions are not recognized in this mode. To ensure accurate results, we recommend scanning the installed environment, such as a Python virtual environment directory, instead.
For additional guidance, see our documentation on Using Grype to Scan Container Images for Vulnerabilities.
Last updated: 2025-09-11 00:00