
CVE remediation for Chainguard Libraries

An overview of the CVE remediation feature for Chainguard Libraries

CVE remediation for Chainguard Libraries provides protection against critical and high CVEs. Applications often rely on older versions of libraries, but upstream maintainers may not apply and release patches for those versions. Chainguard addresses this gap by backporting vulnerability fixes from newer releases to older releases, particularly in cases where maintainers are no longer able to support and provide fixes.

CVE remediation helps reduce risk for organizations that cannot always upgrade quickly, especially when moving to a newer version would introduce disruptive changes. Remediated artifacts are published as incremental patch versions, allowing teams to take a targeted fix for a CVE without taking on a broader upgrade at the same time.

CVE remediation is available for a subset of Chainguard Libraries for Python and Chainguard Libraries for Java (available in private preview). If you want to request CVE remediation for additional libraries, reach out to your account team.

About CVE remediation

CVE remediation focuses on critical and high vulnerabilities. Chainguard backports fixes that are already available in newer versions of the upstream project to older versions that may no longer receive updates.

Before publishing a remediated version, Chainguard validates that the remediated version does not introduce regressions. All upstream test suites are run before and after applying the fix to confirm functional consistency. Chainguard also develops additional regression tests to validate the effectiveness of the CVE fix.

Remediated libraries are distributed through a dedicated repository. You can choose to make remediated versions available to your developers, or opt out entirely and continue to use upstream versions only.

Remediated version naming

Chainguard publishes remediated versions using ecosystem-specific version suffixes.

For Python, remediated packages use a +cgr.N local version suffix. For example, if flask==1.1.2 has a remediated build, Chainguard publishes it as flask==1.1.2+cgr.1. Python package managers treat this as a higher-precedence local version of the base release, so remediated versions can be selected automatically during dependency resolution when the remediated index is configured.

For Java, remediated artifacts use a -0.cgr.N suffix appended to the base version. For example, if org.apache.commons:commons-lang3:3.18.0 has a remediated build, that build is published as org.apache.commons:commons-lang3:3.18.0-0.cgr.1. If Chainguard publishes another remediated iteration for the same base version, the trailing number increases, such as -0.cgr.2 or -0.cgr.3.
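As an added illustration (not Chainguard's own tooling), the following Python helper parses both suffix schemes described above, orders candidates by base version and then by cgr iteration as the page describes, and shows the PEP 440 rule that lets an existing `==` pin still accept the remediated local version. The ordering key mirrors the precedence stated on this page, not the full comparator of any package manager.

```python
import re
from typing import NamedTuple, Optional, Iterable

# Suffix shapes from the page: Python uses a PEP 440 local version "+cgr.N",
# Java appends "-0.cgr.N" to the base version.
PY_SUFFIX = re.compile(r"^(?P<base>[^+]+)\+cgr\.(?P<n>\d+)$")
JAVA_SUFFIX = re.compile(r"^(?P<base>.+?)-0\.cgr\.(?P<n>\d+)$")

class Remediated(NamedTuple):
    base: str        # upstream release the fix was backported onto
    iteration: int   # N in cgr.N; increases on each re-publish for the same base

def parse_remediated(version: str, ecosystem: str) -> Optional[Remediated]:
    """Return (base, N) if `version` carries a Chainguard remediation suffix, else None."""
    pattern = {"python": PY_SUFFIX, "java": JAVA_SUFFIX}[ecosystem]
    m = pattern.match(version)
    return Remediated(m["base"], int(m["n"])) if m else None

def _release_tuple(base: str) -> tuple:
    # Assumes a plain dotted numeric base version (1.1.2, 3.18.0).
    return tuple(int(p) for p in base.split("."))

def pin_matches(pin: str, candidate: str) -> bool:
    """PEP 440: an '==X' pin with no local label ignores the local label of
    candidates, so 'flask==1.1.2' is satisfied by 1.1.2+cgr.1."""
    pinned = pin.split("==", 1)[1].strip()
    public = candidate.split("+", 1)[0]
    return public == pinned

def newest(versions: Iterable[str], ecosystem: str) -> str:
    """Highest candidate: compare the base release first, then the cgr iteration.
    A plain upstream release counts as iteration 0, below any remediation of it."""
    def key(v: str):
        r = parse_remediated(v, ecosystem)
        base = r.base if r else v
        return (_release_tuple(base), r.iteration if r else 0)
    return max(versions, key=key)
```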

CVE remediation for vendored dependencies

Some Python packages bundle compiled code written in other languages (such as Go, Rust, or C/C++) directly into their wheel. When a CVE exists in a dependency of that vendored code, Chainguard may publish a remediated version even when no CVE has been filed against the Python package itself.

In these cases, Chainguard bumps the vulnerable dependency within the vendored code and publishes a new +cgr.N version of the package. Because the vulnerability exists at the vendored dependency level rather than the Python package level, no advisory entry is published in the VEX feed for these versions. However, scanners that inspect vendored binaries will reflect the fix in their results.

Browse libraries with CVE remediation

Remediated libraries are published in dedicated repositories:

  • Python: In a PyPI-compatible index at https://libraries.cgr.dev/python-remediated/ - the simple index is at https://libraries.cgr.dev/python-remediated/simple/
  • Java: In a repository at https://libraries.cgr.dev/java-remediated/ - a companion to the standard Chainguard Libraries for Java repository at https://libraries.cgr.dev/java/

Browse remediated libraries in the Chainguard Console

In the Chainguard Console, navigate to the Python or Java libraries, then click the Remediated tab. Click into a library to see which versions have remediated CVEs.

Learn more in Browsing Chainguard libraries.

Public VEX feed

Advisories for each CVE addressed in our remediated libraries are published via a public VEX feed at https://libraries.cgr.dev/openvex/v1/all.json. Supported scanners and your own custom tooling can use this feed to identify and recognize remediated versions.

To view the CVEs and the remediated versions for a specific library, navigate to that library's own VEX document under the feed, for example https://libraries.cgr.dev/openvex/v1/pypi/urllib3.openvex.json for urllib3.
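An added example of what a scanner or custom tool does with such a document (this is not Chainguard's code, and the sample below is constructed in the OpenVEX statement shape the feed is assumed to use, with placeholder CVE ids and a placeholder package): look up the statements for one exact product purl and drop findings the feed marks as fixed or not affected.

```python
import json
from collections import defaultdict

# Constructed sample in OpenVEX shape (assumed feed layout): each statement names
# one vulnerability, a list of purl products and a status. The CVE ids, package
# name and versions are placeholders, not values from the real feed.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://libraries.cgr.dev/openvex/v1/pypi/example.openvex.json",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:pypi/example@1.1.2+cgr.1"}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:pypi/example@1.1.2"}],
         "status": "affected"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:pypi/example@1.1.2+cgr.1"},
                      {"@id": "pkg:pypi/example@1.1.2"}],
         "status": "not_affected"},
    ],
})

def statuses_for(vex_json: str, purl: str) -> dict:
    """Map VEX status -> sorted CVE ids for one exact product purl (name@version)."""
    doc = json.loads(vex_json)
    out = defaultdict(set)
    for stmt in doc.get("statements", []):
        product_ids = {p.get("@id") for p in stmt.get("products", [])}
        if purl in product_ids:
            out[stmt["status"]].add(stmt["vulnerability"]["name"])
    return {status: sorted(cves) for status, cves in out.items()}

def suppress_findings(vex_json: str, purl: str, findings: set) -> set:
    """Scanner-side use of the feed: remove CVEs the feed marks fixed or
    not_affected for this exact purl; every other finding stays reported.
    A statement for a different version never suppresses anything."""
    st = statuses_for(vex_json, purl)
    resolved = set(st.get("fixed", [])) | set(st.get("not_affected", []))
    return set(findings) - resolved
```

Matching is on the exact purl, so the upstream 1.1.2 build keeps its finding while 1.1.2+cgr.1 is cleared; a vendored-dependency fix, which the page says has no feed entry, would still need the scanner to inspect the binary itself.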

Scanning remediated libraries

Chainguard works closely with scanner partners so that remediated versions are properly recognized in vulnerability reports. This ensures that teams can maintain their existing scanning workflows while benefiting from patched dependencies.

Find more general information and specifics for supported scanners in Vulnerability Scanners and Chainguard Libraries.

Last updated: 2025-09-11 00:00