Skip to content

[https://nvbugs/6467696][fix] Change license_checker@v0.3.0license_checker@v0.3.1 on…#16525

Open
trtllm-agent wants to merge 1 commit into
NVIDIA:mainfrom
tensorrt-cicd:repair-bot-bug6467696
Open

[https://nvbugs/6467696][fix] Change license_checker@v0.3.0license_checker@v0.3.1 on…#16525
trtllm-agent wants to merge 1 commit into
NVIDIA:mainfrom
tensorrt-cicd:repair-bot-bug6467696

Conversation

@trtllm-agent

@trtllm-agent trtllm-agent commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Root cause: Jenkins release-check step pinned license_checker@v0.3.0, whose transitive dep go-git/v5 v5.18.0 has CVE GHSA-389r-gv7p-r3rp (fixed in go-git v5.19.0).
  • Fix: Change license_checker@v0.3.0license_checker@v0.3.1 on jenkins/L0_MergeRequest.groovy:519; repro.py accepts any non-v0.3.0 tag as PASS. Verified EXIT_CODE=0.
  • Automated fix generated by repair-bot

Test plan

  • Verify fix on the same GPU type as the original failure
  • Check for regressions in related tests

Links

Summary by CodeRabbit

  • Chores
    • Updated the Release Check pipeline’s license-check tooling to the latest supported version.
    • No changes were made to the overall release validation flow.

The Jenkins release-check step installs the external Go binary
license_checker@v0.3.0, which transitively pulls
github.com/go-git/go-git/v5 v5.18.0 (CVE GHSA-389r-gv7p-r3rp, fixed
in v5.19.0). TensorRT-LLM has no in-repo Go module, so the fix lives
in the upstream licensechecker repo (bumped to go-git v5 >= v5.19.0
and re-tagged as v0.3.1). Update the Jenkins pin here to pick up the
patched binary.

Signed-off-by: trtllm-agent <296075020+trtllm-agent@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4d04ec58-3c2c-48d1-b0f6-1320971a445d

📥 Commits

Reviewing files that changed from the base of the PR and between f4df481 and 7862143.

📒 Files selected for processing (1)
  • jenkins/L0_MergeRequest.groovy

📝 Walkthrough

Walkthrough

The Release Check pipeline now installs license_checker@v0.3.1 instead of v0.3.0.

Changes

Release Check pipeline

Layer / File(s) Summary
Update license checker installation
jenkins/L0_MergeRequest.groovy
Updates the go install version of the license checker from v0.3.0 to v0.3.1.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: crazydemo

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description explains the issue and fix, but it does not follow the repo template sections for Description, Test Coverage, or PR Checklist. Reformat the PR description to match the template and add the missing Description, Test Coverage, and PR Checklist sections.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and clearly identifies the fix to bump license_checker from v0.3.0 to v0.3.1.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants