NVIDIA / nvidia-container-toolkit
33%
main: 39%

Repo Added 22 May 2025 04:41PM UTC

Token yURQA9qJZkSTLsagBnXzxNupHtB5LQLk7 regen

Build 1847 Last

Files 236

Badge

Embed ▾

LAST BUILD ON BRANCH pull-request/1169
branch: pull-request/1169

CHANGE BRANCH
x

Reset

Sync Branches

pull-request/1169

1.18.0rc2

CNT-4766/create-so-symlinks

NewEmpty

add-additional-device-node-information

add-basic-csv-test

add-device-ids-to-getspec

add-disable-all-device

add-driver-lib-root-envvar

add-existing-runtimes-to-containerd-drop-in

add-imex-channel-to-jit-cdi

add-issue-templates

add-nspect-integration

add-nvidiascape-test

add-openrm-discoverer-to-csv-mode

add-restart-to-refresh-service

add-version-to-driver-struct

allow-config-override-by-envvar

allow-config-source-to-be-overridden

allow-device-ids-on-cdi-generate

allow-scan-failures

b/5363680

b/5366608

b/5371533

bug/5366608

bump-golang-125

bump-image-in-tests

bump-release-v1.18.0-rc.1

bump-release-v1.18.0-rc.3

bump-release-v1.18.0-rc.4

bump-release-v1.19.0-rc.1

bump-release-v1.19.0-rc.2

cdi_generate_env_cli

clean-runtime-config-api

cleanup-default-runtime-field

cleanup-logger-interface

codecov

configure-nvgpu-compat

cuda-elf-header

default-to-cdi

dependabot/docker/deployments/container/main/nvidia/cuda-12.9.1-base-ubuntu20.04

dependabot/docker/deployments/container/main/nvidia/distroless/go-v3.1.10-dev

dependabot/docker/deployments/container/main/nvidia/distroless/go-v3.1.11-dev

dependabot/docker/deployments/container/main/nvidia/distroless/go-v3.1.12-dev

dependabot/docker/deployments/container/main/nvidia/distroless/go-v3.2.2-dev

dependabot/docker/deployments/container/main/nvidia/distroless/go-v4.0.0-dev

dependabot/docker/deployments/container/main/nvidia/distroless/go-v4.0.1-dev

dependabot/docker/deployments/devel/main/golang-1.24.4

dependabot/docker/deployments/devel/main/golang-1.24.5

dependabot/docker/deployments/devel/main/golang-1.24.6

dependabot/docker/deployments/devel/main/golang-1.25.1

dependabot/docker/deployments/devel/main/golang-1.25.6

dependabot/github_actions/main/NVIDIA/holodeck-0.2.10

dependabot/github_actions/main/actions/checkout-5

dependabot/github_actions/main/actions/download-artifact-5

dependabot/github_actions/main/actions/download-artifact-7

dependabot/github_actions/main/actions/setup-go-6

dependabot/github_actions/main/actions/upload-artifact-6

dependabot/github_actions/main/slackapi/slack-github-action-2.1.1

dependabot/go_modules/deployments/devel/github.com/go-viper/mapstructure/v2-2.3.0

dependabot/go_modules/deployments/devel/main/github.com/matryer/moq-0.6.0

dependabot/go_modules/main/github.com/NVIDIA/go-nvlib-0.7.3

dependabot/go_modules/main/github.com/NVIDIA/go-nvlib-0.7.4

dependabot/go_modules/main/github.com/NVIDIA/go-nvlib-0.9.0

dependabot/go_modules/main/github.com/NVIDIA/go-nvml-0.12.9-0

dependabot/go_modules/main/github.com/NVIDIA/go-nvml-0.13.0-1

dependabot/go_modules/main/github.com/opencontainers/runc-1.3.1

dependabot/go_modules/main/github.com/opencontainers/runc-1.3.2

dependabot/go_modules/main/github.com/opencontainers/runc-1.4.0

dependabot/go_modules/main/github.com/sirupsen/logrus-1.9.4

dependabot/go_modules/main/github.com/stretchr/testify-1.11.0

dependabot/go_modules/main/github.com/stretchr/testify-1.11.1

dependabot/go_modules/main/github.com/urfave/cli-altsrc/v3-3.1.0

dependabot/go_modules/main/github.com/urfave/cli/v2-2.27.7

dependabot/go_modules/main/github.com/urfave/cli/v3-3.4.0

dependabot/go_modules/main/github.com/urfave/cli/v3-3.4.1

dependabot/go_modules/main/github.com/urfave/cli/v3-3.6.2

dependabot/go_modules/main/golang.org/x/mod-0.25.0

dependabot/go_modules/main/golang.org/x/mod-0.26.0

dependabot/go_modules/main/golang.org/x/mod-0.27.0

dependabot/go_modules/main/golang.org/x/mod-0.28.0

dependabot/go_modules/main/golang.org/x/mod-0.31.0

dependabot/go_modules/main/golang.org/x/mod-0.32.0

dependabot/go_modules/main/golang.org/x/sys-0.34.0

dependabot/go_modules/main/golang.org/x/sys-0.35.0

dependabot/go_modules/main/golang.org/x/sys-0.36.0

dependabot/go_modules/main/golang.org/x/sys-0.39.0

dependabot/go_modules/main/golang.org/x/sys-0.40.0

dependabot/go_modules/main/tags.cncf.io/container-device-interface-1.1.0

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.24.0

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.25.0

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.25.1

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.25.2

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.25.3

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.26.0

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.27.3

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.27.4

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.27.5

dependabot/go_modules/tests/main/github.com/onsi/ginkgo/v2-2.28.1

dependabot/go_modules/tests/main/github.com/onsi/gomega-1.38.0

dependabot/go_modules/tests/main/github.com/onsi/gomega-1.38.1

dependabot/go_modules/tests/main/github.com/onsi/gomega-1.38.2

dependabot/go_modules/tests/main/github.com/onsi/gomega-1.38.3

dependabot/go_modules/tests/main/github.com/onsi/gomega-1.39.0

dependabot/go_modules/tests/main/github.com/onsi/gomega-1.39.1

dependabot/go_modules/tests/main/golang.org/x/crypto-0.39.0

dependabot/go_modules/tests/main/golang.org/x/crypto-0.40.0

dependabot/go_modules/tests/main/golang.org/x/crypto-0.41.0

dependabot/go_modules/tests/main/golang.org/x/crypto-0.42.0

dependabot/go_modules/tests/main/golang.org/x/crypto-0.46.0

dependabot/go_modules/tests/main/golang.org/x/crypto-0.47.0

dependabot/submodules/main/third_party/libnvidia-container-5476521

dependabot/submodules/main/third_party/libnvidia-container-6eda4d7

dependabot/submodules/main/third_party/libnvidia-container-710a0f1

dependabot/submodules/main/third_party/libnvidia-container-889a3bb

dependabot/submodules/main/third_party/libnvidia-container-a83ddc0

dependabot/submodules/main/third_party/libnvidia-container-bceabbc

dgpu-on-nvgpu

disable-device-node-creation

drop-in-demo

drop-in-in-container

dropins

dropins_ctk_cmd

e2e/nvidia-container-cli

e2e_containerd

ensure-libcuda.so-in-ldcache

expose-tooling

fix-1517

fix-alpine-support

fix-cdi-spec-generation

fix-compat-on-csv

fix-deduplicate-driver-store-wsl

fix-docker-swarm-in-nvidia-runtime

fix-dri-symlinks

fix-driver-library-refactor

fix-dummy-sign-job

fix-e2e-for-docker-29.2.0

fix-gdrcopy-in-jit-cdi

fix-gitlab-references

fix-mixed-csv

fix-publish

fix-publishing-dummy-job

fix-purecsv

fix-release-tooling

fix-rpm-package-definition

fix-symlink-tests

fix-verison-string

fix-visible-devices-none

fix/1049

fix/remove-ro-from-ipc-mounts

fix_cdi_service

fix_systemd_install

forward-compat-tegra

forward-golang-version-to-libnvidia-container

gds-unprivileged

ghost-file-config

go-wrapper

holodeck_update_0213

i-1218

i/1049

i/1075

i1225

install-only-mode

integrate-ngc-automation

isue_1215

main

make-cdi-device-extraction-consistent

multiple_drivers_e2e

multiple_drivers_e2e_v2

no-pivot-root

nri-plugin-server

opt-out-of-drop-in

order-of-precedence-envvar

pass-options-to-asserts-in-test

patch-1

pin-libnvidia-container-tools-version

pr/1083

pull-request/1030

pull-request/1076

pull-request/1083

pull-request/1100

pull-request/1107

pull-request/1110

pull-request/1113

pull-request/1118

pull-request/1119

pull-request/1120

pull-request/1123

pull-request/1125

pull-request/1129

pull-request/1130

pull-request/1131

pull-request/1132

pull-request/1143

pull-request/1145

pull-request/1150

pull-request/1152

pull-request/1153

pull-request/1154

pull-request/1158

pull-request/1159

pull-request/1160

pull-request/1165

pull-request/1166

pull-request/1168

pull-request/1172

pull-request/1174

pull-request/1175

pull-request/1179

pull-request/1180

pull-request/1181

pull-request/1182

pull-request/1183

pull-request/1185

pull-request/1187

pull-request/1188

pull-request/1189

pull-request/1194

pull-request/1195

pull-request/1201

pull-request/1202

pull-request/1206

pull-request/1211

pull-request/1212

pull-request/1216

pull-request/1219

pull-request/1221

pull-request/1223

pull-request/1229

pull-request/1230

pull-request/1231

pull-request/1235

pull-request/1241

pull-request/1250

pull-request/1251

pull-request/1255

pull-request/1256

pull-request/1258

pull-request/1259

pull-request/1263

pull-request/1264

pull-request/1265

pull-request/1266

pull-request/1267

pull-request/1270

pull-request/1272

pull-request/1273

pull-request/1276

pull-request/1277

pull-request/1279

pull-request/1280

pull-request/1281

pull-request/1285

pull-request/1287

pull-request/1291

pull-request/1293

pull-request/1294

pull-request/1298

pull-request/1299

pull-request/1300

pull-request/1303

pull-request/1304

pull-request/1308

pull-request/1311

pull-request/1313

pull-request/1314

pull-request/1315

pull-request/1322

pull-request/1323

pull-request/1325

pull-request/1326

pull-request/1327

pull-request/1330

pull-request/1331

pull-request/1335

pull-request/1336

pull-request/1337

pull-request/1339

pull-request/1341

pull-request/1342

pull-request/1344

pull-request/1345

pull-request/1348

pull-request/1351

pull-request/1354

pull-request/1355

pull-request/1358

pull-request/1359

pull-request/1360

pull-request/1362

pull-request/1365

pull-request/1366

pull-request/1367

pull-request/1368

pull-request/1372

pull-request/1373

pull-request/1374

pull-request/1377

pull-request/1378

pull-request/1382

pull-request/1383

pull-request/1400

pull-request/1401

pull-request/1403

pull-request/1407

pull-request/1408

pull-request/1409

pull-request/1410

pull-request/1411

pull-request/1418

pull-request/1419

pull-request/1420

pull-request/1421

pull-request/1424

pull-request/1428

pull-request/1431

pull-request/1432

pull-request/1438

pull-request/1440

pull-request/1441

pull-request/1444

pull-request/1448

pull-request/1450

pull-request/1451

pull-request/1453

pull-request/1454

pull-request/1459

pull-request/1461

pull-request/1462

pull-request/1464

pull-request/1466

pull-request/1467

pull-request/1469

pull-request/1471

pull-request/1473

pull-request/1486

pull-request/1489

pull-request/1490

pull-request/1491

pull-request/1493

pull-request/1496

pull-request/1498

pull-request/1500

pull-request/1504

pull-request/1505

pull-request/1506

pull-request/1507

pull-request/1510

pull-request/1511

pull-request/1512

pull-request/1515

pull-request/1516

pull-request/1521

pull-request/1528

pull-request/1529

pull-request/1530

pull-request/1533

pull-request/1535

pull-request/1536

pull-request/1538

pull-request/1539

pull-request/1556

pull-request/1561

pull-request/1562

pull-request/1563

pull-request/1571

pull-request/1576

pull-request/1577

pull-request/1579

pull-request/1580

pull-request/1581

pull-request/1586

pull-request/1591

pull-request/1593

pull-request/1596

pull-request/1597

pull-request/1598

pull-request/1600

pull-request/1601

pull-request/1604

pull-request/1609

pull-request/1610

pull-request/1612

pull-request/1614

pull-request/1615

pull-request/315

pull-request/326

pull-request/602

pull-request/700

pull-request/763

pull-request/910

pull-request/927

pull-request/947

pull-request/958

pull-request/960

refactor-cdi-api

refresh_cdi

release-1.18

remove-dist-tag

remove-docker-runc

remove-release-archive

remove-unneeded-cdi-annotations

return-on-jid-cdi-error

run-golang-checks-on-prs

security/e2e-ssh-key-handling

switch-default-crio-config-mode

switch-to-distroless

switch-to-ubi9

sync_cg_permissions

systemd-envfile

systemd_e2e

unconditional-ldcache

update-driver-branches

update_ctk_unit_test

use-config-path-when-running-config-dump

use-go-logr-for-nvcdi

use-public-runners

use-rpm-rebuild-for-shas

use-securejoin

use-ubi8-image

vfio-cdi-mode

vulkan-target-cpu

Committed 03 Jul 2025 03:04PM UTC coverage: 33.117%. Remained the same

Build # 16054010473

Build Type

push

github

Committed by

ArangoGutierrez

Commit Message

[no-relnote] Add e2e test for firmware path traversal

A container image could be crafted with a symbolic link in
/lib/firmware/nvidia/ that points to a location outside of the
container's root filesystem. When running such a container with the
NVIDIA Container Toolkit, this could potentially lead to files being
created on the host filesystem.

This change adds an end-to-end test to ensure that the toolkit is not
vulnerable to this kind of path traversal attack.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

Run Details

4381 of 13229 relevant lines covered (33.12%)

0.37 hits per line

Relevant lines Covered

13229 RELEVANT LINES 4381 COVERED LINES

0.37 HITS PER LINE

Source Files on pull-request/1169

Recent builds

Builds	Branch	Commit	Type	Ran	Committer	Via	Coverage
16054010473	pull-request/1169	[no-relnote] Add e2e test for firmware path traversal A container image could be crafted with a symbolic link in /lib/firmware/nvidia/ that points to a location outside of the container's root filesystem. When running such a container with the NV...	push	03 Jul 2025 03:05PM UTC	ArangoGutierrez	github	33.12
16053975813	pull-request/1169	[no-relnote] Add e2e test for firmware path traversal A container image could be crafted with a symbolic link in /lib/firmware/nvidia/ that points to a location outside of the container's root filesystem. When running such a container with the NV...	push	03 Jul 2025 03:04PM UTC	ArangoGutierrez	github	33.12
16052595765	pull-request/1169	[no-relnote] Add e2e test for firmware path traversal A container image could be crafted with a symbolic link in /lib/firmware/nvidia/ that points to a location outside of the container's root filesystem. When running such a container with the NV...	push	03 Jul 2025 02:05PM UTC	ArangoGutierrez	github	33.12
16052265842	pull-request/1169	[no-relnote] Add e2e test for firmware path traversal A container image could be crafted with a symbolic link in /lib/firmware/nvidia/ that points to a location outside of the container's root filesystem. When running such a container with the NV...	push	03 Jul 2025 01:50PM UTC	ArangoGutierrez	github	33.12
16052182925	pull-request/1169	[no-relnote] Add test to check we don't leak firmware Now that the NVIDIA Container Toolkit uses CDI injection by default. This does not trigger the code in the nvidia-container-cli that creates the empty files on the host. Signed-off-by: Carlos...	push	03 Jul 2025 01:47PM UTC	ArangoGutierrez	github	33.12
16028511584	pull-request/1169	[no-relnote] Add test to check CDI injection by default Now that the NVIDIA Container Toolkit uses CDI injection by default. This does not trigger the code in the nvidia-container-cli that creates the empty files on the host. Signed-off-by: Carl...	push	02 Jul 2025 02:53PM UTC	ArangoGutierrez	github	33.21
16024195050	pull-request/1169	[no-relnote] Add test to check CDI injection by default Now that the NVIDIA Container Toolkit uses CDI injection by default. This does not trigger the code in the nvidia-container-cli that creates the empty files on the host. Signed-off-by: Carl...	push	02 Jul 2025 11:44AM UTC	ArangoGutierrez	github	33.21
16023919620	pull-request/1169	[no-relnote] Add test to check CDI injection by default Now that the NVIDIA Container Toolkit uses CDI injection by default. This does not trigger the code in the nvidia-container-cli that creates the empty files on the host. Signed-off-by: Carl...	push	02 Jul 2025 11:31AM UTC	ArangoGutierrez	github	33.21
16023554394	pull-request/1169	[no-relnote] Add test to check CDI injection by default Now that the NVIDIA Container Toolkit uses CDI injection by default. This does not trigger the code in the nvidia-container-cli that creates the empty files on the host. Signed-off-by: Carl...	push	02 Jul 2025 11:13AM UTC	ArangoGutierrez	github	33.21
16020899640	pull-request/1169	[no-relnote] Add test to check CDI injection by default Now that the NVIDIA Container Toolkit uses CDI injection by default. This does not trigger the code in the nvidia-container-cli that creates the empty files on the host. Signed-off-by: Carl...	push	02 Jul 2025 09:06AM UTC	ArangoGutierrez	github	33.21

See All Builds (1770)

Badge your Repo: nvidia-container-toolkit

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Embed ▾

Refresh

NVIDIA / nvidia-container-toolkit
33%
main: 39%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

CHANGE BRANCH
x

Relevant lines Covered

Source Files on pull-request/1169

Recent builds

Badge your Repo: nvidia-container-toolkit

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

NVIDIA / nvidia-container-toolkit 33% main: 39%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

CHANGE BRANCH x

Relevant lines Covered

Source Files on pull-request/1169

Recent builds

Badge your Repo: nvidia-container-toolkit

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

NVIDIA / nvidia-container-toolkit
33%
main: 39%

README BADGES
x

CHANGE BRANCH
x

README BADGES
x