Add nvidia-vss-data-infrastructure 3.3.2 (NVIDIA VSS Blueprint 3.1.0)

[blik616287]

nvidia-vss-data-infrastructure — VSS 3.x, pack 3.2.0

VSS 3.x base data stores (redis, postgres, phoenix, elasticsearch, kibana) as a Helm chart, plus the cross-pack hf-token-secret and the vss-platform ConfigMap as kubeManifests (Palette resolves their .Values/spectro-var from the manifests.<name> values sub-tree). Note: kafka + logstash (search/alerts event streaming) are deferred — logstash needs a VSS-built image with the protobuf/redis-stream plugins (not the stock logstash:9.3.0); they are not on the base summarization route.

Versioning: chart/pack version: 3.2.0 (our packaging) · appVersion: 3.1.0 (upstream NVIDIA VSS Blueprint 3.x). Helm chart; images pinned in values.yaml pack.content.images.

Tested on NVIDIA GB10 / DGX Spark (arm64 SBSA)

Deployed via Palette add-on cluster profile vss-dgx-spark-3x on edge cluster edge-gx10 (single GB10). Full VSS 3.x route green — all 5 packs report Pack services are ready, cluster Running:

cosmos-reason2-8b-846f9747c9-b2z44           1/1 Running
elasticsearch-0                              1/1 Running
envoy-proxy-8654778857-4lh9r                 1/1 Running
kibana-6c48bf74cb-nlrm9                      1/1 Running
llm-vllm-66f78ff858-l5ftt                    2/2 Running
phoenix-0                                    1/1 Running
postgres-0                                   1/1 Running
redis-0                                      1/1 Running
vss-agent-669d5b5fd6-tzc7d                   1/1 Running
vss-agent-ui-98789c556-zq257                 1/1 Running
vss-proxy-6f8dc9d698-4rmmt                   1/1 Running
vss-vios-ingress-56485ddc44-s7pnf            1/1 Running
vss-vios-mcp-5d579cc49b-fjs68                1/1 Running
vss-vios-sensor-57d86f8dcb-9thct             1/1 Running
vss-vios-streamprocessing-789ccd7c59-xkfrc   1/1 Running

Validation: pack.json JSON-syntax/schema/version, logo, README, and pack.content.images all pass. The content.images pull (crane) fails for the gated nvcr.io/nim/* and nvcr.io/nvidia/vss-core/* images — the CI runner has no NGC credentials (the same image-pull exception as the 2.4 PRs #233–236; the cluster pulls them fine via ngc-pull-secret).

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 6
• Clean images: 0
• Images with CVEs: 6
• Total CVEs found: 1723

🔴 Critical CVEs: 55
🟠 High CVEs: 185
🟡 Medium CVEs: 255
🟢 Low CVEs: 1228

Images with CVEs:

• arizephoenix/phoenix:version-8.12.1: 283 CVEs (Critical: 8, High: 34, Medium: 50, Low: 191)
  Critical CVEs: CVE-2019-1010022, CVE-2023-45853, CVE-2025-6965, CVE-2025-7458, CVE-2026-31789, CVE-2026-7210
• confluentinc/cp-kafka:8.1.1: 422 CVEs (Critical: 13, High: 50, Medium: 77, Low: 282)
  Critical CVEs: CVE-2025-14087, CVE-2025-68121, CVE-2026-2332, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-7210
• docker.elastic.co/kibana/kibana:9.3.0: 455 CVEs (Critical: 15, High: 46, Medium: 80, Low: 314)
  Critical CVEs: CVE-2025-14087, CVE-2025-62718, CVE-2025-68665, CVE-2026-1525, CVE-2026-27699, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264, CVE-2026-4800, CVE-2026-7210
• docker.elastic.co/logstash/logstash:9.3.0: 350 CVEs (Critical: 13, High: 37, Medium: 41, Low: 259)
  Critical CVEs: CVE-2025-14087, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42257, CVE-2026-42258, CVE-2026-42581, CVE-2026-42584
• postgres:17.6-alpine: 130 CVEs (Critical: 4, High: 13, Medium: 6, Low: 107)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143, CVE-2026-31789
• redis:8.2.2-alpine: 83 CVEs (Critical: 2, High: 5, Medium: 1, Low: 75)
  Critical CVEs: CVE-2026-31789

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 4
• Clean images: 2
• Images with CVEs: 2
• Total CVEs found: 8

🔴 Critical CVEs: 1
🟠 High CVEs: 0
🟡 Medium CVEs: 1
🟢 Low CVEs: 6

Images with CVEs:

• cgr.dev/chainguard/python:latest-dev: 7 CVEs (Critical: 1, High: 0, Medium: 1, Low: 5)
  Critical CVEs: CVE-2026-7210
• cgr.dev/chainguard/redis:latest: 1 CVEs (Critical: 0, High: 0, Medium: 0, Low: 1)

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 3
• Clean images: 2
• Images with CVEs: 1
• Total CVEs found: 1

🔴 Critical CVEs: 0
🟠 High CVEs: 0
🟡 Medium CVEs: 0
🟢 Low CVEs: 1

Images with CVEs:

• cgr.dev/chainguard/redis:latest: 1 CVEs (Critical: 0, High: 0, Medium: 0, Low: 1)

✅ All scanned images have only low severity CVEs (1 total).

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 3
• Clean images: 2
• Images with CVEs: 1
• Total CVEs found: 1

🔴 Critical CVEs: 0
🟠 High CVEs: 0
🟡 Medium CVEs: 0
🟢 Low CVEs: 1

Images with CVEs:

• cgr.dev/chainguard/redis:latest: 1 CVEs (Critical: 0, High: 0, Medium: 0, Low: 1)

✅ All scanned images have only low severity CVEs (1 total).

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 4
• Clean images: 2
• Images with CVEs: 2
• Total CVEs found: 8

🔴 Critical CVEs: 1
🟠 High CVEs: 0
🟡 Medium CVEs: 1
🟢 Low CVEs: 6

Images with CVEs:

• cgr.dev/chainguard/python:latest-dev: 7 CVEs (Critical: 1, High: 0, Medium: 1, Low: 5)
  Critical CVEs: CVE-2026-7210
• cgr.dev/chainguard/redis:latest: 1 CVEs (Critical: 0, High: 0, Medium: 0, Low: 1)

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[blik616287]

CVE-2026-7210 (phoenix runtime base) — why it's not remediated here, and the path forward

The bulwark scan flags one Critical on this PR: CVE-2026-7210 in cgr.dev/chainguard/python:latest-dev — the runtime base for the phoenix StatefulSet (which pip installs arize-phoenix into a venv at deploy).

What it is
CVE-2026-7210 is a CPython / libexpat issue: xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat's hash-flooding protection, so a crafted XML document can trigger hash flooding (DoS). It lives in the Python interpreter / bundled expat, not in any pack-level dependency or chart code.

Why it can't be remediated in this PR right now

• It's the interpreter, so no base image avoids it. Every Chainguard/Wolfi Python variant — python:latest, python:latest-dev, or wolfi-base + apk add python3 — ships the same Wolfi CPython/expat and is equally affected. Swapping the base would not change the result, only add churn + re-validation.
• No fixed package exists yet. CVE-2026-7210 is not present in the Wolfi security DB (packages.wolfi.dev/os/security.json) at this time — upstream has not published a patched python/expat. There is no version to pin to.
• This is precisely why the pax-cve gate passes: it blocks only on fixable Critical/High CVEs and treats an unfixable one as non-blocking. The remaining pax-cve, pax-combined, validator, and gitleaks checks are green.

Exposure context
The finding is a hash-flooding DoS that requires parsing attacker-controlled XML. phoenix is an internal, cluster-internal observability UI (PHOENIX_ENDPOINT=http://phoenix:6006), not an XML-ingesting public endpoint, so practical exposure for this pack is low.

Path forward

1. Auto-remediation (preferred): the pack references the moving tag chainguard/python:latest-dev. Once Wolfi/Chainguard publish the patched python/expat, the next image rebuild + bulwark re-scan clears this finding with no pack change. Tracked against the Wolfi advisory for CVE-2026-7210.
2. Optional digest pin for reproducibility once a fix lands: pin chainguard/python to the first patched digest and re-scan to confirm 0/0.
3. No interim base swap — it cannot clear the CVE (same CPython) and only adds risk/churn.

Recommendation: merge on the green pax-cve gate (0 fixable Critical/High); the residual interpreter CVE is tracked to auto-clear on the next patched Python rebuild.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 4
• Clean images: 2
• Images with CVEs: 2
• Total CVEs found: 8

🔴 Critical CVEs: 1
🟠 High CVEs: 0
🟡 Medium CVEs: 1
🟢 Low CVEs: 6

Images with CVEs:

• cgr.dev/chainguard/python:latest-dev: 7 CVEs (Critical: 1, High: 0, Medium: 1, Low: 5)
  Critical CVEs: CVE-2026-7210
• cgr.dev/chainguard/redis:latest: 1 CVEs (Critical: 0, High: 0, Medium: 0, Low: 1)

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.