chore: squash High findings in pepr controller image #1123
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1123 +/- ##
=======================================
Coverage 85.65% 85.65%
=======================================
Files 26 26
Lines 1032 1032
Branches 222 222
=======================================
Hits 884 884
Misses 137 137
Partials 11 11 |
btlghrants
changed the title
|
Updating to the newest chainguard:node images removes the two "apk" findings, but the "npm" finding remains. Tracking that down now. |
|
Looks like it's express@4.19.2 that's pulling in the borked version of path-to-regexp@0.1.7. Updating pepr to express@4.20.0 pulls in the newer (and recommended ) version of path-to-regexp@0.1.10. |
|
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/express@4.19.2 |
btlghrants
requested review from
jeff-mccoy,
cmwylie19 and
schaeferka
as code owners
cmwylie19
approved these changes
Sep 10, 2024
btlghrants
added a commit
that referenced
this pull request
Sep 10, 2024
## Description A manual scan of grype reveals 3 High severity findings: ``` > docker run --rm \ --volume /var/run/docker.sock:/var/run/docker.sock \ --name Grype anchore/grype:v0.80.0 \ pepr:dev NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libcrypto3 3.3.1-r5 3.3.2-r0 apk CVE-2024-6119 High libssl3 3.3.1-r5 3.3.2-r0 apk CVE-2024-6119 High path-to-regexp 0.1.7 0.1.10 npm GHSA-9wv6-86v2-598j High ``` ## Related Issue Fixes #1122 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed
mjnagel
referenced
this pull request
in defenseunicorns/uds-core
Sep 17, 2024
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [husky](https://github.com/typicode/husky) | [`9.1.5` -> `9.1.6`](https://renovatebot.com/diffs/npm/husky/9.1.5/9.1.6) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [pepr](https://github.com/defenseunicorns/pepr) | [`0.34.1` -> `0.36.0`](https://renovatebot.com/diffs/npm/pepr/0.34.1/0.36.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | dependencies | minor | | [registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller](https://github.com/defenseunicorns/pepr) ([source](https://repo1.dso.mil/dsop/opensource/defenseunicorns/pepr/controller)) | `v0.34.1` -> `v0.36.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | minor | | [ts-jest](https://kulshekhar.github.io/ts-jest) ([source](https://github.com/kulshekhar/ts-jest)) | [`29.2.4` -> `29.2.5`](https://renovatebot.com/diffs/npm/ts-jest/29.2.4/29.2.5) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | --- ### Release Notes <details> <summary>typicode/husky (husky)</summary> ### [`v9.1.6`](https://github.com/typicode/husky/compare/v9.1.5...a2d942a670b3d6a04578005a0fd2dc310e511849) [Compare Source](https://github.com/typicode/husky/compare/v9.1.5...v9.1.6) </details> <details> <summary>defenseunicorns/pepr (pepr)</summary> ### [`v0.36.0`](https://github.com/defenseunicorns/pepr/releases/tag/v0.36.0) [Compare Source](https://github.com/defenseunicorns/pepr/compare/v0.35.0...v0.36.0) ##### Features - feat: withdeletiontimestamp filter by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1026](https://github.com/defenseunicorns/pepr/pull/1026) - feat: update CODEOWNERS by [@​daveworth](https://github.com/daveworth) in [https://github.com/defenseunicorns/pepr/pull/1111](https://github.com/defenseunicorns/pepr/pull/1111) - feat: update pepr reconcile strategy by [@​btlghrants](https://github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1127](https://github.com/defenseunicorns/pepr/pull/1127) ##### What's Changed - chore: support optional fields in ownerReferences by [@​samayer12](https://github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1104](https://github.com/defenseunicorns/pepr/pull/1104) - fix: reconcile queues scrambling Action callbacks by [@​btlghrants](https://github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1119](https://github.com/defenseunicorns/pepr/pull/1119) - chore: squash High findings in pepr controller image by [@​btlghrants](https://github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1123](https://github.com/defenseunicorns/pepr/pull/1123) - chore: bump github/codeql-action from 3.26.5 to 3.26.6 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1107](https://github.com/defenseunicorns/pepr/pull/1107) - chore: bump actions/upload-artifact from 4.3.6 to 4.4.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1112](https://github.com/defenseunicorns/pepr/pull/1112) - chore: bump pino from 9.3.2 to 9.4.0 in the production-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1117](https://github.com/defenseunicorns/pepr/pull/1117) - chore: bump [@​types/node](https://github.com/types/node) from 22.5.1 to 22.5.4 in the dev-deps group across 1 directory by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1118](https://github.com/defenseunicorns/pepr/pull/1118) - chore: bump the development-dependencies group with 2 updates by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1132](https://github.com/defenseunicorns/pepr/pull/1132) - chore: bump send and express by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1133](https://github.com/defenseunicorns/pepr/pull/1133) - chore: bump step-security/harden-runner from 2.9.1 to 2.10.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1130](https://github.com/defenseunicorns/pepr/pull/1130) - chore: bump github/codeql-action from 3.26.6 to 3.26.7 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1135](https://github.com/defenseunicorns/pepr/pull/1135) - chore: bump kubernetes-fluent-client from 3.0.2 to 3.0.3 in the production-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1136](https://github.com/defenseunicorns/pepr/pull/1136) - chore: bump chainguard/node from `0a7847d` to `5b59be4` by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1138](https://github.com/defenseunicorns/pepr/pull/1138) - chore: bump [@​types/node](https://github.com/types/node) from 22.5.4 to 22.5.5 in the development-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1137](https://github.com/defenseunicorns/pepr/pull/1137) ##### New Contributors - [@​daveworth](https://github.com/daveworth) made their first contribution in [https://github.com/defenseunicorns/pepr/pull/1111](https://github.com/defenseunicorns/pepr/pull/1111) - [@​samayer12](https://github.com/samayer12) made their first contribution in [https://github.com/defenseunicorns/pepr/pull/1104](https://github.com/defenseunicorns/pepr/pull/1104) **Full Changelog**: defenseunicorns/pepr@v0.35.0...v0.36.0 ### [`v0.35.0`](https://github.com/defenseunicorns/pepr/releases/tag/v0.35.0) [Compare Source](https://github.com/defenseunicorns/pepr/compare/v0.34.1...v0.35.0) #### What's Changed **Features** - feat: add custom liveness and readiness probes to helm chart by [@​nfoucha](https://github.com/nfoucha) in [https://github.com/defenseunicorns/pepr/pull/1086](https://github.com/defenseunicorns/pepr/pull/1086) - feat: sharded queue implementation by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1025](https://github.com/defenseunicorns/pepr/pull/1025) - feat: sharded queue feature flag [@​btlghrants](https://github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1025](https://github.com/defenseunicorns/pepr/pull/1025) **Other** - chore: bash based soak by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1072](https://github.com/defenseunicorns/pepr/pull/1072) - chore: named callbacks ADR by [@​schaeferka](https://github.com/schaeferka) in [https://github.com/defenseunicorns/pepr/pull/676](https://github.com/defenseunicorns/pepr/pull/676) - chore: add e2e test reference in pr template by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1091](https://github.com/defenseunicorns/pepr/pull/1091) - chore: address GHSA-952p-6rrq-rcjv by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1084](https://github.com/defenseunicorns/pepr/pull/1084) - chore: pin deps soak test by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1083](https://github.com/defenseunicorns/pepr/pull/1083) - chore: pin deps release action by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1082](https://github.com/defenseunicorns/pepr/pull/1082) - chore: default relist interval 10 min by [@​cmwylie19](https://github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1099](https://github.com/defenseunicorns/pepr/pull/1099) - chore: added waitForConfigMapKey by [@​schaeferka](https://github.com/schaeferka) in [https://github.com/defenseunicorns/pepr/pull/1066](https://github.com/defenseunicorns/pepr/pull/1066) **Dependency Updates** - chore: bump actions/upload-artifact from 2 to 4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1071](https://github.com/defenseunicorns/pepr/pull/1071) - chore: bump nock from 13.5.4 to 13.5.5 in the development-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1070](https://github.com/defenseunicorns/pepr/pull/1070) - chore: bump [@​types/node](https://github.com/types/node) from 22.4.1 to 22.5.0 in the development-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1078](https://github.com/defenseunicorns/pepr/pull/1078) - chore: bump github/codeql-action from 3.26.2 to 3.26.3 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1067](https://github.com/defenseunicorns/pepr/pull/1067) - chore: bump anchore/scan-action from 4.1.1 to 4.1.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1077](https://github.com/defenseunicorns/pepr/pull/1077) - chore: bump actions/upload-artifact from 3 to 4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1076](https://github.com/defenseunicorns/pepr/pull/1076) - chore: bump github/codeql-action from 3.26.3 to 3.26.4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1074](https://github.com/defenseunicorns/pepr/pull/1074) - chore: bump azure/setup-kubectl from 3 to 4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1075](https://github.com/defenseunicorns/pepr/pull/1075) - chore: bump github/codeql-action from 3.26.4 to 3.26.5 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1089](https://github.com/defenseunicorns/pepr/pull/1089) - chore: bump micromatch from 4.0.7 to 4.0.8 by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1090](https://github.com/defenseunicorns/pepr/pull/1090) - chore: bump ts-jest from 29.2.4 to 29.2.5 in the development-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1088](https://github.com/defenseunicorns/pepr/pull/1088) - chore: bump the development-dependencies group with 3 updates by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1095](https://github.com/defenseunicorns/pepr/pull/1095) - chore: bump [@​types/ramda](https://github.com/types/ramda) from 0.30.1 to 0.30.2 in the production-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1094](https://github.com/defenseunicorns/pepr/pull/1094) - chore: bump kubernetes-fluent-client from 3.0.1 to 3.0.2 in the production-dependencies group by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1100](https://github.com/defenseunicorns/pepr/pull/1100) - chore: bump the development-dependencies group with 3 updates by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1101](https://github.com/defenseunicorns/pepr/pull/1101) - chore: bump chainguard/node-lts from `c48eef3` to `62bbead` by [@​dependabot](https://github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1064](https://github.com/defenseunicorns/pepr/pull/1064) #### New Contributors - [@​nfoucha](https://github.com/nfoucha) made their first contribution in [https://github.com/defenseunicorns/pepr/pull/1086](https://github.com/defenseunicorns/pepr/pull/1086) **Full Changelog**: defenseunicorns/pepr@v0.34.1...v0.35.0 </details> <details> <summary>kulshekhar/ts-jest (ts-jest)</summary> ### [`v29.2.5`](https://github.com/kulshekhar/ts-jest/blob/HEAD/CHANGELOG.md#2925-2024-08-23) [Compare Source](https://github.com/kulshekhar/ts-jest/compare/v29.2.4...v29.2.5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yNi4xIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
itsarijitray
pushed a commit
to itsarijitray/pepr
that referenced
this pull request
Sep 20, 2024
…#1123) ## Description A manual scan of grype reveals 3 High severity findings: ``` > docker run --rm \ --volume /var/run/docker.sock:/var/run/docker.sock \ --name Grype anchore/grype:v0.80.0 \ pepr:dev NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libcrypto3 3.3.1-r5 3.3.2-r0 apk CVE-2024-6119 High libssl3 3.3.1-r5 3.3.2-r0 apk CVE-2024-6119 High path-to-regexp 0.1.7 0.1.10 npm GHSA-9wv6-86v2-598j High ``` ## Related Issue Fixes defenseunicorns#1122 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
A manual scan of grype reveals 3 High severity findings:
Related Issue
Fixes #1122
Type of change
Checklist before merging