chore: squash High findings in pepr controller image #1123
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files (Coverage Diff):

| | main | #1123 | +/- |
|---|---|---|---|
| Coverage | 85.65% | 85.65% | |
| Files | 26 | 26 | |
| Lines | 1032 | 1032 | |
| Branches | 222 | 222 | |
| Hits | 884 | 884 | |
| Misses | 137 | 137 | |
| Partials | 11 | 11 | |
Updating to the newest chainguard:node images removes the two "apk" findings, but the "npm" finding remains. Tracking that down now.
Looks like it's express@4.19.2 that's pulling in the borked version of path-to-regexp@0.1.7. Updating pepr to express@4.20.0 pulls in the newer (and recommended) version of path-to-regexp@0.1.10.
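To make that kind of dependency-chain hunt repeatable, here is an added example (not pepr's code) that walks a lockfileVersion-3 `package-lock.json`, reports which installed package pulls in a transitive dependency grype flagged, and compares the installed version with grype's FIXED-IN value. The two lock objects are constructed to mirror the before/after state described above (express@4.19.2 pinning path-to-regexp@0.1.7, express@4.20.0 pinning path-to-regexp@0.1.10); `constructedLock`, `findDependents` and `assessFinding` are names chosen here.

```javascript
// Added example, not pepr's own code: find which installed package pulls in a
// transitive dependency that grype flagged, and compare its version to FIXED-IN.
// Assumes npm lockfileVersion 3 ("packages" keyed by node_modules paths).
// Constructed lock fragments mirroring the PR: express -> path-to-regexp.
// Real lock files carry far more entries; only the relevant ones are modelled.
function constructedLock(expressVersion, ptrVersion) {
  return {
    lockfileVersion: 3,
    packages: {
      "": { dependencies: { express: expressVersion } },
      "node_modules/express": { version: expressVersion, dependencies: { "path-to-regexp": ptrVersion } },
      "node_modules/path-to-regexp": { version: ptrVersion },
    },
  };
}
const LOCK_BEFORE = constructedLock("4.19.2", "0.1.7");  // state grype reported
const LOCK_AFTER = constructedLock("4.20.0", "0.1.10");  // after bumping express

// Numeric dotted-version comparison (<0, 0, >0). Enough for the x.y.z versions
// in this scan; pre-release suffixes are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "node_modules/a/node_modules/b" -> "b"
function pkgName(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Every installed package whose declared dependencies include `target`.
function findDependents(lock, target) {
  return Object.entries(lock.packages)
    .filter(([key, meta]) => key !== "" && meta.dependencies && target in meta.dependencies)
    .map(([key, meta]) => ({ name: pkgName(key), version: meta.version }));
}

// Assess one grype finding: installed version of `target` (hoisted copy only),
// whether it is still below `fixedIn`, and which packages pull it in.
function assessFinding(lock, target, fixedIn) {
  const entry = lock.packages[`node_modules/${target}`];
  const installed = entry ? entry.version : null;
  return {
    target, installed, fixedIn,
    vulnerable: installed !== null && compareVersions(installed, fixedIn) < 0,
    pulledInBy: findDependents(lock, target),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const lock of [LOCK_BEFORE, LOCK_AFTER]) {
    console.log(JSON.stringify(assessFinding(lock, "path-to-regexp", "0.1.10")));
  }
}
```

Against a real lock, load it with `JSON.parse(fs.readFileSync("package-lock.json"))` and pass the package name and FIXED-IN column straight from the grype table.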
New and removed dependencies detected (Socket for GitHub).

🚮 Removed packages: npm/express@4.19.2
## Description

A manual scan of grype reveals 3 High severity findings:

```
> docker run --rm \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --name Grype anchore/grype:v0.80.0 \
    pepr:dev
NAME            INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
libcrypto3      3.3.1-r5   3.3.2-r0  apk   CVE-2024-6119        High
libssl3         3.3.1-r5   3.3.2-r0  apk   CVE-2024-6119        High
path-to-regexp  0.1.7      0.1.10    npm   GHSA-9wv6-86v2-598j  High
```

## Related Issue

Fixes #1122

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed
- [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed