
drone-yaml-validator's Introduction


drone-yaml-validator's People

Contributors

devatherock, mend-bolt-for-github[bot], renovate-bot, renovate[bot]


Forkers

amaybaum-prod

drone-yaml-validator's Issues

Add a unit test for the built docker image

Make the unit test agnostic of Java/Groovy, so that even if the script is switched to a different language the unit tests will be able to test the new plugin without any change. Use a combination of container-structure-test and Gradle tests pulling the plugin's docker image, as described in this article.

Improve unit test coverage

Things that could be done:

  • Introduce a test flag for unit testing, so that a runtime exception can be thrown instead of System.exit(1)
  • Refactor System.exit(1) statements into a separate exitWithError method
  • Use mock logging handlers for the unit test instead of mocking System.err and System.out

Allow custom constructors

I have YAML files for use with pyyaml where I have a custom constructor !include that allows me to include other YAML files.
The validation, however, fails because of that. Is there a way to allow such custom elements?

Build the native binary inside docker

Right now, the native binaries in both the linux/amd64 and linux/arm64 images are built in a CircleCI step which uses the linux/amd64 version of java-to-native as the docker executor. The linux/arm64 image does work as of now, when tested using qemu-user-static on an x86 Ubuntu machine, but it might stop working or run into issues. The ideal way to ensure that both images keep working would be to build them in a multi-stage docker build, the first stage of which would perform the native binary build. The java-to-native image can be used as the base image of the first stage (once it has both linux/amd64 and linux/arm64 variants). Requires devatherock/java-to-native#4. Also build 2 separate images, instead of a multiarch image, as building a native binary with emulation is too slow, as seen in this artifactory-badge build.

CVE-2020-17521 (Medium) detected in groovy-2.5.7.jar - autoclosed

CVE-2020-17521 - Medium Severity Vulnerability

Vulnerable Library - groovy-2.5.7.jar

Groovy: A powerful, dynamic language for the JVM

Library home page: https://groovy-lang.org

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/2.5.7/99907efe4b69f800c42584386f5d668e4d952bd5/groovy-2.5.7.jar

Dependency Hierarchy:

  • groovy-2.5.7.jar (Vulnerable Library)

Found in HEAD commit: ec5444e3c7e0312cf8f67172d0e1d992138a0b53

Found in base branch: master

Vulnerability Details

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Publish Date: 2020-12-07

URL: CVE-2020-17521

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/GROOVY-9824

Release Date: 2020-12-07

Fix Resolution: 2.5.14


Step up your Open Source Security Game with Mend here

CVE-2022-38752 (Medium) detected in snakeyaml-1.31.jar - autoclosed

CVE-2022-38752 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.31.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /build.gradle

Path to vulnerable library: /modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar

Dependency Hierarchy:

  • snakeyaml-1.31.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High




CVE-2022-38751 (Medium) detected in snakeyaml-1.31.jar - autoclosed

CVE-2022-38751 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.31.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /build.gradle

Path to vulnerable library: /modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar

Dependency Hierarchy:

  • snakeyaml-1.31.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High




CVE-2022-1471 (High) detected in snakeyaml-1.33.jar - autoclosed

CVE-2022-1471 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Dependency Hierarchy:

  • snakeyaml-1.33.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

SnakeYaml's Constructor() class does not restrict the types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0
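As an added illustration, not code from drone-yaml-validator or from SnakeYAML's own documentation, of the loader configuration this report and the two stack-overflow reports above call for: SafeConstructor rejects any global tag before any class lookup happens, and LoaderOptions bounds the depth, alias expansion and size a single document may consume. It assumes org.yaml:snakeyaml:2.0 on the classpath; both YAML documents are constructed here, and the class name in the tagged one is a placeholder.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {

    // Constructed sample: a global tag asking the loader to instantiate an arbitrary
    // class (placeholder name). The unrestricted Constructor resolves such tags to
    // Java classes during load, which is the behaviour behind CVE-2022-1471.
    static final String TAGGED_DOC = "pipeline: !!com.example.Placeholder {}\n";

    // Constructed sample of the kind of document a pipeline validator expects.
    static final String PLAIN_DOC = "kind: pipeline\nname: default\n";

    // Hardened loader: SafeConstructor only knows the standard YAML tags, and the
    // LoaderOptions bound the resources one document may consume while parsing.
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(20);        // caps recursion (the stack-overflow DoS reports)
        opts.setMaxAliasesForCollections(20); // caps alias expansion ("billion laughs")
        opts.setAllowRecursiveKeys(false);
        opts.setCodePointLimit(1024 * 1024);  // refuse documents larger than 1 MiB
        opts.setAllowDuplicateKeys(false);    // a validator should report these, not pick one
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns the parsed top-level mapping, or null when the document is rejected.
    static Map<?, ?> loadPipeline(String doc) {
        try {
            Object root = safeLoader().load(doc);
            return root instanceof Map ? (Map<?, ?>) root : null;
        } catch (YAMLException e) {
            // For TAGGED_DOC this is a ConstructorException
            // ("could not determine a constructor for the tag ...").
            System.err.println("rejected: " + e.getMessage().split("\n")[0]);
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("tagged document -> " + loadPipeline(TAGGED_DOC));
        System.out.println("plain document  -> " + loadPipeline(PLAIN_DOC));
    }
}
```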



Compress native binary using upx

This will reduce the docker image size even more. Refer to the article. It shouldn't be used on serverless/short-lived web apps, as decompression will increase startup time.

CVE-2023-2976 (High) detected in guava-31.1-jre.jar - autoclosed

CVE-2023-2976 - High Severity Vulnerability

Vulnerable Library - guava-31.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Dependency Hierarchy:

  • checkstyle-10.12.0.jar (Root Library)
    • guava-31.1-jre.jar (Vulnerable Library)

Found in HEAD commit: c4cb9653a621b4ef4b7a9fcd569cd322e518a2a2

Found in base branch: master

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-7g45-4rm6-3mm3

Release Date: 2023-06-14

Fix Resolution (com.google.guava:guava): 32.0.1-android

Direct dependency fix Resolution (com.puppycrawl.tools:checkstyle): 10.12.1



Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Invalid configuration option: extends[1].0, extends: preset value is not a string
