devatherock / drone-yaml-validator
CI plugin to validate yaml files
License: MIT License
It would be a nice feature to have, even as the default, with a flag to disable it. It has been requested in the gradle plugin as well
A flag named allow_trailing_spaces can be used, with a default of false
If it gets too complex to convert to native image using graal, take a look at the options below:
Make the unit test agnostic of java/groovy so that even if the script was switched to a different language the unit tests will be able to test the new plugin without any change. Use a combination of container-structure-test and gradle tests pulling the plugin's docker image as described in this article
Things that could be done:
Move the System.exit(1) statements into a separate exitWithError method
System.err and System.out
I have yaml files for use with pyyaml where I have a custom constructor !include that allows me to include other yaml files.
The validation however fails because of that. Is there a way to allow such custom elements?
Right now, the native binaries in both the linux/amd64 and linux/arm64 images are built in a CircleCI step which uses the linux/amd64 version of the java-to-native as the docker executor. The linux/arm64 image does work as of now, when tested using qemu-user-static on an x86 Ubuntu machine. But it might stop working or run into issues. The ideal way to ensure that both images keep working would be to build them in a multi-stage docker build, the first stage of which would perform the native binary build. The java-to-native image can be used as the base image of the first stage (once it has both linux/amd64 and linux/arm64 variants). Requires devatherock/java-to-native#4. Also build 2 separate images, instead of a multiarch image, as building a native binary with emulation is too slow as seen in this artifactory-badge build
Groovy: A powerful, dynamic language for the JVM
Library home page: https://groovy-lang.org
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/2.5.7/99907efe4b69f800c42584386f5d668e4d952bd5/groovy-2.5.7.jar
Dependency Hierarchy:
Found in HEAD commit: ec5444e3c7e0312cf8f67172d0e1d992138a0b53
Found in base branch: master
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Publish Date: 2020-12-07
URL: CVE-2020-17521
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/GROOVY-9824
Release Date: 2020-12-07
Fix Resolution: 2.5.14
Can be named yaml-validator. Release it as a major release, 2.0.0
YAML 1.1 parser and emitter for Java
Library home page: https://bitbucket.org/snakeyaml/snakeyaml
Path to dependency file: /build.gradle
Path to vulnerable library: /modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar
Dependency Hierarchy:
Found in base branch: master
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
Base Score Metrics:
YAML 1.1 parser and emitter for Java
Library home page: https://bitbucket.org/snakeyaml/snakeyaml
Path to dependency file: /build.gradle
Path to vulnerable library: /modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar
Dependency Hierarchy:
Found in base branch: master
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
Base Score Metrics:
By default, org.yaml.snakeyaml.LoaderOptions.allowDuplicateKeys is true. Setting it to false would treat YAML files with duplicate keys as invalid
Needs a groovy upgrade from 2.5.x to 3.0.9. Requires devatherock/java-to-native#5
YAML 1.1 parser and emitter for Java
Library home page: https://bitbucket.org/snakeyaml/snakeyaml
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar
Dependency Hierarchy:
Found in base branch: master
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
Publish Date: 2022-12-01
URL: CVE-2022-1471
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution: org.yaml:snakeyaml:2.0
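As an added example (not the plugin's own code), the loader below applies both hardening points raised on this page: SnakeYAML's SafeConstructor so that only standard YAML tags can be constructed (the CVE-2022-1471 recommendation), and LoaderOptions.allowDuplicateKeys set to false so that duplicate keys fail validation as the earlier note suggests. The class name StrictYamlCheck, the sample documents and the SnakeYAML 2.x API are assumptions.

```java
// Added example, not part of drone-yaml-validator: strict YAML validation with SnakeYAML 2.x.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.DuplicateKeyException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class StrictYamlCheck {

    // Returns null when the document is accepted, otherwise a short reason.
    static String validate(String text) {
        LoaderOptions opts = new LoaderOptions();
        // SnakeYAML default is true; false makes "name: a" followed by "name: b" an error.
        opts.setAllowDuplicateKeys(false);
        // SafeConstructor only builds standard YAML types, so arbitrary-class tags
        // (the CVE-2022-1471 vector) and unregistered custom tags are rejected.
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        try {
            yaml.load(text);
            return null;
        } catch (DuplicateKeyException e) {
            return "duplicate key: " + e.getMessage();
        } catch (YAMLException e) {
            // Syntax errors and unknown tags (e.g. a PyYAML-style !include) land here.
            return "invalid: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample documents (assumptions, not real pipeline files).
        String ok = "kind: pipeline\nname: default\nsteps:\n  - name: build\n    image: alpine\n";
        String dup = "kind: pipeline\nname: default\nname: second\n";
        String customTag = "steps: !include steps.yml\n";
        System.out.println("ok        -> " + validate(ok));
        System.out.println("dup       -> " + validate(dup));
        System.out.println("customTag -> " + validate(customTag));
    }
}
```

Loading with the default Constructor instead of SafeConstructor would accept the same documents but also instantiate whatever Java class an attacker names in a tag, which is the behaviour the CVE-2022-1471 advisory above describes.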
This will reduce the docker image size even more. Refer article. Shouldn't be used on serverless/short-lived web apps as decompression will increase startup time
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Dependency Hierarchy:
Found in HEAD commit: c4cb9653a621b4ef4b7a9fcd569cd322e518a2a2
Found in base branch: master
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution (com.google.guava:guava): 32.0.1-android
Direct dependency fix Resolution (com.puppycrawl.tools:checkstyle): 10.12.1
Need to support reading the debug flag from PARAMETER_DEBUG environment variable
Refer PR. Remove drone- prefix on the repo name in readme
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Invalid configuration option: extends[1].0, extends: preset value is not a string