Alauda 2025.1.0 #54
Signed-off-by: mingfu <[email protected]>
Signed-off-by: mingfu <[email protected]>
…8.0 [security] (#2) * fix(deps): update dependency org.apache.commons:commons-lang3 to v3.18.0 [security] * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-bgdq4-update-chart-values --------- Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Co-authored-by: Alauda Bot <[email protected]>
Signed-off-by: mingfu <[email protected]>
Signed-off-by: mingfu <[email protected]>
Signed-off-by: mingfu <[email protected]>
* fix(deps): update all patch dependencies * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-xczdb-update-chart-values --------- Co-authored-by: Renovate Bot <[email protected]> Co-authored-by: Alauda Bot <[email protected]>
…-update-chart-values
* fix: fix vulnerabilities Signed-off-by: mingfu <[email protected]> * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-fkk2c-update-chart-values Signed-off-by: mingfu <[email protected]> --------- Signed-off-by: mingfu <[email protected]> Co-authored-by: Alauda Bot <[email protected]>
…-update-chart-values
…o /etc/hosts Signed-off-by: mingfu <[email protected]>
…-update-chart-values
…to v4.5.0 (#18) * fix(deps): update dependency org.apache.commons:commons-collections4 to v4.5.0 * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-4nr56-update-chart-values * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-xxh9m-update-chart-values --------- Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Co-authored-by: Alauda Bot <[email protected]> Co-authored-by: nanjingfm <[email protected]>
…-update-chart-values
* chore(deps): update all patch dependencies * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-pm8s7-update-chart-values --------- Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Co-authored-by: Alauda Bot <[email protected]>
#22) * feat: enhance sonar configuration script to dynamically merge settings * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-spz52-update-chart-values * fix: update PostgreSQL image to use dynamic registry configuration in YAML files * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-klxdc-update-chart-values --------- Co-authored-by: Alauda Bot <[email protected]>
…-update-chart-values
#23) * fix: update sonar-findbugs plugin version to 4.5.2 and install perl-base in Dockerfile * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-khwff-update-chart-values --------- Co-authored-by: Alauda Bot <[email protected]>
…-update-chart-values
* add use-mw-pg deploy sonar case * update
…orization headers (#31)
* fix(deps): update all patch dependencies * Auto-commit by alaudabot in edge [ci skip] - devops/sonar-image-kn7g8-update-chart-values --------- Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Co-authored-by: Alauda Bot <[email protected]>
…-update-chart-values
…-update-chart-values
* feat: add sso plugin to plugin image. Signed-off-by: kychen <[email protected]> * fix: update Dockerfile and build.gradle dependencies for compatibility - Updated JRE image version in Dockerfile to use '17.0.16_8-jre-ubi10-minimal'. - Upgraded sonar-java-symbolic-execution-plugin, sonar-javascript-plugin, and sonar-iac plugins to their latest versions in build.gradle for improved functionality and security. * fix: update Dockerfile to use ARG for dependency versions - Replaced hardcoded dependency versions with ARG variables for netty and bouncycastle in Dockerfile. - This change improves maintainability and allows for easier updates in the future. --------- Signed-off-by: kychen <[email protected]>
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…cat to v2.0.7 (#53) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…dle (#61) * fix(deps): update lz4-java dependency to at.yawk.lz4 and adjust Dockerfiles - Replaced org.lz4:lz4-java with at.yawk.lz4:lz4-java in build.gradle and sonar-db-dao/build.gradle. - Updated Dockerfile for community-build to include lz4-java version 1.10.1. - Changed base image version in plugin Dockerfile to 3.21.5-alauda-202512020944. * fix(deps): update dependencies and Dockerfile versions - Updated SonarQube image tags in chart/values.yaml to v2025.1.0-g48aaba9. - Changed base image version in testing/Dockerfile to golang:1.25.5. - Updated Go module version in testing/go.mod to go 1.25.5 and updated various dependencies to their latest versions. - Adjusted go.sum to reflect the updated dependencies.
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
* fix: update plugin Dockerfile to use xargs for wget command * chore: update SonarQube and plugin image tags in values.yaml
…-update-chart-values
…#68) * chore: remove unnecessary sniff tools from community build Dockerfile * chore: update SonarQube and plugin image tags in values.yaml to v2025.1.0-g2e7b71d
* chore: [DEVOPS-42856] add MIT license for chart * chore: [DEVOPS-42856] optimize license * chore: [DEVOPS-42856] optimize license, add license for image * chore: [DEVOPS-42856] optimize license, use ELv2 license which is from official repo
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
…-update-chart-values
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
| Severity | Issue | Location |
|---|---|---|
| CRITICAL | Docker security vulnerabilities in base testing image | .tekton/dockerfile/Dockerfile.base |
| WARNING | Potential race conditions in SSO test flow | testing/steps/sso.go |
| WARNING | Missing checksum verification for binary downloads | .tekton/dockerfile/Dockerfile.base |
Recommendation: Address critical Docker security issues before merge
Review Details (48 files)
Files: Tekton pipelines, Docker images, testing infrastructure, source code, dependencies
Critical Issues Found:
- Docker Security Vulnerabilities: New base testing image uses Early Access OpenJDK 26, lacks non-root user, and downloads binaries without verification
- SSO Test Reliability: Enhanced login flow with multiple fallbacks may introduce timing issues in E2E tests
- Missing Security Controls: No checksum verification for kubectl, helm, yq downloads
Positive Changes:
- Improved license documentation with proper Elastic License 2.0 compliance
- Updated SonarQube plugins (FindBugs 4.4.2 → 4.5.2, added OIDC auth plugin)
- Modernized Apache Commons library imports
- Enhanced Tekton pipeline PR integration
Files with Issues: .tekton/dockerfile/Dockerfile.base (2 issues), testing/steps/sso.go (1 issue)
Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com>
No description provided.