Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE Fixes #104

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

CVE Fixes #104

wants to merge 18 commits into from

Conversation

sriramr98
Copy link
Collaborator

Changes proposed in this PR:

  • Updated go version to 1.23.7 to 1.20.3
  • Updated multiple dependencies with vulnerabilities to a later version without vulnerabilities

How I've tested this PR:

  • Ran tests locally

How I expect reviewers to test this PR:

Checklist:

  • Tests added
  • CHANGELOG entry added

@sriramr98 sriramr98 requested a review from a team as a code owner March 26, 2025 07:30
@hashicorp-cla-app HashiCorp CLA App
Copy link

hashicorp-cla-app bot commented Mar 26, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@sriramr98 sriramr98 requested a review from a team as a code owner March 26, 2025 08:57
@sriramr98 sriramr98 force-pushed the sriramr98/cve_fixes branch from f8bbafe to b8896aa Compare March 26, 2025 09:04
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 26, 2025 15:43 — with GitHub Actions Inactive
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 26, 2025 15:48 — with GitHub Actions Inactive
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 26, 2025 15:57 — with GitHub Actions Inactive
srahul3
srahul3 previously approved these changes Mar 27, 2025
View reviewed changes
Copy link

@srahul3 srahul3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ LGTM

@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 27, 2025 07:35 — with GitHub Actions Inactive
sreeram77
sreeram77 previously approved these changes Mar 27, 2025
View reviewed changes
Copy link
Member

@sreeram77 sreeram77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 03:20 — with GitHub Actions Inactive
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 03:23 — with GitHub Actions Inactive
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 03:30 — with GitHub Actions Inactive
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 06:00 — with GitHub Actions Inactive
srahul3
srahul3 previously approved these changes Mar 28, 2025
View reviewed changes
Copy link

@srahul3 srahul3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ LGTM

dduzgun-security
dduzgun-security reviewed Mar 28, 2025
View reviewed changes
Copy link

@dduzgun-security dduzgun-security left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sriramr98 Thanks a lot for looking into it.
Few comments but the rest looks good. I'll look at the CI too so we can fix it and merge

.github/workflows/bin-ci.yml Outdated
@@ -96,7 +96,7 @@ jobs:
--junitfile "$TEST_RESULTS_DIR/${{ matrix.consul-version }}/gotestsum-report.xml" -- \
-race "${PACKAGE_NAMES[@]}" \
-- "$FLAG"
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@v4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

.github/workflows/build.yml Outdated
@@ -55,7 +55,7 @@ jobs:
version: ${{ needs.get-product-version.outputs.product-version }}
product: ${{ env.PRD_NAME }}
repositoryOwner: "hashicorp"
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@v4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

.github/workflows/build.yml Outdated
@@ -105,13 +105,13 @@ jobs:
zip -r out/${{ env.EXT_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ env.GOOS }}_${{ env.GOARCH }}.zip extensions/

- name: Upload consul-lambda-registrator
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@v4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

.github/workflows/build.yml Outdated
with:
name: ${{ env.REG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ env.GOOS }}_${{ env.GOARCH }}.zip
path: ./consul-lambda/out/${{ env.REG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ env.GOOS }}_${{ env.GOARCH }}.zip

- name: Upload consul-lambda-extension
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@v4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

.github/workflows/build.yml Outdated
@@ -169,7 +169,7 @@ jobs:
git-short-sha: ${{ needs.get-product-version.outputs.git-short-sha }}
steps:
- name: Download image artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@v4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
uses: actions/download-artifact@v4
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e #v4.2.1

.github/workflows/terraform-ci.yml Outdated
@@ -121,7 +125,7 @@ jobs:
--junitfile "$TEST_RESULTS/gotestsum-report.xml" \
--format standard-verbose -- \
./... -p 1 -timeout 90m -v -failfast
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@v4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

.github/workflows/build.yml Outdated
@@ -139,7 +139,7 @@ jobs:
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

- name: Docker Build
uses: hashicorp/actions-docker-build@v1
uses: hashicorp/actions-docker-build@v2
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
uses: hashicorp/actions-docker-build@v2
uses: hashicorp/actions-docker-build@11d43ef520c65f58683d048ce9b47d6617893c9a #v2

.github/workflows/terraform-ci.yml Outdated
@@ -24,9 +24,9 @@ jobs:
- name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: Setup Terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
uses: hashicorp/setup-terraform@v3
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
uses: hashicorp/setup-terraform@v3
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd #v3.1.2

.github/workflows/terraform-ci.yml Outdated
@@ -108,6 +108,10 @@ jobs:
aws configure set role_arn "${{ secrets.AWS_ROLE_ARN }}"
aws configure set region us-west-2
aws configure set source_profile lambda_user
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should pin the GitHub Action for better security.

Suggested change
uses: hashicorp/setup-terraform@v3
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd #v3.1.2

@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 12:53 — with GitHub Actions Inactive
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 12:56 — with GitHub Actions Inactive
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 13:00 — with GitHub Actions Inactive
@sriramr98 sriramr98 force-pushed the sriramr98/cve_fixes branch from bccf70f to 76227cc Compare March 29, 2025 13:01
@sriramr98 sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 13:03 — with GitHub Actions Inactive
sriramr98 added 13 commits March 29, 2025 18:38
@sriramr98
Updated terraform action version to v3
8457c39
@sriramr98
Updated terraform action version to v3
d1c426a
@sriramr98
Updated hashicorp.actions-docker-build to v2 since v1 contains an old…
9e1bdc5 
…er action dependency which fails tests by default as it's deprecated
@sriramr98
Removed unwanted terraform dependency init
4ae93c1
@sriramr98
Added terraform setup step in acceptance tests CI
6f2aa4b
@sriramr98
Updated consul version in unit tests CI
fc25cd5
@sriramr98
Reverted InsecureSkipVerify to default behaviour in extension.go
b71276a 
…-> `proxyConfig`
@sriramr98
Added a debug log - to be reverted after debugging
63b2cd9
@sriramr98
Added a debug log - to be reverted after debugging
08645f0
@sriramr98
Reverting the debug log
9198c00
@sriramr98
Added version.go to keep track of the version which is then used to d…
cf57145 
…ecide whether or not to enforce mTLs.
@sriramr98
Trying to increase VPC quota through CLI which failed due to permissi…
1a67b64 
…on issues. Squashing related commits for sanity.
@sriramr98
Hardcoded specific workflow action ID for security purposes.
32878aa
@sriramr98 sriramr98 force-pushed the sriramr98/cve_fixes branch from 8695981 to 32878aa Compare March 29, 2025 13:08
Vikramarjuna
Vikramarjuna previously approved these changes Mar 29, 2025
View reviewed changes
@sriramr98 sriramr98 deployed to dockerhub/hashicorpdev March 31, 2025 12:18 — with GitHub Actions Active
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dduzgun-security dduzgun-security dduzgun-security left review comments

@Vikramarjuna Vikramarjuna Vikramarjuna left review comments

@sreeram77 sreeram77 sreeram77 left review comments

@srahul3 srahul3 srahul3 left review comments

@sarahethompson sarahethompson Awaiting requested review from sarahethompson sarahethompson is a code owner automatically assigned from hashicorp/team-selfmanaged-releng

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sriramr98 @Vikramarjuna @sreeram77 @srahul3 @dduzgun-security