Backport of [NET-2420] security: re-enable security scan release block into release/1.4.x #3651
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
zalimeni
force-pushed
the
backport/zalimeni/net-2420-reenable-security-scans-k8s/fully-deep-griffon
branch
from
f330e23
to
5d17d4b
Compare
This was previously disabled due to an unresolved false-positive CVE. Re-enabling both secrets and OSV + Go Modules scanning, which per our current scan results should not be a blocker to future releases. Also add security scans on PR and merge to protected branches to allow proactive triage going forward. See hashicorp/consul#19978 for similar change in that repo, adapted here.
Triage this scan result as `consul-k8s` should not be directly impacted and it is medium severity. Follow-up ticket filed for remediation. Also improve formatting of scan config since this change will be backported.
zalimeni
force-pushed
the
backport/zalimeni/net-2420-reenable-security-scans-k8s/fully-deep-griffon
branch
from
0ad259c
to
eceb562
Compare
2 tasks
zalimeni
approved these changes
Feb 21, 2024
zalimeni
deleted the
backport/zalimeni/net-2420-reenable-security-scans-k8s/fully-deep-griffon
branch
zalimeni
added a commit
that referenced
this pull request
Feb 28, 2024
* Backport of [NET-5932] chore: remove comment from closed ticket into release/1.4.x (#3637) backport of commit a95e951 Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of build: Create arm64 packages as well into release/1.4.x (#3647) backport of commit affc631 Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> * Backport of [NET-2420] security: Upgrade helm containerd and several other dependencies into release/1.4.x (#3641) * security: upgrade helm/v3 to 3.11.3 Addresses multiple CVEs: - CVE-2023-25165 - CVE-2022-23524 - CVE-2022-23526 - CVE-2022-23525 * chore: upgrade k8s dependencies to match controller-runtime * security: upgrade containerd to latest Addresses GHSA-7ww5-4wqc-m92c (GO-2023-2412) * security: upgrade docker/docker to latest Addresses GHSA-jq35-85cj-fj4p * security: upgrade docker/distribution to latest Addresses CVE-2023-2253 * security: upgrade filepath-securejoin to latest patch Addresses GHSA-6xv5-86q9-7xr8 (GO-2023-2048) * chore: upgrade oras-go to fix docker incompatibility * Add changelog --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of values.yaml - tlsServerName docs into release/1.4.x (#3667) * backport of commit 1598b40 * backport of commit 41dabc4 --------- Co-authored-by: David Yu <dyu@hashicorp.com> * Backport of [NET-2420] security: re-enable security scan release block into release/1.4.x (#3651) * security: re-enable security scan release block This was previously disabled due to an unresolved false-positive CVE. Re-enabling both secrets and OSV + Go Modules scanning, which per our current scan results should not be a blocker to future releases. Also add security scans on PR and merge to protected branches to allow proactive triage going forward. See hashicorp/consul#19978 for similar change in that repo, adapted here. * security: add scan triage for CVE-2024-25620 (helm/v3) Triage this scan result as `consul-k8s` should not be directly impacted and it is medium severity. Follow-up ticket filed for remediation. Also improve formatting of scan config since this change will be backported. --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of [NET-6741] make: Add target for updating dependencies across all modules into release/1.4.x (#3673) backport of commit 44583d3 Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of build.yml: Add ECR images back into release/1.4.x (#3679) * backport of commit 8fba327 * backport of commit 9a73765 * backport of commit dd2222f --------- Co-authored-by: David Yu <dyu@hashicorp.com> * Backport of build.yml: typo on tags into release/1.4.x (#3684) backport of commit cf8dcbe Co-authored-by: David Yu <dyu@hashicorp.com> * Backport of [NET-8174] security: add scan triage for CVE-2024-26147 (helm/v3) into release/1.4.x (#3692) backport of commit 4b8bc71 Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of bump kind to v0.22.0 and update k8s support into release/1.4.x (#3687) * backport of commit 9f495e0 * backport of commit df8edec * backport of commit ca89a82 --------- Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com> --------- Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com> Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Co-authored-by: David Yu <dyu@hashicorp.com> Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #3628 to be assessed for backporting due to the inclusion of the label backport/1.4.x.
🚨
The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.
The below text is copied from the body of the original PR.
Follow-up to #3625 to re-enable scans.
Changes proposed in this PR
mainandrelease/**Scanner config is intentionally aligned w/ changes made in hashicorp/consul#19978 for consistency.
How I've tested this PR
CI continues to pass, scan results are working as expected.
How I expect reviewers to test this PR
👀
Checklist
Overview of commits