
pacevedom
Contributor

@pacevedom pacevedom commented May 6, 2025

Addressing snyk errors:

✗ [Medium] Path Traversal
ID: 7154f7f8-a0c9-42ec-b8b7-dc8727837ddf
Path: pkg/cmd/init.go, line 614
Info: Unsanitized input from file name flows into os.RemoveAll, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files

✗ [Medium] Improper Certificate Validation
ID: cd1300f4-2c30-4395-b9cd-31e44905379f
Path: pkg/util/net.go, line 91
Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

Which issue(s) this PR addresses:

Closes #
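The two scanner findings above describe general patterns, so here is an added example in Go that is not code from this PR's repository (its pkg/cmd/init.go and pkg/util/net.go are not shown on this page). It demonstrates the mitigation each finding asks for: confining an untrusted file name to a single path component under a trusted base before calling os.RemoveAll, and building a client tls.Config that verifies the server chain against a CA bundle instead of setting InsecureSkipVerify. All function names (ResolveWithinBase, RemoveAllWithinBase, NewVerifyingClientTLS, IsPermissiveTLS, constructedCAPEM) and the constructed in-memory CA are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ErrUnsafeName is returned when an untrusted file name is not a single plain
// path component and therefore must not be joined onto a base directory.
var ErrUnsafeName = errors.New("unsafe file name")

// ResolveWithinBase joins an untrusted name onto a trusted base directory and
// returns the result only if it is a direct child of base. Requiring a single
// path component rejects "../x", "a/b", absolute paths, "." and "..".
// (os.RemoveAll on a symlink removes the link itself, not its target.)
func ResolveWithinBase(base, name string) (string, error) {
	if name == "" || name == "." || name == ".." || name != filepath.Base(name) {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, name)
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name)
	// Belt and braces: the cleaned path must be exactly base/name.
	if rel, err := filepath.Rel(absBase, target); err != nil || rel != name {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, name)
	}
	return target, nil
}

// RemoveAllWithinBase is the hardened replacement for calling os.RemoveAll
// directly on user-influenced input.
func RemoveAllWithinBase(base, name string) error {
	target, err := ResolveWithinBase(base, name)
	if err != nil {
		return err
	}
	return os.RemoveAll(target)
}

// NewVerifyingClientTLS returns a client config that validates the server
// chain against caPEM and checks serverName, instead of InsecureSkipVerify.
func NewVerifyingClientTLS(caPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA bundle contains no certificates")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

// IsPermissiveTLS reports whether a config would accept any certificate and
// any host name, which is the pattern the scanner flags.
func IsPermissiveTLS(cfg *tls.Config) bool {
	return cfg == nil || cfg.InsecureSkipVerify
}

// constructedCAPEM generates a throwaway self-signed CA in memory so the
// example runs offline; a real deployment loads its CA bundle from disk.
func constructedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	for _, name := range []string{"cache", "../etc", "/etc/passwd", ".."} {
		_, err := ResolveWithinBase("/srv/data", name)
		fmt.Printf("%-12q accepted=%v\n", name, err == nil)
	}
	caPEM, _ := constructedCAPEM()
	cfg, _ := NewVerifyingClientTLS(caPEM, "api.example.internal")
	fmt.Println("verifying config permissive:", IsPermissiveTLS(cfg))
	fmt.Println("skip-verify config permissive:", IsPermissiveTLS(&tls.Config{InsecureSkipVerify: true}))
}
```

The single-component rule is deliberately stricter than a prefix check on the cleaned path: it needs no normalisation reasoning and makes the accepted set obvious in review.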

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 6, 2025
Contributor

openshift-ci bot commented May 6, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@pacevedom
Contributor Author

/test security

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 6, 2025
@pacevedom
Contributor Author

/test security

@pacevedom
Contributor Author

/test security

@pacevedom
Contributor Author

/test security

@pacevedom
Contributor Author

/test security

@pacevedom
Contributor Author

/test security

@pacevedom
Contributor Author

/test security

@pacevedom pacevedom changed the title wip [release-4.19] NO-ISSUE: Address snyk errors May 6, 2025
@pacevedom pacevedom marked this pull request as ready for review May 6, 2025 13:05
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 6, 2025
@openshift-ci-robot

@pacevedom: This pull request explicitly references no jira issue.

In response to this:

Which issue(s) this PR addresses:

Closes #

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 6, 2025
@openshift-ci openshift-ci bot requested review from pmtk and vanhalenar May 6, 2025 13:05
@pacevedom pacevedom changed the title [release-4.19] NO-ISSUE: Address snyk errors [release-4.19] USHIFT-5711: Address snyk errors May 6, 2025
@openshift-ci-robot

openshift-ci-robot commented May 6, 2025

@pacevedom: This pull request references USHIFT-5711 which is a valid jira issue.

In response to this:

Which issue(s) this PR addresses:

Closes #

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented May 6, 2025

@pacevedom: This pull request references USHIFT-5711 which is a valid jira issue.

In response to this:

Addressing snyk errors:

✗ [Medium] Path Traversal
ID: 7154f7f8-a0c9-42ec-b8b7-dc8727837ddf
Path: pkg/cmd/init.go, line 614
Info: Unsanitized input from file name flows into os.RemoveAll, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files

✗ [Medium] Improper Certificate Validation
ID: cd1300f4-2c30-4395-b9cd-31e44905379f
Path: pkg/util/net.go, line 91
Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

Which issue(s) this PR addresses:

Closes #

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pacevedom
Contributor Author

/label backport-risk-assessed
/label cherry-pick-approved

@openshift-ci openshift-ci bot added backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. labels May 6, 2025
@pacevedom
Contributor Author

/label jira/valid-bug

@openshift-ci openshift-ci bot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label May 6, 2025
@pmtk
Member

pmtk commented May 7, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 7, 2025
Contributor

openshift-ci bot commented May 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Contributor

openshift-ci bot commented May 7, 2025

@pacevedom: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit fedc158 into openshift:release-4.19 May 7, 2025
11 checks passed