From bdf73495dec75715a13a26616e7a218fc2aad668 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Wed, 16 Oct 2024 14:55:17 +0000 Subject: [PATCH 01/10] chore(release): 3.32.0 # [3.32.0](https://github.com/splunk/splunk-connect-for-syslog/compare/v3.31.0...v3.32.0) (2024-10-16) ### Bug Fixes * fix GDB installation ([#2615](https://github.com/splunk/splunk-connect-for-syslog/issues/2615)) ([44d6433](https://github.com/splunk/splunk-connect-for-syslog/commit/44d6433c799f62a90ce82f7cf64df8d956c37e75)) * remove goss from healthcheck ([#2600](https://github.com/splunk/splunk-connect-for-syslog/issues/2600)) ([b6ac66b](https://github.com/splunk/splunk-connect-for-syslog/commit/b6ac66b05a822c804bf802d1e3588898fd120b10)) ### Features * Adds config checksums to Helm chart to trigger rollout on change ([#2551](https://github.com/splunk/splunk-connect-for-syslog/issues/2551)) ([3a18d00](https://github.com/splunk/splunk-connect-for-syslog/commit/3a18d006e9dc709556e18078bc2fb10e951ff25d)) --- charts/splunk-connect-for-syslog/Chart.yaml | 4 ++-- package/etc/VERSION | 2 +- pyproject.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/splunk-connect-for-syslog/Chart.yaml b/charts/splunk-connect-for-syslog/Chart.yaml index 0c832a81cb..2a0337c186 100644 --- a/charts/splunk-connect-for-syslog/Chart.yaml +++ b/charts/splunk-connect-for-syslog/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: splunk-connect-for-syslog description: Deploy Splunk Connect for Syslog type: application -version: 3.31.0 -appVersion: "3.31.0" +version: 3.32.0 +appVersion: "3.32.0" diff --git a/package/etc/VERSION b/package/etc/VERSION index d9351e5882..cac6068cfc 100644 --- a/package/etc/VERSION +++ b/package/etc/VERSION @@ -1 +1 @@ -3.31.0 +3.32.0 diff --git a/pyproject.toml b/pyproject.toml index ed44759638..39ddfafda3 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -1,6 +1,6 @@ [tool.poetry] name = "splunk-connect-for-syslog" -version = "3.31.0" +version = "3.32.0" description = "" authors = ["rjha-splunk "] license = "Apache-2.0" From 14f12c443158eec18a8f349fd24e5d2655b5815d Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Thu, 17 Oct 2024 13:07:07 +0000 Subject: [PATCH 02/10] fix: fix sqlitedict CVE --- package/etc/pylib/parser_source_cache.py | 40 ++++++++++++++++++++++-- package/etc/pylib/parser_vps_cache.py | 38 ++++++++++++++++++++-- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/package/etc/pylib/parser_source_cache.py b/package/etc/pylib/parser_source_cache.py index dc573a3449..61e670d445 100644 --- a/package/etc/pylib/parser_source_cache.py +++ b/package/etc/pylib/parser_source_cache.py @@ -17,6 +17,40 @@ class LogParser: class LogDestination: pass +import builtins +import io +import pickle +from base64 import b64decode + +safe_builtins = { + 'range', + 'complex', + 'set', + 'frozenset', + 'slice', +} + +class RestrictedUnpickler(pickle.Unpickler): + def find_class(self, module, name): + # Only allow safe classes from builtins. + if module == "builtins" and name in safe_builtins: + return getattr(builtins, name) + # Forbid everything else. + raise pickle.UnpicklingError("global '%s.%s' is forbidden" % + (module, name)) + +def restricted_loads(s): + """Helper function analogous to pickle.loads().""" + return RestrictedUnpickler(io.BytesIO(s)).load() + +def restricted_decode(obj): + """Overwrite sqlitedict.decode to prevent code injection.""" + return restricted_loads(bytes(obj)) + +def restricted_decode_key(key): + """Overwrite sqlitedict.decode_key to prevent code injection.""" + return restricted_loads(b64decode(key.encode("ascii"))) + def ip2int(addr): ip4_to_int = lambda addr: struct.unpack("!I", socket.inet_aton(addr))[0] 
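Review bot: The new `import builtins`, `import io`, `import pickle` and `from base64 import b64decode` lines, together with the unpickler helpers, are inserted after the `LogParser`/`LogDestination` fallback stubs instead of joining the module's import block at the top, which hides the new dependency and breaks the file's import grouping; move the four imports up with the existing ones and keep only the definitions here. The restriction covers the read path only (`decode`, `decode_key`): anything that can write `{hostdict}.sqlite` can still store an arbitrary pickle, so the ownership and mode of that file remain the trust boundary and deserve a one-line comment near `safe_builtins`, e.g. `# Reads are restricted to plain data; the sqlite file itself must stay writable only by the syslog-ng user`. The `"global '%s.%s' is forbidden" % (module, name)` message is the older formatting style where the rest of the file uses f-strings. The identical block is added to parser_vps_cache.py in the same patch, where the same remarks apply.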
@@ -54,7 +88,7 @@ def int_to_ip6(num): class psc_parse(LogParser): def init(self, options): self.logger = syslogng.Logger() - self.db = SqliteDict(f"{hostdict}.sqlite") + self.db = SqliteDict(f"{hostdict}.sqlite", decode=restricted_decode, decode_key=restricted_decode_key) return True def deinit(self): @@ -82,7 +116,7 @@ class psc_dest(LogDestination): def init(self, options): self.logger = syslogng.Logger() try: - self.db = SqliteDict(f"{hostdict}.sqlite", autocommit=True) + self.db = SqliteDict(f"{hostdict}.sqlite", autocommit=True, decode=restricted_decode, decode_key=restricted_decode_key) except Exception: exc_type, exc_value, exc_traceback = sys.exc_info() lines = traceback.format_exception(exc_type, exc_value, exc_traceback) @@ -123,7 +157,7 @@ def flush(self): if __name__ == "__main__": - db = SqliteDict(f"{hostdict}.sqlite", autocommit=True) + db = SqliteDict(f"{hostdict}.sqlite", autocommit=True, decode=restricted_decode, decode_key=restricted_decode_key) db[0] = "seed" db.commit() db.close() \ No newline at end of file diff --git a/package/etc/pylib/parser_vps_cache.py b/package/etc/pylib/parser_vps_cache.py index a95162862b..d55d5ef040 100644 --- a/package/etc/pylib/parser_vps_cache.py +++ b/package/etc/pylib/parser_vps_cache.py 
@@ -18,13 +18,47 @@ class LogDestination: pass +import builtins +import io +import pickle +from base64 import b64decode + +safe_builtins = { + 'range', + 'complex', + 'set', + 'frozenset', + 'slice', +} + +class RestrictedUnpickler(pickle.Unpickler): + def find_class(self, module, name): + # Only allow safe classes from builtins. + if module == "builtins" and name in safe_builtins: + return getattr(builtins, name) + # Forbid everything else. + raise pickle.UnpicklingError("global '%s.%s' is forbidden" % + (module, name)) + +def restricted_loads(s): + """Helper function analogous to pickle.loads().""" + return RestrictedUnpickler(io.BytesIO(s)).load() + +def restricted_decode(obj): + """Overwrite sqlitedict.decode to prevent code injection.""" + return restricted_loads(bytes(obj)) + +def restricted_decode_key(key): + """Overwrite sqlitedict.decode_key to prevent code injection.""" + return restricted_loads(b64decode(key.encode("ascii"))) + hostdict = str("/var/lib/syslog-ng/vps") class vpsc_parse(LogParser): def init(self, options): self.logger = syslogng.Logger() - self.db = SqliteDict(f"{hostdict}.sqlite") + self.db = SqliteDict(f"{hostdict}.sqlite", decode=restricted_decode, decode_key=restricted_decode_key) return True def deinit(self): @@ -52,7 +86,7 @@ class vpsc_dest(LogDestination): def init(self, options): self.logger = syslogng.Logger() try: - self.db = SqliteDict(f"{hostdict}.sqlite", autocommit=True) + self.db = SqliteDict(f"{hostdict}.sqlite", autocommit=True, decode=restricted_decode, decode_key=restricted_decode_key) except Exception: exc_type, exc_value, exc_traceback = sys.exc_info() lines = traceback.format_exception(exc_type, exc_value, exc_traceback) From 750ecdb45fb1fa13d08d186290ddce6938b0ea12 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Mon, 21 Oct 2024 09:07:59 +0000 Subject: [PATCH 03/10] Add trivyignore --- .trivyignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .trivyignore 
diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000000..0a7be8250b --- /dev/null +++ b/.trivyignore @@ -0,0 +1,2 @@ +# This has been safeguarded directly in the code +CVE-2024-35515 \ No newline at end of file From d18a1c9a220877853f422cb94074638c8960ac3f Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Mon, 21 Oct 2024 09:31:54 +0000 Subject: [PATCH 04/10] Add trivyignores to CI configuration --- .github/workflows/ci-lite.yaml | 1 + .github/workflows/ci-main.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml index 96cc4e7b29..eecf951b64 100644 --- a/.github/workflows/ci-lite.yaml +++ b/.github/workflows/ci-lite.yaml @@ -168,6 +168,7 @@ jobs: format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' + trivyignores: '.trivyignore' test-container: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml index 9d02ba3fc7..fddd57dec8 100644 --- a/.github/workflows/ci-main.yaml +++ b/.github/workflows/ci-main.yaml @@ -168,6 +168,7 @@ jobs: format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' + trivyignores: '.trivyignore' test-container: runs-on: ubuntu-latest From 3fa9a29d4855cb86edb4647d7d9e6644b3a4fca4 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Mon, 21 Oct 2024 09:46:06 +0000 Subject: [PATCH 05/10] Update trivyignore path --- .github/workflows/ci-lite.yaml | 2 +- .github/workflows/ci-main.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml index eecf951b64..673202819b 100644 --- a/.github/workflows/ci-lite.yaml +++ b/.github/workflows/ci-lite.yaml @@ -168,7 +168,7 @@ jobs: format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' - trivyignores: '.trivyignore' + trivyignores: './.trivyignore' test-container: runs-on: ubuntu-latest 
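Review bot: The `CVE-2024-35515` entry suppresses the finding for every future sqlitedict version with no expiry, so if the restricted-unpickler safeguard is later removed or the dependency is swapped the scanner stays silent. Trivy's ignore file accepts an expiry suffix, so `CVE-2024-35515 exp:YYYY-MM-DD` (date is a placeholder) forces a periodic re-review, and the comment above it should name the code that implements the safeguard so the next maintainer can confirm it is still in place, e.g. `# Mitigated in code: reads go through the restricted unpickler in package/etc/pylib (see the parser cache modules)`. The file also lacks a trailing newline.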
diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml index fddd57dec8..1a43e121bb 100644 --- a/.github/workflows/ci-main.yaml +++ b/.github/workflows/ci-main.yaml @@ -168,7 +168,7 @@ jobs: format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' - trivyignores: '.trivyignore' + trivyignores: './.trivyignore' test-container: runs-on: ubuntu-latest From 3538b6be22a5968a797dd8608a68a58acef2d226 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Mon, 21 Oct 2024 09:59:56 +0000 Subject: [PATCH 06/10] Add the checkout step --- .github/workflows/ci-lite.yaml | 8 +++++++- .github/workflows/ci-main.yaml | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml index 673202819b..4f98722b05 100644 --- a/.github/workflows/ci-lite.yaml +++ b/.github/workflows/ci-lite.yaml @@ -161,6 +161,12 @@ jobs: - meta - build_action steps: + # To use .trivyignore file, you must check out the repository + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: false + persist-credentials: false - name: Run docker vulnerability scanner uses: aquasecurity/trivy-action@master with: @@ -168,7 +174,7 @@ jobs: format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' - trivyignores: './.trivyignore' + trivyignores: '.trivyignore' test-container: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml index 1a43e121bb..4a827ecb3d 100644 --- a/.github/workflows/ci-main.yaml +++ b/.github/workflows/ci-main.yaml @@ -161,6 +161,12 @@ jobs: - meta - build_action steps: + # To use .trivyignore file, you must check out the repository + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: false + persist-credentials: false - name: Run docker vulnerability scanner uses: aquasecurity/trivy-action@master with: 
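Review bot: The added `Checkout` step is pinned only to the mutable major tag `actions/checkout@v4`, and the scanner step it feeds runs `aquasecurity/trivy-action@master`, so the job that acts as the security gate floats on references that can change under the workflow; pin both to a release tag or a full commit SHA, `uses: actions/checkout@<commit-sha> # v4` (sha is a placeholder). `persist-credentials: false` and `submodules: false` are the right minimal settings for a checkout whose only purpose is to read `.trivyignore`, and the comment explaining why the checkout exists is welcome. The same hunk is repeated in ci-main.yaml, and the enclosing job definition starts outside the hunk.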
@@ -168,7 +174,7 @@ jobs: format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' - trivyignores: './.trivyignore' + trivyignores: '.trivyignore' test-container: runs-on: ubuntu-latest From 103539459cc2604628ab521ac8b0759cc0120640 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Mon, 21 Oct 2024 13:45:11 +0000 Subject: [PATCH 07/10] Move RestrictedUnpickler to a dedicated module --- package/etc/pylib/parser_source_cache.py | 48 +++++------------------- package/etc/pylib/parser_vps_cache.py | 44 +++------------------- package/etc/pylib/sqlite_utils.py | 40 ++++++++++++++++++++ 3 files changed, 55 insertions(+), 77 deletions(-) create mode 100644 package/etc/pylib/sqlite_utils.py diff --git a/package/etc/pylib/parser_source_cache.py b/package/etc/pylib/parser_source_cache.py index 61e670d445..1ffa3c114e 100644 --- a/package/etc/pylib/parser_source_cache.py +++ b/package/etc/pylib/parser_source_cache.py @@ -2,7 +2,6 @@ import traceback import socket import struct -from sqlitedict import SqliteDict import time 
@@ -17,41 +16,6 @@ class LogParser: class LogDestination: pass -import builtins -import io -import pickle -from base64 import b64decode - -safe_builtins = { - 'range', - 'complex', - 'set', - 'frozenset', - 'slice', -} - -class RestrictedUnpickler(pickle.Unpickler): - def find_class(self, module, name): - # Only allow safe classes from builtins. - if module == "builtins" and name in safe_builtins: - return getattr(builtins, name) - # Forbid everything else. - raise pickle.UnpicklingError("global '%s.%s' is forbidden" % - (module, name)) - -def restricted_loads(s): - """Helper function analogous to pickle.loads().""" - return RestrictedUnpickler(io.BytesIO(s)).load() - -def restricted_decode(obj): - """Overwrite sqlitedict.decode to prevent code injection.""" - return restricted_loads(bytes(obj)) - -def restricted_decode_key(key): - """Overwrite sqlitedict.decode_key to prevent code injection.""" - return restricted_loads(b64decode(key.encode("ascii"))) - - def ip2int(addr): ip4_to_int = lambda addr: struct.unpack("!I", socket.inet_aton(addr))[0] @@ -87,8 +51,10 @@ def int_to_ip6(num): class psc_parse(LogParser): def init(self, options): + from sqlite_utils import RestrictedSqliteDict + self.logger = syslogng.Logger() - self.db = SqliteDict(f"{hostdict}.sqlite", decode=restricted_decode, decode_key=restricted_decode_key) + self.db = RestrictedSqliteDict(f"{hostdict}.sqlite") return True def deinit(self): @@ -114,9 +80,11 @@ def parse(self, log_message): class psc_dest(LogDestination): def init(self, options): + from sqlite_utils import RestrictedSqliteDict + self.logger = syslogng.Logger() try: - self.db = SqliteDict(f"{hostdict}.sqlite", autocommit=True, decode=restricted_decode, decode_key=restricted_decode_key) + self.db = RestrictedSqliteDict(f"{hostdict}.sqlite", autocommit=True) except Exception: exc_type, exc_value, exc_traceback = sys.exc_info() lines = traceback.format_exception(exc_type, exc_value, exc_traceback) 
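Review bot: `from sqlite_utils import RestrictedSqliteDict` is now imported inside `psc_parse.init`, `psc_dest.init` and the `__main__` block, three times per file, while the top-level `from sqlitedict import SqliteDict` it replaces was removed; an unexplained function-scope import reads as an oversight. If the reason is that `sqlite_utils` is importable by its bare name only when syslog-ng runs with the pylib directory on `sys.path` (the tests reach it as `package.etc.pylib.sqlite_utils`), say so once at the first import, e.g. `# imported lazily: resolvable by bare name only under syslog-ng's pylib path`; otherwise restore a single top-level import. The same pattern appears in the parser_vps_cache.py hunks of this patch.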
@@ -157,7 +125,9 @@ def flush(self): if __name__ == "__main__": - db = SqliteDict(f"{hostdict}.sqlite", autocommit=True, decode=restricted_decode, decode_key=restricted_decode_key) + from sqlite_utils import RestrictedSqliteDict + + db = RestrictedSqliteDict(f"{hostdict}.sqlite", autocommit=True) db[0] = "seed" db.commit() db.close() \ No newline at end of file diff --git a/package/etc/pylib/parser_vps_cache.py b/package/etc/pylib/parser_vps_cache.py index d55d5ef040..61575c1f8c 100644 --- a/package/etc/pylib/parser_vps_cache.py +++ b/package/etc/pylib/parser_vps_cache.py @@ -2,7 +2,6 @@ import traceback import socket import struct -from sqlitedict import SqliteDict import time 
@@ -17,48 +16,15 @@ class LogParser: class LogDestination: pass - -import builtins -import io -import pickle -from base64 import b64decode - -safe_builtins = { - 'range', - 'complex', - 'set', - 'frozenset', - 'slice', -} - -class RestrictedUnpickler(pickle.Unpickler): - def find_class(self, module, name): - # Only allow safe classes from builtins. - if module == "builtins" and name in safe_builtins: - return getattr(builtins, name) - # Forbid everything else. - raise pickle.UnpicklingError("global '%s.%s' is forbidden" % - (module, name)) - -def restricted_loads(s): - """Helper function analogous to pickle.loads().""" - return RestrictedUnpickler(io.BytesIO(s)).load() - -def restricted_decode(obj): - """Overwrite sqlitedict.decode to prevent code injection.""" - return restricted_loads(bytes(obj)) - -def restricted_decode_key(key): - """Overwrite sqlitedict.decode_key to prevent code injection.""" - return restricted_loads(b64decode(key.encode("ascii"))) - hostdict = str("/var/lib/syslog-ng/vps") class vpsc_parse(LogParser): def init(self, options): + from sqlite_utils import RestrictedSqliteDict + self.logger = syslogng.Logger() - self.db = SqliteDict(f"{hostdict}.sqlite", decode=restricted_decode, decode_key=restricted_decode_key) + self.db = RestrictedSqliteDict(f"{hostdict}.sqlite") return True def deinit(self): @@ -84,9 +50,11 @@ def parse(self, log_message): class vpsc_dest(LogDestination): def init(self, options): + from sqlite_utils import RestrictedSqliteDict + self.logger = syslogng.Logger() try: - self.db = SqliteDict(f"{hostdict}.sqlite", autocommit=True, decode=restricted_decode, decode_key=restricted_decode_key) + self.db = RestrictedSqliteDict(f"{hostdict}.sqlite", autocommit=True) except Exception: exc_type, exc_value, exc_traceback = sys.exc_info() lines = traceback.format_exception(exc_type, exc_value, exc_traceback) 
diff --git a/package/etc/pylib/sqlite_utils.py b/package/etc/pylib/sqlite_utils.py
new file mode 100644
index 0000000000..e6e8baa293
--- /dev/null
+++ b/package/etc/pylib/sqlite_utils.py
@@ -0,0 +1,40 @@
+import builtins
+import io
+import pickle
+from base64 import b64decode
+from sqlitedict import SqliteDict
+
+safe_builtins = {
+ 'range',
+ 'complex',
+ 'set',
+ 'frozenset',
+ 'slice',
+}
+
+
+class RestrictedUnpickler(pickle.Unpickler):
+ def find_class(self, module, name):
+ # Only allow safe classes from builtins.
+ if module == "builtins" and name in safe_builtins:
+ return getattr(builtins, name)
+ # Forbid everything else.
+ raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
+ (module, name))
+
+def restricted_loads(s):
+ """Helper function analogous to pickle.loads()."""
+ return RestrictedUnpickler(io.BytesIO(s)).load()
+
+def restricted_decode(obj):
+ """Overwrite sqlitedict.decode to prevent code injection."""
+ return restricted_loads(bytes(obj))
+
+def restricted_decode_key(key):
+ """Overwrite sqlitedict.decode_key to prevent code injection."""
+ return restricted_loads(b64decode(key.encode("ascii")))
+
+
+class RestrictedSqliteDict(SqliteDict):
+ def __init__(self, *args, **kwargs):
+ super(RestrictedSqliteDict, self).__init__(*args, decode=restricted_decode, decode_key=restricted_decode_key, **kwargs)
\ No newline at end of file
From 27b778614f51900e3c7b1553456487241701e7ba Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Tue, 29 Oct 2024 13:04:26 +0000
Subject: [PATCH 08/10] Add tests for RestrictedSqliteDict
---
 package/etc/pylib/sqlite_utils.py | 22 ++++--------------
 tests/test_name_cache.py | 38 ++++++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/package/etc/pylib/sqlite_utils.py b/package/etc/pylib/sqlite_utils.py
index e6e8baa293..fa16ace292 100644
--- a/package/etc/pylib/sqlite_utils.py
+++ b/package/etc/pylib/sqlite_utils.py
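Review bot: `RestrictedSqliteDict.__init__` passes `decode=` and `decode_key=` explicitly and then `**kwargs`, so a caller that supplies either keyword gets a generic "multiple values for keyword argument" `TypeError`; that is a useful guarantee (no call site can re-enable unrestricted unpickling) but it should be stated in a class docstring, e.g. `"""SqliteDict whose decode/decode_key are fixed to the restricted unpickler; passing either keyword raises TypeError."""`. `super(RestrictedSqliteDict, self).__init__(...)` can be the zero-argument `super().__init__(...)` form used elsewhere in Python 3 code. The `encode` side is deliberately left as sqlitedict's default, which is consistent with restricting only what is read back, and the file lacks a trailing newline.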
@@ -1,37 +1,25 @@ -import builtins import io import pickle from base64 import b64decode from sqlitedict import SqliteDict -safe_builtins = { - 'range', - 'complex', - 'set', - 'frozenset', - 'slice', -} - class RestrictedUnpickler(pickle.Unpickler): def find_class(self, module, name): - # Only allow safe classes from builtins. - if module == "builtins" and name in safe_builtins: - return getattr(builtins, name) - # Forbid everything else. - raise pickle.UnpicklingError("global '%s.%s' is forbidden" % - (module, name)) + """Override pickle.Unpickler.find_class() to prevent deserialization of class instances.""" + raise pickle.UnpicklingError("Class deserialization is disabled") + def restricted_loads(s): """Helper function analogous to pickle.loads().""" return RestrictedUnpickler(io.BytesIO(s)).load() def restricted_decode(obj): - """Overwrite sqlitedict.decode to prevent code injection.""" + """Overwrite sqlitedict.decode() to prevent code injection.""" return restricted_loads(bytes(obj)) def restricted_decode_key(key): - """Overwrite sqlitedict.decode_key to prevent code injection.""" + """Overwrite sqlitedict.decode_key() to prevent code injection.""" return restricted_loads(b64decode(key.encode("ascii"))) diff --git a/tests/test_name_cache.py b/tests/test_name_cache.py index ce8a56f502..21ac8ad2c5 100644 --- a/tests/test_name_cache.py +++ b/tests/test_name_cache.py @@ -5,8 +5,10 @@ # https://opensource.org/licenses/BSD-2-Clause import datetime +import pickle import random import re +import tempfile import time from jinja2 import Environment @@ -16,6 +18,7 @@ from .sendmessage import sendsingle from .splunkutils import splunk_single from package.etc.pylib.parser_source_cache import ip2int, int2ip +from package.etc.pylib.sqlite_utils import RestrictedSqliteDict env = Environment() 
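Review bot: The rewritten `find_class` raises the fixed message `"Class deserialization is disabled"` and drops the `module`/`name` of the rejected global, which is exactly the detail an operator needs when a cache file turns out to hold something other than plain data; keep it in the error, `raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")`. The new docstring says the override prevents "deserialization of class instances", but raising unconditionally rejects every global reference, including builtins such as `range`, `slice` and `complex` that pickle by reference, so as far as this code shows only scalars (str, int, float, bytes, None) and the list/tuple/dict/set containers round-trip; state that contract in the docstring so callers know which value types the cache supports. The helper functions below it are unchanged apart from docstring wording.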
@@ -73,4 +76,37 @@ def test_ipv4_utils(): @pytest.mark.name_cache def test_ipv6_utils(): ip = generate_random_ipv6() - assert ip == int2ip(ip2int(ip)) \ No newline at end of file + assert ip == int2ip(ip2int(ip)) + +@pytest.mark.name_cache +def test_RestrictedSqliteDict_stores_and_retrieves_string(): + with tempfile.NamedTemporaryFile(delete=True) as temp_db_file: + cache = RestrictedSqliteDict(f"{temp_db_file.name}.db") + cache["key"] = "value" + cache.commit() + cache.close() + + cache = RestrictedSqliteDict(f"{temp_db_file.name}.db") + assert cache["key"] == "value" + cache.close() + +@pytest.mark.name_cache +def test_RestrictedSqliteDict_prevents_code_injection(): + class InjectionTestClass: + def __reduce__(self): + import os + return os.system, ('touch pwned.txt',) + + with tempfile.NamedTemporaryFile(delete=True) as temp_db_file: + # Initialize the RestrictedSqliteDict and insert an 'injected' object + cache = RestrictedSqliteDict(f"{temp_db_file.name}.db") + cache["key"] = InjectionTestClass() + cache.commit() + cache.close() + + # Re-open cache and attempt to deserialize 'injected' object + # Expecting UnpicklingError due to RestrictedSqliteDict restrictions + cache = RestrictedSqliteDict(f"{temp_db_file.name}.db") + with pytest.raises(pickle.UnpicklingError): + _ = cache["key"] + cache.close() \ No newline at end of file From fec1e322f6c1a55707b11f6083eca8406e7d80c4 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Wed, 30 Oct 2024 12:34:29 +0000 Subject: [PATCH 09/10] upgrade openssl --- package/Dockerfile | 2 +- package/Dockerfile.lite | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/Dockerfile b/package/Dockerfile index c91e3bc53a..b730d652d6 100644 --- a/package/Dockerfile +++ b/package/Dockerfile @@ -28,7 +28,7 @@ RUN apk add -U --upgrade --no-cache \ less \ net-tools \ netcat-openbsd \ - openssl \ + "openssl>=3.3.2-r1" \ procps \ py3-pip \ python3 \ 
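Review bot: Both new tests open `RestrictedSqliteDict(f"{temp_db_file.name}.db")`, a sibling path of the `NamedTemporaryFile`, so `delete=True` removes only the empty temp file and the `.db` database (and any sqlite journal) is left behind after every run; use `with tempfile.TemporaryDirectory() as tmp:` and `RestrictedSqliteDict(f"{tmp}/cache.db")` so cleanup is automatic. In `test_RestrictedSqliteDict_prevents_code_injection` the `__reduce__` payload invokes a real `os.system` command if the guard ever regresses, turning a test failure into a side effect on the runner; a callable that only records that it was invoked (for example appending to a module-level list) fails the assertion just as clearly without touching the filesystem. The hunk's leading context, `test_ipv6_utils`, starts outside the hunk.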
diff --git a/package/Dockerfile.lite b/package/Dockerfile.lite index 24f30686d2..e54ceee047 100644 --- a/package/Dockerfile.lite +++ b/package/Dockerfile.lite @@ -28,7 +28,7 @@ RUN apk add -U --upgrade --no-cache \ less \ net-tools \ netcat-openbsd \ - openssl \ + "openssl>=3.3.2-r1" \ procps \ py3-pip \ python3 \ From 0a88f7d4dfefed12572af104564bcb4a1ada4682 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Wed, 30 Oct 2024 14:31:04 +0000 Subject: [PATCH 10/10] Limit scanners to vuln --- .github/workflows/ci-lite.yaml | 3 ++- .github/workflows/ci-main.yaml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml index 4f98722b05..752565bf15 100644 --- a/.github/workflows/ci-lite.yaml +++ b/.github/workflows/ci-lite.yaml @@ -175,7 +175,8 @@ jobs: exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' trivyignores: '.trivyignore' - + scanners: "vuln" + test-container: runs-on: ubuntu-latest needs: diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml index 4a827ecb3d..f2a4a8976d 100644 --- a/.github/workflows/ci-main.yaml +++ b/.github/workflows/ci-main.yaml @@ -175,7 +175,8 @@ jobs: exit-code: '1' severity: 'CRITICAL,HIGH,MEDIUM,LOW' trivyignores: '.trivyignore' - + scanners: "vuln" + test-container: runs-on: ubuntu-latest needs:
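Review bot: `scanners: "vuln"` narrows the Trivy image scan to vulnerability detection, so the secret scanner that Trivy enables by default for image targets no longer inspects the built layers; if that is intentional, record the reason next to the key, e.g. `# vuln only: <reason secret scanning of the image is not needed here>` (reason is a placeholder), otherwise use `scanners: "vuln,secret"`. The value is double-quoted while the sibling keys in the same `with:` block use single quotes. The same change is applied to ci-main.yaml.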