Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: upgrade git-url-parse to avoid CVE-2022-0624 #10117

Closed
wants to merge 1 commit into from
Closed

chore: upgrade git-url-parse to avoid CVE-2022-0624 #10117

wants to merge 1 commit into from

Conversation

crenshaw-dev
Copy link
Collaborator

Before:

snyk output before change 
$ snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   gomodules
Target file:       go.mod
Project name:      github.com/argoproj/argo-cd/v2
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 1360 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Tested 356 dependencies for known issues, found 1 issue, 1 vulnerable path.


Issues to fix by upgrading:

  Upgrade git-url-parse@11.6.0 to git-url-parse@12.0.0 to fix
  ✗ Authorization Bypass Through User-Controlled Key (new) [High Severity][https://snyk.io/vuln/SNYK-JS-PARSEPATH-2936439] in parse-path@4.0.4
    introduced by git-url-parse@11.6.0 > git-up@4.0.5 > parse-url@6.0.5 > parse-path@4.0.4



Organization:      argoproj
Package manager:   yarn
Target file:       ui/yarn.lock
Project name:      argo-cd-ui
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   yarn
Target file:       ui-test/yarn.lock
Project name:      ui-test
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 116 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 3 projects, 1 contained vulnerable paths.

After:

snyk output after change 
$ snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   gomodules
Target file:       go.mod
Project name:      github.com/argoproj/argo-cd/v2
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 1360 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   yarn
Target file:       ui/yarn.lock
Project name:      argo-cd-ui
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 350 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   yarn
Target file:       ui-test/yarn.lock
Project name:      ui-test
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 116 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 3 projects, no vulnerable paths were found.

@crenshaw-dev
chore: upgrade git-url-parse to avoid CVE-2022-0624
0fb8608 
Signed-off-by: CI <michael@crenshaw.dev>
@crenshaw-dev crenshaw-dev mentioned this pull request Jul 27, 2022
Open
88 tasks
@crenshaw-dev
Copy link
Collaborator Author

This upgrade needs to wait at least until this is merged / released: IonicaBizau/parse-url#50

@crenshaw-dev
Copy link
Collaborator Author

Will reopen when a git-up version is cut with the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@crenshaw-dev