NO_ISSUE: Fix CVE-2022-48345 (@braintree/sanitize-url) & CVE-2022-25883 (semver) #1907
Conversation
…ility CVE-2022-25883: semver vulnerable to Regular Expression Denial of Service
PR job Reproducer: build-chain build full_downstream -f 'https://raw.githubusercontent.com/${AUTHOR:apache}/incubator-kie-kogito-pipelines/${BRANCH:main}/.ci/buildchain-config-pr-cdb.yaml' -o 'bc' -p apache/incubator-kie-kogito-apps -u #1907 --skipParallelCheckout
NOTE: To install the build-chain tool, please refer to https://github.com/kiegroup/github-action-build-chain#local-execution
Please look here: https://ci-builds.apache.org/job/KIE/job/temporary/job/kogito-apps-1.40.x-pr/job/PR-1907/2/display/redirect
PR job Reproducer: build-chain build full_downstream -f 'https://raw.githubusercontent.com/${AUTHOR:apache}/incubator-kie-kogito-pipelines/${BRANCH:main}/.ci/buildchain-config-pr-cdb.yaml' -o 'bc' -p apache/incubator-kie-kogito-apps -u #1907 --skipParallelCheckout
NOTE: To install the build-chain tool, please refer to https://github.com/kiegroup/github-action-build-chain#local-execution
Please look here: https://ci-builds.apache.org/job/KIE/job/temporary/job/kogito-apps-1.40.x-pr/job/PR-1907/3/display/redirect
Test results:
Those are the test failures: org.kie.kogito.index.infinispan.ProcessDataIndexInfinispanKafkaIT.testProcessInstanceEvents
1 expectation failed. JSON path errors doesn't match. Expected: null Actual: <[{message=Exception while fetching data (/UserTaskInstanceCommentUpdate) : Index 0 out of bounds for length 0, locations=[{line=1, column=12}], path=[UserTaskInstanceCommentUpdate], extensions={classification=DataFetchingException}}]>
@paulovmr would you mind taking a look?
lgtm
CVE-2022-48345: @braintree/sanitize-url Cross-site Scripting vulnerability
CVE-2022-25883: semver vulnerable to Regular Expression Denial of Service
Many thanks for submitting your Pull Request ❤️!
Please make sure that your PR meets the following requirements:
KOGITO-XYZ Subject
[0.9.x] KOGITO-XYZ Subject
How to replicate CI configuration locally?
The build-chain tool runs "simple" Maven builds: each build is just a Maven command. Because the repositories relate to and depend on each other, a change in an API or class method can affect several of them, so the build-chain tool is needed to handle cross-repository builds and make sure the latest version of the code is always used for each repository.
build-chain is a build tool that can be used on the command line locally or in GitHub Actions workflows. If you need to change multiple repositories and send multiple dependent pull requests related to one change, you can easily reproduce the same build by executing it in the GitHub-hosted environment or locally in your development environment. See the local execution details for more information.
How to retest this PR or trigger a specific build:
for pull request checks
Please add comment: Jenkins retest this
for a specific pull request check
Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] tests
for quarkus branch checks
Run checks against Quarkus current used branch
Please add comment: Jenkins run quarkus-branch
for a quarkus branch specific check
Run checks against Quarkus current used branch
Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] quarkus-branch
for quarkus main checks
Run checks against Quarkus main branch
Please add comment: Jenkins run quarkus-main
for a specific quarkus main check
Run checks against Quarkus main branch
Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] quarkus-main
for quarkus lts checks
Run checks against Quarkus lts branch
Please add comment: Jenkins run quarkus-lts
for a specific quarkus lts check
Run checks against Quarkus lts branch
Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] quarkus-lts
for native checks
Run native checks
Please add comment: Jenkins run native
for a specific native check
Run native checks
Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] native
for native lts checks
Run native checks against quarkus lts branch
Please add comment: Jenkins run native-lts
for a specific native lts check
Run native checks against quarkus lts branch
Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] native-lts
How to backport a pull request to a different branch?
In order to automatically create a backporting pull request, please add one or more labels having the format backport-<branch-name>, where <branch-name> is the name of the branch the pull request must be backported to (e.g., backport-7.67.x to backport the original PR to the 7.67.x branch). Once the original pull request is successfully merged, the automated action will create one backporting pull request per label (with the previous format) that has been added.
If something goes wrong, the author will be notified and a manual backport is needed at that point.
Quarkus-3 PR check is failing... what to do?
The Quarkus 3 check applies patches from `.ci/environments/quarkus-3/patches`. The first patch, called 0001_before_sh.patch, is generated from the OpenRewrite `.ci/environments/quarkus-3/quarkus3.yml` recipe. The patch is created to speed up the check, but some changes in the PR may have broken it. No panic, there is an easy way to regenerate it. You just need to comment on the PR:
and it should, after some minutes (~20/30 min), push a commit on the PR with the regenerated patch.
Other patches were generated manually. If any of them fails, you will need to update it manually... and push your changes.