Comments (4)
@AgustinBettati Sorry for the confusion. There's nothing wrong with the verify-changed-files Action, the issue here is with the GitHub Dependency Review API not being able to infer the proper ordering of pinned GitHub Actions versions. Keeping the bug tag since users should not have PRs blocked for non-vulnerable dependencies.
from dependency-review-action.
@AgustinBettati Thank you for reporting this issue. After spending a bit of time trying to find out how vulnerabilities work in pinned SHAs, I don't think Dependency Review Action has a great answer to offer here. Suppose we have an Action with two commits:

- Commit `abcd` introduces a vulnerability
- Commit `ef01` fixes the vulnerability

How do we know that version `ef01` (or any version really) is more recent than the commit introducing the vulnerability (`abcd`)? With traditional versioning schemes like SemVer it's easy to tell that 2.0.0 is more recent than 1.0.0 because 2 is greater than 1. Because pinned SHAs do not have this property, we can't tell Action-side whether `abcd` is greater than `ef01` or not.

I looked into the vulnerability ranges GitHub reports for this Action, and it reports that this vulnerability affects all versions `< 17`, so I'm guessing this works fine when using version numbers but not SHAs.
@jonjanego Pinning SHAs is one of the recommended security practices. Do you know if/how Dependency Graph or other supply chain products in GitHub do version comparisons against SHAs to find vulnerabilities?
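The comment above makes the point that a commit SHA carries no ordering, so a version range such as `< 17` cannot be applied to a pin directly. The example below is an added illustration (it is not dependency-review-action's code, and the SHAs, tags and commit graph are constructed, not the real tj-actions history). It shows the two pieces of information that do make the decision possible: commit ancestry (is the fixing commit reachable from the pinned SHA?) and SHA-to-tag resolution (what is the highest release tag that is an ancestor of the pin, i.e. the `git describe --tags` answer?), which is then compared against the advisory range. On a real repository the same two questions are answered by `git merge-base --is-ancestor <fix> <pin>` and `git describe --tags <pin>` against a clone; the hypothetical `PARENTS` and `TAGS` maps stand in for that clone here.

```python
"""Added example: classifying a pinned GitHub Actions SHA against an advisory.

Not part of dependency-review-action. The commit history, SHAs and tags below
are constructed for illustration; the helper names are hypothetical.
"""
from collections import deque

# Constructed history: child SHA -> list of parent SHAs (hypothetical values).
PARENTS = {
    "a1b2c3": [],            # tagged v15
    "b2c3d4": ["a1b2c3"],    # tagged v16, introduces the vulnerability
    "c3d4e5": ["b2c3d4"],    # tagged v17, fixes the vulnerability
    "d4e5f6": ["c3d4e5"],    # tagged v17.1
    "e5f6a7": ["b2c3d4"],    # branched off v16, never received the fix
}
# Constructed release tags: tag name -> commit SHA.
TAGS = {"v15": "a1b2c3", "v16": "b2c3d4", "v17": "c3d4e5", "v17.1": "d4e5f6"}


def is_ancestor(parents, ancestor, commit):
    """True if `ancestor` is `commit` itself or reachable through parent links."""
    seen, queue = set(), deque([commit])
    while queue:
        cur = queue.popleft()
        if cur == ancestor:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(parents.get(cur, []))
    return False


def pin_includes_fix(parents, fixed_sha, pinned_sha):
    """Ancestry strategy: the pin is safe if the fixing commit is in its history
    (what `git merge-base --is-ancestor fixed pinned` reports)."""
    return is_ancestor(parents, fixed_sha, pinned_sha)


def parse_version(tag):
    """'v17.1' -> (17, 1); tuples compare the way SemVer-style numbers should."""
    return tuple(int(part) for part in tag.lstrip("v").split("."))


def effective_tag(parents, tags, sha):
    """Tag strategy: highest release tag that is an ancestor of `sha`
    (the `git describe --tags` view). None if the SHA is not in the graph."""
    reached = [t for t, tag_sha in tags.items() if is_ancestor(parents, tag_sha, sha)]
    return max(reached, key=parse_version) if reached else None


# Comparison operators accepted in an advisory range expression.
OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def version_in_range(version, range_expr):
    """True if `version` satisfies every comma-separated constraint,
    e.g. '< 17' or '>= 16, < 17'."""
    for clause in range_expr.split(","):
        op, _, bound = clause.strip().partition(" ")
        if op not in OPS:
            raise ValueError(f"unsupported constraint: {clause!r}")
        if not OPS[op](version, parse_version(bound)):
            return False
    return True


def pin_is_affected(parents, tags, pinned_sha, range_expr):
    """Resolve the pin to a release version, then apply the advisory range.
    Returns None when the SHA cannot be placed: an unknown pin should be
    surfaced as 'unknown', not treated as vulnerable and used to block a PR."""
    tag = effective_tag(parents, tags, pinned_sha)
    if tag is None:
        return None
    return version_in_range(parse_version(tag), range_expr)


if __name__ == "__main__":
    for pin in ("e5f6a7", "c3d4e5", "d4e5f6", "000000"):
        print(pin, "includes fix:", pin_includes_fix(PARENTS, "c3d4e5", pin),
              "| effective tag:", effective_tag(PARENTS, TAGS, pin),
              "| affected by '< 17':", pin_is_affected(PARENTS, TAGS, pin, "< 17"))
```

Two caveats follow from the model rather than from the code. A fix that was cherry-picked onto a maintenance branch has a different SHA, so the ancestry check against the mainline fix commit reports it as missing, and the tag check reports the branch's last release; a scanner that wants to be precise there needs the advisory's per-branch fixed versions. And a pin that cannot be resolved at all should be reported as unknown rather than blocked, which is the behaviour the thread is asking for.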
A bit more triage info:

```
$ gh api repos/future-funk/congenial-chainsaw/dependency-graph/compare/main...febuiles-patch-2
[
  {
    "change_type": "added",
    "manifest": ".github/workflows/updates.yml",
    "ecosystem": "actions",
    "name": "tj-actions/verify-changed-files",
    "version": "5ef175f2fd84957530d0fdd1384a541069e403f2",
    "package_url": "pkg:githubactions/tj-actions/verify-changed-files@5ef175f2fd84957530d0fdd1384a541069e403f2",
    "license": null,
    "source_repository_url": "https://github.com/tj-actions/verify-changed-files",
    "scope": "runtime",
    "vulnerabilities": [
      {
        "severity": "high",
        "advisory_ghsa_id": "GHSA-ghm2-rq8q-wrhc",
        "advisory_summary": "Potential Actions command injection in output filenames (GHSL-2023-275)",
        "advisory_url": "https://github.com/advisories/GHSA-ghm2-rq8q-wrhc"
      }
    ]
  },
  {
    "change_type": "removed",
    "manifest": ".github/workflows/updates.yml",
    "ecosystem": "actions",
    "name": "tj-actions/verify-changed-files",
    "version": "58f5ac78e19e6cc3fb9d4048ae1a13bf364fa983",
    "package_url": "pkg:githubactions/tj-actions/verify-changed-files@58f5ac78e19e6cc3fb9d4048ae1a13bf364fa983",
    "license": null,
    "source_repository_url": "https://github.com/tj-actions/verify-changed-files",
    "scope": "runtime",
    "vulnerabilities": []
  }
]
```

The DR API endpoint is wrongly reporting that `tj-actions/verify-changed-files` at version `5ef175f2fd84957530d0fdd1384a541069e403f2` is vulnerable for the GHSA (it's not). The VVR for this advisory (49560) has the fields `fixed: 17`, `affects: < 17`.
@febuiles thank you for the updates here.
From your latest update, I just wanted to be clear whether this might be a bug associated with the specific action (tj-actions/verify-changed-files), or whether dependency-review-action lacks support for pinned SHAs altogether, in which case we can transition this to an enhancement request.