delineaxpm / dsv-k8s
A Delinea DevOps Secrets Vault Kubernetes Secrets Injector and Syncer
Home Page: https://delinea.com/products/devops-secrets-management-vault
License: MIT License
There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.
Errors:
Vulnerable library: github.com/magefile/mage-v1.13.0 (a Make/rake-like dev tool using Go)
Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5
Found in base branch: main

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-11023 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
CVE-2020-11022 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | jQuery - 3.5.0 | ❌ |
CVE-2015-9251 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | jQuery - v3.0.0 | ❌ |
CVE-2019-11358 | Medium | 6.1 | github.com/magefile/mage-v1.13.0 | Direct | 3.4.0 | ❌ |

CVE-2020-11023 (github.com/magefile/mage-v1.13.0)
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022 (github.com/magefile/mage-v1.13.0)
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0

CVE-2015-9251 (github.com/magefile/mage-v1.13.0)
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0

CVE-2019-11358 (github.com/magefile/mage-v1.13.0)
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
@all-contributors please add @sheldonhull for code, docs, tests
The latest version of this repository introduced a new component, the “syncer.” After the injector has done the initial patch, it works with the syncer to re-patch annotated k8s secrets when required.
When the syncer was added, the injector was re-configured to only act on Kubernetes secret CREATE not UPDATE, as it did previously. This was to avoid a “double-update” when the syncer runs. However, it resulted in an integration bug whereby updating a Kubernetes secret with an unannotated input drops the annotations and does not get patched then or subsequently.
The injector and syncer will share an “exemption” token. When the syncer updates a secret, it will use the exemption token to tell the injector that it should not operate on this secret because the syncer already has.
Both the injector and the syncer will be updated to create/overwrite and read the exemption token from a Kubernetes secret that both components have access to.
Both charts will need a mechanism for creating and specifying overwrite behavior on/for the exemption token. However, a non-default overwrite setting in the chart values should be sufficient as overwrite is not frequently or generally useful.
The secret itself will be a base64 encoded UUID. However, any base64 encoded string that is 40 characters or more in length will be considered valid.
The injector will now have a service account, authenticate itself to the cluster, and have a role that reads a secret. In the current version, the injector has no rights to the cluster, nor is it aware of whether it is a part of one.
A malicious actor can theoretically steal the exemption token; however, any practical attack would require more access than the token would grant them.
A shared “exemption token” will be added to the injector and syncer such that the syncer adds the exemption token and the injector does not act on UPDATE of the Kubernetes secret when a matching exemption token is present. A malicious actor would need more access to steal the exemption token than it is worth.
related AB#449116
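The CREATE/UPDATE gating described in this issue, as an added Go example that is not part of the dsv-k8s code base. It assumes the syncer carries the exemption token on the Secret it updates as an annotation under a hypothetical key (dsv.delinea.com/exemption-token; the real carrier is not stated above), that the injector has already read the shared token from the Secret both components can access, and that admission requests arrive as the operation plus the Secret object. It applies the stated validity rule (base64, at least 40 characters) and compares the presented and expected tokens in constant time; the sample UUID and requests are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// exemptionAnnotation is a hypothetical annotation key carrying the exemption
// token on the Secret the syncer updates; the project's real key is not on the page.
const exemptionAnnotation = "dsv.delinea.com/exemption-token"

// minTokenLen is the rule stated in the issue: any base64 string of 40+ characters is valid.
const minTokenLen = 40

type action string

const (
	actPatch action = "patch" // injector runs its DSV patch on this Secret
	actSkip  action = "skip"  // injector leaves the Secret alone
)

// admissionRequest is the subset of an AdmissionReview request the decision needs.
type admissionRequest struct {
	Operation string          `json:"operation"`
	Object    json.RawMessage `json:"object"`
}

// secretObject is the subset of a Kubernetes Secret the decision needs.
type secretObject struct {
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// newExemptionToken produces the shared token as the issue describes it: a
// base64-encoded UUID. A real deployment generates the UUID once and stores the
// token in a Secret; the caller passes a fixed sample here so runs are deterministic.
func newExemptionToken(uuid string) string {
	return base64.StdEncoding.EncodeToString([]byte(uuid))
}

// validateExemptionToken enforces the stated shape: base64 and 40+ characters.
func validateExemptionToken(tok string) error {
	if len(tok) < minTokenLen {
		return fmt.Errorf("exemption token is %d chars, need at least %d", len(tok), minTokenLen)
	}
	if _, err := base64.StdEncoding.DecodeString(tok); err != nil {
		return fmt.Errorf("exemption token is not base64: %w", err)
	}
	return nil
}

// decide returns what the injector should do with one admission request.
// expected is the token the injector read from the shared Secret at startup.
// CREATE is always patched. UPDATE is patched unless the syncer presented a
// matching exemption token, which means the syncer already did the work.
func decide(req admissionRequest, expected string) (action, error) {
	if err := validateExemptionToken(expected); err != nil {
		return actSkip, fmt.Errorf("injector has no usable exemption token: %w", err)
	}
	var s secretObject
	if err := json.Unmarshal(req.Object, &s); err != nil {
		return actSkip, errors.New("admission object is not a Secret: " + err.Error())
	}
	switch req.Operation {
	case "CREATE":
		return actPatch, nil
	case "UPDATE":
		presented, ok := s.Metadata.Annotations[exemptionAnnotation]
		if !ok || validateExemptionToken(presented) != nil {
			return actPatch, nil // no token, or a malformed one: treat as a normal user update
		}
		if subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1 {
			return actSkip, nil // syncer already re-patched this Secret
		}
		return actPatch, nil // wrong token: do not trust it, patch as usual
	default:
		return actSkip, nil // DELETE, CONNECT: nothing to inject
	}
}

// mkRequest builds a constructed admission request for a Secret with the given
// operation and annotations (sample input, not a captured API server message).
func mkRequest(op, name string, annotations map[string]string) admissionRequest {
	var s secretObject
	s.Metadata.Name = name
	s.Metadata.Annotations = annotations
	obj, _ := json.Marshal(s)
	return admissionRequest{Operation: op, Object: obj}
}

func main() {
	shared := newExemptionToken("123e4567-e89b-12d3-a456-426614174000")
	synced := mkRequest("UPDATE", "app-creds", map[string]string{exemptionAnnotation: shared})
	user := mkRequest("UPDATE", "app-creds", nil)
	a1, _ := decide(synced, shared)
	a2, _ := decide(user, shared)
	fmt.Println("syncer update:", a1, " user update:", a2)
}
```

A wrong or malformed token falls through to a normal patch, so a caller who cannot present the real token cannot suppress injection. Anyone who can read the shared Secret can read the token; the constant-time compare only removes the timing side channel, which is the trade-off the issue states when it says stealing the token requires more access than the token grants.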
Hello,
I tried to follow your documentation in order to install dsv-syncer and injector on a Kubernetes cluster (rke2), as we have our instance located in Europe (tld = eu).
Unfortunately, in the documentation there's no example of changing the TLD, so I decided to add it in my PR.
I also got a patch error (on the syncer side) if I didn't add a dummy value in the secret data, so I also modified this part in the documentation.
Thank you for the work you do and I hope my PR is done properly.
Best regards,
Vulnerable library: github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc ([mirror] Go supplementary network libraries)
Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5
Found in base branch: main

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-30633 | High | 7.5 | github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc | Transitive | N/A | ❌ |
CVE-2022-28131 | High | 7.5 | github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc | Transitive | N/A | ❌ |

CVE-2022-30633 (github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc)
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
Publish Date: 2022-08-10
URL: CVE-2022-30633
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633
Release Date: 2022-05-13
Fix Resolution: go1.17.12,go1.18.4

CVE-2022-28131 (github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc)
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
Publish Date: 2022-08-10
URL: CVE-2022-28131
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131
Release Date: 2022-03-29
Fix Resolution: go1.17.12,go1.18.4
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These branches will be created by Renovate only once you click their checkbox below.

Update groups (as listed by Renovate):
- elgohr/go-vulncheck-action, github/codeql-action
- k8s.io/apimachinery, k8s.io/client-go
- actions/cache, actions/checkout, aquaproj/aqua-installer, codecov/codecov-action, docker/login-action, github/codeql-action, magefile/mage-action, magnetikonline/action-golang-cache
- github.com/brianvoe/gofakeit/v6, github.com/caarlos0/env/v6, github.com/imdario/mergo
- aquaproj/aqua-registry, golang/go, golangci/golangci-lint, goreleaser/goreleaser, helm/helm, kubernetes-sigs/kind, mvdan/gofumpt

Detected dependencies:

.devcontainer/Dockerfile
Dockerfile
docker/Dockerfile.chainguard
docker/Dockerfile.distroless

.github/workflows/assign.yml
- delineaxpm/github-workflows main
.github/workflows/changie-trigger-release.yml
- delineaxpm/github-workflows main
.github/workflows/conventional-pr.yml
- delineaxpm/github-workflows main
.github/workflows/lint.yml
- delineaxpm/github-workflows main
.github/workflows/release.yml
- actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
- magnetikonline/action-golang-cache v3@797f193169d3c8ba6f60d90f50ecdadd2583fbd8
- aquaproj/aqua-installer v2.3.2@fd2089d1f56724d6456f24d58605e6964deae124
- magefile/mage-action v2@a3d5bb52942181c125118a2be4b4664c3337aef6
- docker/login-action v2@465a07811f14bebb1938fbed4728c6a1ff8901fc
- docker/login-action v2@465a07811f14bebb1938fbed4728c6a1ff8901fc
- magefile/mage-action v2@a3d5bb52942181c125118a2be4b4664c3337aef6
.github/workflows/scan.yml
- actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
- aquaproj/aqua-installer v2.3.2@fd2089d1f56724d6456f24d58605e6964deae124
- actions/cache v3@e12d46a63a90f2fae62d114769bbf2a179198b5c
- elgohr/go-vulncheck-action e73217f293105d5418d631c4d308eb0c27943f1d
- actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
- github/codeql-action v2@e113c555ef0956479345cfc3ed530c938d670db0
- github/codeql-action v2@e113c555ef0956479345cfc3ed530c938d670db0
- github/codeql-action v2@e113c555ef0956479345cfc3ed530c938d670db0
.github/workflows/stale.yaml
- delineaxpm/github-workflows main
.github/workflows/test.yml
- actions/checkout v3@f43a0e5ff2bd294095638e18286ca9a3d1956744
- aquaproj/aqua-installer v2.3.2@fd2089d1f56724d6456f24d58605e6964deae124
- actions/cache v3@e12d46a63a90f2fae62d114769bbf2a179198b5c
- codecov/codecov-action v3.1.6@ab904c41d6ece82784817410c45d8b8c02684457

go.mod
- go 1.22.0
- github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.2
- github.com/bitfield/script v0.22.1
- github.com/brianvoe/gofakeit/v6 v6.28.0
- github.com/caarlos0/env/v6 v6.10.1
- github.com/magefile/mage v1.15.0
- github.com/mattbaird/jsonpatch v0.0.0-20240118010651-0ba75a80ca38@0ba75a80ca38
- github.com/pterm/pterm v0.12.79
- github.com/rs/zerolog v1.33.0
- github.com/sheldonhull/magetools v1.0.2
- k8s.io/api v0.30.3
- k8s.io/apimachinery v0.30.3
- k8s.io/client-go v0.30.3
- github.com/imdario/mergo v0.3.16

charts/dsv-injector/values.yaml
charts/dsv-syncer/values.yaml

.aqua/aqua.yaml
- aquaproj/aqua-registry v4.212.0
- miniscruff/changie v1.19.1
- golang/go go1.22.6
- direnv/direnv v2.34.0
- magefile/mage v1.15.0
- charmbracelet/glow v1.5.1
- goreleaser/goreleaser v2.1.0
- mvdan/gofumpt v0.6.0
- anchore/syft v1.11.0
- norwoodj/helm-docs v1.14.2
- gotestyourself/gotestsum v1.12.0
- c-bata/kube-prompt v1.0.11
- kubernetes-sigs/kind v0.23.0
- helm/helm v3.15.3
- kubernetes/minikube v1.33.1
- stern/stern v1.30.0
- tilt-dev/tilt v0.33.19
- golangci/golangci-lint v1.59.1
- DelineaXPM/dsv-cli v1.41.1
- gitleaks/gitleaks v8.18.4
- charmbracelet/gum v0.14.3

.github/workflows/release.yml
- aquaproj/aqua v2.28.0
.github/workflows/scan.yml
- aquaproj/aqua v2.28.0
.github/workflows/test.yml
- aquaproj/aqua v2.28.0

.aqua/aqua.yaml
- golang/go 1.22.6
Description of the issue
The Red Hat Quay image is broken and so is the build badge.
Expected behaviour
Installing the helm chart and using the injector and syncer should work.
Actual behavior
They don't because the injector in the current image in Quay is broken.
Your environment
Affects all users
Steps to reproduce
Install the chart and test the injector
Description of the issue
Can this URL be updated (https://gist.github.com/amigus/b4e6e642f88e756be1996e44a1c35349) to use a different resource?
Steps to reproduce
ℹ️ All this assumes that the injector uses a certificate signed by the cluster CA. There are several options like [cert-manager](https://cert-manager.io/) for getting cluster-signed certs, however, this simple [bash script](https://gist.github.com/amigus/b4e6e642f88e756be1996e44a1c35349) will request and grant a suitable certificate from the cluster using cURL and OpenSSL.
After updating the image repository to docker, installing the chart has this problem. The version with the old repository (quay.io) works fine.
I think the image is the problem.
We also use another way of using Delinea, related to kubernetes (Sidecar). The image was updated some time ago and changed from amd64 to arm64; can you fix that?
Before this update the latest version was amd64 and worked relatively well.
Hello guys!
Guys, we use your integration for kubernetes (sidecar) which is in the repository https://hub.docker.com/r/thycotic/dsv-k8s-controller (https://docs.thycotic.com/dsv/current/usage/integrations/kubernetes/kubernetes-sidecar/broker.md). Some time ago we reported a problem that the broker restarted from time to time; it was updated on dockerhub with the solution, but with an arm64 version. Now it's updated to amd64 again, but the restart problem is back. The error log follows; can you help us?
time="2023-01-30T18:57:34Z" level=error msg="Error getting pod" error=EOF
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x8d0fc5]
goroutine 30 [running]:
container-go/pkg/pods.NewPodRegistry.func1({0x7ffeca2a40bf, 0xd}, 0xc000237550, 0x0?, 0x0?, 0x0?)
/go/src/container-go/pkg/pods/registry.go:63 +0x105
created by container-go/pkg/pods.NewPodRegistry
/go/src/container-go/pkg/pods/registry.go:55 +0x36a
Another thing we wanted was the availability of this code on Github so that it would be easier for us to report problems and/or solutions.
Thanks!
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Configuration option 'packageRules[0].group' should be a json object, Configuration option 'packageRules[1].group' should be a json object
Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5
Found in base branch: main

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2016-9121 | High | 9.1 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | ❌ |
CVE-2021-3121 | High | 8.6 | github.com/docker/cli-v20.10.17 | Transitive | N/A | ❌ |
CVE-2016-9122 | High | 7.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | ❌ |
CVE-2022-21698 | High | 7.5 | detected in multiple dependencies | Transitive | N/A | ❌ |
WS-2021-0200 | High | 7.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | ❌ |
CVE-2020-29652 | High | 7.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | ❌ |
CVE-2016-9123 | High | 7.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | ❌ |
CVE-2022-27191 | High | 7.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | ❌ |
CVE-2021-44716 | High | 7.5 | detected in multiple dependencies | Transitive | N/A | ❌ |
CVE-2021-43565 | High | 7.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | ❌ |
CVE-2020-8559 | Medium | 6.8 | github.com/docker/cli-v20.10.17 | Transitive | N/A | ❌ |
CVE-2019-11254 | Medium | 6.5 | github.com/docker/distribution-v2.8.1 | Transitive | N/A | ❌ |
CVE-2021-31525 | Medium | 5.9 | github.com/docker/cli-v20.10.17 | Transitive | N/A | ❌ |
CVE-2020-8565 | Medium | 5.5 | github.com/docker/cli-v20.10.17 | Transitive | N/A | ❌ |

Vulnerable libraries:
- github.com/docker/distribution-v2.8.1 (The toolkit to pack, ship, store, and deliver container content)
- github.com/docker/cli-v20.10.17 (The Docker CLI)

CVE-2016-9121 (github.com/docker/distribution-v2.8.1)
go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.
Publish Date: 2017-03-28
URL: CVE-2016-9121
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9121
Release Date: 2017-03-28
Fix Resolution: 1.0.4

CVE-2021-3121 (github.com/docker/cli-v20.10.17)
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Publish Date: 2021-01-11
URL: CVE-2021-3121
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121
Release Date: 2021-01-11
Fix Resolution: v1.3.2

CVE-2016-9122 (github.com/docker/distribution-v2.8.1)
go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.
Publish Date: 2017-03-28
URL: CVE-2016-9122
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0011
Release Date: 2017-03-28
Fix Resolution: v1.1.0

CVE-2022-21698 (github.com/docker/distribution-v2.8.1 and github.com/docker/cli-v20.10.17)
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
Publish Date: 2022-02-15
URL: CVE-2022-21698
Type: Upgrade version
Origin: GHSA-cg3q-j54f-5p7p
Release Date: 2022-02-15
Fix Resolution: v1.11.1

WS-2021-0200 (github.com/docker/distribution-v2.8.1)
Yaml in versions v2.2.0 to v2.2.2 is vulnerable to denial of service vector. Related to decode.go.
Publish Date: 2021-04-14
URL: WS-2021-0200
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0061
Release Date: 2021-04-14
Fix Resolution: v2.2.3

CVE-2020-29652 (github.com/docker/cli-v20.10.17)
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

CVE-2016-9123 (github.com/docker/distribution-v2.8.1)
go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.
Publish Date: 2017-03-28
URL: CVE-2016-9123
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0009
Release Date: 2017-03-28
Fix Resolution: v1.0.5

CVE-2022-27191 (github.com/docker/cli-v20.10.17)
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191
Release Date: 2022-03-18
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1

CVE-2021-44716 (github.com/docker/cli-v20.10.17 and github.com/docker/distribution-v2.8.1)
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Publish Date: 2022-01-01
URL: CVE-2021-44716
Type: Upgrade version
Origin: GHSA-vc3p-29h2-gpcp
Release Date: 2022-01-01
Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

CVE-2021-43565 (github.com/docker/cli-v20.10.17)
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565
Release Date: 2021-11-10
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1

CVE-2020-8559 (github.com/docker/cli-v20.10.17)
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
Publish Date: 2020-07-22
URL: CVE-2020-8559
Type: Upgrade version
Release Date: 2020-08-10
Fix Resolution: v1.18.6,v1.17.9,v1.16.13

CVE-2019-11254 (github.com/docker/distribution-v2.8.1)
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
Type: Upgrade version
Release Date: 2020-10-02
Fix Resolution: v2.2.8

CVE-2021-31525 (github.com/docker/cli-v20.10.17)
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

CVE-2020-8565 (github.com/docker/cli-v20.10.17)
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Publish Date: 2020-12-07
URL: CVE-2020-8565
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0064
Release Date: 2020-12-07
Fix Resolution: v1.20.0-alpha.2
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Renovate tried to run on this repository, but found these problems.
These branches will be created by Renovate only once you click their checkbox below.

Update groups (as listed by Renovate):
- actions/cache, actions/checkout, aquaproj/aqua-installer, codecov/codecov-action, docker/login-action, elgohr/go-vulncheck-action, github/codeql-action, magefile/mage-action, magnetikonline/action-golang-cache
- github.com/mattbaird/jsonpatch, github.com/pterm/pterm, k8s.io/api, k8s.io/apimachinery, k8s.io/client-go
- actions/cache, actions/checkout, docker/login-action, github/codeql-action, magefile/mage-action, magnetikonline/action-golang-cache
- DelineaXPM/dsv-cli, anchore/syft, aquaproj/aqua-registry, helm/helm, miniscruff/changie

Detected dependencies:

.tool-versions
- node 17.3.0

.devcontainer/Dockerfile
Dockerfile
docker/Dockerfile.chainguard
docker/Dockerfile.distroless

.github/workflows/assign.yml
.github/workflows/conventional-pr.yml
.github/workflows/github.yml
- actions/checkout v3
- magnetikonline/action-golang-cache v3
.github/workflows/lint.yml
.github/workflows/release.yml
- actions/checkout v3
- magnetikonline/action-golang-cache v3@797f193169d3c8ba6f60d90f50ecdadd2583fbd8
- aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
- magefile/mage-action v2@3b833fb24c0d19eed3aa760b9eb285b4b84f420f
- docker/login-action v2
- docker/login-action v2
- magefile/mage-action v2@3b833fb24c0d19eed3aa760b9eb285b4b84f420f
.github/workflows/scan.yml
- actions/checkout v3
- aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
- actions/cache v3
- elgohr/go-vulncheck-action 90e331d6e77587505906ef175d4b44a1d2cb6a63
- actions/checkout v3
- github/codeql-action v2
- github/codeql-action v2
- github/codeql-action v2
.github/workflows/stale.yaml
.github/workflows/test.yml
- actions/checkout v3
- aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
- actions/cache v3
- codecov/codecov-action v3.1.1@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70

go.mod
- go 1.21
- github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0
- github.com/bitfield/script v0.22.0
- github.com/caarlos0/env/v6 v6.10.1
- github.com/magefile/mage v1.15.0
- github.com/mattbaird/jsonpatch v0.0.0-20230413205102-771768614e91@771768614e91
- github.com/pterm/pterm v0.12.74
- github.com/rs/zerolog v1.31.0
- github.com/sheldonhull/magetools v1.0.1
- k8s.io/api v0.29.0
- k8s.io/apimachinery v0.29.0
- k8s.io/client-go v0.29.0

charts/dsv-injector/values.yaml
- docker.io/delineaxpm/dsv-k8s v1.2.2
charts/dsv-syncer/values.yaml
- docker.io/delineaxpm/dsv-k8s v1.2.2

.aqua/aqua.yaml
- aquaproj/aqua-registry v4.118.0
- miniscruff/changie v1.17.0
- golang/go go1.21.6
- direnv/direnv v2.33.0
- magefile/mage v1.15.0
- charmbracelet/glow v1.5.1
- goreleaser/goreleaser v1.23.0
- mvdan/gofumpt v0.5.0
- anchore/syft v0.100.0
- norwoodj/helm-docs v1.12.0
- gotestyourself/gotestsum v1.11.0
- c-bata/kube-prompt v1.0.11
- kubernetes-sigs/kind v0.20.0
- helm/helm v3.13.3
- kubernetes/minikube v1.32.0
- stern/stern v1.28.0
- tilt-dev/tilt v0.33.10
- golangci/golangci-lint v1.55.2
- DelineaXPM/dsv-cli v1.40.5
- gitleaks/gitleaks v8.18.1

.github/workflows/release.yml
- aquaproj/aqua v1.38.0
.github/workflows/scan.yml
- aquaproj/aqua v1.38.0
.github/workflows/test.yml
- aquaproj/aqua v1.38.0

.aqua/aqua.yaml
- golang/go 1.21.6
charts/dsv-injector/templates/webhook.yaml generates a cert if the user doesn't provide their own. If releasename-tls is found, it defaults to this.

So the basics of current behavior:

{{- $tlsCert := genSelfSignedCert (include "dsv.dnsname" .) nil (list (include "dsv.dnsname" .) (include "dsv.name" .)) (default 365 .Values.webhookCertExpireDays | int) -}}
{{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}

- $tlsCert == self signed cert always generated on run (it's a helm function)
- $tlsSecret is a lookup to find the "CurrentReleaseName-tls".

The clientConfig: value for the webhook:

clientConfig:
{{- if eq .Values.service.type "ExternalName" }}
  caBundle: {{ .Values.caBundle }}
{{- else if $tlsSecret }}
  caBundle: {{ $tlsSecret.data.cert }}
{{- else }}
  caBundle: {{ $tlsCert.Cert | b64enc }}

Logic explained:
- If eq .Values.service.type "ExternalName" is set, then this takes precedence (for when service is running external to kubernetes). The default in charts/dsv-injector/values.yaml is set to type: ClusterIP. This means unless this is changed, the default behavior will fall through to checking if an existing cert is found in the namespace for this release (aka someone installed their own cert before).
- caBundle is not set by default, but could be passed in with the helm install command if desired. The caBundle must be a base64 string containing a PEM-encoded certificate chain that validates the certificate, per charts/dsv-injector/values.yaml.
- If $tlsSecret that was looked up is found, then it uses this. That doesn't check if it's valid or not, so it will just reuse what's there.
- Otherwise genSelfSignedCert is used.

Proposed:
- caBundle to only be used when designating an external service.
- {{- else if $tlsSecret }} should check if it exists, but also check that the tls secret cert expiration <= in days from recreateSelfSignedCertThreshold.
- recreateSelfSignedCertThreshold will default in helm values to 90 days.
- webhookCertExpireDays should be exposed in the values.yaml with default of 365, rather than default set in the webhook.yaml, so it's more visible.
- charts/dsv-injector/templates/webhook.yaml: this should be modified to also have the same check for expiration.

data:
{{- if $tlsSecret }}
  cert.pem: {{ $tlsSecret.data.cert }}
  key.pem: {{ $tlsSecret.data.key }}
{{- else }}
  cert.pem: {{ $tlsCert.Cert | b64enc }}
  key.pem: {{ $tlsCert.Key | b64enc }}
{{- end }}

Questions:
- SelfSignedCertRegeneration to avoid impact to custom provided cert. ANSWER: The logic expects caBundle to only be used when designating an external service. Otherwise genSelfSignedCert is what's used.
- DSV_CERT I believe. Validate if this impacts anything here, since it's not exposed as a helm input for this process currently, but expected to be done on app loading. ANSWERED below.
- cmd/injector/main.go caused some confusion initially as a container wouldn't have knowledge of "${HOME}". I backtracked this though and recall now why this is set. nonroot by convention with them. /home/nonroot/credentials. So yes it was always finding it (else it would error as fatal/termination of Run).

But nothing was checking the expiration of the cert.
related to AB#590946
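The expiration check this issue says is missing, as an added Go example that is neither the chart's nor the injector's own code. It takes the value the template reads from the looked-up Secret ($tlsSecret.data.cert, assumed to be base64 of a PEM certificate, which is what the else branch writes via b64enc), counts the days of lifetime left, and returns whether to reuse the Secret or fall through to regeneration when the remaining lifetime is at or below recreateSelfSignedCertThreshold (90 days, the proposed default). It additionally checks that the certificate still covers the webhook DNS name, a check the issue does not ask for. The self-signed certificate builder only constructs sample input, standing in for Helm's genSelfSignedCert; the service name and install date are assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// recreateSelfSignedCertThreshold is the proposed chart default, in days.
const recreateSelfSignedCertThreshold = 90

type certDecision string

const (
	reuseExisting certDecision = "reuse-existing-tls-secret"
	regenerate    certDecision = "regenerate-self-signed"
)

// decideWebhookCert takes the raw cert entry of the looked-up Secret (base64 of
// a PEM certificate, i.e. what $tlsSecret.data.cert holds), the regeneration
// threshold in days, the DNS name the webhook is served on, and the current time
// (injected so the result is reproducible). It returns the decision, the days of
// lifetime left, and an error when the data is not a certificate at all, in
// which case the caller should regenerate rather than reuse.
func decideWebhookCert(certB64 string, thresholdDays int, dnsName string, now time.Time) (certDecision, int, error) {
	if certB64 == "" {
		return regenerate, 0, nil // no <release>-tls Secret: the template's {{ else }} branch
	}
	pemBytes, err := base64.StdEncoding.DecodeString(certB64)
	if err != nil {
		return regenerate, 0, fmt.Errorf("secret cert is not base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return regenerate, 0, errors.New("secret cert is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return regenerate, 0, fmt.Errorf("secret cert does not parse: %w", err)
	}
	daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
	if daysLeft <= thresholdDays {
		return regenerate, daysLeft, nil // expired, or inside the threshold window
	}
	if err := cert.VerifyHostname(dnsName); err != nil {
		return regenerate, daysLeft, nil // still valid in time, but issued for another name
	}
	return reuseExisting, daysLeft, nil
}

// newSelfSignedCertB64 builds a self-signed serving certificate for dnsName that
// expires in expireDays and returns base64(PEM) as the chart stores it. It stands
// in for Helm's genSelfSignedCert only to construct sample input for the example.
func newSelfSignedCertB64(dnsName string, expireDays int, now time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Duration(expireDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

func main() {
	const svc = "dsv-injector.dsv.svc" // assumed webhook DNS name
	installed := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	certB64, err := newSelfSignedCertB64(svc, 365, installed)
	if err != nil {
		panic(err)
	}
	// Upgrading the same release 300 days later leaves 65 days, inside the 90-day threshold.
	d, left, _ := decideWebhookCert(certB64, recreateSelfSignedCertThreshold, svc, installed.Add(300*24*time.Hour))
	fmt.Println(d, left)
}
```

Two things follow from this. First, a bare-YAML check of this kind cannot be written inside the template itself, because Helm's template functions do not parse certificates, so the expiration test belongs either in a small pre-install step or in the injector at start-up. Second, Helm's lookup returns an empty map under helm template and --dry-run, so in those modes the chart always takes the genSelfSignedCert branch whatever check is added to the $tlsSecret branch.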
Problem
Connection to Secret Server fails because of missing trusted Root CA:
2023/08/29 07:11:56 [DEBUG] grant response error:Post "https://swwpam.ch/SecretServer/.secretsvaultcloud.com/v1/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
I guess I can set the company Root CAs over the optional ConfigMap section in values.yaml:
configmap:
DSV_CERT:
DSV_KEY:
DSV_CREDENTIALS_JSON:
DSV_SERVER_ADDRESS:
DSV_DEBUG: 'true'
But I am missing some documentation here. Maybe an example.
Thank you in advance for some hints or feedback regarding this topic.