ci: Add Semgrep to workflows (#30610) #30611
084de1d to e6f976a
Semgrep found 3
- Risk: Affected versions of com.graphql-java:graphql-java are vulnerable to Allocation of Resources Without Limits or Throttling. The package does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries.
- Fix: Upgrade this library to at least version 19.11 at core/dotcms-integration/maven_dep_tree.txt:126.
- Reference(s): GHSA-h9mq-f6q5-6c8m, CVE-2024-40094

Semgrep found 2
- Risk: Affected versions of io.quarkus:quarkus-core are vulnerable to Cleartext Storage Of Sensitive Information In An Environment Variable. The vulnerability lies within the quarkus-core component, concerning how Quarkus handles local environment variables; specifically, during the build phase of a Quarkus application, it captures and embeds the local environment variables under the Quarkus namespace into the application, potentially exposing test configurations set by developers or continuous integration (CI) systems, thus risking insecure behavior in production if not overridden.
- Manual Review Advice: A vulnerability from this advisory is reachable if you are using configuration properties that are prefixed with
- Fix: Upgrade this library to at least version 3.8.4 at core/tools/dotcms-cli/api-data-model/maven_dep_tree.txt:11.
- Reference(s): GHSA-f8h5-v2vg-46rr, CVE-2024-2700

Semgrep found 1
- Risk: Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat are vulnerable to Improper Input Validation. The vulnerability in Apache Tomcat involves a Denial of Service due to improper input validation in HTTP/2 requests, where if the request surpasses configured header limits, the corresponding HTTP/2 stream remains unreset until after all headers have been processed.
- Fix: Upgrade this library to at least version 9.0.86 at core/dotCMS/maven_dep_tree.txt:396.
- Reference(s): GHSA-7w75-32cg-r6g2, CVE-2024-24549

Semgrep found 3
- Risk: Affected versions of org.elasticsearch:elasticsearch are vulnerable to Uncontrolled Resource Consumption. An unauthenticated user can induce an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests, due to the way Elasticsearch handles incoming requests on the HTTP layer.
- Fix: Upgrade this library to at least version 7.17.13 at core/dotcms-integration/maven_dep_tree.txt:167.
- Reference(s): GHSA-2cqf-6xv9-f22w, CVE-2023-31418

Semgrep found 1
- Risk: Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-coyote are vulnerable to Improper Handling of Exceptional Conditions / Uncontrolled Resource Consumption.
- Fix: Upgrade this library to at least version 9.0.90 at core/dotCMS/maven_dep_tree.txt:396.
- Reference(s): GHSA-wm9w-rjj3-j356, CVE-2024-34750
1c074e0 to 8315925
Semgrep found 3
- Risk: Affected versions of com.graphql-java:graphql-java are vulnerable to Allocation of Resources Without Limits or Throttling. The package does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries.
- Fix: Upgrade this library to at least version 19.11 at core/dotcms-integration/maven_dep_tree.txt:126.
- Reference(s): GHSA-h9mq-f6q5-6c8m, CVE-2024-40094

Semgrep found 2
- Risk: Affected versions of io.quarkus:quarkus-core are vulnerable to Cleartext Storage Of Sensitive Information In An Environment Variable. The vulnerability lies within the quarkus-core component, concerning how Quarkus handles local environment variables; specifically, during the build phase of a Quarkus application, it captures and embeds the local environment variables under the Quarkus namespace into the application, potentially exposing test configurations set by developers or continuous integration (CI) systems, thus risking insecure behavior in production if not overridden.
- Manual Review Advice: A vulnerability from this advisory is reachable if you are using configuration properties that are prefixed with
- Fix: Upgrade this library to at least version 3.8.4 at core/tools/dotcms-cli/api-data-model/maven_dep_tree.txt:11.
- Reference(s): GHSA-f8h5-v2vg-46rr, CVE-2024-2700

Semgrep found 3
- Risk: Affected versions of org.elasticsearch:elasticsearch are vulnerable to Uncontrolled Resource Consumption. An unauthenticated user can induce an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests, due to the way Elasticsearch handles incoming requests on the HTTP layer.
- Fix: Upgrade this library to at least version 7.17.13 at core/dotcms-integration/maven_dep_tree.txt:167.
- Reference(s): GHSA-2cqf-6xv9-f22w, CVE-2023-31418
8315925 to ae3fc78
Semgrep found 3
- Risk: Affected versions of com.graphql-java:graphql-java are vulnerable to Allocation of Resources Without Limits or Throttling. The package does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries.
- Fix: Upgrade this library to at least version 19.11 at core/dotcms-integration/maven_dep_tree.txt:126.
- Reference(s): GHSA-h9mq-f6q5-6c8m, CVE-2024-40094

Semgrep found 2
- Risk: Affected versions of io.quarkus:quarkus-core are vulnerable to Cleartext Storage Of Sensitive Information In An Environment Variable. The vulnerability lies within the quarkus-core component, concerning how Quarkus handles local environment variables; specifically, during the build phase of a Quarkus application, it captures and embeds the local environment variables under the Quarkus namespace into the application, potentially exposing test configurations set by developers or continuous integration (CI) systems, thus risking insecure behavior in production if not overridden.
- Manual Review Advice: A vulnerability from this advisory is reachable if you are using configuration properties that are prefixed with
- Fix: Upgrade this library to at least version 3.8.4 at core/tools/dotcms-cli/api-data-model/maven_dep_tree.txt:11.
- Reference(s): GHSA-f8h5-v2vg-46rr, CVE-2024-2700

Semgrep found 3
- Risk: Affected versions of org.elasticsearch:elasticsearch are vulnerable to Uncontrolled Resource Consumption. An unauthenticated user can induce an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests, due to the way Elasticsearch handles incoming requests on the HTTP layer.
- Fix: Upgrade this library to at least version 7.17.13 at core/dotcms-integration/maven_dep_tree.txt:167.
- Reference(s): GHSA-2cqf-6xv9-f22w, CVE-2023-31418
ae3fc78 to 4095b98
vars.SEMGREP_NO_FAIL is enabled to allow us to merge the base code into main without fixing the issues found at this time. We can remove this flag when we are ready.
Proposed Changes
Setting vars.SEMGREP_NO_FAIL=true will run Semgrep unless it is disabled, but will not fail the workflow step.
This PR fixes: #30610
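One way to wire the behaviour described above into a GitHub Actions job, as an added example rather than the PR's actual workflow file: the job always runs `semgrep ci` and comments findings, but a repository variable `SEMGREP_NO_FAIL` set to `true` stops a non-zero Semgrep exit from failing the step. The job name, the `SEMGREP_DISABLED` kill switch and the `SEMGREP_APP_TOKEN` secret name are assumptions; only `vars.SEMGREP_NO_FAIL` comes from the page.

```yaml
# Added example (assumed layout, not the dotCMS workflow from the PR).
name: semgrep

on:
  push:
    branches: [main]
  pull_request:

jobs:
  semgrep:
    runs-on: ubuntu-latest
    # Assumed kill switch: SEMGREP_DISABLED=true skips the whole job,
    # which is the "unless it is disabled" case from the PR description.
    if: vars.SEMGREP_DISABLED != 'true'
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep
        run: semgrep ci
        env:
          # Assumed secret name; needed for semgrep ci to report to Semgrep Cloud.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
        # When the repository variable SEMGREP_NO_FAIL is "true", findings
        # (a non-zero exit from semgrep ci) are recorded but do not fail the
        # workflow. Flipping the variable back to "false" restores the gate
        # without editing this file, matching "We can remove this flag when
        # we are ready."
        continue-on-error: ${{ vars.SEMGREP_NO_FAIL == 'true' }}
```

With `continue-on-error` the step is still marked as failed in the run log, so findings remain visible to reviewers even while the merge is not blocked.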