Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Audit - support scanning Conan v2 projects #182

Merged
merged 4 commits into from
Sep 26, 2024

Conversation

orto17
Copy link
Contributor

@orto17 orto17 commented Sep 22, 2024

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Sep 22, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 22, 2024
@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Sep 22, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 22, 2024
Copy link
Contributor

@attiasas attiasas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Unknown
Not Covered github.com/golang/go:v1.22.3 github.com/golang/go v1.22.3 [1.22.7]
[1.23.1]
CVE-2024-34155

Unknown
Not Covered github.com/golang/go:v1.22.3 github.com/golang/go v1.22.3 [1.22.7]
[1.23.1]
CVE-2024-34158

Unknown
Not Covered github.com/golang/go:v1.22.3 github.com/golang/go v1.22.3 [1.22.7]
[1.23.1]
CVE-2024-34156

Critical
Not Applicable github.com/golang/go:v1.22.3 github.com/golang/go v1.22.3 [1.21.11]
[1.22.4]
CVE-2024-24790

Medium
Not Applicable github.com/golang/go:v1.22.3 github.com/golang/go v1.22.3 [1.21.11]
[1.22.4]
CVE-2024-24789

Unknown
Not Applicable github.com/golang/go:v1.22.3 github.com/golang/go v1.22.3 [1.21.12]
[1.22.5]
CVE-2024-24791

🔬 Research Details

[ CVE-2024-34155 ] github.com/golang/go v1.22.3

Description:
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

[ CVE-2024-34158 ] github.com/golang/go v1.22.3

Description:
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

[ CVE-2024-34156 ] github.com/golang/go v1.22.3

Description:
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

[ CVE-2024-24790 ] github.com/golang/go v1.22.3

Description:
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

[ CVE-2024-24789 ] github.com/golang/go v1.22.3

Description:
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

[ CVE-2024-24791 ] github.com/golang/go v1.22.3

Description:
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.


@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Sep 26, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 26, 2024
@orto17 orto17 merged commit 6356c7f into jfrog:dev Sep 26, 2024
8 of 9 checks passed
@attiasas attiasas added the new feature Automatically generated release notes label Sep 27, 2024
@attiasas attiasas changed the title Enabling Conan audit command Audit - support scanning Conan v2 projects Sep 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
new feature Automatically generated release notes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants