
Chore: Update repository.go #599

Merged
merged 4 commits into from
Feb 19, 2025

Conversation

morri-son
Contributor

Description

Try to correct gosec linter exception as the former one was not working (dunno if an extra space after the double slash would have already helped, so I made it an own line and added a space...)

@morri-son morri-son added area/ipcei Important Project of Common European Interest kind/chore chore, maintenance, etc. labels Feb 19, 2025
@morri-son morri-son added this to the 2025-Q1 milestone Feb 19, 2025
@morri-son morri-son requested a review from a team as a code owner February 19, 2025 11:44

Mend Scan Summary: ❌

Repository: open-component-model/ocm-controller

VIOLATION DESCRIPTION                       NUMBER OF VIOLATIONS
HIGH/CRITICAL SECURITY VULNERABILITIES      2
MAJOR UPDATES AVAILABLE                     0
LICENSE REQUIRES REVIEW                     1
LICENSE RISK HIGH                           9
RESTRICTED LICENSE FOR ON-PREMISE DELIVERY  0

Detailed Logs: mend-scan-> Generate Report
Mend UI

@@ -143,7 +143,8 @@
}

func (c *Client) constructTLSRoundTripper() http.RoundTripper {
tlsConfig := &tls.Config{} //nolint:gosec // must provide lower version for quay.io
// nolint:gosec // must provide lower version for quay.io
tlsConfig := &tls.Config{}
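Review bot: moving the directive to its own line does not address why the check fails, because the failing check is `Code scanning / gosec`, i.e. gosec run directly rather than through golangci-lint, and standalone gosec does not read `nolint` comments at all; its own annotation is `#nosec`, so the suppression would have to read `// #nosec G402 -- must provide lower version for quay.io`. Note also that golangci-lint's documented form is `//nolint:gosec` with no space after the slashes (its nolintlint check flags the spaced form), so the new line is not an improvement on the old one even for golangci-lint. The cleaner fix is to avoid the suppression entirely: `&tls.Config{}` sets no `MinVersion`, which is exactly what G402 reports, and writing `&tls.Config{MinVersion: tls.VersionTLS12}` both satisfies the rule and records the floor the client actually accepts; if quay.io really needs something lower, that is worth stating explicitly in the config rather than in a comment.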

Check failure

Code scanning / gosec

TLS MinVersion too low. Error

TLS MinVersion too low.

@@ -2,7 +2,7 @@

const (
// DefaultRegistryCertificateSecretName is the name of the of certificate secret for client and registry.
DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" //nolint:gosec // not a credential
DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // nolint:gosec // not a credential
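Review bot: this change only adds a space after `//`, and the check that fails here (`Code scanning / gosec`) ignores `nolint` directives in either spelling; gosec's G101 finding on this constant is silenced with its own annotation, e.g. `DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // #nosec G101 -- not a credential`. The value is the name of a Kubernetes Secret rather than secret material, so the justification is sound. While touching the line, the doc comment above it reads "the name of the of certificate secret" and should drop the doubled "of".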

Check failure

Code scanning / gosec

Potential hardcoded credentials Error

Potential hardcoded credentials
@@ -35,5 +35,5 @@
// Ocm credential config key for secrets.
const (
// OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config.
OCMCredentialConfigKey = ".ocmcredentialconfig" //nolint:gosec // it isn't a cred
OCMCredentialConfigKey = ".ocmcredentialconfig" // nolint:gosec // it isn't a cred
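Review bot: same issue as the other G101 suppression: `// nolint:gosec` is not read by the standalone gosec that produced this alert, so this hunk will not make the check pass. `.ocmcredentialconfig` is a secret key name matched only because it contains "credential", so either `// #nosec G101 -- it isn't a cred` on this line or narrowing the G101 `pattern` in the gosec configuration is the right fix; the latter avoids sprinkling per-line suppressions over every constant whose name mentions credentials.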

Check failure

Code scanning / gosec

Potential hardcoded credentials Error

Potential hardcoded credentials
@@ -2,7 +2,7 @@

const (
// DefaultRegistryCertificateSecretName is the name of the of certificate secret for client and registry.
DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" //nolint:gosec // not a credential
DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // nolint:gosec // not a credential
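Review bot: this is the same hunk as above, but the annotation attached here comes from CodeQL, and CodeQL honours neither `nolint` nor `#nosec` comments, so no comment change will clear its "Hard-coded credentials" alert. A string that names a Secret rather than holding one is a false positive and should be dismissed as such in the repository's code scanning alerts (with the reason recorded there), or excluded via a query filter in the CodeQL workflow configuration; doing it there rather than in the source also makes the decision visible to whoever audits the alerts later.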

Check failure

Code scanning / CodeQL

Hard-coded credentials Critical

Hard-coded secret.
@hilmarf
Member

hilmarf commented Feb 19, 2025

are you sure that the checks are executed on the correct branch/PR?

@morri-son
Contributor Author

morri-son commented Feb 19, 2025

@hilmarf

are you sure that the checks are executed on the correct branch/PR?

That I'm now asking myself, too. But when looking at the action https://github.com/open-component-model/ocm-controller/pull/599/checks?check_run_id=37463785489 and then using the "View all branch alerts" link, I'm directed to the security alerts page and the branch is shown as refs/pull/599/merge.

But to get this confirmed, let's merge the PR and check what the CodeQL checks on push to main will tell us. If they still report issues, I have no clue why the nolint comments don't work 🤔

@morri-son morri-son enabled auto-merge (squash) February 19, 2025 12:13

@morri-son morri-son merged commit 1251851 into main Feb 19, 2025
10 of 11 checks passed
@morri-son morri-son deleted the morri-son-patch-1 branch February 19, 2025 13:39