-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(GHSA-5336-2g3f-9g3m): Fixes GSA GHSA-5336-2g3f-9g3m #1442
Conversation
Ensures that all trusted builder image prefixes end in a slash so that registry identifiers can't be spoofed with name extensions. /kind fix Signed-off-by: Lance Ball <lball@redhat.com>
@lance: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Codecov ReportBase: 62.75% // Head: 63.12% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #1442 +/- ##
==========================================
+ Coverage 62.75% 63.12% +0.37%
==========================================
Files 74 75 +1
Lines 10734 10740 +6
==========================================
+ Hits 6736 6780 +44
+ Misses 3438 3401 -37
+ Partials 560 559 -1
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/LGTM
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andrew-su, lance The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/override "OnCluster Test / On Cluster Test (1.18.x, ubuntu-latest)" |
This comment was marked as outdated.
This comment was marked as outdated.
/override "On Cluster Test (1.18.x, ubuntu-latest)" |
@lance: Overrode contexts on behalf of lance: On Cluster Test (1.18.x, ubuntu-latest) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-1.8 |
@lance: #1442 failed to apply on top of branch "release-1.8":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Ensures that all trusted builder image prefixes end in a slash so that registry identifiers can't be spoofed with name extensions. /kind fix Signed-off-by: Lance Ball <lball@redhat.com>
Ensures that all trusted builder image prefixes end in a slash so that registry identifiers can't be spoofed with name extensions. /kind fix Signed-off-by: Lance Ball <lball@redhat.com> Signed-off-by: Lance Ball <lball@redhat.com>
knative#1443) Ensures that all trusted builder image prefixes end in a slash so that registry identifiers can't be spoofed with name extensions. /kind fix Signed-off-by: Lance Ball <lball@redhat.com> Signed-off-by: Lance Ball <lball@redhat.com>
* [release-1.8] techdebt(buildpacks): test builder image prefix (knative#1441) * techdebt(buildpacks): test builder image prefix Adds a test for the known builder image prefixes, ensuring they are considered trusted. Removes the check for old versions of podman in order to facilitate this test without turning it into an integration test. Podman 3.4 was released in the summer of '21, more than a year ago, and all published versions of RHEL ship with podman 4.2. /kind techdebt Signed-off-by: Lance Ball <lball@redhat.com> * fixup: remove unused code Signed-off-by: Lance Ball <lball@redhat.com> * fixup: run ./hack/update-codegen.sh Signed-off-by: Lance Ball <lball@redhat.com> * fixup: run ./hack/update-codegen.sh Signed-off-by: Lance Ball <lball@redhat.com> Signed-off-by: Lance Ball <lball@redhat.com> Co-authored-by: Lance Ball <lball@redhat.com> * fix(GHSA-5336-2g3f-9g3m): Fixes GSA GHSA-5336-2g3f-9g3m (knative#1442) (knative#1443) Ensures that all trusted builder image prefixes end in a slash so that registry identifiers can't be spoofed with name extensions. /kind fix Signed-off-by: Lance Ball <lball@redhat.com> Signed-off-by: Lance Ball <lball@redhat.com> Signed-off-by: Lance Ball <lball@redhat.com> Co-authored-by: Knative Prow Robot <knative-prow-robot@google.com> Co-authored-by: Lance Ball <lball@redhat.com>
* fix(GHSA-5336-2g3f-9g3m): Fixes GSA GHSA-5336-2g3f-9g3m (#1442) Ensures that all trusted builder image prefixes end in a slash so that registry identifiers can't be spoofed with name extensions. /kind fix Signed-off-by: Lance Ball <lball@redhat.com> * fix: make socat image public and remove socat image env (#1384) * chore: verbose version to display image ref Signed-off-by: Lance Ball <lball@redhat.com> Co-authored-by: Jefferson Ramos <jeramos@redhat.com>
Ensures that all trusted builder image prefixes end in a slash so that registry identifiers can't be spoofed with name extensions. /kind fix Signed-off-by: Lance Ball <lball@redhat.com> Signed-off-by: Lance Ball <lball@redhat.com>
Changes
GHSA-5336-2g3f-9g3m
The trusted builder prefixes should end with a slash in order to prevent malicious parties from using a builder such as
quay.io/bosonhacks/rootkit
. Should be cherry-picked torelease-1.8
/kind fix
Signed-off-by: Lance Ball lball@redhat.com
Release Note