From 38dcef1b42ffd066a3ae71ae7440a541b3e8a6d1 Mon Sep 17 00:00:00 2001
From: Christophe Jauffret
Date: Tue, 9 Aug 2022 13:44:04 +0200
Subject: [PATCH 1/7] extended blackduck scan (#44)
---
 .github/workflows/synopsys-schedule.yaml | 29 ++++++++++++++++++++++++
 .github/workflows/synopsys.yaml | 8 +++----
 2 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/synopsys-schedule.yaml
diff --git a/.github/workflows/synopsys-schedule.yaml b/.github/workflows/synopsys-schedule.yaml
new file mode 100644
index 0000000..4ddab58
--- /dev/null
+++ b/.github/workflows/synopsys-schedule.yaml
@@ -0,0 +1,29 @@
+name: Black Duck Intelligent Policy Check
+on:
+ schedule:
+ - cron: "0 0 * * *"
+
+jobs:
+ security:
+ if: github.repository == 'nutanix-cloud-native/packer-plugin-nutanix'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Setup Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: "^1.17"
+
+ - name: Build Project
+ run: make build
+
+ - name: Run Synopsys Detect
+ uses: synopsys-sig/detect-action@v0.3.2
+ with:
+ scan-mode: INTELLIGENT
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ detect-version: 7.9.0
+ blackduck-url: ${{ secrets.BLACKDUCK_URL }}
+ blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
diff --git a/.github/workflows/synopsys.yaml b/.github/workflows/synopsys.yaml
index 3a61f91..a23830a 100644
--- a/.github/workflows/synopsys.yaml
+++ b/.github/workflows/synopsys.yaml
@@ -3,8 +3,6 @@ on:
 pull_request:
 branches:
 - main
- schedule:
- - cron: '0 0 * * *'
 push:
 jobs:
@@ -18,11 +16,11 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v3
 with:
- go-version: '^1.17'
+ go-version: "^1.17"
- - name: Build Project
+ - name: Build Project
 run: make build
-
+
 - name: Run Synopsys Detect
 uses: synopsys-sig/detect-action@v0.3.2
 with:
From 6c4f168a7f71248746e4c7b00fc0416943376be3 Mon Sep 17 00:00:00 2001
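Review bot: Every `uses:` in the new synopsys-schedule.yaml hunk references a mutable tag (`actions/checkout@v3`, `actions/setup-go@v3`, `synopsys-sig/detect-action@v0.3.2`) while the job hands `secrets.BLACKDUCK_URL`, `secrets.BLACKDUCK_API_TOKEN` and `secrets.GITHUB_TOKEN` to the third-party detect step on a nightly schedule, so a moved or compromised tag would run with those secrets. Pin at least the third-party action to a full commit SHA with the version kept in a trailing comment, `uses: synopsys-sig/detect-action@<full-commit-sha>  # v0.3.2`, and consider the same for the actions/* steps. The workflow also has no top-level `permissions:` block, so GITHUB_TOKEN gets the repository default scope; add `permissions:` with `contents: read` plus only the write scopes that detect-action's INTELLIGENT mode actually needs, which should be confirmed against the action's documentation. The same tag-pinning point applies to the trivy-action `uses:` lines bumped in patch 2 and the detect-action lines bumped in patch 7.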
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 19 Aug 2022 17:11:18 -0700
Subject: [PATCH 2/7] Bump aquasecurity/trivy-action from 0.6.2 to 0.7.1 (#46)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.6.2 to 0.7.1.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.6.2...0.7.1)
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/integration.yml | 2 +-
 .github/workflows/trivy-scan.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 181322d..c4640bb 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -53,7 +53,7 @@ jobs:
 run: make build
 - name: Trivy scan
- uses: aquasecurity/trivy-action@0.6.2
+ uses: aquasecurity/trivy-action@0.7.1
 with:
 scan-type: "fs"
 ignore-unfixed: true
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
index 11fc6ac..5847a3f 100644
--- a/.github/workflows/trivy-scan.yaml
+++ b/.github/workflows/trivy-scan.yaml
@@ -20,7 +20,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.6.2
+ uses: aquasecurity/trivy-action@0.7.1
 with:
 scan-type: "fs"
 format: "sarif"
From 0bf21e1aaeeb146277fdd171d5133b1a78617fa0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Aug 2022 17:25:40 +0200
Subject: [PATCH 3/7] Bump github.com/zclconf/go-cty from 1.10.0 to 1.11.0 (#48)
Bumps [github.com/zclconf/go-cty](https://github.com/zclconf/go-cty) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/zclconf/go-cty/releases)
- [Changelog](https://github.com/zclconf/go-cty/blob/main/CHANGELOG.md)
- [Commits](https://github.com/zclconf/go-cty/compare/v1.10.0...v1.11.0)
---
updated-dependencies:
- dependency-name: github.com/zclconf/go-cty
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index b3c6249..2686aad 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/hashicorp/hcl/v2 v2.13.0
 github.com/hashicorp/packer-plugin-sdk v0.3.1
 github.com/nutanix-cloud-native/prism-go-client v0.2.0
- github.com/zclconf/go-cty v1.10.0
+ github.com/zclconf/go-cty v1.11.0
 )
 require (
diff --git a/go.sum b/go.sum
index ba86bba..b220724 100644
--- a/go.sum
+++ b/go.sum
@@ -622,8 +622,9 @@ github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLE github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= -github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0= github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty v1.11.0 h1:726SxLdi2SDnjY+BStqB9J1hNp4+2WlzyXLuimibIe0= +github.com/zclconf/go-cty v1.11.0/go.mod h1:s9IfD1LK5ccNMSWCVFCE2rJfHiZgi7JijgeWIMfhLvA= github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= From 3e689110d2e0c262a33865919bb79b6c7644b9b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Sep 2022 09:52:54 +0200 Subject: [PATCH 4/7] Bump github.com/hashicorp/hcl/v2 from 2.13.0 to 2.14.0 (#50) Bumps [github.com/hashicorp/hcl/v2](https://github.com/hashicorp/hcl) from 2.13.0 to 2.14.0. - [Release notes](https://github.com/hashicorp/hcl/releases) - [Changelog](https://github.com/hashicorp/hcl/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/hcl/compare/v2.13.0...v2.14.0) --- updated-dependencies: - dependency-name: github.com/hashicorp/hcl/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 2686aad..48f0548 100644 
--- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ replace ( ) require ( - github.com/hashicorp/hcl/v2 v2.13.0 + github.com/hashicorp/hcl/v2 v2.14.0 github.com/hashicorp/packer-plugin-sdk v0.3.1 github.com/nutanix-cloud-native/prism-go-client v0.2.0 github.com/zclconf/go-cty v1.11.0 diff --git a/go.sum b/go.sum index b220724..5a3916e 100644 --- a/go.sum +++ b/go.sum @@ -380,8 +380,9 @@ github.com/hashicorp/hc-install v0.3.2/go.mod h1:xMG6Tr8Fw1WFjlxH0A9v61cW15pFwgE github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl/v2 v2.12.0/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= -github.com/hashicorp/hcl/v2 v2.13.0 h1:0Apadu1w6M11dyGFxWnmhhcMjkbAiKCv7G1r/2QgCNc= github.com/hashicorp/hcl/v2 v2.13.0/go.mod h1:e4z5nxYlWNPdDSNYX+ph14EvWYMFm3eP0zIUqPc2jr0= +github.com/hashicorp/hcl/v2 v2.14.0 h1:jX6+Q38Ly9zaAJlAjnFVyeNSNCKKW8D0wvyg7vij5Wc= +github.com/hashicorp/hcl/v2 v2.14.0/go.mod h1:e4z5nxYlWNPdDSNYX+ph14EvWYMFm3eP0zIUqPc2jr0= github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= From c71ba475b55698b443e12032ad75291537e5d265 Mon Sep 17 00:00:00 2001 From: Christophe Jauffret Date: Wed, 14 Sep 2022 11:12:38 +0200 Subject: [PATCH 5/7] fix CVE-2022-27664 (#52) --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 48f0548..e3d187c 100644 --- a/go.mod +++ b/go.mod 
@@ -90,7 +90,7 @@ require ( github.com/ulikunitz/xz v0.5.10 // indirect go.opencensus.io v0.23.0 // indirect golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167 // indirect - golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b // indirect + golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect diff --git a/go.sum b/go.sum index 5a3916e..400c806 100644 --- a/go.sum +++ b/go.sum @@ -749,6 +749,8 @@ golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b h1:3ogNYyK4oIQdIKzTu68hQrr4iuVxF3AxKl9Aj/eDrw0= golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI= +golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= From c7ab1a24101a865646957916f93a62b6bc445b46 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Sep 2022 12:43:08 +0200
Subject: [PATCH 6/7] Bump github.com/hashicorp/packer-plugin-sdk from 0.3.1 to 0.3.2 (#51)
Bumps [github.com/hashicorp/packer-plugin-sdk](https://github.com/hashicorp/packer-plugin-sdk) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/hashicorp/packer-plugin-sdk/releases)
- [Changelog](https://github.com/hashicorp/packer-plugin-sdk/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/packer-plugin-sdk/compare/v0.3.1...v0.3.2)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/packer-plugin-sdk
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index e3d187c..a089075 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ replace (
 require (
 github.com/hashicorp/hcl/v2 v2.14.0
- github.com/hashicorp/packer-plugin-sdk v0.3.1
+ github.com/hashicorp/packer-plugin-sdk v0.3.2
 github.com/nutanix-cloud-native/prism-go-client v0.2.0
 github.com/zclconf/go-cty v1.11.0
 )
diff --git a/go.sum b/go.sum
index 400c806..6c515a3 100644
--- a/go.sum
+++ b/go.sum
@@ -389,8 +389,8 @@ github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/memberlist v0.2.4 h1:OOhYzSvFnkFQXm1ysE8RjXTHsqSRDyP4emusC9K7DYg= github.com/hashicorp/memberlist v0.2.4/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= -github.com/hashicorp/packer-plugin-sdk v0.3.1 h1:Gr/mnihsdUcPfGiruFL93BQkiFh3EFPwyxxTWkwvRsQ= -github.com/hashicorp/packer-plugin-sdk v0.3.1/go.mod h1:+GzydiXdn0CkueigqXBsX4Poz5gfmFXZ/DkxKt4fmt4= +github.com/hashicorp/packer-plugin-sdk v0.3.2 h1:4Kqq7B8CRDMbfZmkloyz11t1hfqazJuBbW8ZFo4QlN4= +github.com/hashicorp/packer-plugin-sdk v0.3.2/go.mod h1:XZRvL9kRqJJtB6rf9Lu2zWLJbf2/4ImWXDjp9O9UQGE= github.com/hashicorp/serf v0.9.5 h1:EBWvyu9tcRszt3Bxp3KNssBMP1KuHWyO51lz9+786iM= github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/hashicorp/terraform-exec v0.16.1/go.mod h1:aj0lVshy8l+MHhFNoijNHtqTJQI3Xlowv5EOsEaGO7M= @@ -747,8 +747,6 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b h1:3ogNYyK4oIQdIKzTu68hQrr4iuVxF3AxKl9Aj/eDrw0= -golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI= golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
From 65e2df93cec0ec3805b1faf708038347477c9097 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Sep 2022 15:51:43 +0200
Subject: [PATCH 7/7] Bump synopsys-sig/detect-action from 0.3.2 to 0.3.3 (#53)
Bumps [synopsys-sig/detect-action](https://github.com/synopsys-sig/detect-action) from 0.3.2 to 0.3.3.
- [Release notes](https://github.com/synopsys-sig/detect-action/releases)
- [Changelog](https://github.com/synopsys-sig/detect-action/blob/main/jenkinsfile_release)
- [Commits](https://github.com/synopsys-sig/detect-action/compare/v0.3.2...v0.3.3)
---
updated-dependencies:
- dependency-name: synopsys-sig/detect-action
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/synopsys-schedule.yaml | 2 +-
 .github/workflows/synopsys.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/synopsys-schedule.yaml b/.github/workflows/synopsys-schedule.yaml
index 4ddab58..d44e0d7 100644
--- a/.github/workflows/synopsys-schedule.yaml
+++ b/.github/workflows/synopsys-schedule.yaml
@@ -20,7 +20,7 @@ jobs:
 run: make build
 - name: Run Synopsys Detect
- uses: synopsys-sig/detect-action@v0.3.2
+ uses: synopsys-sig/detect-action@v0.3.3
 with:
 scan-mode: INTELLIGENT
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/synopsys.yaml b/.github/workflows/synopsys.yaml
index a23830a..33738bb 100644
--- a/.github/workflows/synopsys.yaml
+++ b/.github/workflows/synopsys.yaml
@@ -22,7 +22,7 @@ jobs:
 run: make build
 - name: Run Synopsys Detect
- uses: synopsys-sig/detect-action@v0.3.2
+ uses: synopsys-sig/detect-action@v0.3.3
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 detect-version: 7.9.0