Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: upgrade git-url-parse to avoid CVE-2022-0624 #10117

Closed

Conversation

crenshaw-dev
Copy link
Member

Before:

snyk output before change
$ snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   gomodules
Target file:       go.mod
Project name:      github.com/argoproj/argo-cd/v2
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 1360 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Tested 356 dependencies for known issues, found 1 issue, 1 vulnerable path.


Issues to fix by upgrading:

  Upgrade git-url-parse@11.6.0 to git-url-parse@12.0.0 to fix
  ✗ Authorization Bypass Through User-Controlled Key (new) [High Severity][https://snyk.io/vuln/SNYK-JS-PARSEPATH-2936439] in parse-path@4.0.4
    introduced by git-url-parse@11.6.0 > git-up@4.0.5 > parse-url@6.0.5 > parse-path@4.0.4



Organization:      argoproj
Package manager:   yarn
Target file:       ui/yarn.lock
Project name:      argo-cd-ui
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   yarn
Target file:       ui-test/yarn.lock
Project name:      ui-test
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 116 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 3 projects, 1 contained vulnerable paths.

After:

snyk output after change
$ snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   gomodules
Target file:       go.mod
Project name:      github.com/argoproj/argo-cd/v2
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 1360 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   yarn
Target file:       ui/yarn.lock
Project name:      argo-cd-ui
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 350 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...

Organization:      argoproj
Package manager:   yarn
Target file:       ui-test/yarn.lock
Project name:      ui-test
Open source:       no
Project path:      /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses:          enabled

✔ Tested 116 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 3 projects, no vulnerable paths were found.

Signed-off-by: CI <michael@crenshaw.dev>
@crenshaw-dev
Copy link
Member Author

This upgrade needs to wait at least until this is merged / released: IonicaBizau/parse-url#50

@crenshaw-dev
Copy link
Member Author

Will reopen when a git-up version is cut with the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant