Description
gitea actions update clarification
Hi,
Not sure whether this is a good feature request, but I will try anyway (it is more of a proposal).
Problem / context:
gitea.com uses GitHub-compatible actions for pipelines, but some / most of the actions offered on gitea.com are outdated and contain vulnerabilities.
Example: see the Trivy scanning reports below on the actions/checkout repo.
I think pulling in some software as part of running a pipeline is OK as long as there is trust that the code is maintained / safe.
Questions:
From what I see, each Gitea actions repo is a plain mirror of GitHub, but simply not updated?
Suggestions:
Can you shed some light on whether it's recommended to use GitHub actions straight away, or share whether there is an intention to update the Gitea actions?
Or is it perhaps too early to tell (since Gitea actions are still work in progress)?
Other than that: the documentation looks great and the speed of Gitea is excellent, so thanks already for that.
Screenshots
~$ trivy repository https://gitea.com/actions/checkout
2024-02-25T22:14:58.929+0100 INFO Need to update DB
2024-02-25T22:14:58.929+0100 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-02-25T22:14:58.929+0100 INFO Downloading DB...
43.24 MiB / 43.24 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 18.83 MiB p/s 2.5s
2024-02-25T22:15:02.173+0100 INFO Vulnerability scanning is enabled
2024-02-25T22:15:02.173+0100 INFO Secret scanning is enabled
2024-02-25T22:15:02.173+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-25T22:15:02.173+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 450, done.
Counting objects: 100% (450/450), done.
Compressing objects: 100% (259/259), done.
Total 450 (delta 275), reused 279 (delta 152), pack-reused 0
2024-02-25T22:15:05.552+0100 INFO To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2024-02-25T22:15:05.647+0100 INFO Number of language-specific files: 1
2024-02-25T22:15:05.647+0100 INFO Detecting npm vulnerabilities...
package-lock.json (npm)
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 0)
Library        Vulnerability   Severity  Status    Installed Version  Fixed Version           Title
-------------  --------------  --------  --------  -----------------  ----------------------  ------------------------------------------------------------
@actions/core  CVE-2022-35954  MEDIUM    fixed     1.2.6              1.9.1                   @actions/core has Delimiter Injection Vulnerability in exportVariable
                                                                                              https://avd.aquasec.com/nvd/cve-2022-35954
lodash.set     CVE-2020-8203   HIGH      affected  4.3.2                                      nodejs-lodash: prototype pollution in zipObjectDeep function
                                                                                              https://avd.aquasec.com/nvd/cve-2020-8203
qs             CVE-2022-24999  HIGH      fixed     6.10.1             6.10.3, 6.9.7, 6.8.3,   express: "qs" prototype poisoning causes the hang of the node process
                                                                      6.7.3, 6.6.1, 6.5.3,    https://avd.aquasec.com/nvd/cve-2022-24999
                                                                      6.4.1, 6.3.3, 6.2.4
semver         CVE-2022-25883  MEDIUM    fixed     5.7.1              7.5.2, 6.3.1, 5.7.2     nodejs-semver: Regular expression denial of service
                                                   6.3.0                                      https://avd.aquasec.com/nvd/cve-2022-25883
:~$ trivy repository https://github.com/actions/checkout
2024-02-25T22:16:18.054+0100 INFO Vulnerability scanning is enabled
2024-02-25T22:16:18.054+0100 INFO Secret scanning is enabled
2024-02-25T22:16:18.054+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-25T22:16:18.054+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 964, done.
Counting objects: 100% (964/964), done.
Compressing objects: 100% (495/495), done.
Total 964 (delta 610), reused 720 (delta 395), pack-reused 0
2024-02-25T22:16:20.797+0100 INFO To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2024-02-25T22:16:20.869+0100 INFO Number of language-specific files: 1
2024-02-25T22:16:20.869+0100 INFO Detecting npm vulnerabilities...
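A maintainer deciding whether a mirrored action is trustworthy enough to pull into a pipeline needs a repeatable rule rather than reading the Trivy table by hand each time. The script below is an added example for this issue, not code from Gitea, Trivy or the issue author. It reads a Trivy JSON report (the `--format json` output of `trivy repository`, of which only the `Results[].Vulnerabilities[]` fields are used) and refuses the action when any HIGH/CRITICAL finding, or any finding with no fixed version, is present. The embedded sample report is constructed to carry the same five findings Trivy printed for the gitea.com mirror above; the thresholds are assumptions for the example, not a Gitea policy.

```python
"""Policy gate over a Trivy JSON report.

Added example for this issue (not code from Gitea or Trivy). It expects the
output of `trivy repository --format json <url>`; only the Results[] and
Vulnerabilities[] fields below are read. The sample report is constructed from
the findings shown in the issue for https://gitea.com/actions/checkout.
"""
import json
import sys
from dataclasses import dataclass

# Policy thresholds: assumed for this example, not a Gitea or Trivy default.
FAIL_SEVERITIES = {"HIGH", "CRITICAL"}
FAIL_ON_UNFIXED = True

SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


@dataclass(frozen=True)
class Finding:
    pkg: str
    installed: str
    cve: str
    severity: str
    fixed: str  # empty string when Trivy knows no fixed version


def load_findings(report_json: str) -> list[Finding]:
    """Flatten every vulnerability in every Trivy result into Finding records."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                pkg=vuln["PkgName"],
                installed=vuln["InstalledVersion"],
                cve=vuln["VulnerabilityID"],
                severity=vuln.get("Severity", "UNKNOWN"),
                fixed=vuln.get("FixedVersion", ""),
            ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Per-severity counts, same shape as Trivy's 'Total: N (...)' line."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def policy_violations(findings, fail_severities=FAIL_SEVERITIES,
                      fail_on_unfixed=FAIL_ON_UNFIXED) -> list[Finding]:
    """Findings that block use of the action under the policy."""
    return [f for f in findings
            if f.severity in fail_severities or (fail_on_unfixed and not f.fixed)]


def gate(report_json: str) -> tuple[bool, list[Finding]]:
    """Return (allowed, blocking findings) for one report."""
    violations = policy_violations(load_findings(report_json))
    return (len(violations) == 0, violations)


# Constructed sample report; package names, versions and CVE ids are those Trivy
# printed for the gitea.com mirror in the issue. Field names follow Trivy's JSON.
_QS_FIX = "6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4"
_SEMVER_FIX = "7.5.2, 6.3.1, 5.7.2"
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "https://gitea.com/actions/checkout",
    "Results": [{
        "Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-35954", "PkgName": "@actions/core",
             "InstalledVersion": "1.2.6", "FixedVersion": "1.9.1",
             "Status": "fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2020-8203", "PkgName": "lodash.set",
             "InstalledVersion": "4.3.2", "FixedVersion": "",
             "Status": "affected", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2022-24999", "PkgName": "qs",
             "InstalledVersion": "6.10.1", "FixedVersion": _QS_FIX,
             "Status": "fixed", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver",
             "InstalledVersion": "5.7.1", "FixedVersion": _SEMVER_FIX,
             "Status": "fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver",
             "InstalledVersion": "6.3.0", "FixedVersion": _SEMVER_FIX,
             "Status": "fixed", "Severity": "MEDIUM"},
        ],
    }],
})

# Constructed report with no findings (what a clean scan looks like).
CLEAN_REPORT = json.dumps({"ArtifactName": "constructed-clean", "Results": []})


if __name__ == "__main__":
    # Usage: python gate.py report.json   (defaults to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    allowed, blocking = gate(text)
    print("severity counts:", summarize(load_findings(text)))
    for f in blocking:
        print(f"BLOCK {f.pkg} {f.installed} {f.cve} {f.severity} fixed={f.fixed or '-'}")
    sys.exit(0 if allowed else 1)
```

Run as `trivy repository --format json --output report.json <url>` followed by `python gate.py report.json`; a non-zero exit code lets a pipeline refuse an outdated mirror before it is used. On the sample report the counts match Trivy's own summary line (MEDIUM 3, HIGH 2, with semver counted once per installed version) and the two HIGH findings block the action, while the medium findings that already have a fixed version do not.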