Skip to content

Crawling Azure devops repositories#94

Merged
vincent-fuchs merged 22 commits intomasterfrom
crawlingAzureDevops
Mar 23, 2022
Merged

Crawling Azure devops repositories#94
vincent-fuchs merged 22 commits intomasterfrom
crawlingAzureDevops

Conversation

@vincent-fuchs
Copy link
Contributor

@vincent-fuchs vincent-fuchs commented Mar 20, 2022

No description provided.

sonatype-lift[bot]
sonatype-lift bot reviewed Mar 20, 2022
View reviewed changes
github-crawler-core/pom.xml
</dependency>


<dependency>
Copy link

@sonatype-lift sonatype-lift bot Mar 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:

pkg:maven/com.squareup.okhttp3/logging-interceptor@3.10.0

0 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:maven/com.squareup.okhttp3/okhttp@3.10.0
      SEVERE Vulnerabilities (1)

        [CVE-2018-20200] ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in...

        ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in square/okhttp#4967.

        CVSS Score: 5.9

        CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

sonatype-lift[bot]
sonatype-lift bot reviewed Mar 22, 2022
View reviewed changes
github-crawler-core/pom.xml
</dependency>


<dependency>
Copy link

@sonatype-lift sonatype-lift bot Mar 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:

pkg:maven/com.squareup.okhttp3/logging-interceptor@3.14.9

1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:maven/com.squareup.okhttp3/okhttp@3.14.9
      CRITICAL Vulnerabilities (1)

        [CVE-2021-0341] CWE-295: Improper Certificate Validation

        In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

        CWE: CWE-295

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Mar 22, 2022
View reviewed changes
github-crawler-core/pom.xml
@@ -94,9 +94,15 @@
<dependency>
Copy link

@sonatype-lift sonatype-lift bot Mar 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:

pkg:maven/com.squareup.okhttp3/okhttp@3.14.9

1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:maven/com.squareup.okhttp3/okhttp@3.14.9
      CRITICAL Vulnerabilities (1)

        [CVE-2021-0341] CWE-295: Improper Certificate Validation

        In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

        CWE: CWE-295

(at-me in a reply with help or ignore)

Vincent Fuchs and others added 22 commits March 23, 2022 09:43
first impl for azure devops.. wip
0a38ace
fixed authentication for azure devops
7c04feb
upgrading okHttp and Gson. sticking Jackson to 2.12.6
d01b806
fixing okhttp dependency issue
0c1aef0
@vincent-fuchs
rollbacking okHttp upgrade
044e92c
move test files to specific folders
e6c7b2a
specific profiles for tests
18f45e6
some integration tests for azure devops
d27554a
simple run is now passing for AzureDevops
a5957b7
added on logging statement
24f0c06
debugging for TravisCI
52a866a
move application.yml to test folder, so that it doesn't impact other …
96bfa1b 
…tests by being loaded by default
debugging for travisCI
c03219d
reloading context in integration tests
cd1d252
logging URL called
cf8658d
logging stuff from context
a666d6b
more logging stuff
7c18379
more logging stuff
51ad4f4
more logging stuff
d50ff96
tasksToPerform should not be static, ie shared
304f3c1
refactored, introducing AvailableParsersAndTasks to share what can be…
33c98d0 
… shared easily and safely
clean up logging for debug
9f53818
@vincent-fuchs vincent-fuchs merged commit 2076aef into master Mar 23, 2022
@vincent-fuchs vincent-fuchs deleted the crawlingAzureDevops branch March 24, 2022 12:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vincent-fuchs