doodlescheduling / flux-build Goto Github PK

View Code? Open in Web Editor NEW
27.0 4.0 4.0 817 KB

Build and test kustomize overlays with flux2 HelmRelease support

License: Apache License 2.0

Dockerfile 0.05% Makefile 0.46% Go 99.01% Ruby 0.48%
flux github-action gitops helm kubernetes kustomize validation ci-pipeline

flux-build's People

Contributors

dud225, goreleaserbot, littlefox94, raffis, renovate[bot], yoadey, yorik

flux-build's Issues

Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


Helm post-rendering breaks resources outside release namespace

Hi,

when building a HelmRelease from a helm chart that has resources outside the release namespace, the post-rendering will forcefully move those resources to the release namespace.

In our case we have two Roles with the same name, one in the release namespace and another one in kube-public. Due to both being in the same namespace now, there is an ID conflict - but even without that ID conflict, the deployment does not look the same as Flux applies this HelmRelease.

I'm not sure why this post-rendering was added, but at the very least, it should only apply to resources without an explicitly configured namespace? Should this be done to the manifests rendered by Helm at all?

Otherwise a really useful piece of software, gonna help us a lot - found it via your comment on fluxcd/flux2 issue 2808 (not a link on purpose, to not link this on that issue), many thanks for that :)
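A model of the two post-render behaviours discussed in this report, written as an added example and not flux-build's own code: forceNamespace reproduces the reported behaviour, defaultNamespace the one the reporter asks for, and conflicts surfaces the duplicate-ID collision between the two Roles. The manifests, the clusterScopedKinds list and every function name are constructed for the example.

```go
package main

import "encoding/json"

// Resource is one rendered Kubernetes manifest (embedded below as JSON,
// which is the same document as the chart's YAML).
type Resource map[string]any

// ResID is the tuple kustomize uses to tell resources apart; two
// resources with the same ResID are the "ID conflict" from the issue.
type ResID struct{ APIVersion, Kind, Namespace, Name string }

// clusterScopedKinds is a constructed, deliberately short list; a real
// post-renderer would consult the OpenAPI schema for resource scope.
var clusterScopedKinds = map[string]bool{
	"Namespace": true, "ClusterRole": true, "ClusterRoleBinding": true,
	"CustomResourceDefinition": true,
}

// sampleManifests is constructed input mirroring the report: two Roles
// with the same name, one explicitly in kube-public and one relying on
// the release namespace, plus a cluster-scoped object with that name.
const sampleManifests = `[
 {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"name":"reader","namespace":"kube-public"}},
 {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"name":"reader"}},
 {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"reader"}}
]`

// loadSample parses the manifests afresh on every call so the two
// post-render strategies below never share mutable state.
func loadSample() []Resource {
	var res []Resource
	if err := json.Unmarshal([]byte(sampleManifests), &res); err != nil {
		panic(err)
	}
	return res
}

// metadata returns the resource's metadata map, creating it if absent.
func metadata(r Resource) map[string]any {
	m, _ := r["metadata"].(map[string]any)
	if m == nil {
		m = map[string]any{}
		r["metadata"] = m
	}
	return m
}

func idOf(r Resource) ResID {
	m := metadata(r)
	ns, _ := m["namespace"].(string)
	name, _ := m["name"].(string)
	apiVersion, _ := r["apiVersion"].(string)
	kind, _ := r["kind"].(string)
	return ResID{apiVersion, kind, ns, name}
}

// forceNamespace models the behaviour reported in the issue: every
// rendered resource is moved into the release namespace, even when the
// chart set one explicitly.
func forceNamespace(res []Resource, release string) []Resource {
	for _, r := range res {
		metadata(r)["namespace"] = release
	}
	return res
}

// defaultNamespace models what the reporter asks for: the release
// namespace is only a default, so an explicit namespace is kept. Skipping
// cluster-scoped kinds as well is an assumption beyond the issue text.
func defaultNamespace(res []Resource, release string) []Resource {
	for _, r := range res {
		if kind, _ := r["kind"].(string); clusterScopedKinds[kind] {
			continue
		}
		if m := metadata(r); m["namespace"] == nil || m["namespace"] == "" {
			m["namespace"] = release
		}
	}
	return res
}

// conflicts lists each ResID that occurs more than once, in input order.
func conflicts(res []Resource) []ResID {
	count := map[ResID]int{}
	for _, r := range res {
		count[idOf(r)]++
	}
	var out []ResID
	for _, r := range res {
		if id := idOf(r); count[id] > 1 {
			out = append(out, id)
			count[id] = 0 // report each collision once
		}
	}
	return out
}
```

With the sample input, conflicts(forceNamespace(loadSample(), "apps")) reports the two Roles colliding as apps/reader, while the defaulting variant leaves the kube-public Role and the ClusterRole untouched and reports nothing.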

Add diff-like support

Hello,

Thanks for your tool, it's great!

Do you think you could add a "diff" command doing a diff between the current installation in the cluster and the provided HelmRelease?

Use case: print the diff in CI before applying an upgrade so we can easily track changes.

Thanks

panic: concurrent map read and map write

Hi,

In some cases, flux-build panics with a fatal error: concurrent map read and map write, see the output below.

flux-build was invoked with flux-build ./clusters/kubermatic-seed/dev-0401/apps common > $someOutputFile in this case, the kustomization at common only including some HelmRepository manifests, which are referenced by HelmReleases in the other kustomization.

Retrying works most of the time and I do not yet have a minimal example; if the stack trace isn't helping, I'll gladly try to find one.

Log including stack traces
2023-07-13T12:28:24.798Z	INFO	action/action.go:89	build kustomize path	{"path": "./clusters/kubermatic-seed/dev-0401/apps"}
2023-07-13T12:28:24.798Z	INFO	action/action.go:89	build kustomize path	{"path": "common"}
fatal error: concurrent map read and map write

goroutine 30 [running]:
sigs.k8s.io/kustomize/kyaml/openapi.isNamespaceScopedFromSchema(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:381
sigs.k8s.io/kustomize/kyaml/openapi.IsNamespaceScoped({{0xc001d2bf80, 0x18}, {0xc0031c48f0, 0xe}})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:376 +0xa5
sigs.k8s.io/kustomize/kyaml/openapi.IsCertainlyClusterScoped(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:390
sigs.k8s.io/kustomize/kyaml/resid.NewGvk({0xc00317b290?, 0x2196ac3?}, {0xc00317b2a6?, 0xc000eca200?}, {0xc0031c48f0?, 0x14?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:27 +0x131
sigs.k8s.io/kustomize/kyaml/resid.GvkFromNode(0x0?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:33 +0xd3
sigs.k8s.io/kustomize/api/resource.(*Resource).GetGvk(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:57
sigs.k8s.io/kustomize/api/resource.(*Resource).CurId(0xc0031de320)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:442 +0x65
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).Append(0xc002ca0678, 0xc0031de320)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:77 +0x45
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).appendAll(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:468
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).AppendAll(0xc0031c4be0?, {0x2535710?, 0xc002ca0a50?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:462 +0xaa
sigs.k8s.io/kustomize/api/internal/accumulator.(*ResAccumulator).AppendAll(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/accumulator/resaccumulator.go:45
sigs.k8s.io/kustomize/api/internal/accumulator.(*ResAccumulator).MergeAccumulator(0xc002bf4c40, 0xc002bf4d40)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/accumulator/resaccumulator.go:95 +0x53
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateDirectory(0xc0002dacd0, 0xc002bf4c40, {0x251b308?, 0xc0002dad70}, 0x0)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:515 +0x67c
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc0002dacd0, 0x7eff0ef455b8?, {0xc002cb3e00?, 0x2, 0xc002c656e0?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:429 +0x2a5
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc0002dacd0, 0x0?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0xc002c9fe10?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateDirectory(0xc00060c050, 0xc000392200, {0x251b308?, 0xc0002dac80}, 0x0)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:509 +0x64f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc00060c050, 0x7eff0ef45f18?, {0xc0000b3560?, 0x9, 0xc000710d20?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:429 +0x2a5
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc00060c050, 0x14fb27d?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0x0?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).makeCustomizedResMap(0xc00060c050)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:127 +0x5f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).MakeCustomizedResMap(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:118
sigs.k8s.io/kustomize/api/krusty.(*Kustomizer).Run(0xc000ecbd18, {0x2525b80, 0x36bdf40}, {0x7fffecdc88ba, 0x28})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/krusty/kustomizer.go:88 +0x317
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).buildKustomization(0x0?, {0x7fffecdc88ba, 0x28})
	/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:99 +0x5db
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).Build(0x4b506566696e6b77?, {0x201?, 0x7add000000000000?})
	/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:35 +0x25
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func3({0x2519bd8?, 0xc000844550?})
	/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:96 +0x9f
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a

goroutine 1 [semacquire]:
sync.runtime_Semacquire(0xc000063b00?)
	/usr/local/go/src/runtime/sema.go:62 +0x27
sync.(*WaitGroup).Wait(0xc000063980?)
	/usr/local/go/src/sync/waitgroup.go:116 +0x4b
github.com/doodlescheduling/flux-build/internal/worker.(*pool).Wait(0xc000846d20)
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:142 +0x2f
github.com/doodlescheduling/flux-build/internal/action.(*Action).exit(0xc000927280, {0xc001c40d88?, 0x1, 0x21c1a4a?})
	/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:167 +0x62
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run(0xc000927280, {0x2519c10?, 0xc00005c108?})
	/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:130 +0x56b
main.main()
	/go/src/github.com/DoodleScheduling/flux-build/main.go:105 +0x799

goroutine 11 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0xc0000a03c0?)
	/go/pkg/mod/github.com/golang/[email protected]/glog.go:882 +0x6a
created by github.com/golang/glog.init.0
	/go/pkg/mod/github.com/golang/[email protected]/glog.go:410 +0x1bf

goroutine 58 [select]:
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func2({0x2519bd8, 0xc000844500})
	/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:69 +0xdf
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a

goroutine 22 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func1()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:79 +0xa8
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:77 +0x5a

goroutine 23 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf

goroutine 57 [select]:
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func4({0x2519bd8, 0xc0008445f0})
	/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:111 +0xb5
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a

goroutine 25 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf

goroutine 26 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func1()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:79 +0xa8
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:77 +0x5a

goroutine 27 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf

goroutine 28 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func1()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:79 +0xa8
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:77 +0x5a

goroutine 29 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf

goroutine 31 [runnable]:
compress/flate.(*huffmanDecoder).init(0xc00087b450, {0xc001b9e8e8, 0x17, 0x1f?})
	/usr/local/go/src/compress/flate/inflate.go:116 +0x50f
compress/flate.(*decompressor).readHuffman(0xc00087ac00)
	/usr/local/go/src/compress/flate/inflate.go:459 +0x42f
compress/flate.(*decompressor).nextBlock(0xc00087ac00)
	/usr/local/go/src/compress/flate/inflate.go:322 +0x10e
compress/flate.(*decompressor).Read(0xc00087ac00, {0xc00117f000, 0x200, 0xc000a181d8?})
	/usr/local/go/src/compress/flate/inflate.go:347 +0x7e
compress/gzip.(*Reader).Read(0xc002b0f080, {0xc00117f000, 0x200, 0x200})
	/usr/local/go/src/compress/gzip/gunzip.go:252 +0xbb
bytes.(*Buffer).ReadFrom(0xc000a0d9b0, {0x24f68c0, 0xc002b0f080})
	/usr/local/go/src/bytes/buffer.go:202 +0x98
io.copyBuffer({0x24f6820, 0xc000a0d9b0}, {0x24f68c0, 0xc002b0f080}, {0x0, 0x0, 0x0})
	/usr/local/go/src/io/io.go:413 +0x14b
io.Copy(...)
	/usr/local/go/src/io/io.go:386
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.bindataRead({0x353f120, 0x1e0, 0x1e0}, {0x21d7da2, 0x1d})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:28 +0x176
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.kustomizationapiSwaggerJsonBytes(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:86
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.kustomizationapiSwaggerJson()
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:93 +0x4c
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.Asset({0x21d7da2, 0x1d})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:109 +0x76
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.MustAsset({0x21d7da2, 0x1d})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:121 +0x27
sigs.k8s.io/kustomize/kyaml/openapi.initSchema()
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:620 +0xa6
sigs.k8s.io/kustomize/kyaml/openapi.isNamespaceScopedFromSchema(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:380
sigs.k8s.io/kustomize/kyaml/openapi.IsNamespaceScoped({{0xc0007f6960, 0x20}, {0xc0006e0270, 0xe}})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:376 +0x88
sigs.k8s.io/kustomize/kyaml/openapi.IsCertainlyClusterScoped(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:390
sigs.k8s.io/kustomize/kyaml/resid.NewGvk({0xc0002cc960?, 0x2196ac3?}, {0xc0002cc979?, 0xc0006e02c0?}, {0xc0006e0270?, 0x0?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:27 +0x131
sigs.k8s.io/kustomize/kyaml/resid.GvkFromNode(0x40dc8a?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:33 +0xd3
sigs.k8s.io/kustomize/api/resource.(*Resource).GetGvk(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:57
sigs.k8s.io/kustomize/api/resource.(*Resource).CurId(0xc000175b30)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:442 +0x65
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).Append(0xc0008518d8, 0xc000175b30)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:77 +0x45
sigs.k8s.io/kustomize/api/resmap.newResMapFromResourceSlice({0xc000873fc0, 0x1, 0xc000624af8?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/factory.go:130 +0x8c
sigs.k8s.io/kustomize/api/resmap.(*Factory).NewResMapFromBytes(0xc0001758b0?, {0xc000015800?, 0x18?, 0x2155160?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/factory.go:73 +0x45
sigs.k8s.io/kustomize/api/resmap.(*Factory).FromFile(0xc00014b530?, {0x251b308?, 0xc0001758b0?}, {0xc0007ad248, 0x18})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/factory.go:60 +0x5a
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateFile(0xc000175900, 0xc000406cc0, {0xc0007ad248, 0x18})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:525 +0x66
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc000175900, 0x7eff0ef455b8?, {0xc000847800?, 0x5, 0xc000537bc0?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:408 +0x9e
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc000175900, 0x0?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0xc0006e01f0?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateDirectory(0xc000175810, 0xc000406b40, {0x251b308?, 0xc0001758b0}, 0x0)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:509 +0x64f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc000175810, 0x7eff0ef455b8?, {0xc0005a84c0?, 0x1, 0xc000537680?})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:429 +0x2a5
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc000175810, 0x14fb27d?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0x0?)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).makeCustomizedResMap(0xc000175810)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:127 +0x5f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).MakeCustomizedResMap(...)
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:118
sigs.k8s.io/kustomize/api/krusty.(*Kustomizer).Run(0xc000a19d18, {0x2525b80, 0x36bdf40}, {0x7fffecdc88e3, 0x6})
	/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/krusty/kustomizer.go:88 +0x317
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).buildKustomization(0x0?, {0x7fffecdc88e3, 0x6})
	/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:99 +0x5db
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).Build(0x2014b5067?, {0x0?, 0x189a940e42a00?})
	/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:35 +0x25
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func3({0x2519bd8?, 0xc000844550?})
	/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:96 +0x9f
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
	/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a
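The trace above shows goroutine 31 still inside initSchema() while goroutine 30 is already reading the schema map from isNamespaceScopedFromSchema(): an unguarded lazy initialisation of a package-level map, reached from several workers of flux-build's pool at once. The following is an added model of that pattern and of the sync.Once fix, not kustomize's or flux-build's code; the schema contents, the worker pool and all function names are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// The two package-level maps stand in for kustomize's lazily loaded
// OpenAPI schema (kind -> namespace scoped?). Contents are constructed.
var (
	unsafeSchema map[string]bool // populated on first use, unguarded
	safeSchema   map[string]bool
	safeOnce     sync.Once
	initCount    int32 // how often the expensive load actually ran
)

// loadSchema plays the role of initSchema() in the trace: in kustomize it
// gunzips an embedded swagger document, which is why it should run once.
func loadSchema() map[string]bool {
	atomic.AddInt32(&initCount, 1)
	return map[string]bool{
		"Role": true, "HelmRelease": true, "HelmRepository": true,
		"ClusterRole": false, "Namespace": false,
	}
}

// initRuns reports how many times loadSchema ran.
func initRuns() int32 { return atomic.LoadInt32(&initCount) }

// isNamespaceScopedUnsafe reproduces the pattern behind the panic: the
// first caller populates the map while other goroutines may already be
// reading it, and the Go runtime can abort the whole process with
// "fatal error: concurrent map read and map write". It is deliberately
// not called below because that crash is nondeterministic.
func isNamespaceScopedUnsafe(kind string) bool {
	if unsafeSchema == nil {
		unsafeSchema = loadSchema()
	}
	return unsafeSchema[kind]
}

// isNamespaceScoped is the guarded version: sync.Once makes every caller
// wait for the single load, after which the map is only ever read, which
// is safe from any number of goroutines.
func isNamespaceScoped(kind string) bool {
	safeOnce.Do(func() { safeSchema = loadSchema() })
	return safeSchema[kind]
}

// buildAll mimics flux-build's worker pool: several goroutines resolve
// resource scope concurrently, the situation in the trace. It returns
// how many of the given kinds are namespace scoped.
func buildAll(kinds []string, workers int) int {
	var wg sync.WaitGroup
	var scoped int32
	jobs := make(chan string)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for k := range jobs {
				if isNamespaceScoped(k) {
					atomic.AddInt32(&scoped, 1)
				}
			}
		}()
	}
	for _, k := range kinds {
		jobs <- k
	}
	close(jobs)
	wg.Wait()
	return int(atomic.LoadInt32(&scoped))
}

func main() {
	kinds := []string{"Role", "ClusterRole", "HelmRelease", "Namespace", "HelmRepository", "Role"}
	fmt.Println("namespace-scoped:", buildAll(kinds, 4), "schema loads:", initRuns())
}
```

Running the program under go run -race with isNamespaceScoped swapped for isNamespaceScopedUnsafe is the quickest way to surface this class of bug before it reaches CI.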

Local cache for helm charts

I'm trying to use flux-build for a not-so-big gitops repo, but it downloads ~30 helm charts 4000 times! This overloads our registry and slows down rendering a lot.

I've seen that there are commented-out attempts to add a cache, and there is also different caching in helm packages. I could contribute, but would appreciate some hints on how to do it better.

Thanks!

Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:

isory-docker-engine-authz-plugin"],"PublishedDate":"2024-07-24T17:15:11.053Z","LastModifiedDate":"2024-07-30T20:15:04.567Z"}]}]}

Should call `log.SetLogger` or suppress the log message

If flux-build runs longer than 30s, it outputs the following debug message:

[controller-runtime] log.SetLogger(...) was never called; logs will not be displayed.
Detected at:
	>  goroutine 4785 [running]:
	>  runtime/debug.Stack()
	>  	/opt/hostedtoolcache/go/1.22.6/x64/src/runtime/debug/stack.go:24 +0x5e
	>  sigs.k8s.io/controller-runtime/pkg/log.eventuallyFulfillRoot()
	>  	/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/log.go:60 +0xcd
	>  sigs.k8s.io/controller-runtime/pkg/log.(*delegatingLogSink).WithValues(0xc0001cfec0, {0x0, 0x0, 0x0})
	>  	/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/deleg.go:168 +0x49
	>  github.com/go-logr/logr.Logger.WithValues(...)
	>  	/home/runner/go/pkg/mod/github.com/go-logr/[email protected]/logr.go:332
	>  sigs.k8s.io/controller-runtime/pkg/log.FromContext({0x261a2a0?, 0xc002fc45b0?}, {0x0?, 0x0?, 0x0?})
	>  	/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/log.go:98 +0xba
	>  github.com/fluxcd/pkg/oci/auth/login.(*Manager).Login(0xc0028d0490, {0x261a2a0, 0xc002fc45b0}, {0xc00204fd16, 0x3b}, {0x261e920, 0xc0004cda90}, {0x0, 0x1, 0x0, ...})
	>  	/home/runner/go/pkg/mod/github.com/fluxcd/pkg/[email protected]/auth/login/login.go:115 +0x65
	>  github.com/doodlescheduling/flux-build/internal/build.oidcAuth({0x261a2a0, 0xc002fc45b0}, {0xc00204fd10?, 0x41?}, {0xc001b89cac, 0x3})
	>  	/home/runner/work/flux-build/flux-build/internal/build/helm.go:674 +0x299
	>  github.com/doodlescheduling/flux-build/internal/build.(*Helm).buildFromHelmRepository(0xc00050a090, {0x261a230, 0xc000502050}, 0xc0028d0a68, 0xc00206c8c0, 0xc0028d1a48, 0xc0005073b0)
	>  	/home/runner/work/flux-build/flux-build/internal/build/helm.go:496 +0x6af
	>  github.com/doodlescheduling/flux-build/internal/build.(*Helm).buildChart(_, {_, _}, {_, _}, {{{0xc001b89780, 0xb}, {0xc001b4e240, 0x1e}}, {{0xc0034b3710, ...}, ...}, ...}, ...)
	>  	/home/runner/work/flux-build/flux-build/internal/build/helm.go:233 +0x17b
	>  github.com/doodlescheduling/flux-build/internal/build.(*Helm).Build(0xc00050a090, {0x261a230, 0xc000502050}, 0xc000e26480, 0xc0005073b0)
	>  	/home/runner/work/flux-build/flux-build/internal/build/helm.go:157 +0x452
	>  github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func5({0x261a230, 0xc000502050})
	>  	/home/runner/work/flux-build/flux-build/internal/action/action.go:149 +0x1e5
	>  github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
	>  	/home/runner/work/flux-build/flux-build/internal/worker/pool.go:134 +0x63
	>  created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask in goroutine 36
	>  	/home/runner/work/flux-build/flux-build/internal/worker/pool.go:132 +0x77
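Why the message appears only on long runs and what `log.SetLogger` changes, as an added example that is neither flux-build's nor controller-runtime's code: a standard-library model of the delegating log sink named in the trace above (`delegatingLogSink`, `eventuallyFulfillRoot`), with a 20 ms grace period standing in for the real 30 s and `log/slog` standing in for zap. `delegatingLogger`, `Run` and the worker's log message text are the example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log/slog"
	"runtime/debug"
	"sync"
	"time"
)

// delegatingLogger is a standard-library model of controller-runtime's delegating
// log sink. The real one is package-level, created at init, and gives callers 30s
// to install a root logger via log.SetLogger; this model takes the grace period
// as a parameter so the behaviour can be exercised in milliseconds.
type delegatingLogger struct {
	mu      sync.Mutex
	root    *slog.Logger // nil until SetLogger is called
	created time.Time
	grace   time.Duration
	warnTo  io.Writer
	warned  bool
}

func newDelegatingLogger(grace time.Duration, warnTo io.Writer) *delegatingLogger {
	return &delegatingLogger{created: time.Now(), grace: grace, warnTo: warnTo}
}

// SetLogger fulfils the root, as controller-runtime's log.SetLogger does.
func (d *delegatingLogger) SetLogger(l *slog.Logger) {
	d.mu.Lock()
	defer d.mu.Unlock()
	d.root = l
}

// FromContext models log.FromContext(ctx) for a ctx that carries no logger: it
// returns the root if one was set; otherwise, once the grace period has passed,
// it prints the warning (once, with the caller's stack) and hands back a logger
// that discards everything, which is the "logs will not be displayed" case.
func (d *delegatingLogger) FromContext() *slog.Logger {
	d.mu.Lock()
	defer d.mu.Unlock()
	if d.root != nil {
		return d.root
	}
	if !d.warned && time.Since(d.created) > d.grace {
		d.warned = true
		fmt.Fprintf(d.warnTo, "[controller-runtime] log.SetLogger(...) was never called; logs will not be displayed.\nDetected at:\n%s\n", debug.Stack())
	}
	return slog.New(slog.NewTextHandler(io.Discard, nil))
}

// Run simulates a build that outlives the grace period and then logs from a
// worker (the OCI registry login in the trace above). It reports whether the
// warning fired and what the worker's log line ended up as, so both outcomes
// can be checked.
func Run(callSetLogger bool, grace time.Duration) (warned bool, logged string) {
	var warnBuf, logBuf bytes.Buffer
	d := newDelegatingLogger(grace, &warnBuf)
	if callSetLogger {
		// The fix from the issue, done once at start-up before any worker runs.
		// In flux-build the equivalent is log.SetLogger(zapr.NewLogger(zapLogger)),
		// or log.SetLogger(logr.Discard()) to silence controller-runtime deliberately.
		d.SetLogger(slog.New(slog.NewTextHandler(&logBuf, nil)))
	}
	time.Sleep(grace + 5*time.Millisecond) // the long-running part of the build
	d.FromContext().Info("logging in to OCI registry", "provider", "generic")
	return warnBuf.Len() > 0, logBuf.String()
}

func main() {
	for _, fix := range []bool{false, true} {
		warned, logged := Run(fix, 20*time.Millisecond)
		fmt.Printf("SetLogger called=%v: warning printed=%v, worker log line=%q\n", fix, warned, logged)
	}
}
```

The 30 s is measured from the moment controller-runtime's `pkg/log` package was initialised, not from the first log call, which is why short builds never show the message and a build with many charts does. The first `log.FromContext` call after that point (here the registry login in `fluxcd/pkg/oci`) prints the warning once; everything logged through the unfulfilled sink, before or after, goes nowhere. The fix in flux-build is one call before the worker pool starts: `log.SetLogger(zapr.NewLogger(zapLogger))` from `sigs.k8s.io/controller-runtime/pkg/log` routes those messages into the zap logger the project already depends on (`go-logr/zapr` and `go.uber.org/zap` both appear in the go.mod list below), while `log.SetLogger(logr.Discard())` suppresses them deliberately; either silences the warning.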

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
Dockerfile
  • gcr.io/distroless/static latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3
github-actions
.github/workflows/main.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • shogo82148/actions-goveralls v1.9.0@785c9d68212c91196d3994652647f8721918ba11
.github/workflows/pr-actions.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • zgosalvez/github-actions-ensure-sha-pinned-actions v3.0.11@3c16e895bb662b4d7e284f032cbe8835a57773cc
.github/workflows/pr-build.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • chrisdickinson/setup-yq v1.0.1@3d931309f27270ebbafd53f2daee773a82ea1822
  • shogo82148/actions-goveralls v1.9.0@785c9d68212c91196d3994652647f8721918ba11
.github/workflows/pr-goreleaser.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
.github/workflows/pr-label.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • pascalgn/size-label-action bbbaa0d5ccce8e2e76254560df5c64b82dac2e12
.github/workflows/pr-stale.yaml
  • actions/stale v9.0.0@28ca1036281a5e5922ead5184a1bbf96e5fc984e
.github/workflows/pr-trivy.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
  • github/codeql-action v3.26.6@4dd16135b69a43b6c8efb853346f8437d92d3c93
.github/workflows/publish-release.yaml
  • Actions-R-Us/actions-tagger v2.0.3@330ddfac760021349fef7ff62b372f2f691c20fb
.github/workflows/rebase.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • cirrus-actions/rebase 1.8@b87d48154a87a85666003575337e27b8cd65f691
.github/workflows/release.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • docker/login-action v3.3.0@9780b0c442fbb1117ed29e0efdff1e18412f7567
  • sigstore/cosign-installer v3.6.0@4959ce089c160fddf62f7b42464195ba1a56d382
  • anchore/sbom-action v0.17.2@61119d458adab75f756bc0b9e4bde25725f86a7a
  • goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
.github/workflows/report-on-vulnerabilities.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
  • actions/upload-artifact v4.4.0@50769540e7f4bd5e21e526ee35c689e35e0d6874
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
  • JasonEtco/create-an-issue v2.9.2@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5
.github/workflows/scan.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
  • github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
  • github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
.github/workflows/scorecard.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • ossf/scorecard-action v2.4.0@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  • actions/upload-artifact v4.4.0@50769540e7f4bd5e21e526ee35c689e35e0d6874
  • github/codeql-action v3.26.6@4dd16135b69a43b6c8efb853346f8437d92d3c93
gomod
go.mod
  • go 1.22.0
  • github.com/Masterminds/semver/v3 v3.3.0
  • github.com/cyphar/filepath-securejoin v0.3.1
  • github.com/docker/cli v27.2.0+incompatible
  • github.com/drone/envsubst v1.0.3
  • github.com/fluxcd/helm-controller/api v1.0.1
  • github.com/fluxcd/pkg/apis/kustomize v1.6.0
  • github.com/fluxcd/pkg/oci v0.38.1
  • github.com/fluxcd/pkg/runtime v0.49.0
  • github.com/fluxcd/pkg/version v0.4.0
  • github.com/fluxcd/source-controller/api v1.3.0
  • github.com/go-logr/logr v1.4.2
  • github.com/go-logr/zapr v1.3.0
  • github.com/google/go-containerregistry v0.20.2
  • github.com/onsi/gomega v1.34.2
  • github.com/opencontainers/go-digest v1.0.0
  • github.com/otiai10/copy v1.14.0
  • github.com/sethvargo/go-envconfig v1.1.0
  • github.com/sigstore/cosign/v2 v2.2.4
  • github.com/sigstore/sigstore v1.8.7
  • github.com/spf13/pflag v1.0.5
  • go.uber.org/zap v1.27.0
  • golang.org/x/sync v0.8.0
  • helm.sh/helm/v3 v3.15.4
  • k8s.io/api v0.31.0
  • k8s.io/apimachinery v0.31.0
  • k8s.io/helm v2.17.0+incompatible
  • sigs.k8s.io/kustomize/api v0.17.3
  • sigs.k8s.io/kustomize/kyaml v0.17.2
  • sigs.k8s.io/yaml v1.4.0
  • sigs.k8s.io/kustomize/api v0.17.3
  • sigs.k8s.io/kustomize/kyaml v0.17.2
helm-requirements
internal/helm/testdata/charts/helmchartwithdeps-v1/requirements.yaml
helm-values
internal/helm/testdata/charts/helmchart-v1/values.yaml
internal/helm/testdata/charts/helmchartwithdeps-v1/values.yaml
helmv3
internal/helm/testdata/charts/helmchartwithdeps/Chart.yaml
  • grafana >=5.7.0
homebrew
Formula/flux-build.rb
  • DoodleScheduling/flux-build v2.4.0

  • Check this box to trigger a request for Renovate to run again on this repository

Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:

{"SchemaVersion":2,"CreatedAt":"2024-08-23T06:02:49.321523843Z","ArtifactName":"ghcr.io/doodlescheduling/flux-build:latest","ArtifactType":"container_image","Metadata":{"OS":{"Family":"debian","Name":"12.6"},"ImageID":"sha256:ee345dd5b1cf013d5df06ab9f091bb1b668dc2a1019cdc43a0843d8c48232477","DiffIDs":["sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:1ae5dd9d909d9b7990c5823579f6977d9be3aed1a553eace66568d0d8f9b2c47"],"RepoTags":["ghcr.io/doodlescheduling/flux-build:latest"],"RepoDigests":["ghcr.io/doodlescheduling/flux-build@sha256:a9ac9a619d04a3dab1d29dae0d501c594c6df8b2e7687f0dbed52268824c3c0e"],"ImageConfig":{"architecture":"amd64","created":"2024-08-21T10:03:57.084531493Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"2024-08-21T10:03:57.084531493Z","created_by":"WORKDIR 
/","comment":"buildkit.dockerfile.v0","empty_layer":true},{"created":"2024-08-21T10:03:57.084531493Z","created_by":"COPY flux-build flux-build # buildkit","comment":"buildkit.dockerfile.v0"},{"created":"2024-08-21T10:03:57.084531493Z","created_by":"ENTRYPOINT ["/flux-build"]","comment":"buildkit.dockerfile.v0","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:1ae5dd9d909d9b7990c5823579f6977d9be3aed1a553eace66568d0d8f9b2c47"]},"config":{"Entrypoint":["/flux-build"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"],"Labels":{"org.opencontainers.image.created":"2024-08-21T10:03:47Z","org.opencontainers.image.description":"flux-build","org.opencontainers.image.licenses":"Apache-2.0","org.opencontainers.image.revision":"4053c2d8ed16b942b2d22ea3eb0cdb15afcb93d1","org.opencontainers.image.source":"https://github.com/doodlescheduling/flux-build","org.opencontainers.image.title":"flux-build","org.opencontainers.image.url":"https://github.com/doodlescheduling/flux-build","org.opencontainers.image.version":"2.4.0"},"User":"0","WorkingDir":"/"}}},"Results":[{"Target":"ghcr.i
o/doodlescheduling/flux-build:latest (debian 12.6)","Class":"os-pkgs","Type":"debian"},{"Target":"flux-build","Class":"lang-pkgs","Type":"gobinary","Vulnerabilities":[{"VulnerabilityID":"CVE-2024-41110","PkgName":"github.com/docker/docker","PkgIdentifier":{"PURL":"pkg:golang/github.com/docker/[email protected]%2Bincompatible","UID":"4a63aa4b4eb54b6c"},"InstalledVersion":"v26.1.0+incompatible","FixedVersion":"23.0.15, 26.1.5, 27.1.1, 25.0.6","Status":"fixed","Layer":{"Digest":"sha256:82846ec4ab2bccc65431f496934c81fa46dab87fedbe3424a40738599b73b225","DiffID":"sha256:1ae5dd9d909d9b7990c5823579f6977d9be3aed1a553eace66568d0d8f9b2c47"},"SeveritySource":"ghsa","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2024-41110","DataSource":{"ID":"ghsa","Name":"GitHub Security Advisory Go","URL":"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"},"Title":"moby: Authz zero length regression","Description":"Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. 
Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\n\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.","Severity":"CRITICAL","CweIDs":["CWE-187","CWE-444","CWE-863"],"VendorSeverity":{"amazon":3,"cbl-mariner":4,"ghsa":4,"redhat":4},"CVSS":{"ghsa":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","V3Score":10},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","V3Score":9.9}},"References":["https://access.redhat.com/security/cve/CVE-2024-41110","https://github.com/moby/moby","https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191","https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76","https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919","https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b","https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0","https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1","https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00","https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f","https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801","https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb","https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq","https://nvd.nist.gov/vuln/detail/CVE-2024-41110","https://www.cve.org/CVERecord?id=CVE-2024-41110","https://www.docker.com/blog/docker-security-adv
isory-docker-engine-authz-plugin"],"PublishedDate":"2024-07-24T17:15:11.053Z","LastModifiedDate":"2024-07-30T20:15:04.567Z"}]}]}

Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:

{"SchemaVersion":2,"CreatedAt":"2024-08-25T06:02:47.779132681Z","ArtifactName":"ghcr.io/doodlescheduling/flux-build:latest","ArtifactType":"container_image","Metadata":{"OS":{"Family":"debian","Name":"12.6"},"ImageID":"sha256:ee345dd5b1cf013d5df06ab9f091bb1b668dc2a1019cdc43a0843d8c48232477","DiffIDs":["sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:1ae5dd9d909d9b7990c5823579f6977d9be3aed1a553eace66568d0d8f9b2c47"],"RepoTags":["ghcr.io/doodlescheduling/flux-build:latest"],"RepoDigests":["ghcr.io/doodlescheduling/flux-build@sha256:a9ac9a619d04a3dab1d29dae0d501c594c6df8b2e7687f0dbed52268824c3c0e"],"ImageConfig":{"architecture":"amd64","created":"2024-08-21T10:03:57.084531493Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"2024-08-21T10:03:57.084531493Z","created_by":"WORKDIR 
/","comment":"buildkit.dockerfile.v0","empty_layer":true},{"created":"2024-08-21T10:03:57.084531493Z","created_by":"COPY flux-build flux-build # buildkit","comment":"buildkit.dockerfile.v0"},{"created":"2024-08-21T10:03:57.084531493Z","created_by":"ENTRYPOINT ["/flux-build"]","comment":"buildkit.dockerfile.v0","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:1ae5dd9d909d9b7990c5823579f6977d9be3aed1a553eace66568d0d8f9b2c47"]},"config":{"Entrypoint":["/flux-build"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"],"Labels":{"org.opencontainers.image.created":"2024-08-21T10:03:47Z","org.opencontainers.image.description":"flux-build","org.opencontainers.image.licenses":"Apache-2.0","org.opencontainers.image.revision":"4053c2d8ed16b942b2d22ea3eb0cdb15afcb93d1","org.opencontainers.image.source":"https://github.com/doodlescheduling/flux-build","org.opencontainers.image.title":"flux-build","org.opencontainers.image.url":"https://github.com/doodlescheduling/flux-build","org.opencontainers.image.version":"2.4.0"},"User":"0","WorkingDir":"/"}}},"Results":[{"Target":"ghcr.i
o/doodlescheduling/flux-build:latest (debian 12.6)","Class":"os-pkgs","Type":"debian"},{"Target":"flux-build","Class":"lang-pkgs","Type":"gobinary","Vulnerabilities":[{"VulnerabilityID":"CVE-2024-41110","PkgName":"github.com/docker/docker","PkgIdentifier":{"PURL":"pkg:golang/github.com/docker/[email protected]%2Bincompatible","UID":"4a63aa4b4eb54b6c"},"InstalledVersion":"v26.1.0+incompatible","FixedVersion":"23.0.15, 26.1.5, 27.1.1, 25.0.6","Status":"fixed","Layer":{"Digest":"sha256:82846ec4ab2bccc65431f496934c81fa46dab87fedbe3424a40738599b73b225","DiffID":"sha256:1ae5dd9d909d9b7990c5823579f6977d9be3aed1a553eace66568d0d8f9b2c47"},"SeveritySource":"ghsa","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2024-41110","DataSource":{"ID":"ghsa","Name":"GitHub Security Advisory Go","URL":"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"},"Title":"moby: Authz zero length regression","Description":"Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. 
Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\n\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.","Severity":"CRITICAL","CweIDs":["CWE-187","CWE-444","CWE-863"],"VendorSeverity":{"amazon":3,"cbl-mariner":4,"ghsa":4,"redhat":4},"CVSS":{"ghsa":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","V3Score":10},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","V3Score":9.9}},"References":["https://access.redhat.com/security/cve/CVE-2024-41110","https://github.com/moby/moby","https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191","https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76","https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919","https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b","https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0","https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1","https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00","https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f","https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801","https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb","https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq","https://nvd.nist.gov/vuln/detail/CVE-2024-41110","https://www.cve.org/CVERecord?id=CVE-2024-41110","https://www.docker.com/blog/docker-security-adv
isory-docker-engine-authz-plugin"],"PublishedDate":"2024-07-24T17:15:11.053Z","LastModifiedDate":"2024-07-30T20:15:04.567Z"}]}]}
