doodlescheduling / flux-build
Build and test kustomize overlays with flux2 HelmRelease support
License: Apache License 2.0
High or critical vulnerabilities detected. Scan results are below:
Hi,
when building a HelmRelease from a helm chart that has resources outside the release namespace, the post-rendering will forcefully move those resources to the release namespace.
In our case we have two Roles with the same name, one in the release namespace and another one in kube-public. Due to both being in the same namespace now, there is an ID conflict - but even without that ID conflict, the deployment does not look the same as when Flux applies this HelmRelease.
I'm not sure why this post-rendering was added, but at the very least, it should only apply to resources without an explicitly configured namespace? Should this be done to the manifests rendered by Helm at all?
Otherwise a really useful piece of software, gonna help us a lot - found it via your comment on fluxcd/flux2 issue 2808 (not a link on purpose, to not link this on that issue), many thanks for that :)
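The post-rendering behaviour described in the comment above, modelled as an added Go example (not flux-build's or kustomize's own code): forceNamespace reproduces the reported behaviour, defaultNamespace the proposed one, and duplicateIDs shows why forcing the namespace makes the two same-named Roles collide. The rendered chart is a constructed sample in JSON rather than YAML so the example runs with the standard library only; cluster-scoped kinds are not distinguished, which is a simplifying assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// manifest is the subset of a Kubernetes object this example needs.
// Helm renders YAML; JSON is used here because Kubernetes manifests are
// JSON-compatible and it keeps the example free of third-party packages.
type manifest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
}

// renderedChart is a constructed sample of a chart's rendered output:
// two Roles with the same name, one in the release namespace ("myapp")
// and one in kube-public, plus a ConfigMap with no namespace at all.
const renderedChart = `[
  {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role",
   "metadata":{"name":"reader","namespace":"myapp"}},
  {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role",
   "metadata":{"name":"reader","namespace":"kube-public"}},
  {"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"settings"}}
]`

func parseManifests(raw string) ([]manifest, error) {
	var out []manifest
	if err := json.Unmarshal([]byte(raw), &out); err != nil {
		return nil, err
	}
	return out, nil
}

// forceNamespace models the behaviour the issue reports: every resource is
// moved into the release namespace, whatever the chart declared.
func forceNamespace(in []manifest, release string) []manifest {
	out := make([]manifest, len(in))
	for i, m := range in { // m is a copy, so the input slice is left untouched
		m.Metadata.Namespace = release
		out[i] = m
	}
	return out
}

// defaultNamespace models the behaviour the reporter asks for: only resources
// without an explicit namespace are placed in the release namespace.
// Whether a kind is cluster-scoped is not checked here (simplifying assumption).
func defaultNamespace(in []manifest, release string) []manifest {
	out := make([]manifest, len(in))
	for i, m := range in {
		if m.Metadata.Namespace == "" {
			m.Metadata.Namespace = release
		}
		out[i] = m
	}
	return out
}

// resourceID builds the apiVersion/kind/namespace/name identity that tells
// otherwise identical objects apart once they are applied to a cluster.
func resourceID(m manifest) string {
	return fmt.Sprintf("%s/%s/%s/%s", m.APIVersion, m.Kind, m.Metadata.Namespace, m.Metadata.Name)
}

// duplicateIDs returns, sorted, every resource ID that occurs more than once.
func duplicateIDs(in []manifest) []string {
	seen := map[string]int{}
	for _, m := range in {
		seen[resourceID(m)]++
	}
	var dups []string
	for id, n := range seen {
		if n > 1 {
			dups = append(dups, id)
		}
	}
	sort.Strings(dups)
	return dups
}

func main() {
	ms, err := parseManifests(renderedChart)
	if err != nil {
		panic(err)
	}
	fmt.Println("forced namespace, duplicates:   ", duplicateIDs(forceNamespace(ms, "myapp")))
	fmt.Println("defaulted namespace, duplicates:", duplicateIDs(defaultNamespace(ms, "myapp")))
}
```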
Hello,
Thanks for your tool, it's great!
Do you think you could add a "diff" command doing a diff between the current installation in the cluster and the provided HelmRelease?
Use case: print the diff in CI before applying an upgrade so we can easily track changes.
Thanks
Hi,
in some cases, flux-build panics with a fatal error: concurrent map read and map write, see the output below.
flux-build was invoked with flux-build ./clusters/kubermatic-seed/dev-0401/apps common > $someOutputFile; in this case, the kustomization at common only includes some HelmRepository manifests, which are referenced by HelmReleases in the other kustomization.
Retrying works most of the time and I do not yet have a minimal example; if the stack trace isn't helping, I'll gladly try to find one.
2023-07-13T12:28:24.798Z INFO action/action.go:89 build kustomize path {"path": "./clusters/kubermatic-seed/dev-0401/apps"}
2023-07-13T12:28:24.798Z INFO action/action.go:89 build kustomize path {"path": "common"}
fatal error: concurrent map read and map write
goroutine 30 [running]:
sigs.k8s.io/kustomize/kyaml/openapi.isNamespaceScopedFromSchema(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:381
sigs.k8s.io/kustomize/kyaml/openapi.IsNamespaceScoped({{0xc001d2bf80, 0x18}, {0xc0031c48f0, 0xe}})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:376 +0xa5
sigs.k8s.io/kustomize/kyaml/openapi.IsCertainlyClusterScoped(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:390
sigs.k8s.io/kustomize/kyaml/resid.NewGvk({0xc00317b290?, 0x2196ac3?}, {0xc00317b2a6?, 0xc000eca200?}, {0xc0031c48f0?, 0x14?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:27 +0x131
sigs.k8s.io/kustomize/kyaml/resid.GvkFromNode(0x0?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:33 +0xd3
sigs.k8s.io/kustomize/api/resource.(*Resource).GetGvk(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:57
sigs.k8s.io/kustomize/api/resource.(*Resource).CurId(0xc0031de320)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:442 +0x65
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).Append(0xc002ca0678, 0xc0031de320)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:77 +0x45
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).appendAll(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:468
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).AppendAll(0xc0031c4be0?, {0x2535710?, 0xc002ca0a50?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:462 +0xaa
sigs.k8s.io/kustomize/api/internal/accumulator.(*ResAccumulator).AppendAll(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/accumulator/resaccumulator.go:45
sigs.k8s.io/kustomize/api/internal/accumulator.(*ResAccumulator).MergeAccumulator(0xc002bf4c40, 0xc002bf4d40)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/accumulator/resaccumulator.go:95 +0x53
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateDirectory(0xc0002dacd0, 0xc002bf4c40, {0x251b308?, 0xc0002dad70}, 0x0)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:515 +0x67c
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc0002dacd0, 0x7eff0ef455b8?, {0xc002cb3e00?, 0x2, 0xc002c656e0?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:429 +0x2a5
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc0002dacd0, 0x0?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0xc002c9fe10?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateDirectory(0xc00060c050, 0xc000392200, {0x251b308?, 0xc0002dac80}, 0x0)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:509 +0x64f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc00060c050, 0x7eff0ef45f18?, {0xc0000b3560?, 0x9, 0xc000710d20?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:429 +0x2a5
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc00060c050, 0x14fb27d?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0x0?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).makeCustomizedResMap(0xc00060c050)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:127 +0x5f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).MakeCustomizedResMap(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:118
sigs.k8s.io/kustomize/api/krusty.(*Kustomizer).Run(0xc000ecbd18, {0x2525b80, 0x36bdf40}, {0x7fffecdc88ba, 0x28})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/krusty/kustomizer.go:88 +0x317
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).buildKustomization(0x0?, {0x7fffecdc88ba, 0x28})
/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:99 +0x5db
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).Build(0x4b506566696e6b77?, {0x201?, 0x7add000000000000?})
/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:35 +0x25
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func3({0x2519bd8?, 0xc000844550?})
/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:96 +0x9f
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a
goroutine 1 [semacquire]:
sync.runtime_Semacquire(0xc000063b00?)
/usr/local/go/src/runtime/sema.go:62 +0x27
sync.(*WaitGroup).Wait(0xc000063980?)
/usr/local/go/src/sync/waitgroup.go:116 +0x4b
github.com/doodlescheduling/flux-build/internal/worker.(*pool).Wait(0xc000846d20)
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:142 +0x2f
github.com/doodlescheduling/flux-build/internal/action.(*Action).exit(0xc000927280, {0xc001c40d88?, 0x1, 0x21c1a4a?})
/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:167 +0x62
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run(0xc000927280, {0x2519c10?, 0xc00005c108?})
/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:130 +0x56b
main.main()
/go/src/github.com/DoodleScheduling/flux-build/main.go:105 +0x799
goroutine 11 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0xc0000a03c0?)
/go/pkg/mod/github.com/golang/[email protected]/glog.go:882 +0x6a
created by github.com/golang/glog.init.0
/go/pkg/mod/github.com/golang/[email protected]/glog.go:410 +0x1bf
goroutine 58 [select]:
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func2({0x2519bd8, 0xc000844500})
/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:69 +0xdf
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a
goroutine 22 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func1()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:79 +0xa8
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:77 +0x5a
goroutine 23 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf
goroutine 57 [select]:
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func4({0x2519bd8, 0xc0008445f0})
/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:111 +0xb5
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a
goroutine 25 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf
goroutine 26 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func1()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:79 +0xa8
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:77 +0x5a
goroutine 27 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf
goroutine 28 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func1()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:79 +0xa8
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:77 +0x5a
goroutine 29 [select]:
github.com/doodlescheduling/flux-build/internal/worker.(*pool).start.func2()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:110 +0xd2
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).start
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:106 +0xaf
goroutine 31 [runnable]:
compress/flate.(*huffmanDecoder).init(0xc00087b450, {0xc001b9e8e8, 0x17, 0x1f?})
/usr/local/go/src/compress/flate/inflate.go:116 +0x50f
compress/flate.(*decompressor).readHuffman(0xc00087ac00)
/usr/local/go/src/compress/flate/inflate.go:459 +0x42f
compress/flate.(*decompressor).nextBlock(0xc00087ac00)
/usr/local/go/src/compress/flate/inflate.go:322 +0x10e
compress/flate.(*decompressor).Read(0xc00087ac00, {0xc00117f000, 0x200, 0xc000a181d8?})
/usr/local/go/src/compress/flate/inflate.go:347 +0x7e
compress/gzip.(*Reader).Read(0xc002b0f080, {0xc00117f000, 0x200, 0x200})
/usr/local/go/src/compress/gzip/gunzip.go:252 +0xbb
bytes.(*Buffer).ReadFrom(0xc000a0d9b0, {0x24f68c0, 0xc002b0f080})
/usr/local/go/src/bytes/buffer.go:202 +0x98
io.copyBuffer({0x24f6820, 0xc000a0d9b0}, {0x24f68c0, 0xc002b0f080}, {0x0, 0x0, 0x0})
/usr/local/go/src/io/io.go:413 +0x14b
io.Copy(...)
/usr/local/go/src/io/io.go:386
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.bindataRead({0x353f120, 0x1e0, 0x1e0}, {0x21d7da2, 0x1d})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:28 +0x176
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.kustomizationapiSwaggerJsonBytes(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:86
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.kustomizationapiSwaggerJson()
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:93 +0x4c
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.Asset({0x21d7da2, 0x1d})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:109 +0x76
sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi.MustAsset({0x21d7da2, 0x1d})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/kustomizationapi/swagger.go:121 +0x27
sigs.k8s.io/kustomize/kyaml/openapi.initSchema()
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:620 +0xa6
sigs.k8s.io/kustomize/kyaml/openapi.isNamespaceScopedFromSchema(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:380
sigs.k8s.io/kustomize/kyaml/openapi.IsNamespaceScoped({{0xc0007f6960, 0x20}, {0xc0006e0270, 0xe}})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:376 +0x88
sigs.k8s.io/kustomize/kyaml/openapi.IsCertainlyClusterScoped(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/openapi/openapi.go:390
sigs.k8s.io/kustomize/kyaml/resid.NewGvk({0xc0002cc960?, 0x2196ac3?}, {0xc0002cc979?, 0xc0006e02c0?}, {0xc0006e0270?, 0x0?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:27 +0x131
sigs.k8s.io/kustomize/kyaml/resid.GvkFromNode(0x40dc8a?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resid/gvk.go:33 +0xd3
sigs.k8s.io/kustomize/api/resource.(*Resource).GetGvk(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:57
sigs.k8s.io/kustomize/api/resource.(*Resource).CurId(0xc000175b30)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resource/resource.go:442 +0x65
sigs.k8s.io/kustomize/api/resmap.(*resWrangler).Append(0xc0008518d8, 0xc000175b30)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/reswrangler.go:77 +0x45
sigs.k8s.io/kustomize/api/resmap.newResMapFromResourceSlice({0xc000873fc0, 0x1, 0xc000624af8?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/factory.go:130 +0x8c
sigs.k8s.io/kustomize/api/resmap.(*Factory).NewResMapFromBytes(0xc0001758b0?, {0xc000015800?, 0x18?, 0x2155160?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/factory.go:73 +0x45
sigs.k8s.io/kustomize/api/resmap.(*Factory).FromFile(0xc00014b530?, {0x251b308?, 0xc0001758b0?}, {0xc0007ad248, 0x18})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/resmap/factory.go:60 +0x5a
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateFile(0xc000175900, 0xc000406cc0, {0xc0007ad248, 0x18})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:525 +0x66
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc000175900, 0x7eff0ef455b8?, {0xc000847800?, 0x5, 0xc000537bc0?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:408 +0x9e
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc000175900, 0x0?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0xc0006e01f0?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateDirectory(0xc000175810, 0xc000406b40, {0x251b308?, 0xc0001758b0}, 0x0)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:509 +0x64f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources(0xc000175810, 0x7eff0ef455b8?, {0xc0005a84c0?, 0x1, 0xc000537680?})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:429 +0x2a5
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget(0xc000175810, 0x14fb27d?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:188 +0x3d
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget(0x0?)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:181 +0x105
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).makeCustomizedResMap(0xc000175810)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:127 +0x5f
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).MakeCustomizedResMap(...)
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/internal/target/kusttarget.go:118
sigs.k8s.io/kustomize/api/krusty.(*Kustomizer).Run(0xc000a19d18, {0x2525b80, 0x36bdf40}, {0x7fffecdc88e3, 0x6})
/go/pkg/mod/sigs.k8s.io/kustomize/[email protected]/krusty/kustomizer.go:88 +0x317
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).buildKustomization(0x0?, {0x7fffecdc88e3, 0x6})
/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:99 +0x5db
github.com/doodlescheduling/flux-build/internal/build.(*Kustomize).Build(0x2014b5067?, {0x0?, 0x189a940e42a00?})
/go/src/github.com/DoodleScheduling/flux-build/internal/build/kustomize.go:35 +0x25
github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func3({0x2519bd8?, 0xc000844550?})
/go/src/github.com/DoodleScheduling/flux-build/internal/action/action.go:96 +0x9f
github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:134 +0x6b
created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask
/go/src/github.com/DoodleScheduling/flux-build/internal/worker/pool.go:132 +0x8a
I'm trying to use flux-build for a not very big gitops repo, but it downloads ~30 helm charts 4000 times! This overloads our registry and slows down rendering a lot.
I've seen that there are commented-out attempts to add a cache, and there are also different caching mechanisms in the helm packages. I could contribute, but would appreciate some hints on how to do it better.
Thanks!
High or critical vulnerabilities detected. Scan results are below:
isory-docker-engine-authz-plugin"],"PublishedDate":"2024-07-24T17:15:11.053Z","LastModifiedDate":"2024-07-30T20:15:04.567Z"}]}]}
If flux-build runs longer than 30s, it outputs the following debug message:
[controller-runtime] log.SetLogger(...) was never called; logs will not be displayed.
Detected at:
> goroutine 4785 [running]:
> runtime/debug.Stack()
> /opt/hostedtoolcache/go/1.22.6/x64/src/runtime/debug/stack.go:24 +0x5e
> sigs.k8s.io/controller-runtime/pkg/log.eventuallyFulfillRoot()
> /home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/log.go:60 +0xcd
> sigs.k8s.io/controller-runtime/pkg/log.(*delegatingLogSink).WithValues(0xc0001cfec0, {0x0, 0x0, 0x0})
> /home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/deleg.go:168 +0x49
> github.com/go-logr/logr.Logger.WithValues(...)
> /home/runner/go/pkg/mod/github.com/go-logr/[email protected]/logr.go:332
> sigs.k8s.io/controller-runtime/pkg/log.FromContext({0x261a2a0?, 0xc002fc45b0?}, {0x0?, 0x0?, 0x0?})
> /home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/log.go:98 +0xba
> github.com/fluxcd/pkg/oci/auth/login.(*Manager).Login(0xc0028d0490, {0x261a2a0, 0xc002fc45b0}, {0xc00204fd16, 0x3b}, {0x261e920, 0xc0004cda90}, {0x0, 0x1, 0x0, ...})
> /home/runner/go/pkg/mod/github.com/fluxcd/pkg/[email protected]/auth/login/login.go:115 +0x65
> github.com/doodlescheduling/flux-build/internal/build.oidcAuth({0x261a2a0, 0xc002fc45b0}, {0xc00204fd10?, 0x41?}, {0xc001b89cac, 0x3})
> /home/runner/work/flux-build/flux-build/internal/build/helm.go:674 +0x299
> github.com/doodlescheduling/flux-build/internal/build.(*Helm).buildFromHelmRepository(0xc00050a090, {0x261a230, 0xc000502050}, 0xc0028d0a68, 0xc00206c8c0, 0xc0028d1a48, 0xc0005073b0)
> /home/runner/work/flux-build/flux-build/internal/build/helm.go:496 +0x6af
> github.com/doodlescheduling/flux-build/internal/build.(*Helm).buildChart(_, {_, _}, {_, _}, {{{0xc001b89780, 0xb}, {0xc001b4e240, 0x1e}}, {{0xc0034b3710, ...}, ...}, ...}, ...)
> /home/runner/work/flux-build/flux-build/internal/build/helm.go:233 +0x17b
> github.com/doodlescheduling/flux-build/internal/build.(*Helm).Build(0xc00050a090, {0x261a230, 0xc000502050}, 0xc000e26480, 0xc0005073b0)
> /home/runner/work/flux-build/flux-build/internal/build/helm.go:157 +0x452
> github.com/doodlescheduling/flux-build/internal/action.(*Action).Run.func5({0x261a230, 0xc000502050})
> /home/runner/work/flux-build/flux-build/internal/action/action.go:149 +0x1e5
> github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask.func1()
> /home/runner/work/flux-build/flux-build/internal/worker/pool.go:134 +0x63
> created by github.com/doodlescheduling/flux-build/internal/worker.(*pool).runTask in goroutine 36
> /home/runner/work/flux-build/flux-build/internal/worker/pool.go:132 +0x77
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
Dockerfile
gcr.io/distroless/static latest@sha256:ce46866b3a5170db3b49364900fb3168dc0833dfb46c26da5c77f22abb01d8c3
.github/workflows/main.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
shogo82148/actions-goveralls v1.9.0@785c9d68212c91196d3994652647f8721918ba11
.github/workflows/pr-actions.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
zgosalvez/github-actions-ensure-sha-pinned-actions v3.0.11@3c16e895bb662b4d7e284f032cbe8835a57773cc
.github/workflows/pr-build.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
chrisdickinson/setup-yq v1.0.1@3d931309f27270ebbafd53f2daee773a82ea1822
shogo82148/actions-goveralls v1.9.0@785c9d68212c91196d3994652647f8721918ba11
.github/workflows/pr-goreleaser.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
.github/workflows/pr-label.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
pascalgn/size-label-action bbbaa0d5ccce8e2e76254560df5c64b82dac2e12
.github/workflows/pr-stale.yaml
actions/stale v9.0.0@28ca1036281a5e5922ead5184a1bbf96e5fc984e
.github/workflows/pr-trivy.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
github/codeql-action v3.26.6@4dd16135b69a43b6c8efb853346f8437d92d3c93
.github/workflows/publish-release.yaml
Actions-R-Us/actions-tagger v2.0.3@330ddfac760021349fef7ff62b372f2f691c20fb
.github/workflows/rebase.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
cirrus-actions/rebase 1.8@b87d48154a87a85666003575337e27b8cd65f691
.github/workflows/release.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
docker/login-action v3.3.0@9780b0c442fbb1117ed29e0efdff1e18412f7567
sigstore/cosign-installer v3.6.0@4959ce089c160fddf62f7b42464195ba1a56d382
anchore/sbom-action v0.17.2@61119d458adab75f756bc0b9e4bde25725f86a7a
goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
.github/workflows/report-on-vulnerabilities.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
actions/upload-artifact v4.4.0@50769540e7f4bd5e21e526ee35c689e35e0d6874
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
JasonEtco/create-an-issue v2.9.2@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5
.github/workflows/scan.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
.github/workflows/scorecard.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
ossf/scorecard-action v2.4.0@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
actions/upload-artifact v4.4.0@50769540e7f4bd5e21e526ee35c689e35e0d6874
github/codeql-action v3.26.6@4dd16135b69a43b6c8efb853346f8437d92d3c93
go.mod
go 1.22.0
github.com/Masterminds/semver/v3 v3.3.0
github.com/cyphar/filepath-securejoin v0.3.1
github.com/docker/cli v27.2.0+incompatible
github.com/drone/envsubst v1.0.3
github.com/fluxcd/helm-controller/api v1.0.1
github.com/fluxcd/pkg/apis/kustomize v1.6.0
github.com/fluxcd/pkg/oci v0.38.1
github.com/fluxcd/pkg/runtime v0.49.0
github.com/fluxcd/pkg/version v0.4.0
github.com/fluxcd/source-controller/api v1.3.0
github.com/go-logr/logr v1.4.2
github.com/go-logr/zapr v1.3.0
github.com/google/go-containerregistry v0.20.2
github.com/onsi/gomega v1.34.2
github.com/opencontainers/go-digest v1.0.0
github.com/otiai10/copy v1.14.0
github.com/sethvargo/go-envconfig v1.1.0
github.com/sigstore/cosign/v2 v2.2.4
github.com/sigstore/sigstore v1.8.7
github.com/spf13/pflag v1.0.5
go.uber.org/zap v1.27.0
golang.org/x/sync v0.8.0
helm.sh/helm/v3 v3.15.4
k8s.io/api v0.31.0
k8s.io/apimachinery v0.31.0
k8s.io/helm v2.17.0+incompatible
sigs.k8s.io/kustomize/api v0.17.3
sigs.k8s.io/kustomize/kyaml v0.17.2
sigs.k8s.io/yaml v1.4.0
sigs.k8s.io/kustomize/api v0.17.3
sigs.k8s.io/kustomize/kyaml v0.17.2
internal/helm/testdata/charts/helmchartwithdeps-v1/requirements.yaml
internal/helm/testdata/charts/helmchart-v1/values.yaml
internal/helm/testdata/charts/helmchartwithdeps-v1/values.yaml
internal/helm/testdata/charts/helmchartwithdeps/Chart.yaml
grafana >=5.7.0
Formula/flux-build.rb
DoodleScheduling/flux-build v2.4.0
In Flux, if you don't have any sourceRef set in HelmReleases .spec.chart.spec.sourceRef.namespace, it searches for the source in the same Namespace.
Currently, if a Namespace is not set, flux-build just fails with "no source HelmRepository.source.toolkit.fluxcd.io found for helmrelease".