Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Fix /trivy action running against target branch instead of PR branch #10824

Merged
merged 1 commit into from
Sep 4, 2024
Merged

Fix /trivy action running against target branch instead of PR branch #10824

merged 1 commit into from
Sep 4, 2024

Conversation

brandond
Copy link
Member

@brandond brandond commented Sep 4, 2024
edited by dereknola
Loading

Proposed Changes

Fix /trivy action running against target branch instead of PR branch

Ref: actions/checkout#331 (comment)

Types of Changes

ci fix

Verification

Trigger the action

Testing

Linked Issues

#10759

User-Facing Change

Further Comments

@brandond
Fix /trivy action running against target branch instead of PR branch
2d4b007 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond brandond requested a review from a team as a code owner September 4, 2024 22:47
@brandond
Copy link
Member Author

brandond commented Sep 4, 2024

/trivy

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 4, 2024
edited
Loading 


bin/k3s (gobinary)
==================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │ fixed  │ v0.45.0           │ 0.46.0        │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │        │                   │               │ to unbound cardinality metrics                              │
│                                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

bin/runc (gobinary)
===================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.8.0            │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@brandond
Copy link
Member Author

brandond commented Sep 4, 2024

Ah boo, the action runs from the definition on master, so I can't test it until it's merged.

dereknola
dereknola approved these changes Sep 4, 2024
View reviewed changes
Copy link
Member

@dereknola dereknola left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, but that's a nice security feature, it just makes testing a pain.

@brandond brandond merged commit 3d6e4a7 into k3s-io:master Sep 4, 2024
1 of 2 checks passed
This was referenced Sep 5, 2024
Merged
Merged
Merged
Merged
@cguertin14 cguertin14 mentioned this pull request Jan 11, 2025
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@cwayne18 cwayne18 cwayne18 approved these changes

@briandowns briandowns briandowns approved these changes

@dereknola dereknola dereknola approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@brandond @cwayne18 @briandowns @dereknola