diff --git a/.dockerignore b/.dockerignore
index 90af8d52e..db22d9646 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -8,6 +8,5 @@ docs
 .git
 .vscode
 findbugs-exclude.xml
-kubernetes
 .gradle
 .gradle_home
diff --git a/.gitignore b/.gitignore
index 5f5997588..15e696334 100755
--- a/.gitignore
+++ b/.gitignore
@@ -21,10 +21,6 @@ bin/
 /.metadata/
 out/
 gradle.zip
-/docker/**/*.*ar
-/docker/.env
-/docker/data
-/docker/client-components
 /.vscode
 lang-java-reach-soot-init/lib/*.jar
 docs/site
@@ -33,16 +29,20 @@ docs/.tmp
 /*/src/main/webapp/model/Version.js
 values_dev.yaml
 test.yaml
-kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/files/tls/*.key
-kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/files/tls/*.crt
-/kubernetes/kustomize/secrets/*
-!/kubernetes/kustomize/secrets/*.sample
-/docker/**/import_vulas_kb.sh
-google-java-format-*.jar
 .DS_Store
-docker/kb-importer/data/**
 **/*.buildinfo
-docker/kb-importer/data/**
+# Created by the generator Docker container (/docker/Dockerfile and /docker/run.sh)
+/docker/**/*.*ar
+/docker/client-components
+/docker/all-components
+
+# Environment and data folders when running the Docker Compose app in the cloned repo
+/docker/.env
+/docker/*/data
+/docker/kb-importer/conf/kaybeeconf.yaml
+
+# Files created by .travis/check_code_style.sh
+google-java-format-*.jar
 java-files.txt
-non-compliant-files.txt
\ No newline at end of file
+non-compliant-files.txt
diff --git a/.reuse/dep5 b/.reuse/dep5
index 91feca0c3..55dc87b40 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
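Review bot: The new "Environment and data folders" group ignores `/docker/.env`, `/docker/*/data` and `/docker/kb-importer/conf/kaybeeconf.yaml`, but not `docker/kb-importer/certs`, which docker-compose.yml bind-mounts into the kb-importer container and is the natural place for client certificates and keys; unless a nested .gitignore already covers it or the directory is meant to hold only public CA material, add `/docker/kb-importer/certs` to that group. The companion .dockerignore hunk drops `kubernetes` but still lists none of these runtime files, so if the repository root is ever used as a build context, `docker/.env` and the data folders end up in image layers; mirroring the three `/docker/` entries there would close that. Which build contexts the project uses is not visible in this diff.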
@@ -3,7 +3,7 @@ Upstream-Name: steady
 Upstream-Contact: Henrik Plate
 Source: https://github.com/eclipse/steady
-Files: .github/* .travis/* cli-scanner/* docker/* docs/* frontend-apps/* frontend-bugs/* kb-importer/* kubernetes/* lang/* lang-java/* lang-java-reach/* lang-java-reach-soot/* lang-java-reach-wala/* lang-python/* patch-analyzer/* patch-lib-analyzer/* plugin-gradle/* plugin-maven/* repo-client/* rest-backend/* rest-lib-utils/* shared/* .dockerignore .gitignore .travis.yml CONTRIBUTING.md CONTRIBUTORS.md findbugs-exclude.xml findbugs-include.xml README.md requirements.txt SECURITY.md Jenkinsfile .pipeline/*
+Files: .github/* .travis/* cli-scanner/* docker/* docs/* frontend-apps/* frontend-bugs/* kb-importer/* lang/* lang-java/* lang-java-reach/* lang-java-reach-soot/* lang-java-reach-wala/* lang-python/* patch-analyzer/* patch-lib-analyzer/* plugin-gradle/* plugin-maven/* repo-client/* rest-backend/* rest-lib-utils/* shared/* .dockerignore .gitignore .travis.yml CONTRIBUTING.md CONTRIBUTORS.md findbugs-exclude.xml findbugs-include.xml README.md requirements.txt SECURITY.md Jenkinsfile .pipeline/*
 Copyright: 2018-2021 SAP SE or an SAP affiliate company and Eclipse Steady contributors
 License: Apache-2.0
diff --git a/bump-version.sh b/bump-version.sh
index 9e4be1c22..8855a72c8 100755
--- a/bump-version.sh
+++ b/bump-version.sh
@@ -60,6 +60,3 @@ if [ -z $is_snap ]; then
 sed -i "" "s/${old_doc}/${new}/" docker/start-steady.sh
 sed -i "" "s/${old_doc}/${new}/" docker/.env.sample
 fi
-
-# Kubernetes doc files
-find kubernetes -name README.md -exec sed -i "" "s/${old}/${new}/" {} \;
diff --git a/docker/cache/nginx.conf b/docker/cache/conf/nginx.conf
similarity index 100%
rename from docker/cache/nginx.conf
rename to docker/cache/conf/nginx.conf
diff --git a/docker/docker-compose-new.yml b/docker/docker-compose-new.yml
deleted file mode 100755
index 77810a8d8..000000000
--- a/docker/docker-compose-new.yml
+++ /dev/null
@@ -1,181 +0,0 @@ -version: '2.4' - -# This Docker Compose application makes use of profiles, available as of Docker -# Compose 1.28. -# -# - Core services: haproxy, rest-backend and postgresql need to always run -# - UI services: frontend-apps, frontend-bugs and cache deliver OpenUI5 Web -# applications for scan results (http://localhost:8033/apps) and -# vulnerabilities (http://localhost:8033/bugs). -# - VDB services: rest-lib-utils, kb-importer and patch-lib-analyzer update -# the vulnerability database and resolve unassessed findings (by comparing -# method bodies obtained from rest-lib-utils) -# -# The different profiles can be started using start-steady.sh or using Docker -# Compose's --profile option, e.g. docker-compose --profile ui up -d --build - -services: - - # Core services - haproxy: - container_name: steady-haproxy - hostname: haproxy - env_file: .env - image: haproxy:2.3-alpine - ports: - - "8033:8080" - - "8034:7070" - volumes: - - "./conf/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg" - command: ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"] - depends_on: - - rest-backend - security_opt: - - no-new-privileges - restart: always - - rest-backend: - container_name: steady-rest-backend - hostname: rest-backend - env_file: - - .env - - ./conf/rest-backend/restbackend.properties - image: eclipse/steady-rest-backend:${VULAS_RELEASE} - expose: - - "8091" - environment: - - DELAY_STARTUP=5 - - vulas.shared.cia.serviceUrl=http://rest-lib-utils:8092/cia - - vulas.shared.cve.serviceUrl=https://services.nvd.nist.gov/rest/json/cve/1.0/ - - spring.datasource.username=${POSTGRES_USER} - - spring.datasource.password=${POSTGRES_PASSWORD} - volumes: - - "./data/rest-backend:/flyway-callbacks" - depends_on: - - postgresql - security_opt: - - no-new-privileges - restart: always - - postgresql: - container_name: steady-postgresql - hostname: postgresql - image: postgres:11-alpine - environment: - - POSTGRES_DB=vulas - - POSTGRES_USER=${POSTGRES_USER} 
- - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - - PGDATA=/var/lib/postgresql/data - ports: - - "8032:5432" - volumes: - - steady-postgres-data:/var/lib/postgresql/data - - ./conf/postgresql:/docker-entrypoint-initdb.d:ro - security_opt: - - no-new-privileges - restart: always - - # UI services - frontend-apps: - container_name: steady-frontend-apps - hostname: frontend-apps - image: eclipse/steady-frontend-apps:${VULAS_RELEASE} - expose: - - "8080" - depends_on: - - rest-backend - - cache - security_opt: - - no-new-privileges - restart: always - profiles: - - ui - - frontend-bugs: - container_name: steady-frontend-bugs - hostname: frontend-bugs - image: eclipse/steady-frontend-bugs:${VULAS_RELEASE} - expose: - - "8080" - depends_on: - - rest-backend - security_opt: - - no-new-privileges - restart: always - profiles: - - ui - - cache: - container_name: steady-cache - hostname: cache - image: nginx:alpine - expose: - - "80" - volumes: - - ./conf/cache/nginx.conf:/etc/nginx/nginx.conf:ro - - ./data/cache/:/tmp/cache_all/ - security_opt: - - no-new-privileges - restart: always - profiles: - - ui - - # VDB services - patch-lib-analyzer: - container_name: steady-patch-lib-analyzer - hostname: patch-lib-analyzer - image: eclipse/steady-patch-lib-analyzer:${VULAS_RELEASE} - expose: - - "8080" - volumes: - - "./data/patch-lib-analyzer:/patcheval-data" - depends_on: - - rest-backend - - rest-lib-utils - environment: - - PATCHEVAL_OPTS=-bug "" -folder /patcheval-data -j -h 0 -p 6 - - vulas.shared.cia.serviceUrl=http://rest-lib-utils:8092/cia - - vulas.shared.backend.serviceUrl=http://rest-backend:8091/backend - - vulas.patchEval.onlyAddNewResults=true - security_opt: - - no-new-privileges - restart: always - profiles: - - vdb - - rest-lib-utils: - container_name: steady-rest-lib-utils - hostname: rest-lib-utils - image: eclipse/steady-rest-lib-utils:${VULAS_RELEASE} - expose: - - "8092" - volumes: - - "./data/rest-lib-utils:/root/" - security_opt: - - no-new-privileges - 
restart: always - profiles: - - vdb - - kb-importer: - container_name: steady-kb-importer - image: eclipse/steady-kb-importer:${VULAS_RELEASE} - env_file: .env - volumes: - - "./conf/kb-importer:/kb-importer/conf" - - "./certs:/kb-importer/certs" - - "./data/kb-importer:/kb-importer/data:delegated" - environment: - - CIA_SERVICE_URL=http://rest-lib-utils:8092/cia - - BACKEND_SERVICE_URL=http://rest-backend:8091/backend - depends_on: - - rest-backend - - rest-lib-utils - security_opt: - - no-new-privileges - restart: always - profiles: - - vdb - -volumes: - steady-postgres-data: diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 8296aa874..840bc58ab 100755 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml 
@@ -1,26 +1,22 @@ version: '2.4' -services: - frontend-apps: - container_name: steady-frontend-apps - hostname: frontend-apps - image: eclipse/steady-frontend-apps:${VULAS_RELEASE} - expose: - - "8080" - security_opt: - - no-new-privileges - restart: always +# This Docker Compose application makes use of profiles, available as of Docker +# Compose 1.28. +# +# - Core services: haproxy, rest-backend and postgresql need to always run +# - UI services: frontend-apps, frontend-bugs and cache deliver OpenUI5 Web +# applications for scan results (http://localhost:8033/apps) and +# vulnerabilities (http://localhost:8033/bugs). +# - VDB services: rest-lib-utils, kb-importer and patch-lib-analyzer update +# the vulnerability database and resolve unassessed findings (by comparing +# method bodies obtained from rest-lib-utils) +# +# The different profiles can be started using start-steady.sh or using Docker +# Compose's --profile option, e.g. docker-compose --profile ui up -d --build - frontend-bugs: - container_name: steady-frontend-bugs - hostname: frontend-bugs - image: eclipse/steady-frontend-bugs:${VULAS_RELEASE} - expose: - - "8080" - security_opt: - - no-new-privileges - restart: always +services: + # Core services haproxy: container_name: steady-haproxy hostname: haproxy 
@@ -33,32 +29,30 @@ services: - "./haproxy/conf/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg" command: ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"] depends_on: - - frontend-apps - - frontend-bugs - rest-backend - - rest-lib-utils security_opt: - no-new-privileges restart: always - patch-lib-analyzer: - container_name: steady-patch-lib-analyzer - hostname: patch-lib-analyzer - image: eclipse/steady-patch-lib-analyzer:${VULAS_RELEASE} + rest-backend: + container_name: steady-rest-backend + hostname: rest-backend + env_file: + - .env + - ./rest-backend/conf/restbackend.properties + image: eclipse/steady-rest-backend:${VULAS_RELEASE} expose: - - "8080" + - "8091" + environment: + - DELAY_STARTUP=5 + - vulas.shared.cia.serviceUrl=http://rest-lib-utils:8092/cia + - vulas.shared.cve.serviceUrl=https://services.nvd.nist.gov/rest/json/cve/1.0/ + - spring.datasource.username=${POSTGRES_USER} + - spring.datasource.password=${POSTGRES_PASSWORD} volumes: - - "./data/patcheval:/patcheval-data" - links: - - rest-backend:backend - - rest-lib-utils:cia + - "./rest-backend/data:/flyway-callbacks" depends_on: - - rest-backend - environment: - - PATCHEVAL_OPTS=-bug "" -folder /patcheval-data -j -h 0 -p 6 - - vulas.shared.cia.serviceUrl=http://cia:8092/cia - - vulas.shared.backend.serviceUrl=http://backend:8091/backend - - vulas.patchEval.onlyAddNewResults=true + - postgresql security_opt: - no-new-privileges restart: always 
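Review bot: haproxy's `depends_on` now lists only rest-backend, while frontend-apps, frontend-bugs and rest-lib-utils, which it previously waited for, are started only under the ui and vdb profiles; ./haproxy/conf/haproxy.cfg (mounted in the first context line) is not touched by this commit. If that config still declares backend servers under those hostnames, HAProxy by default fails at startup on an unresolvable server address whenever a core-only start leaves them absent, so it should carry `default-server init-addr last,libc,none` (or `init-addr none` on the optional servers) to come up with those backends marked DOWN instead. A one-line comment above `depends_on:` noting that the optional backends are resolved lazily would keep the next reader from adding them back. The rest-backend definition continues in the following hunk.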
@@ -76,48 +70,40 @@ services: - "8032:5432" volumes: - steady-postgres-data:/var/lib/postgresql/data - - ./postgresql/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d:ro + - ./postgresql/conf:/docker-entrypoint-initdb.d:ro security_opt: - no-new-privileges restart: always - rest-backend: - container_name: steady-rest-backend - hostname: rest-backend - env_file: - - .env - - ./rest-backend/conf/restbackend.properties - image: eclipse/steady-rest-backend:${VULAS_RELEASE} + # UI services + frontend-apps: + container_name: steady-frontend-apps + hostname: frontend-apps + image: eclipse/steady-frontend-apps:${VULAS_RELEASE} expose: - - "8091" - environment: - - DELAY_STARTUP=5 - - vulas.shared.cia.serviceUrl=http://cia:8092/cia - - vulas.shared.cve.serviceUrl=https://services.nvd.nist.gov/rest/json/cve/1.0/ - - spring.datasource.username=${POSTGRES_USER} - - spring.datasource.password=${POSTGRES_PASSWORD} - links: - - postgresql:postgresql - - rest-lib-utils:cia - volumes: - - "./data/db-dump/flyway-callbacks:/flyway-callbacks" + - "8080" depends_on: - - postgresql + - rest-backend + - cache security_opt: - no-new-privileges restart: always + profiles: + - ui - rest-lib-utils: - container_name: steady-rest-lib-utils - hostname: rest-lib-utils - image: eclipse/steady-rest-lib-utils:${VULAS_RELEASE} + frontend-bugs: + container_name: steady-frontend-bugs + hostname: frontend-bugs + image: eclipse/steady-frontend-bugs:${VULAS_RELEASE} expose: - - "8092" - volumes: - - "./data/rest-lib-utils:/root/" + - "8080" + depends_on: + - rest-backend security_opt: - no-new-privileges restart: always + profiles: + - ui cache: container_name: steady-cache 
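Review bot: postgresql is still published as `"8032:5432"` (first context line), which binds the database to every host interface so that `${POSTGRES_PASSWORD}` is the only thing between the network and the data; the commit reshuffles this service's mounts without revisiting that. For the single-host setup the compose file describes, `- "127.0.0.1:8032:5432"` keeps the port available to local tooling only, and a comment stating who needs host access to the database documents the choice either way. The postgresql service starts before this hunk, so its `ports:` key itself is not visible here.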
@@ -126,11 +112,50 @@ services: expose: - "80" volumes: - - ./cache/nginx.conf:/etc/nginx/nginx.conf:ro - - ./data/cache/:/tmp/cache_all/ + - ./cache/conf/nginx.conf:/etc/nginx/nginx.conf:ro + - ./cache/data/:/tmp/cache_all/ security_opt: - no-new-privileges restart: always + profiles: + - ui + + # VDB services + patch-lib-analyzer: + container_name: steady-patch-lib-analyzer + hostname: patch-lib-analyzer + image: eclipse/steady-patch-lib-analyzer:${VULAS_RELEASE} + expose: + - "8080" + volumes: + - "./patch-lib-analyzer/data:/patcheval-data" + depends_on: + - rest-backend + - rest-lib-utils + environment: + - PATCHEVAL_OPTS=-bug "" -folder /patcheval-data -j -h 0 -p 6 + - vulas.shared.cia.serviceUrl=http://rest-lib-utils:8092/cia + - vulas.shared.backend.serviceUrl=http://rest-backend:8091/backend + - vulas.patchEval.onlyAddNewResults=true + security_opt: + - no-new-privileges + restart: always + profiles: + - vdb + + rest-lib-utils: + container_name: steady-rest-lib-utils + hostname: rest-lib-utils + image: eclipse/steady-rest-lib-utils:${VULAS_RELEASE} + expose: + - "8092" + volumes: + - "./rest-lib-utils/data:/root/" + security_opt: + - no-new-privileges + restart: always + profiles: + - vdb kb-importer: container_name: steady-kb-importer @@ -141,16 +166,16 @@ services: - "./kb-importer/certs:/kb-importer/certs" - "./kb-importer/data:/kb-importer/data:delegated" environment: - - CIA_SERVICE_URL=http://cia:8092/cia - - BACKEND_SERVICE_URL=http://backend:8091/backend + - CIA_SERVICE_URL=http://rest-lib-utils:8092/cia + - BACKEND_SERVICE_URL=http://rest-backend:8091/backend depends_on: - rest-backend - links: - - rest-backend:backend - - rest-lib-utils:cia + - rest-lib-utils security_opt: - no-new-privileges restart: always + profiles: + - vdb volumes: steady-postgres-data: 
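Review bot: kb-importer now depends on rest-backend and rest-lib-utils, but the short form of `depends_on` in compose format 2.4 only orders container start, and unlike rest-backend (which compensates with `DELAY_STARTUP=5`) the importer and patch-lib-analyzer have no wait at all, so a first `--profile vdb up` can race the backend's initialisation. Format 2.4 still supports the long form, `depends_on:` / `rest-backend:` / `condition: service_healthy`, which requires a `healthcheck:` on rest-backend (probing its port with whatever the image provides) and would make the fixed delay unnecessary. Separately, rest-lib-utils in the preceding hunk bind-mounts `./rest-lib-utils/data:/root/` over the container's entire root home; if the service only needs a data directory, a narrower target avoids hiding whatever the image ships in /root and writing root-owned files into the host checkout. The kb-importer service definition starts before this hunk.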
diff --git a/docker/postgresql/docker-entrypoint-initdb.d/10-vulas-setup.sh b/docker/postgresql/conf/10-vulas-setup.sh
similarity index 100%
rename from docker/postgresql/docker-entrypoint-initdb.d/10-vulas-setup.sh
rename to docker/postgresql/conf/10-vulas-setup.sh
diff --git a/docker/setup-steady.sh b/docker/setup-steady.sh
index c661f2e22..c3ba9f61b 100755
--- a/docker/setup-steady.sh
+++ b/docker/setup-steady.sh
@@ -48,23 +48,23 @@ setup (){
 # Create directories
 #mkdir -p $DIR/certs
 for s in $conf_services; do
- mkdir -p $DIR/conf/$s
+ mkdir -p $DIR/$s/conf
 done
 for s in $data_services; do
- mkdir -p $DIR/data/$s
+ mkdir -p $DIR/$s/data
 done
 # Download all necessary files
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/docker-compose-new.yml -o ./$DIR/docker-compose.yml
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/.env.sample -o ./$DIR/.env
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/start-steady.sh -o ./$DIR/start-steady.sh
+ curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/docker-compose.yml -o ./$DIR/docker-compose.yml
+ curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/.env.sample -o ./$DIR/.env
+ curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/start-steady.sh -o ./$DIR/start-steady.sh
 chmod 744 ./$DIR/start-steady.sh
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/haproxy/conf/haproxy.cfg -o ./$DIR/conf/haproxy/haproxy.cfg
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/postgresql/docker-entrypoint-initdb.d/10-vulas-setup.sh -o ./$DIR/conf/postgresql/10-vulas-setup.sh
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/cache/nginx.conf -o ./$DIR/conf/cache/nginx.conf
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/kb-importer/conf/kaybeeconf.yaml.sample -o ./$DIR/conf/kb-importer/kaybeeconf.yaml.sample
- curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/rest-backend/conf/restbackend.properties -o ./$DIR/conf/rest-backend/restbackend.properties
+ curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/haproxy/conf/haproxy.cfg -o ./$DIR/haproxy/conf/haproxy.cfg
+ curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/postgresql/conf/10-vulas-setup.sh -o ./$DIR/postgresql/conf/10-vulas-setup.sh
+ curl -s 
https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/cache/conf/nginx.conf -o ./$DIR/cache/conf/nginx.conf
+ curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/kb-importer/conf/kaybeeconf.yaml.sample -o ./$DIR/kb-importer/conf/kaybeeconf.yaml.sample
+ curl -s https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/rest-backend/conf/restbackend.properties -o ./$DIR/rest-backend/conf/restbackend.properties
 # Create default configuration in user's home directory
 home_config="$HOME/.steady.properties"
diff --git a/docker/start-steady.sh b/docker/start-steady.sh
index 0c23bdbc6..80f7769df 100755
--- a/docker/start-steady.sh
+++ b/docker/start-steady.sh
@@ -96,10 +96,18 @@ if [[ $rc == 0 ]]; then
 exit 1
 fi
+# If run from the cloned repo, the file docker-compose.build.yaml can be used to
+# create new Docker images for snapshot versions. When run after
+# steady-setup.sh, the images will be downloaded from Docker Hub.
+build=""
+if [[ -f docker-compose.build.yml ]]; then
+ build="-f docker-compose.build.yml"
+fi
+
 # Start different sets of services
 case $SERVICES in
 none)
- docker-compose -f ./docker-compose.yml stop
+ docker-compose -f ./docker-compose.yml $build stop
 rc=$?
 if [[ $rc == 0 ]]; then
 printf "Stopped all of Steady's Docker Compose services\n"
@@ -111,7 +119,7 @@ case $SERVICES in
 core)
 stop_ui
 stop_vdb
- docker-compose -f ./docker-compose.yml up -d --build
+ docker-compose -f ./docker-compose.yml $build up -d --build
 rc=$?
 if [[ $rc == 0 ]]; then
 printf "Started Steady's core Docker Compose services\n"
@@ -122,7 +130,7 @@ case $SERVICES in
 ;;
 ui)
 stop_vdb
- docker-compose -f ./docker-compose.yml --profile ui up -d --build
+ docker-compose -f ./docker-compose.yml $build --profile ui up -d --build
 rc=$?
 if [[ $rc == 0 ]]; then
 printf "Started Steady's core and UI Docker Compose services\n"
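Review bot: Every download in this hunk uses `curl -s` without `-f`, so a mistyped or not-yet-pushed `$TAG` makes raw.githubusercontent.com answer 404 with a small text body that curl writes into ./$DIR/docker-compose.yml (and the other targets) while exiting 0, and the script carries on to chmod and config generation with broken files. `curl -fsSL "https://raw.githubusercontent.com/eclipse/steady/$TAG/docker/docker-compose.yml" -o "./$DIR/docker-compose.yml" || exit 1`, repeated on the other seven lines or wrapped in a small fetch helper, fails loudly instead; the quotes also cover a `$DIR` containing spaces, which the unquoted `mkdir -p $DIR/$s/conf` lines above do not. The heading comment could name what is fetched and from where: `# Download the compose file, scripts and per-service configs for release $TAG from GitHub`. The setup() function starts and ends outside this hunk.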
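Review bot: The new comment names `docker-compose.build.yaml` while the test on the next line checks `docker-compose.build.yml`; make it `# If run from the cloned repo, the file docker-compose.build.yml can be used to`. `$build` is deliberately left unquoted so it splits into `-f` and the file name, which relies on word splitting and reads as a bug to the next maintainer; the bash idiom for an optional argument is an array, `build=()` / `build=(-f docker-compose.build.yml)` / `docker-compose -f ./docker-compose.yml "${build[@]}" stop`, applied likewise at the four other `docker-compose` lines in the following hunks (core, ui, vdb, all). Both the `-f` file test and `./docker-compose.yml` resolve against the current directory rather than the script's location, which is fine as long as it stays a documented assumption of the script. The case statement continues past the end of this hunk.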
@@ -133,7 +141,7 @@ case $SERVICES in
 ;;
 vdb)
 stop_ui
- docker-compose -f ./docker-compose.yml --profile vdb up -d --build
+ docker-compose -f ./docker-compose.yml $build --profile vdb up -d --build
 rc=$?
 if [[ $rc == 0 ]]; then
 printf "Started Steady's core and vdb Docker Compose services\n"
@@ -143,7 +151,7 @@ case $SERVICES in
 fi
 ;;
 all)
- docker-compose -f ./docker-compose.yml --profile ui --profile vdb up -d --build
+ docker-compose -f ./docker-compose.yml $build --profile ui --profile vdb up -d --build
 rc=$?
 if [[ $rc == 0 ]]; then
 printf "Started all of Steady's Docker Compose services\n"
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 393066c55..3f89ac336 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -43,10 +43,6 @@ nav:
 - 'Deploy on Docker': 'admin/tutorials/docker.md'
 - 'Build JAVA archives/Docker images': 'admin/tutorials/build.md'
 - 'Push Docker images to a registry': 'admin/tutorials/registry.md'
- # - 'Deploy on Kubernetes with Kustomize': 'admin/tutorials/kustomize.md'
- # - 'Deploy on Kubernetes with Helm': 'admin/tutorials/helm.md'
- - Misc:
- - 'Kubernetes resources requirements': 'admin/tutorials/kubernetes_resources.md'
 - Contribute:
 - Contribute: contributor/index.md
 # - Tutorials:
diff --git a/docs/public/content/admin/tutorials/build.md b/docs/public/content/admin/tutorials/build.md
index 4f3d5b930..75e386e5a 100644
--- a/docs/public/content/admin/tutorials/build.md
+++ b/docs/public/content/admin/tutorials/build.md
@@ -60,7 +60,7 @@ You are now ready to run the system with the generated archives and create the D
 You can create and run containers from the generated images.
 ```sh
-(cd docker && docker-compose -f docker-compose.yml -f docker-compose.build.yml up -d)
+(cd docker && docker-compose -f docker-compose.yml -f docker-compose.build.yml --profile vdb --profile ui up -d)
 ```
 To check everything started successfully, browse the page `http://localhost:8033/haproxy?stats`. All endpoints should appear as green.
@@ -70,8 +70,9 @@ To check everything started successfully, browse the page `http://localhost:8033
 Run the following to stop all containers.
 ```sh
-(cd docker && docker-compose -f docker-compose.yml -f docker-compose.build.yml down)
+(cd docker && docker-compose -f docker-compose.yml -f docker-compose.build.yml --profile vdb --profile ui down)
 ```
+
 ---
 Get going:
diff --git a/docs/public/content/admin/tutorials/helm.md b/docs/public/content/admin/tutorials/helm.md
deleted file mode 100644
index e63ae5b94..000000000
--- a/docs/public/content/admin/tutorials/helm.md
+++ /dev/null
@@ -1,89 +0,0 @@ -# Deploy on Kubernetes with Helm - -In this tutorial you will be guided through the necessary steps to set-up the @@PROJECT_NAME@@ services in a Kubernetes cluster using [Helm](https://helm.sh/) version [3.0.0-beta4](https://github.com/helm/helm/releases/tag/v3.0.0-beta.4) and is compatible with any helm2 version [2.15.0](https://github.com/helm/helm/releases/tag/v2.15.0). - -!!! info "Helm2 and Helm3" - - `Helm2` has officially gone into maintenance mode (no further release after 2.15.0) but this chart is meant to be compatible with both major versions of Helm. The main difference being that in `helm 3` tiller is no longer required and all charts are namespaced. - - -## Pre-requisites - -- git -- Helm -- Kubernetes >=v1.15.0 with Beta APIs enabled - -## Setup - -![helm-chart](../../images/helm_architecture.png) - -This repository contains three charts: - -- **vulnerability-assessment-tool-core**: which encapsulates all the core components of the tool -- **vulnerability-assessment-tool-admin**: which encapsulates all the cluster admin tools (namely the ingress controller to expose the service) -- **vulnerability-assessment-tool-monitoring**: which is used to deploy the dedicated monitoring stack - -Clone locally `Eclipse Steady` repository and change the directory to the Helm chart's folder - -```sh -git clone https://github.com/eclipse/steady.git -cd steady/kubernetes/helm -``` - -Modify the `values.yaml` files and edit them to match your needs. 
-In order to verify the validity of your values and get a preview of your generated chart: - -```sh -helm template vulnerability-assessment-tool-core -helm template vulnerability-assessment-tool-admin -helm template vulnerability-assessment-tool-monitoring -``` - -## Run - -You are now ready to deploy @@PROJECT_NAME@@ inside your Kubernetes cluster: - -### Vulnerability-assessment-tool-core chart - -```sh -# For helm 2 -helm install vulnerability-assessment-tool-core/ --name ReleaseName - -# For helm 3 -helm install vulnerability-assessment-tool-core ReleaseName -``` - -The above command will create a `Namespace` called `vulnerability-assessment-tool-core` (which can be specified in the [vulnerability-assessment-tool-core/values.yaml](https://github.com/eclipse/steady/blob/master/kubernetes/helm/vulnerability-assessment-tool-core/values.yaml)) and install all the component on it. To check if everything is starting successfully you can watch the deployments by running the command `kubectl get pods -n vulnerability-assessment-tool-core`. The deployment will request a couple `PersistentVolumeClaims` which could need some time to be created depending on the cloud provider you are running on. - - -### Vulnerability-assessment-tool-monitoring chart - -```sh -# For helm 2 -helm install vulnerability-assessment-tool-monitoring/ --name ReleaseName - -# For helm 3 -helm install vulnerability-assessment-tool-monitoring ReleaseName -``` - -The above command will create a `Namespace` called `vulnerability-assessment-tool-monitoring` (which can be specified in the [vulnerability-assessment-tool-monitoring/values.yaml](https://github.com/eclipse/steady/blob/master/kubernetes/helm/vulnerability-assessment-tool-monitoring/values.yaml)) and install all the component on it. To check if everything is starting successfully you can watch the deployments by running the command `kubectl get pods -n vulnerability-assessment-tool-monitoring`. 
The deployment will request a couple `PersistentVolumeClaims` which could need some time to be created depending on the cloud provider you are running on. - -!!! info "Monitoring scope" - - This chart's monitoring is not scoped to any namespace so you can add other pods to be monitored simply by adding `prometheus.io/scrape: "true"` in the correct pod annotation and in which ever namespace you desire. - -### Vulnerability-assessment-tool-admin chart - -```sh -# For helm 2 -helm install vulnerability-assessment-tool-admin/ --name ReleaseName - -# For helm 3 -helm install vulnerability-assessment-tool-admin ReleaseName -``` - -The above command will create a `Namespace` called `vulnerability-assessment-tool-admin` (which can be specified in the [vulnerability-assessment-tool-admin/values.yaml](https://github.com/eclipse/steady/blob/master/kubernetes/helm/vulnerability-assessment-tool-admin/values.yaml)) and install all the component on it. To check if everything is starting successfully you can watch the deployments by running the command `kubectl get pods -n vulnerability-assessment-tool-admin`. The deployment will request a `LoadBalancer` which could need some time to be created depending on the cloud provider you are running on. - -!!! warning "Reaching @@PROJECT_NAME@@ from the Internet" - - This chart creates a `LoadBalancer` to allow Internet traffic to reach the cluster provisioned by your provider and will connect to it. This `LoadBalancer` will be exposed on the Internet so be careful to change the authentication ingress values from the default ones. The `Service type:LoadBalancer` should work with most providers such as GKE, Azure. If not, you can follow this [ingress-nginx guide](https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md#provider-specific-steps) 
diff --git a/docs/public/content/admin/tutorials/kubernetes_resources.md b/docs/public/content/admin/tutorials/kubernetes_resources.md deleted file mode 100644 index c92cf42b7..000000000 --- a/docs/public/content/admin/tutorials/kubernetes_resources.md +++ /dev/null 
@@ -1,176 +0,0 @@ - -# Operational requirements - -The following document is meant to summarize the Eclipse Steady requirements when it comes to running it on the Kubernetes architecture. This will detail its operational cost for a couple of scenarios: - -- **Lightweight** : the cluster is instantiated with no prior scan and data, then, the bugs are loaded using the patch-analyzer. This deployment is not destined for high availability or resilience (therefore with less replicas, no auto-scaling) and is optimal for small testing environments with a 6 month usage buffer. - -- **Lightweight HA** : same as the above but with the sufficient amount of replicas that will ensure high availability and resilience. - -- **Medium Load** : the cluster is instantiated with no prior scan and data, then, the bugs are loaded using the patch-analyzer. This deployment is not destined for high availability or resilience (therefore with less replicas, no auto-scaling) and is optimal for small production environments with a 2 year buffer. - -- **Medium Load HA** : same as the above but with the sufficient amount of replicas that will ensure high availability and resilience. - -- **Production Load** : the cluster is loaded with the latest dump of the internal SAP Eclipse Steady database (which at the time of this document creation is around 249GB). This deployment is not destined for high availability or -resilience and is optimal for production environments with a 3-5 year usage buffer. This data load includes app specific data (once those are removed, the database size is around 150GB in our current setup) - -- **Production Load HA** : same as the above but with the sufficient amount of replicas that will ensure high availability and resilience. 
- -- **Extra PVC** : this use case is destined towards optimizing certain components of the Eclipse Steady which require read write many volumes (in particular `rest-lib-utils`) - -- **Hosted DB** : for using a pre-existing database (for cloud providers such as GCP, AWS, Azure, etc...) which require lower resources as the database are no longer self managed. - -| | CPU request | CPU Limit | Memory Request (GiB) | Memory Limit (GiB) | PV (GiB) | -| ----------------------------------- | ----------- | --------- | -------------------- | ------------------ | -------- | -| Lightweight | 8.5 | 17.1 | 12.5 | 25.6 | 30 | -| Lightweight HA | 17.6 | 35.2 | 30.5 | 61.2 | 90 | -| Lightweight HA (with extra PVC) | 17.6 | 35.2 | 30.5 | 61.2 | 102 | -| Medium Load | 16.5 | 33.1 | 24.5 | 49.6 | 50 | -| Medium Load HA | 30.2 | 60.7 | 51.7 | 102.7 | 150 | -| Medium Load HA (with extra PVC) | 30.2 | 60.7 | 51.7 | 102.7 | 195 | -| Production Load | 40.7 | 57.6 | 57.2 | 92.6 | 400 | -| Production Load HA | 107.9 | 160.2 | 159.4 | 262.2 | 1200 | -| Production Load HA (with extra PVC) | 107.9 | 160.2 | 159.4 | 262.2 | 1380 | -| Lightweight HA (hosted db) | 8.7 | 17.7 | 16.7 | 34.2 | 90 | -| Medium Load HA (hosted db) | 16.7 | 33.7 | 32.7 | 66.2 | 150 | -| Production Load HA (hosted db) | 48.9 | 98.2 | 97.4 | 197.2 | 1200 | - - -### In-depth break down of resource requirements - -#### Frontendapps - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 1 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| lightweight_ha | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| lightweight_ha_extra_pvc | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load | 1 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load_ha | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load_ha_extra_pvc | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load | 1 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load_ha 
| 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load_ha_extra_pvc | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| lightweight_ha_hosted_db | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load_ha_hosted_db | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load_ha_hosted_db | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | - - -#### Frontendbugs - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 1 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| lightweight_ha | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| lightweight_ha_extra_pvc | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load | 1 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load_ha | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load_ha_extra_pvc | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load | 1 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load_ha | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load_ha_extra_pvc | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| lightweight_ha_hosted_db | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| medium_load_ha_hosted_db | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | -| prod_load_ha_hosted_db | 2 | 0.1 | 0.3 | 0.1 | 0.3 | 0 | - -#### Patch-lib-analyzer - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 1 | 0.3 | 0.5 | 0.3 | 1 | 0 | -| lightweight_ha | 2 | 0.3 | 0.5 | 0.3 | 1 | 0 | -| lightweight_ha_extra_pvc | 2 | 0.3 | 0.5 | 0.3 | 1 | 2 | -| medium_load | 1 | 0.3 | 0.5 | 0.3 | 1 | 0 | -| medium_load_ha | 2 | 0.3 | 0.5 | 0.3 | 1 | 0 | -| medium_load_ha_extra_pvc | 2 | 0.3 | 0.5 | 0.3 | 1 | 5 | -| prod_load | 1 | 0.5 | 1 | 1 | 4 | 0 | -| prod_load_ha | 2 | 0.5 | 1 | 1 | 4 | 30 | -| prod_load_ha_extra_pvc | 2 | 0.5 | 1 | 1 | 4 | 0 | -| lightweight_ha_hosted_db | 2 | 0.3 | 0.5 | 0.3 | 1 | 0 | -| medium_load_ha_hosted_db | 2 | 0.3 | 0.5 | 0.3 | 1 | 0 | 
-| prod_load_ha_hosted_db | 2 | 0.5 | 1 | 1 | 0.3 | 0 | - -#### Rest-lib-utils - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 1 | 2 | 4 | 4 | 8 | 0 | -| lightweight_ha | 2 | 2 | 4 | 4 | 8 | 0 | -| lightweight_ha_extra_pvc | 2 | 2 | 4 | 4 | 8 | 5 | -| medium_load | 1 | 4 | 8 | 8 | 16 | 0 | -| medium_load_ha | 2 | 4 | 8 | 8 | 16 | 0 | -| medium_load_ha_extra_pvc | 2 | 4 | 8 | 8 | 16 | 20 | -| prod_load | 1 | 8 | 16 | 16 | 32 | 0 | -| prod_load_ha | 3 | 8 | 16 | 16 | 32 | 0 | -| prod_load_ha_extra_pvc | 3 | 8 | 16 | 16 | 32 | 50 | -| lightweight_ha_hosted_db | 2 | 2 | 4 | 4 | 8 | 0 | -| medium_load_ha_hosted_db | 2 | 4 | 8 | 8 | 16 | 0 | -| prod_load_ha_hosted_db | 3 | 8 | 16 | 16 | 32 | 0 | - -#### Rest-backend - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 1 | 2 | 4 | 4 | 8 | 0 | -| lightweight_ha | 2 | 2 | 4 | 4 | 8 | 0 | -| lightweight_ha_extra_pvc | 2 | 2 | 4 | 4 | 8 | 0 | -| medium_load | 1 | 4 | 8 | 8 | 16 | 0 | -| medium_load_ha | 2 | 4 | 8 | 8 | 16 | 0 | -| medium_load_ha_extra_pvc | 2 | 4 | 8 | 8 | 16 | 0 | -| prod_load | 1 | 8 | 16 | 16 | 32 | 0 | -| prod_load_ha | 3 | 8 | 16 | 16 | 32 | 0 | -| prod_load_ha_extra_pvc | 3 | 8 | 16 | 16 | 32 | 0 | -| lightweight_ha_hosted_db | 2 | 2 | 4 | 4 | 8 | 0 | -| medium_load_ha_hosted_db | 2 | 4 | 8 | 8 | 16 | 0 | -| prod_load_ha_hosted_db | 3 | 8 | 16 | 16 | 32 | 0 | - -#### Postgres master - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 1 | 4 | 8 | 4 | 8 | 30 | -| 
lightweight_ha | 1 | 4 | 8 | 4 | 8 | 0 | -| lightweight_ha_extra_pvc | 1 | 4 | 8 | 4 | 8 | 0 | -| medium_load | 1 | 8 | 16 | 8 | 16 | 50 | -| medium_load_ha | 1 | 8 | 16 | 8 | 16 | 50 | -| medium_load_ha_extra_pvc | 1 | 8 | 16 | 8 | 16 | 50 | -| prod_load | 1 | 24 | 24 | 24 | 24 | 0 | -| prod_load_ha | 1 | 24 | 24 | 24 | 24 | 0 | -| prod_load_ha_extra_pvc | 1 | 24 | 24 | 24 | 24 | 0 | -| lightweight_ha_hosted_db | 1 | 0 | 0 | 0 | 0 | 30 | -| medium_load_ha_hosted_db | 1 | 0 | 0 | 0 | 0 | 50 | -| prod_load_ha_hosted_db | 1 | 0 | 0 | 0 | 0 | 400 | - -#### Postgres replicas - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 0 | 0 | 0 | 0 | 0 | 0 | -| lightweight_ha | 2 | 2 | 4 | 4 | 8 | 30 | -| lightweight_ha_extra_pvc | 2 | 2 | 4 | 4 | 8 | 0 | -| medium_load | 0 | 0 | 0 | 0 | 0 | 0 | -| medium_load_ha | 2 | 2 | 4 | 4 | 8 | 50 | -| medium_load_ha_extra_pvc | 2 | 2 | 4 | 4 | 8 | 50 | -| prod_load | 0 | 0 | 0 | 0 | 0 | 0 | -| prod_load_ha | 2 | 16 | 16 | 16 | 16 | 400 | -| prod_load_ha_extra_pvc | 2 | 16 | 16 | 16 | 16 | 400 | -| lightweight_ha_hosted_db | 2 | 0 | 0 | 0 | 0 | 30 | -| medium_load_ha_hosted_db | 2 | 0 | 0 | 0 | 0 | 50 | -| prod_load_ha_hosted_db | 2 | 0 | 0 | 0 | 0 | 400 | - -#### Pgpool - -| | replicas | cpu_limit | cpu_request | memory_limit(GiB) | memory_request(GiB) | PV(GiB) | -|--------------------------|----------|-----------|-------------|-------------------|---------------------|---------| -| lightweight | 0 | 0 | 0 | 0 | 0 | 0 | -| lightweight_ha | 3 | 0.3 | 0.5 | 0.6 | 1 | 0 | -| lightweight_ha_extra_pvc | 3 | 0.3 | 0.5 | 0.6 | 1 | 0 | -| medium_load | 0 | 0 | 0 | 0 | 0 | 0 | -| medium_load_ha | 3 | 0.5 | 1 | 1 | 1.5 | 0 | -| medium_load_ha_extra_pvc | 3 | 0.5 | 1 | 1 | 1.5 | 0 | -| prod_load | 0 | 0 | 0 | 0 | 0 | 0 | -| prod_load_ha | 3 | 1 | 2 | 2 | 3 | 0 | -| 
prod_load_ha_extra_pvc | 3 | 1 | 2 | 2 | 3 | 0 |
-| lightweight_ha_hosted_db | 0 | 0 | 0 | 0 | 0 | 0 |
-| medium_load_ha_hosted_db | 0 | 0 | 0 | 0 | 0 | 0 |
-| prod_load_ha_hosted_db | 0 | 0 | 0 | 0 | 0 | 0 |
diff --git a/docs/public/content/admin/tutorials/kustomize.md b/docs/public/content/admin/tutorials/kustomize.md
deleted file mode 100644
index 6b2dd23b2..000000000
--- a/docs/public/content/admin/tutorials/kustomize.md
+++ /dev/null
@@ -1,70 +0,0 @@ -# Deploy on Kubernetes with Kustomize - -In this tutorial you will be guided through the necessary steps to set-up the @@PROJECT_NAME@@ backend services in a Kubernetes cluster using [Kustomize](https://github.com/kubernetes-sigs/kustomize) version [2.0.3](https://github.com/kubernetes-sigs/kustomize/releases/tag/v2.0.3) - -!!! info "Kustomize and Kubectl" - - `kubectl` starting version 1.14 already comes with Kustomize 2.0.3 bundled. As of now Kustomize 3.1.0 is not supported by `kubectl` so it will also not be supported by @@PROJECT_NAME@@ - -## Pre-requisites - -- git -- kubectl -- a Kubernetes cluster - -## Setup - -Clone locally `Eclipse Steady` repository and change the directory to Kustomize's folder - -```sh -git clone https://github.com/eclipse/steady.git -cd steady/kubernetes/kustomize -``` - -Make a copy of the files in `kubernetes/kustomize/secrets` and edit them to match your needs. - -```sh -cp secrets/.env.sample secrets/.env -cp secrets/bugs-frontend-credentials.sample secrets/bugs-frontend-credentials -# edit the above files -``` - -## Run - -You are now ready to deploy @@PROJECT_NAME@@ inside your Kubernetes cluster: - -```sh -kubectl apply -k . -``` - -The above command will create a `Namespace` called `vulnerability-assessment-tool` and install all the component on it. To check if everything is starting successfully you can watch the deployments by running the command `kubectl -n vulnerability-assessment-tool get pods -w`. The deployment will request two `PersistentVolumeClaims` and a `Service type:LoadBalancer` which could need some time to be created depending on the provider you are running on. - -!!! warning "Reaching @@PROJECT_NAME@@ from the Internet" - - @@PROJECT_NAME@@ uses a `Service` of type `LoadBalancer` to allow Internet traffic to reach the cluster. This `Service` will request an external `LoadBalancer` to your provider and will connect to it. This `LoadBalancer` will be exposed on the Internet so be careful. 
The `Service type:LoadBalancer` should work with most providers such as GKE, Azure. If not, you can follow this [ingress-nginx guide](https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md#provider-specific-steps) - -!!! info "Debugging @@PROJECT_NAME@@ from the local network" - - You can avoid listening to the Internet by disabling the `Service` present in the `services/cloud.yml` file. To disable the file you can just comment the relative line in the root-level `kustomization.yaml` file. You can then connect to the main `Service` by `port-forward`ing with the command `kubectl -n vulnerability-assessment-tool port-forward svc/haproxy-ingress 7000:8080` and then opening your browser at `localhost:8080/apps` - -### Populate/maintain the vulnerability database - -In order for the tool to detect vulnerabilities, you need to import and analyze them first so that they are available in the tool's vulnerability database. Large part of CVE's and bugs are open sourced in [vulnerability-assessment-kb](https://github.com/SAP/vulnerability-assessment-kb). - -Follow the instructions mentioned [here](../../../vuln_db/tutorials/vuln_db_tutorial/#batch-import-from-knowledge-base), to import and build all the vulnerabilities' knowledge. - ---- - -Get going: - -1. [Import](../../../vuln_db/tutorials/vuln_db_tutorial/) all the CVEs and bugs in your local database -2. Setup your [workspace](../../../user/manuals/setup/#workspace) (if you don't have one) -3. Become familiar with the various analysis [goals](../../../user/manuals/analysis/) (first time users) -4. Analyze your [Java](../../../user/tutorials/java_maven/) or [Python](../../../user/tutorials/python_cli/) application (on a regular basis) -5. 
[Assess](../../../user/manuals/assess_and_mitigate/) findings using the apps Web frontend (following every analysis)
-
-Further links:
-
-- [Configure](../../../user/tutorials/) the client-side analysis
-- [Automate](../../../user/tutorials/jenkins_howto/) with Jenkins
-- [Get help](../../../user/support/) if you run into troubles
diff --git a/docs/public/content/admin/tutorials/registry.md b/docs/public/content/admin/tutorials/registry.md
index 51b084221..e7c94708f 100644
--- a/docs/public/content/admin/tutorials/registry.md
+++ b/docs/public/content/admin/tutorials/registry.md
@@ -45,9 +45,3 @@ You can use Docker to pull your images from a registry.
 ```sh
 docker pull [registry]/[project]/steady-rest-backend:[steady-version]
 ```
-
----
-
-Get going:
-
-1. [Deploy](../kustomize/) a Kubernetes cluster on the Internet with the images you just pushed
diff --git a/kubernetes/helm/README.md b/kubernetes/helm/README.md
deleted file mode 100644
index e30d47cf6..000000000
--- a/kubernetes/helm/README.md
+++ /dev/null
@@ -1,117 +0,0 @@ -# Vulnerability assessment tool helm chart - -This readme is meant to give an overall view of the Eclipse Steady deployment to a Kubernetes cluster and does not go into detail about helm chart values. -For more detailed configuration see: -- [vulnerability-assessment-tool-core chart](vulnerability-assessment-tool-core/README.md) -- [vulnerability-assessment-tool-admin chart](vulnerability-assessment-tool-admin/README.md) -- [vulnerability-assessment-tool-monitoring chart](vulnerability-assessment-tool-monitoring/README.md) - -# Overall Architecture - -![architecture](../../docs/public/content/images/helm_architecture.png) - -This repository contains three subcharts which are meant to be installed independently from each other: -- **vulnerability-assessment-tool-core**: which encapsulates all the core components of the tool including: - - *frontendapps*: Jetty web UI which allows submitting code for review - - *frontendbugs*: Jetty web UI which allows admins to manage bugs database - - *patchlibanalyzer*: CronJob which analyzes code submitted - - *restbackend*: Springboot backend which communicates with postgres - - *restlibutils*: Springboot backend which provides extra utilities - - *database*: HA Postgresql Vulnerability database - -- **vulnerability-assessment-tool-admin**: which encapsulates all the cluster admin tools - - *nginx-ingress*: NGINX ingress controller used to expose the service - - (future releases) *redis*: A caching server for NGINX - -- **vulnerability-assessment-tool-monitoring**: which is used to deploy the dedicated monitoring stack - - *elastic*: Elasticsearch + Kibana stack - - *fluentd*: Log collection daemonset - - *grafana*: Metrics graphing - - *prometheus*: Metrics collector + exporters - - -# Vulnerability-assessment-tool Core -This chart comprises of 6 subcharts and represents the tool's core architecture. 
- -## Frontendapps and Frontendbugs -These two are Jetty Web servers written in SAP-UI5 which allows for submitting code for review (frontendapps serving on the path `/apps`) and for administering bugs database (frontendbugs serving on the path `/bugs`) . It uses Ajax requests to communicate with other components in the architecture (mainly the restbackend). Due to the fact that computing in this component is delegated to the client, it has a really light footprint and can function with minimal resources such as: -```yaml -resources: - limits: - memory: "200Mi" - cpu: "200m" - requests: - memory: "100Mi" - cpu: "100m" -``` - -For more information see the [frontendbugs chart](vulnerability-assessment-tool-core/charts/frontendbugs) and [frontendapps chart](vulnerability-assessment-tool-core/charts/frontendapps) - -## Patchlibanalyzer -A Java application which runs constantly in order to analyze packages for vulnerable constructs. It can be run as a Kubernetes managed cronjob by disabling (`deployment.enabled=false`) or as a standalone self managed cronjob by enabling (`deployment.enabled=true`). This component communicates directly with both the restbackend (configured through the environment variable **vulas.shared.backend.serviceUrl**) and the restlibutils (configured through the environment variable **vulas.shared.backend.serviceUrl**) - -For more information see the [patchlibanalyzer chart](vulnerability-assessment-tool-core/charts/patchlibanalyzer) - -## Restbackend -A springboot backend which communicates with the Postgres database through **hibernate** (see [docs](https://hibernate.org/)) and the infrastructure's cornerstone. The connection is direct and the host can be configured through the env variable **spring.datasource.url** (which has to be a jdbc syntax compliant string). - -Since the schema is bound to change over time, the restbackend also has a **flyway** module (see [docs](https://flywaydb.org/)) which allow for on the fly schema migration. 
This connection is also direct and can be configured with the env variable **FLYWAY_URL** (also a jdbc syntax compliant string). - -Since queries and calls are both numerous and complex, this component requires a lot of resources. In production, with a data load of about 300GB, the recommended resources are: -```yaml -resources: - limits: - memory: "16Gi" - cpu: "8" - requests: - memory: "8Gi" - cpu: "4" -``` - -For more information see the [restbackend chart](vulnerability-assessment-tool-core/charts/restbackend) - -## Restlibutils -A springboot backend which is used by the restbackend and patchlibanalyzer to perform construct analysis. As this is the component in charge of the analysis, it is also recommended to allocated it quite a lot of resources, such as: -```yaml -resources: - limits: - memory: "15Gi" - cpu: "7" - requests: - memory: "8Gi" - cpu: "2" -``` - -For more information see the [restlibutils chart](vulnerability-assessment-tool-core/charts/restlibutils) - -## Postgres - -The database storing all data related to the vulnerability-assessment-tool. For high availability as well as performance, this chart implements a master-slave replication cluster for postgres. The replication method (see [postgres HA docs](https://www.postgresql.org/docs/current/high-availability.html)) can be summed up by the graph below: - -![database](../../docs/public/content/images/helm_postgres.png) - -- i) The init container in the postgres replica pod uses pg_basebackup pointed to the postgres master container. This command copies the data from the master node to make sure that the replica is up to date, then creates the `replica.conf` file which tells the replica node that it is the master's standby. -- ii) Once the pg_basebackup succeeds, it allows for the postgres replica container to spin up, mounting the same PVC as the init container (thus sharing the data + config) -- iii) The replica nodes frequently queries the master to ask for the most recent WAL segment. 
This gets writen if the master has updates (Insert/ update queries). -- iv) The master sends the most recent WAL segments to the slave, thus ensuring replication. - -This replication method presents one main issue: **the read and write streams have to be separate to ensure data consistency**, therefore, you can't write into replica nodes. This is where **pgpool** comes in and acts as a buffer to distinguish read from write requests and proxy them accordingly. - -For more information see the [database chart](vulnerability-assessment-tool-core/charts/database) - - -# Vulnerability-assessment-tool Admin -This chart contains only a single nginx-ingress subchart configured to serve vulnerability assessment tool core components. It will however include a redis subchart to serve as a distributed caching db for nginx. -For more information see the [nginx-ingress chart](vulnerability-assessment-tool-admin/charts/nginx-ingress) - -# Vulnerability-assessment-tool Monitoring -This chart contains a logging and monitoring stack for the vulnerability-assessment-tool core cluster. It contains 4 subcharts: -- *elastic* : contains elasticsearch + kibana, used for storing and visualising logs -- *fluentd* : log fetcher for the logging stack -- *prometheus*: contains node exporter (for exporting node related metrics, kube-state-metrics for cluster wide metrics and prom-server for the actual prometheus server) -- *grafana*: graphing for monitoring stack - - ---- -# Contributing -See [Contributing](docs/Contributing.md) diff --git a/kubernetes/helm/docs/BenchmarkResults.md b/kubernetes/helm/docs/BenchmarkResults.md deleted file mode 100644 index f50690ba8..000000000 --- a/kubernetes/helm/docs/BenchmarkResults.md +++ /dev/null 
@@ -1,96 +0,0 @@ -# Database Cluster benchmark - -Pgbench run as a Kubernetes scheduled job within the cluster (on a distinct node from databases) with the following specs: -- Scaling factor: 1 -- Query mode: simple (restricted here to Read queries) -- Number of clients: 80 -- Number of threads: 8 - -This benchmark is performed with a Kubernetes cluster hosted on SAP Converge Cloud (based on Openstack) with three machines: -- 1 x 24560MB RAM, 24 VCPU, 64GB disk hosting the master database -- 2 x 16368MB RAM, 16 VCPU, 64GB disk hosting the slave database - -Each of these have a mounted PVC (provisioned by Openstack Cinder) with a storage capacity of 400GB. - -**Test cases:** -All the below test cases execute a ready only sql script (see below) meant to globally simulate real life usages tested against a dataset of around 300gb and can be launched as a job (see in [benchmarking folder](../vulnerability-assessment-tool-core/templates/benchmark/README.md)). - -- Master direct: pgbench runs directly against the master node with `nclients` concurrent clients. This would represent the 'old' setup but with replication added on which would slightly tax performance. -- Slave direct: pgbench runs directly against the slave service (with two exact endpoints). This would be the most optimal situation since pgbench clients can query both databases and thus reduce the response time on both. (Purely hypothethical as test cases only touch read-only queries) -- Single pgpool instance: pgbench runs against pgpool connected to one master node and to slaves. -- Multiple pgpool instances (3): pgbench runs against pgpool-service connected to 3 pgpool non clustered instance. 
- -| | Average Latency(ms) | tps(with handshake) | tps(w/ handshake) | Q0 | Q1 | Q2 | Q3 | Q4 | Q5 | Q6 | Q7 | Q8 | Q9 | Q10 | Q11 | Q12 | Q13 | Q14 | Q15 | Q16 | Q17 | -|:--------------:|:--------------------:|:-------------------:|:-----------------:|:-----:|:-----:|:------:|:-------:|:------:|:--------:|:------:|:-----:|:-----:|:-----:|:-----:|:------:|:-----:|:------:|:-----:|:---------:|:------:|:-----:| -| Master Direct | 7448.431 | 10.740517 | 10.740645 | 2.326 | 1.624 | 8.176 | 536.314 | 7.345 | 3018.764 | 21.753 | 3.847 | 2.468 | 1.650 | 3.315 | 15.557 | 2.919 | 2.341 | 3.209 | 3781.280 | 10.604 | 4.490 | -| Slave Direct | 6655.745 | 12.019692 | 12.019790 | 1.180 | 0.992 | 5.526 | 411.687 | 6.348 | 2746.081 | 29.709 | 1.817 | 1.172 | 0.832 | 2.999 | 24.242 | 1.463 | 0.965 | 2.770 | 3388.693 | 8.212 | 3.042 | -| Single pgpool | 8364.560 | 9.54162 | 9.56348 | 2.727 | 2.167 | 8.458 | 575.846 | 8.354 | 3432.151 | 23.134 | 4.465 | 2.896 | 2.157 | 4.203 | 16.413 | 3.166 | 2.508 | 3.945 | 4234.848 | 10.405 | 4.791 | -| Pgpool cluster(3) | 6027.996 | 13.271408 | 13.271679 | 6.569 | 6.529 | 14.449 | 637.22 | 10.497 | 2287.350 | 26.816 | 7.384 | 6.981 | 6.558 | 8.472 | 24.400 | 6.997 | 6.6027 | 8.339 | 2982.970 | 11.871 | 7.649 | - -## Statistical view - -**Average Latency** - -| | Average Latency difference from optimal setup : slave direct (in ms) | Average Latency difference from optimal setup (% over slave direct) | -|:--------------:|:---------------------------------------------------------------------:|:-------------------------------------------------------------------:| -| Slave Direct | + 0.00 | 0% | -| Master Direct | + 792.686 | 11.9% | -| Pgpool | + 1708.815 | 25.7% | -| Pgpool cluster(3) | -6.27.74899 | -9.43% | - -**Tps (Transaction per seconds)** - -| | tps with handshake difference from optimal setup (tps) | tps with handshake difference from optimal setup (ratio over slave direct) | tps w/o handshake difference from optimal setup (tps) | tps w/o 
handshake difference from optimal setup (ratio over slave direct) | -|:--------------:|:------------------------------------------------------:|:---------------------------------------------------------------------------:|:-----------------------------------------------------:|:--------------------------------------------------------------------------:| -| Slave Direct | + 0.00 | 0% | + 0.00 | 0% | -| Master Direct | - 1.279175 | - 10.6% | - 1.279145 | - 10.6% | -| Pgpool | - 2.478072 | - 20.6% | - 2.45631 | - 20.4% | -| Pgpool cluster(3) | + 1.251716 | + 10.4% | + 1.2518890 | +10.42% | - -Clustering pgpool seem to increase postgres performance drastically observable when it comes to more complex transactions such as those in Q15 and Q5. This is possibly due to the inane 'loadbalancing' provided by both service layers (pgpool-service) as well as pgpool load balancing mechanism. This comes at an lower performance for simple requests as the constant shifting and handshakes required makes simple queries unviable (sometimes with 300% average latencies than other methods) - - -## In depth Analysis of Pgpool clustering performance -![perf](../../../docs/public/content/images/helm_db_benchmark.png) - -With our current setup (1 master and 2 replicas with pgpool instance each having affinity towards sharing nodes with postgres instances), 3 replicas seems to be the optimal setup to reduce both latency and increase tps. 
- - -## Script - -```sql -BEGIN; -select tenant0_.id as id1_27_, tenant0_.created_at as created_2_27_, tenant0_.is_default as is_defau3_27_, tenant0_.last_modified as last_mod4_27_, tenant0_.tenant_name as tenant_n5_27_, tenant0_.tenant_token as tenant_t6_27_ from tenant tenant0_ where tenant0_.is_default=true ; - -select spaces0_.tenant as tenant11_24_0_, spaces0_.id as id1_24_0_, spaces0_.id as id1_24_1_, spaces0_.bug_filter as bug_filt2_24_1_, spaces0_.created_at as created_3_24_1_, spaces0_.export_configuration as export_c4_24_1_, spaces0_.is_default as is_defau5_24_1_, spaces0_.is_public as is_publi6_24_1_, spaces0_.last_modified as last_mod7_24_1_, spaces0_.space_description as space_de8_24_1_, spaces0_.space_name as space_na9_24_1_, spaces0_.space_token as space_t10_24_1_, spaces0_.tenant as tenant11_24_1_ from space spaces0_ where spaces0_.tenant='319624120'; - -select distinct a.id, a.artifact, a.created_at, a.modified_at, a.last_vuln_change, a.last_scan, a.mvn_group, a.space, a.version from app a inner join space s on a.space=s.id where s.space_token= 'A5344E8A6D26617C92A0CAD02F10C89C' and (extract(epoch from last_vuln_change) > 0 OR extract(epoch from last_scan) > 0) ; - -select applicatio0_.id as id1_0_0_, space1_.id as id1_24_1_, applicatio0_.artifact as artifact2_0_0_, applicatio0_.created_at as created_3_0_0_, applicatio0_.last_scan as last_sca4_0_0_, applicatio0_.last_vuln_change as last_vul5_0_0_, applicatio0_.modified_at as modified6_0_0_, applicatio0_.mvn_group as mvn_grou7_0_0_, applicatio0_.space as space9_0_0_, applicatio0_.version as version8_0_0_, space1_.bug_filter as bug_filt2_24_1_, space1_.created_at as created_3_24_1_, space1_.export_configuration as export_c4_24_1_, space1_.is_default as is_defau5_24_1_, space1_.is_public as is_publi6_24_1_, space1_.last_modified as last_mod7_24_1_, space1_.space_description as space_de8_24_1_, space1_.space_name as space_na9_24_1_, space1_.space_token as space_t10_24_1_, space1_.tenant as 
tenant11_24_1_ from app applicatio0_ inner join space space1_ on applicatio0_.space=space1_.id where applicatio0_.mvn_group='com.acme' and applicatio0_.artifact='vulas-testapp-webapp' and applicatio0_.version='2.5.2-MVN' and applicatio0_.space='319624121' ; - - select dependenci0_.app as app10_2_0_, dependenci0_.id as id1_2_0_, dependenci0_.id as id1_2_1_, dependenci0_.app as app10_2_1_, dependenci0_.declared as declared2_2_1_, dependenci0_.filename as filename3_2_1_, dependenci0_.lib as lib11_2_1_, dependenci0_.origin as origin4_2_1_, dependenci0_.parent as parent12_2_1_, dependenci0_.path as path5_2_1_, dependenci0_.relative_path as relative6_2_1_, dependenci0_.scope as scope7_2_1_, dependenci0_.traced as traced8_2_1_, dependenci0_.transitive as transiti9_2_1_, library1_.id as id1_19_2_, library1_.created_at as created_2_19_2_, library1_.digest as digest3_19_2_, library1_.digest_algorithm as digest_a4_19_2_, library1_.digest_verification_url as digest_v5_19_2_, library1_.library_id_id as library_8_19_2_, library1_.modified_at as modified6_19_2_, library1_.wellknown_digest as wellknow7_19_2_, libraryid2_.id as id1_22_3_, libraryid2_.artifact as artifact2_22_3_, libraryid2_.mvn_group as mvn_grou3_22_3_, libraryid2_.version as version4_22_3_ from app_dependency dependenci0_ inner join lib library1_ on dependenci0_.lib=library1_.digest left outer join library_id libraryid2_ on library1_.library_id_id=libraryid2_.id where dependenci0_.app='319633948'; - - select constructs0_.application_id as applicat1_1_0_, constructs0_.constructs_id as construc2_1_0_, constructi1_.id as id1_18_1_, constructi1_.lang as lang2_18_1_, constructi1_.qname as qname3_18_1_, constructi1_.type as type4_18_1_ from app_constructs constructs0_ inner join construct_id constructi1_ on constructs0_.constructs_id=constructi1_.id where constructs0_.application_id='319633948'; - -select goalexecut0_.id as id1_5_, goalexecut0_.app as app12_5_, goalexecut0_.client_version as client_v2_5_, 
goalexecut0_.created_at as created_3_5_, goalexecut0_.exception as exceptio4_5_, goalexecut0_.execution_id as executio5_5_, goalexecut0_.goal as goal6_5_, goalexecut0_.mem_max as mem_max7_5_, goalexecut0_.mem_used_avg as mem_used8_5_, goalexecut0_.mem_used_max as mem_used9_5_, goalexecut0_.runtime_nano as runtime10_5_, goalexecut0_.started_at_client as started11_5_ from app_goal_exe goalexecut0_ where goalexecut0_.app='319633948' order by goalexecut0_.started_at_client DESC ; - - -select applicatio0_.id as id1_0_0_, space1_.id as id1_24_1_, applicatio0_.artifact as artifact2_0_0_, applicatio0_.created_at as created_3_0_0_, applicatio0_.last_scan as last_sca4_0_0_, applicatio0_.last_vuln_change as last_vul5_0_0_, applicatio0_.modified_at as modified6_0_0_, applicatio0_.mvn_group as mvn_grou7_0_0_, applicatio0_.space as space9_0_0_, applicatio0_.version as version8_0_0_, space1_.bug_filter as bug_filt2_24_1_, space1_.created_at as created_3_24_1_, space1_.export_configuration as export_c4_24_1_, space1_.is_default as is_defau5_24_1_, space1_.is_public as is_publi6_24_1_, space1_.last_modified as last_mod7_24_1_, space1_.space_description as space_de8_24_1_, space1_.space_name as space_na9_24_1_, space1_.space_token as space_t10_24_1_, space1_.tenant as tenant11_24_1_ from app applicatio0_ inner join space space1_ on applicatio0_.space=space1_.id where applicatio0_.mvn_group='com.acme' and applicatio0_.artifact='vulas-testapp-webapp' and applicatio0_.version='2.5.2-MVN' and applicatio0_.space='319624121' ; - -SELECT id FROM app_goal_exe WHERE app = '319633948' AND goal = 'APP' ORDER BY started_at_client DESC LIMIT 1 ; - -select goalexecut0_.id as id1_5_0_, goalexecut0_.app as app12_5_0_, goalexecut0_.client_version as client_v2_5_0_, goalexecut0_.created_at as created_3_5_0_, goalexecut0_.exception as exceptio4_5_0_, goalexecut0_.execution_id as executio5_5_0_, goalexecut0_.goal as goal6_5_0_, goalexecut0_.mem_max as mem_max7_5_0_, goalexecut0_.mem_used_avg as 
mem_used8_5_0_, goalexecut0_.mem_used_max as mem_used9_5_0_, goalexecut0_.runtime_nano as runtime10_5_0_, goalexecut0_.started_at_client as started11_5_0_, applicatio1_.id as id1_0_1_, applicatio1_.artifact as artifact2_0_1_, applicatio1_.created_at as created_3_0_1_, applicatio1_.last_scan as last_sca4_0_1_, applicatio1_.last_vuln_change as last_vul5_0_1_, applicatio1_.modified_at as modified6_0_1_, applicatio1_.mvn_group as mvn_grou7_0_1_, applicatio1_.space as space9_0_1_, applicatio1_.version as version8_0_1_, space2_.id as id1_24_2_, space2_.bug_filter as bug_filt2_24_2_, space2_.created_at as created_3_24_2_, space2_.export_configuration as export_c4_24_2_, space2_.is_default as is_defau5_24_2_, space2_.is_public as is_publi6_24_2_, space2_.last_modified as last_mod7_24_2_, space2_.space_description as space_de8_24_2_, space2_.space_name as space_na9_24_2_, space2_.space_token as space_t10_24_2_, space2_.tenant as tenant11_24_2_, properties3_.space_id as space_id1_25_3_, property4_.id as properti2_25_3_, property4_.id as id1_23_4_, property4_.name as name2_23_4_, property4_.property_value as property3_23_4_, property4_.source as source4_23_4_, property4_.value_sha1 as value_sh5_23_4_, spaceowner5_.space_id as space_id1_26_5_, spaceowner5_.space_owners as space_ow2_26_5_, tenant6_.id as id1_27_6_, tenant6_.created_at as created_2_27_6_, tenant6_.is_default as is_defau3_27_6_, tenant6_.last_modified as last_mod4_27_6_, tenant6_.tenant_name as tenant_n5_27_6_, tenant6_.tenant_token as tenant_t6_27_6_ from app_goal_exe goalexecut0_ inner join app applicatio1_ on goalexecut0_.app=applicatio1_.id inner join space space2_ on applicatio1_.space=space2_.id left outer join space_properties properties3_ on space2_.id=properties3_.space_id left outer join property property4_ on properties3_.properties_id=property4_.id left outer join space_owners spaceowner5_ on space2_.id=spaceowner5_.space_id inner join tenant tenant6_ on space2_.tenant=tenant6_.id where 
goalexecut0_.id='319767613'; - -select configurat0_.goal_execution_id as goal_exe1_6_0_, configurat0_.configuration_id as configur2_6_0_, property1_.id as id1_23_1_, property1_.name as name2_23_1_, property1_.property_value as property3_23_1_, property1_.source as source4_23_1_, property1_.value_sha1 as value_sh5_23_1_ from app_goal_exe_configuration configurat0_ inner join property property1_ on configurat0_.configuration_id=property1_.id where configurat0_.goal_execution_id='319767613'; - -select systeminfo0_.goal_execution_id as goal_exe1_7_0_, systeminfo0_.system_info_id as system_i2_7_0_, property1_.id as id1_23_1_, property1_.name as name2_23_1_, property1_.property_value as property3_23_1_, property1_.source as source4_23_1_, property1_.value_sha1 as value_sh5_23_1_ from app_goal_exe_system_info systeminfo0_ inner join property property1_ on systeminfo0_.system_info_id=property1_.id where systeminfo0_.goal_execution_id='319767613'; - -select statistics0_.goal_execution_id as goal_exe1_8_0_, statistics0_.statistics as statisti2_8_0_, statistics0_.statistics_key as statisti3_0_ from app_goal_exe_statistics statistics0_ where statistics0_.goal_execution_id='319767613' ; - -select goalexecut0_.id as id1_5_0_, goalexecut0_.app as app12_5_0_, goalexecut0_.client_version as client_v2_5_0_, goalexecut0_.created_at as created_3_5_0_, goalexecut0_.exception as exceptio4_5_0_, goalexecut0_.execution_id as executio5_5_0_, goalexecut0_.goal as goal6_5_0_, goalexecut0_.mem_max as mem_max7_5_0_, goalexecut0_.mem_used_avg as mem_used8_5_0_, goalexecut0_.mem_used_max as mem_used9_5_0_, goalexecut0_.runtime_nano as runtime10_5_0_, goalexecut0_.started_at_client as started11_5_0_, applicatio1_.id as id1_0_1_, applicatio1_.artifact as artifact2_0_1_, applicatio1_.created_at as created_3_0_1_, applicatio1_.last_scan as last_sca4_0_1_, applicatio1_.last_vuln_change as last_vul5_0_1_, applicatio1_.modified_at as modified6_0_1_, applicatio1_.mvn_group as mvn_grou7_0_1_, 
applicatio1_.space as space9_0_1_, applicatio1_.version as version8_0_1_, space2_.id as id1_24_2_, space2_.bug_filter as bug_filt2_24_2_, space2_.created_at as created_3_24_2_, space2_.export_configuration as export_c4_24_2_, space2_.is_default as is_defau5_24_2_, space2_.is_public as is_publi6_24_2_, space2_.last_modified as last_mod7_24_2_, space2_.space_description as space_de8_24_2_, space2_.space_name as space_na9_24_2_, space2_.space_token as space_t10_24_2_, space2_.tenant as tenant11_24_2_, properties3_.space_id as space_id1_25_3_, property4_.id as properti2_25_3_, property4_.id as id1_23_4_, property4_.name as name2_23_4_, property4_.property_value as property3_23_4_, property4_.source as source4_23_4_, property4_.value_sha1 as value_sh5_23_4_, spaceowner5_.space_id as space_id1_26_5_, spaceowner5_.space_owners as space_ow2_26_5_, tenant6_.id as id1_27_6_, tenant6_.created_at as created_2_27_6_, tenant6_.is_default as is_defau3_27_6_, tenant6_.last_modified as last_mod4_27_6_, tenant6_.tenant_name as tenant_n5_27_6_, tenant6_.tenant_token as tenant_t6_27_6_ from app_goal_exe goalexecut0_ inner join app applicatio1_ on goalexecut0_.app=applicatio1_.id inner join space space2_ on applicatio1_.space=space2_.id left outer join space_properties properties3_ on space2_.id=properties3_.space_id left outer join property property4_ on properties3_.properties_id=property4_.id left outer join space_owners spaceowner5_ on space2_.id=spaceowner5_.space_id inner join tenant tenant6_ on space2_.tenant=tenant6_.id where goalexecut0_.id='319767613' ; - -select distinct dependency0_.id as col_0_0_, bug5_.id as col_1_0_ from app_dependency dependency0_ inner join app applicatio1_ on dependency0_.app=applicatio1_.id inner join lib library2_ on dependency0_.lib=library2_.digest inner join lib_constructs constructs3_ on library2_.id=constructs3_.library_id inner join construct_id constructi4_ on constructs3_.constructs_id=constructi4_.id cross join bug bug5_ inner join 
bug_construct_change constructc6_ on bug5_.bug_id=constructc6_.bug where applicatio1_.mvn_group='com.acme' and applicatio1_.artifact='vulas-testapp-webapp' and applicatio1_.version='2.5.2-MVN' and applicatio1_.space='319624121' and constructi4_.id=constructc6_.construct_id and (constructi4_.type<>'PACK' or not (exists (select 1 from bug_construct_change constructc7_ inner join construct_id constructi8_ on constructc7_.construct_id=constructi8_.id where constructc7_.bug=constructc6_.bug and constructi8_.type<>'PACK' and (constructi8_.qname not like '%test%') and (constructi8_.qname not like '%Test%') and constructc7_.construct_change_type<>'ADD'))) and (constructi4_.type<>'MODU' or constructi4_.qname<>'setup') ; - -select a.affected from (select distinct bug_id,library_id,affected from bug_affected_library where source='MANUAL' and lib is null UNION select distinct al1.bug_id,al1.library_id,al1.affected from bug_affected_library as al1 where al1.lib is null and (al1.source='AST_EQUALITY' OR al1.source='MINOR_EQUALITY'OR al1.source='MAJOR_EQUALITY' OR al1.source='GREATER_RELEASE' OR al1.source='INTERSECTION' OR al1.source='PROPAGATE_MANUAL') and not exists (select 1 from bug_affected_library as al2 where al2.source='MANUAL' and al1.bug_id=al2.bug_id and al1.library_id=al2.library_id)) as a where a.bug_id='CVE-2014-3612' and a.library_id='236764304'; -END; -``` diff --git a/kubernetes/helm/docs/Contributing.md b/kubernetes/helm/docs/Contributing.md deleted file mode 100644 index d5cbade75..000000000 --- a/kubernetes/helm/docs/Contributing.md +++ /dev/null 
@@ -1,152 +0,0 @@ -# Folder structure and Overall Conventions - -## Subchart templates - -The vulnerability-assessment-tool deployment is composed of three charts: -- vulnerability-assessment-tool-core : which encapsulates all its core functions -- vulnerability-assessment-tool-monitoring : which encapsulates its monitoring stack -- vulnerability-assessment-tool-admin : which encapsulates admin functionalities - -All values in this helm chart and its subcharts are in camelCase (for example *someVariable*). As every subcharts should be a standalone implementation of a helm charts, each one has an individual set of helper templates mainly: -- _getter.tpl : contains all basic name composition templates -- _labels.tpl : contains all basic label creation templates - -Along with these helpers, they also share global ones located in `shared` (with a simple soft symlink) to avoid redundancy. - -### .**Subchart composition** -As declartaions are numerous, the following encapsulating folder scheme has been devised: -- if the subchart contains different distinct application that require each other to function, it will be put in its own repo. -- Each file will be named to represent best its object kind (for example configMap.yaml) writen in camelCase. - -For example: -``` -. 
-├── Chart.yaml -├── README.md -├── templates -│   ├── kube-state-metrics -│   │   ├── clusterRoleBinding.yaml -│   │   ├── clusterRole.yaml -│   │   ├── deployment.yaml -│   │   ├── _getters.tpl -│   │   ├── _labels.tpl -│   │   ├── serviceAccount.yaml -│   │   └── service.yaml -│   ├── node-exporter -│   │   ├── daemonSet.yaml -│   │   ├── _getters.tpl -│   │   ├── _labels.tpl -│   │   ├── podSecurityPolicy.yaml -│   │   ├── roleBinding.yaml -│   │   ├── role.yaml -│   │   ├── serviceAccount.yaml -│   │   └── service.yaml -│   ├── NOTES.txt -│   └── prom-server -│   ├── clusterRoleBinding.yaml -│   ├── clusterRole.yaml -│   ├── configMap.yaml -│   ├── _getters.tpl -│   ├── _labels.tpl -│   ├── serviceAccount.yaml -│   ├── serviceHeadless.yaml -│   ├── service.yaml -│   └── statefulSet.yaml -├── _values.yaml -└── values.yaml -``` - -### .**Helpers** -Each helper functions header contains the name of said function along with a short description of its purpose, its usage context (Note that if is says `contexts: [ . ]` it can only be used within the subcharts contexts) and an example usage. - -Within reasonable limits, all helper functions must be : -- limited to its subcharts scope -- preceded by the chart's name -- camelCase -- refrain from verbs as a whole for naming -- indicate which object it targets - -(like *subchart.objectName*). - -### .**Templating Object Declarations** - -In order to garantee a coherent and consistent declaration convention, each yml should loosely follow this order (line jumps indicated with #), explicited for controllers : - -```yaml -apiVersion: {{ .apiVersion }} -kind: {{ .objectKind }} -# -metadata: - name: {{{ template "subchart.objectName" . }} - labels: - app.kubernetes.io/name : {{ template "subchart.objectName" . }} - app.kubernetes.io/part-of: {{ include "subchart.name" . 
}} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -# -spec: - replicas: {{ .replicas }} -# - template: - metadata: - labels: - app.kubernetes.io/name : {{ template "subchart.objectName" . }} - app.kubernetes.io/part-of: {{ include "subchart.name" . }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{ include "subchart.objectName.otherLabels" . }} - # - spec: - volumes: - - name: --- - configMap: - name: --- - # - initContainers: - - name: --- - image: --- - imagePullPolicy: --- - command: --- - # - envFrom: - - configMapRef: --- - name: --- - # - securityContext: --- # User - securityContext: --- # Linux capabilities - # - Containers: - - name: --- - image: --- - imagePullPolicy: --- - # - ports: --- - # - envFrom: --- - # - livenessProbe: --- - # - readinessProbe: --- -``` - -With emphasis on when it comes to declarations: -- version of release on each object -- envFrom over env -- livenessProbe and readinessProbe preferably different -- ports always having names -- imagePullPolicy always indicated - -When it comes to templating: -- prefer `nindent` over `indent` -- when including templates retain the original tabulations for readability -- prefer `include` over `template` when not inline and vice versa - -When it comes to writing conditional and complex values -- prefer using `with` or `$variable:=` to shorten naming scheme -- when checking if a layered variable exist use the staircase method (to garantee passing the `helm lint --strict`), for example: -``` -{{- if .Values.a }} -{{- if .Values.a.b }} -{{- end }} -{{- end }} -``` diff --git a/kubernetes/helm/docs/LoadingDumps.md b/kubernetes/helm/docs/LoadingDumps.md deleted file mode 100644 index 5a20ee6e4..000000000 --- a/kubernetes/helm/docs/LoadingDumps.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Loading dumps and migrating from existing database - -This guide is destined to those who want to migrate their old Eclipse Steady database to the Kubernetes deployment. - -## Preliminary - -Requirements: -- kubectl (with access to cluster) - -Warning: -- During the first phase, the source database will be under some strain so its recommended to perform this operation during low load periods -- During the migration, accessing the destination database will break the destination database. Therefore, it is recommended to scale down the restbackend and restlibutils to avoid going into the broken state with these commands: -```sh -kubectl scale statefulset.apps restbackend --replicas 0 \ - && kubectl scale deployment.apps restlibutils --replicas 0 -``` -- This process may take up to 5 hours depending on the amount of data present - -## Migration using Go module - -This migration can be automated using the utils packaged with this chart (which can be installed by following this [guide](../utils/README.md)). You can run the following command, once the module is built: - -```sh -utils migrate -n { CoreNamespace } -sh { SourceHost } \ - -sp { SourcePort } -spa { Source Dump Path } -su { SourceUser } \ - -spw { SourcePassword } -dH { DestinationHost } -dp { DestinationPort } \ - -du { DestinationUser } -dpw { DestinationPassword } - - -# for more info and flags -utils migrate --help -``` - -## Manual Migration - -This can be done with a single job run from within the destination cluster (provided the source is accessible from within the k8s cluster). This job is meant to be templated with helm with the command: -```sh -# with values.yaml -$ helm template . -x _postgres-migrator.yaml | kubectl apply -f - - -# without values.yaml -$ helm template . -x _postgres-migrator.yaml \ - --set .... 
| kubectl apply -f - -``` - -It can however still be run without helm by manually replacing values inside {{ }} with the desired values and then applied via `kubectl apply -f -`. - -### _postgres-migrator.yaml -```sh -apiVersion: batch/v1 -kind: Job - -metadata: - name: postgres-migrator - -spec: - # Disables retries - backoffLimit: 0 - - template: - spec: - containers: - - name: postgres-migrator - # It is important that this variable corresponds to the source database version - image: postgres:{{ .Values.migration.version }} - command: - - sh - - -c - - |- - #!/bin/bash - # env injection for pgdump - export PGPASSWORD={{ .Values.migration.source.password }} - - DATE=`date +%Y%m%d` - start_time=`date +%s` - mkdir -p /dumps/ - - # In values.yaml: - # migration: - # source: - # port: # source database port to pull the dump from - # host: # source host - # dbname: # source vuln database name - # user: # user name - # password: # user password - pg_dump -Fc --host {{ .Values.migration.source.host }} \ - -U {{ .Values.migration.source.user }} \ - --dbname {{ .Values.migration.source.dbname }} \ - --port {{ .Values.migration.source.port }} >> /dumps/$DATE.dump - - echo "[+] Database dump completed in $((($(date +%s)-$start)/60)) minutes" - start_time=`date +%s` - - # In values.yaml: - # migration: - # destination: - # port: # source database port to pull the dump from - # host: # source host - # dbname: # source vuln database name - # user: # user name - # password: # user password - export PGPASSWORD={{ .Values.migration.destination.password }} - - # If you have the chart up and running, you can - # use the postgres-readwrite-service (master node) - # as a host value directly - pg_restore --verbose --clean --if-exists --no-acl \ - --host {{ .Values.migration.destination.host }} \ - --U {{ .Values.migration.destination.user }} \ - --port {{ .Values.migration.destination.port }} \ - --dbname {{ .Values.migration.destination.dbname }} \ - --jobs={{ .Values.migration.cpu 
}} - /dumps/$DATE.dump - - echo "[+] Database restore completed in $((($(date +%s)-$start)/60)) minutes" - - restartPolicy: Never - resources: - # You can allocate more resources to increase restore speed - # (the dump performance depends on your source database) - requests: - cpu: {{ .Values.migration.cpu }} -``` - -## Checking integrity - -Due to the migration being often quite large, errors can occur that can break the database. Those can be identified by: - -- Tailing the logs of the migration job with `kubectl logs -f`. Some error may occur due to network issues, lack of space on the destination database, etc.. -- Trying to load the frontendapps or frontendbugs, you'll notice a huge performance dip (it could take up to 60s for simple queries instead of 5-6s max) -- Accessing postgres and checking from inside the database with: -`kubectl exec -it postgres-master-0 psql -c 'SELECT pg_size_pretty( pg_database_size('dbname'))'` diff --git a/kubernetes/helm/docs/PopulatingDatabase.md b/kubernetes/helm/docs/PopulatingDatabase.md deleted file mode 100644 index 1c635a2d2..000000000 --- a/kubernetes/helm/docs/PopulatingDatabase.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# Populating database inside the Kubernetes cluster - -This guide is destined to those who want to populate their vulnerability databases with the open sourced [knowledge base](https://github.com/SAP/vulnerability-assessment-kb). -This can be automated using the utils packaged with this chart (which can be installed by following this [guide](../utils/README.md)). You can run the following command, once the module is built: - -```sh -utils load \ - --concurrent { Concurrent } \ - --releaseName { releaseName } \ - --namespace { namespace } \ - --skip - -# for more info and flags -utils load --help - -# for cleaning up the pods after a run -kubectl delete pods -l 'app.kubernetes.io/part-of=bugs-loader' -n { namespace } -``` - -## . Configuration -As off utils release v0.0.1 the bug file has to be a **yaml** file following this structure: -```yaml -bugs: -- reference: bug1 # vulnerability identifier - repo: repo # URL of the VCS repository hosting the library project - - # One or multiple revisions (multiple ones must be comma-separated w/o blanks). - # In the case of Git repositories, the revision can be optionally - # concatenated with ,) - commit: "id" - - # (optional, it must be provided for vulnerabilities not available from the NVD) ) - # Comma-separated list of links to comprehensive vulnerability information - links: "links" - - # (optional) - description: "Lorem ipsum dolor sit amet..." -``` - -## . Behind the scenes - -This module uses Golang routines to split the bugs list into **n** (the amount of concurrent jobs) equal chunks. In short, these will be fed into the patch-analyzer which will then analyze the codes and push it into the restbackend accordingly. - -In reality, this module generates a shell script which contains call to the patchanalyzer jar and mounts it via configmap to a list of jobs, each having different configmaps corresponding to the chunk that they're in charge of. 
-
-Then it generates a list of routines that watch the job for event changes and cleans up if the job fails, succeedes or gets deleted
diff --git a/kubernetes/helm/docs/SchemaChanges.md b/kubernetes/helm/docs/SchemaChanges.md
deleted file mode 100644
index 8f4b72f0d..000000000
--- a/kubernetes/helm/docs/SchemaChanges.md
+++ /dev/null
@@ -1,65 +0,0 @@ - -# Handling schema changes - -This guide is destined to help migrating versions with schema changes without hiccups. This assumes all three charts have been installed independently within their designated namespaces with the core chart having major release name : `alpha` migrating towards major release `beta`. - - -## TL;DR - -This upgrade can be automated using the utils packaged with this chart (which can be installed by following this [guide](BuildingUtils.md)). You can run the following command, once the module is built: - -```sh -utils upgrade --kubeconfig={ kubeconfig } \ - --coreNamespace={ coreNamespace } \ - --adminNamespace={ adminNamespace } \ - --currentRelease={ currentRelease } \ - --futureRelease={ futureRelease } - -# for more info and flags -utils upgrade --help -``` - -Once the new release has been properly spun up and tested, you can use the utils package to automatically update the admin chart to point at the newest release with: - -```sh -utils route --kubeconfig={ kubeconfig } \ - --coreNamespace={ coreNamespace } \ - --coreRelease={ coreRelease } \ - --adminNamespace={ adminNamespace } \ - --adminRelease={ adminRelease } - - -# for more info and flags -utils route --help -``` - - -## Detailed actions - -![schema_change](../../../docs/public/content/images/helm_database_change.png) - -The Golang migrator utils uses the given `kubeconfig` to communicate directly with the cluster's Kubernetes API through the Kubernetes Go-client. And does the following actions (see previous image): - -- Fetches the replicas amount of the postgres slave statefulset within the cluster -- Scales down one replicas if possible which will be promoted to master in the future release -- Gets the PVC associated with the pod that's getting scaled down -- Creates an ephemeral Job that mounts said PVC and deletes recovery.conf -- Uses helm to create a new release named `beta` with **.Values.database.postgres.master.existingClaims** = Name of old PVC. 
This spins up a whole new core chart and allows the restbackend to apply schema changes without threatening data loss due to failure (as the `alpha` release is still present) and at a very quick pace (data already mounted, no need to create and copy new PVC). -- Once the user validates the new release's viability, uses helm to upgrade the admin chart to serve release `beta`. - -*Note*: During the migration, both releases can coexist without an issue - -*Note*: the monitoring chart does not get affected due to it being agnostic to releases and the modification on the admin chart affects only ingresses, thus, allowing for switching in less then 15s. - - -## Rollback - -Rolling back to a previous release (assuming you have not deleted the `alpha` chart) can be done with the following commands: - -```console -# Services should be back to normal, serving old release straight away -$ helm rollback `$ADMIN_CHART` - -# Free up resources by delete new release -$ helm delete `$BETA_CORE_CHART` -``` diff --git a/kubernetes/helm/utils/Makefile b/kubernetes/helm/utils/Makefile deleted file mode 100644 index a8312e438..000000000 --- a/kubernetes/helm/utils/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -all: lint build test - -build: - go build ./... - -lint: - find . -name '*.go' | xargs gofmt -w -s - -test: - go test -cover diff --git a/kubernetes/helm/utils/README.md b/kubernetes/helm/utils/README.md deleted file mode 100644 index 8d7d2d95b..000000000 --- a/kubernetes/helm/utils/README.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# utils: An utility module to manage the vulnerability-assessment-tool helm chart - -**Warning**: This module uses helm 3 to manage the helm chart. - -A CLI that is meant to help automatically manage the vulnerability-assessment-tool helm chart by allowing for the following features: -- Upgrading releases with database schema changes -- Configure the admin chart to serve a specific release -- Load up data into the vulnerability database (either by dumps or manual) - -## Installation -You can either download a release or assuming you already have a recent version of Go installed, pull down the code with `go get`: -```sh -go get -u github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils -``` - -## Building the utils package from source - -```sh -go build -o bin/utils main.go -chmod +x bin/utils -mv bin/utils /usr/local/bin/utils -``` diff --git a/kubernetes/helm/utils/build.sh b/kubernetes/helm/utils/build.sh deleted file mode 100755 index 93a38a22f..000000000 --- a/kubernetes/helm/utils/build.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/bash - -build() { - PLATFORMS="darwin/amd64" # amd64 only as of go1.5 - PLATFORMS="$PLATFORMS linux/amd64 linux/386 windows/amd64" - - SCRIPT_NAME=`basename "$0"` - FAILURES="" - SOURCE_FILE=`echo $@ | sed 's/\.go//'` - CURRENT_DIRECTORY=${PWD##*/} - OUTPUT=${SOURCE_FILE:-$CURRENT_DIRECTORY} # if no src file given, use current dir name - - type setopt >/dev/null 2>&1 - - for PLATFORM in $PLATFORMS; do - GOOS=${PLATFORM%/*} - GOARCH=${PLATFORM#*/} - BIN_FILENAME="${OUTPUT}-${GOOS}-${GOARCH}" - if [[ "${GOOS}" == "windows" ]]; then BIN_FILENAME="${BIN_FILENAME}.exe"; fi - CMD="GOOS=${GOOS} GOARCH=${GOARCH} go build -o ${BIN_FILENAME} $@" - echo "${CMD}" - eval $CMD || FAILURES="${FAILURES} ${PLATFORM}" - - mv $BIN_FILENAME $(pwd)/bin/$BIN_FILENAME - done - - # eval errors - if [[ "${FAILURES}" != "" ]]; then - echo "" - echo "${SCRIPT_NAME} failed on: ${FAILURES}" - exit 1 - fi -} - -build 
diff --git a/kubernetes/helm/utils/cmd/load.go b/kubernetes/helm/utils/cmd/load.go
deleted file mode 100644
index a9ce7e77e..000000000
--- a/kubernetes/helm/utils/cmd/load.go
+++ /dev/null
@@ -1,99 +0,0 @@ -/* -Copyright © 2019 ichbinfrog - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package cmd provides a cli module to interact with utils -package cmd - -import ( - "log" - "os" - - "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/internal/load" - "github.com/spf13/cobra" -) - -// loadCmd represents the load command -var loadCmd = &cobra.Command{ - Use: "load", - Short: "command to populate vulnerability database", - Long: `This subcommand allows for an user to load cve datas into the vulnerability -assessement tool database hosted inside a kubernetes cluster. - -In short, in creates a number of concurrent go routines which launch and watch a series -of jobs, each in charge of loading a small chunk of the given bugs (thus allowing for more -efficient loading). As of this release, files must be a yaml file following this structure: - -bugs: -- reference: { bug cve } ( vulnerability identifier ) - repo: { github repo } ( URL of the VCS repository hosting the library project ) - commit: { commit id } ( One or multiple revisions (multiple ones must be comma-separated w/o blanks). 
- In the case of Git repositories, the revision can be optionally concatenated with ) - links: { optional links to cve ref } ( Comma-separated list of links to comprehensive vulnerability information - (optional, it must be provided for vulnerabilities not available from the NVD) ) - description: { optional descriptions } -`, - Args: cobra.MinimumNArgs(1), - Run: func(cmd *cobra.Command, args []string) { - sourceFile := args[0] - if _, err := os.Stat(sourceFile); err != nil { - log.Fatal(err) - } - - // Concurrent amount check - if concurrent < 1 { - log.Fatalf("Concurrent values cannot be less then 1") - } - - // Release name check - if releaseName == "" { - log.Fatalf("Release name cannot be empty") - } - - // Namespace check - if coreNamespace == "" { - log.Fatalf("Namespace cannot be empty") - } - - context := load.Context{ - Concurrent: concurrent, - Source: sourceFile, - ReleaseName: releaseName, - Namespace: coreNamespace, - DryRun: noUpload, - Skip: skipIfExist, - } - - list, _ := load.SplitCVE(&context) - load.UploadBugs(&context, list) - }, -} - -var ( - releaseName string - concurrent int - skipIfExist, noUpload bool -) - -func init() { - rootCmd.AddCommand(loadCmd) - - // Here you will define your flags and configuration settings. - loadCmd.PersistentFlags().StringVarP(&coreNamespace, "namespace", "n", "vulnerability-assessment-tool-core", "core namespace") - loadCmd.PersistentFlags().IntVarP(&concurrent, "concurrent", "c", 5, "amount of parallel jobs handling the load") - loadCmd.PersistentFlags().StringVarP(&releaseName, "release", "r", "canary", "release name of core chart") - loadCmd.PersistentFlags().BoolVarP(&noUpload, "dry-run", "d", false, "does not upload to the backend") - loadCmd.PersistentFlags().BoolVarP(&skipIfExist, "skip", "s", false, "skip if already exists") -} diff --git a/kubernetes/helm/utils/cmd/migrate.go b/kubernetes/helm/utils/cmd/migrate.go deleted file mode 100644 index 9bc9edea1..000000000 
--- a/kubernetes/helm/utils/cmd/migrate.go
+++ /dev/null
@@ -1,97 +0,0 @@ -/* -Copyright © 2019 ichbinfrog - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package cmd provides a cli module to interact with utils -package cmd - -import ( - "fmt" - - "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/internal/restore" - "github.com/spf13/cobra" -) - -var ( - kubeconfig string - coreNamespace string - sourceHost, sourceUser, sourcePassword, sourcePort, sourcePath string - destinationHost, destinationUser, destinationPassword, destinationDb, destinationPort string -) - -// migrateCmd represents the migrate command -var migrateCmd = &cobra.Command{ - Use: "migrate", - Short: "Migrate dump to new cluster", - Long: `This subcommand allows an user to load from a non local dump (using curl) and -load it into the vulnerability-assessment-tool database. 
It generates a job within the cluster -which manages the migration on its own (thus not forcing the user to migrate using his own machine)`, - Run: func(cmd *cobra.Command, args []string) { - fmt.Println(restore.Context{ - Kubeconfig: kubeconfig, - Source: restore.DatabaseAccess{ - Host: sourceHost, - Port: sourcePort, - User: sourceUser, - Password: sourcePassword, - Path: sourcePath, - }, - Destination: restore.DatabaseAccess{ - Host: destinationHost, - Port: destinationPort, - User: destinationUser, - Password: destinationPassword, - Database: destinationDb, - }, - Namespace: coreNamespace, - }) - - restore.LoadDumps(&restore.Context{ - Kubeconfig: kubeconfig, - Source: restore.DatabaseAccess{ - Host: sourceHost, - Port: sourcePort, - User: sourceUser, - Password: sourcePassword, - Path: sourcePath, - }, - Destination: restore.DatabaseAccess{ - Host: destinationHost, - Port: destinationPort, - User: destinationUser, - Password: destinationPassword, - Database: destinationDb, - }, - Namespace: coreNamespace, - }) - }, -} - -func init() { - rootCmd.AddCommand(migrateCmd) - - // Here you will define your flags and configuration settings. 
- migrateCmd.PersistentFlags().StringVarP(&coreNamespace, "namespace", "n", "vulnerability-assessment-tool-core", "core namespace") - migrateCmd.PersistentFlags().StringVar(&sourceHost, "sh", "localhost", "source host for dumps") - migrateCmd.PersistentFlags().StringVar(&sourceUser, "su", "postgres", "source user for dumps") - migrateCmd.PersistentFlags().StringVar(&sourcePassword, "spw", "postgres", "source password for dumps") - migrateCmd.PersistentFlags().StringVar(&sourcePort, "sp", "5432", "source port for dumps") - migrateCmd.PersistentFlags().StringVar(&sourcePath, "spa", "/dumps/latest.dump", "source path for dumps") - migrateCmd.PersistentFlags().StringVar(&destinationHost, "dh", "localhost", "destination host for dumps") - migrateCmd.PersistentFlags().StringVar(&destinationUser, "du", "postgres", "destination user for dumps") - migrateCmd.PersistentFlags().StringVar(&destinationPassword, "dpw", "postgres", "destination password for dumps") - migrateCmd.PersistentFlags().StringVar(&destinationDb, "dd", "vulas", "destination db for dumps") - migrateCmd.PersistentFlags().StringVar(&destinationPort, "dp", "5432", "destination port for dumps") -} diff --git a/kubernetes/helm/utils/cmd/root.go b/kubernetes/helm/utils/cmd/root.go deleted file mode 100644 index 1ffab6257..000000000 --- a/kubernetes/helm/utils/cmd/root.go +++ /dev/null 
@@ -1,93 +0,0 @@
-/*
-Copyright © 2019 ichbinfrog
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package cmd provides a cli module to interact with utils
-package cmd
-
-import (
- "fmt"
- "os"
-
- "github.com/spf13/cobra"
-
- homedir "github.com/mitchellh/go-homedir"
- "github.com/spf13/viper"
-)
-
-var (
- cfgFile string
-)
-
-// rootCmd represents the base command when called without any subcommands
-var rootCmd = &cobra.Command{
- Use: "utils",
- Short: "utility CLI for managing the vulnerability-assessment-tool in k8s",
- Long: `This command allows for an user with access to a kubernetes cluster hosting
-the vulnerability assessment tool helm chart to automate part of that management`,
- // Uncomment the following line if your bare application
- // has an action associated with it:
- // Run: func(cmd *cobra.Command, args []string) { },
-}
-
-// Execute adds all child commands to the root command and sets flags appropriately.
-// This is called by main.main(). It only needs to happen once to the rootCmd.
-func Execute() {
- if err := rootCmd.Execute(); err != nil {
- fmt.Println(err)
- os.Exit(1)
- }
-}
-
-func init() {
- cobra.OnInitialize(initConfig)
-
- // Here you will define your flags and configuration settings.
- // Cobra supports persistent flags, which, if defined here,
- // will be global for your application.
-
- rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.utils.yaml)")
- rootCmd.PersistentFlags().StringVar(&kubeconfig, "kubeconfig", "", "kubecontext to execute query")
-
- // Cobra also supports local flags, which will only run
- // when this action is called directly.
- rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
-}
-
-// initConfig reads in config file and ENV variables if set.
-func initConfig() {
- if cfgFile != "" {
- // Use config file from the flag.
- viper.SetConfigFile(cfgFile)
- } else {
- // Find home directory.
- home, err := homedir.Dir()
- if err != nil {
- fmt.Println(err)
- os.Exit(1)
- }
-
- // Search config in home directory with name ".utils" (without extension).
- viper.AddConfigPath(home)
- viper.SetConfigName(".utils")
- }
-
- viper.AutomaticEnv() // read in environment variables that match
-
- // If a config file is found, read it in.
- if err := viper.ReadInConfig(); err == nil {
- fmt.Println("Using config file:", viper.ConfigFileUsed())
- }
-}
diff --git a/kubernetes/helm/utils/cmd/route.go b/kubernetes/helm/utils/cmd/route.go
deleted file mode 100644
index 71066d84f..000000000
--- a/kubernetes/helm/utils/cmd/route.go
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
-Copyright © 2019 ichbinfrog
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package cmd provides a cli module to interact with utils
-package cmd
-
-import (
- "log"
-
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/internal/promote"
- "github.com/spf13/cobra"
-)
-
-// routeCmd represents the route command
-var routeCmd = &cobra.Command{
- Use: "route",
- Short: "reconfigures the admin chart",
- Long: `This subcommand allows for upgrading the vulnerability assessment tool
-admin chart hosted on k8s to serve the latest release. In short, this upgrade
-the ingresses (not the entire chart along with the NGINX Ingress controller) allowing
-for a ~zero downtime upgrade.`,
- Args: cobra.MinimumNArgs(1),
- Run: func(cmd *cobra.Command, args []string) {
- chartDir := args[0]
-
- if oldRelease == "" {
- log.Fatal("Admin release name required")
- }
-
- if newRelease == "" {
- log.Fatal("Core release name required")
- }
-
- promote.Reroute(&promote.Context{
- OldRelease: oldRelease,
- NewRelease: newRelease,
- ChartDir: chartDir,
- Kubeconfig: kubeconfig,
- DryRun: dryRun,
- CoreNamespace: coreNamespace,
- AdminNamespace: adminNamespace,
- })
-
- },
-}
-
-func init() {
- rootCmd.AddCommand(routeCmd)
-
- // Here you will define your flags and configuration settings.
- routeCmd.PersistentFlags().StringVar(&adminNamespace, "adminNamespace", "", "admin namespace")
- routeCmd.PersistentFlags().StringVar(&coreNamespace, "coreNamespace", "", "core namespace")
- routeCmd.PersistentFlags().StringVar(&oldRelease, "adminRelease", "", "current admin release name")
- routeCmd.PersistentFlags().StringVar(&newRelease, "coreRelease", "", "current core chart release name")
-}
diff --git a/kubernetes/helm/utils/cmd/upgrade.go b/kubernetes/helm/utils/cmd/upgrade.go
deleted file mode 100644
index c18665469..000000000
--- a/kubernetes/helm/utils/cmd/upgrade.go
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
-Copyright © 2019 ichbinfrog
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package cmd provides a cli module to interact with utils
-package cmd
-
-import (
- "log"
-
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/internal/promote"
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/pkg/release"
- "github.com/spf13/cobra"
-)
-
-// upgradeCmd represents the upgrade command
-var upgradeCmd = &cobra.Command{
- Use: "upgrade",
- Short: "Automates upgrades that require schema changes",
- Long: `A longer description that spans multiple lines and likely contains examples
-and usage of using your command. For example:
-
-Cobra is a CLI library for Go that empowers applications.
-This application is a tool to generate the needed files
-to quickly create a Cobra application.`,
- Args: cobra.MinimumNArgs(1),
- Run: func(cmd *cobra.Command, args []string) {
- chartDir := args[0]
-
- if oldRelease == "" {
- log.Fatal("old release required")
- }
-
- if newRelease == "" {
- newRelease = *release.GenerateNonConflictRelease(&oldRelease)
- log.Printf("new release name not provided, automatically generated (%s)", newRelease)
- }
-
- promote.HelmUpgrade(&promote.Context{
- OldRelease: oldRelease,
- NewRelease: newRelease,
- ChartDir: chartDir,
- Kubeconfig: kubeconfig,
- DryRun: dryRun,
- CoreNamespace: coreNamespace,
- AdminNamespace: adminNamespace,
- })
-
- },
-}
-
-var (
- oldRelease, newRelease, adminNamespace string
- dryRun bool
-)
-
-func init() {
- rootCmd.AddCommand(upgradeCmd)
-
- // Here you will define your flags and configuration settings.
- upgradeCmd.PersistentFlags().StringVarP(&coreNamespace, "namespace", "n", "", "core namespace")
- upgradeCmd.PersistentFlags().StringVarP(&oldRelease, "oldrelease", "o", "", "old release name")
- upgradeCmd.PersistentFlags().StringVarP(&newRelease, "futurerelease", "f", "", "(optional) new release name")
- upgradeCmd.PersistentFlags().BoolVarP(&dryRun, "dryrun", "d", true, "plans the migration out")
-}
diff --git a/kubernetes/helm/utils/go.mod b/kubernetes/helm/utils/go.mod
deleted file mode 100644
index 77a2c36be..000000000
--- a/kubernetes/helm/utils/go.mod
+++ /dev/null
@@ -1,27 +0,0 @@ -module github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils - -go 1.13 - -require ( - github.com/gogo/protobuf v1.3.1 // indirect - github.com/googleapis/gnostic v0.3.1 // indirect - github.com/imdario/mergo v0.3.8 // indirect - github.com/magiconair/properties v1.8.1 // indirect - github.com/mitchellh/go-homedir v1.1.0 - github.com/pelletier/go-toml v1.5.0 // indirect - github.com/spf13/cobra v0.0.5 - github.com/spf13/jwalterweatherman v1.1.0 // indirect - github.com/spf13/pflag v1.0.5 // indirect - github.com/spf13/viper v1.4.0 - golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect - golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 // indirect - golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect - golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect - google.golang.org/appengine v1.6.5 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v3 v3.0.0-20191010095647-fc94e3f71652 - k8s.io/api v0.0.0-20191016225839-816a9b7df678 - k8s.io/apimachinery v0.0.0-20191016225534-b1267f8c42b4 - k8s.io/client-go v0.0.0-20191005115821-b1fd78950135 - k8s.io/utils v0.0.0-20191010214722-8d271d903fe4 // indirect -) diff --git a/kubernetes/helm/utils/go.sum b/kubernetes/helm/utils/go.sum deleted file mode 100644 index fc3f5f091..000000000 --- a/kubernetes/helm/utils/go.sum +++ /dev/null 
@@ -1,343 +0,0 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -github.com/Azure/go-autorest/autorest v0.9.0 h1:MRvx8gncNaXJqOoLmhNjUAKh33JJF8LyxPhomEtOsjs= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest/adal v0.5.0 h1:q2gDruN08/guU9vAjuPWff0+QIrpH6ediguzdAzXAUU= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/date v0.1.0 h1:YGrhWfrgtFs84+h0o46rJrlmsZtyZRg470CqAXTZaGM= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0 h1:Ww5g4zThfD/6cLb4z6xxgeyDa7QDkizMkJKe0ysZXp0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/logger v0.1.0 h1:ruG4BSDXONFRrZZJ2GUXDiUyVpayPmb1GnWeHDdaNKY= -github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/tracing v0.5.0 h1:TRn4WjSnkcSy5AEG3pnbtFSwNtwzjr4VYyQflFE619k= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= -github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/OneOfOne/xxhash v1.2.2/go.mod 
h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.0/go.mod 
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= 
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I= -github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2 
h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= -github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d h1:7XGaL1e6bYS1yIonGp9761ExpPPV1ui0SAC59Yube9k= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= -github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= -github.com/gophercloud/gophercloud v0.1.0 h1:P/nh25+rzXouhytV2pUHBb65fnds26Ghl8/391+sT5o= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= 
-github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= -github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ= -github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo= -github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/julienschmidt/httprouter v1.2.0/go.mod 
h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY= -github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4= -github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod 
h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.5.0 h1:5BakdOZdtKJ1FFk6QdL8iSGrMWsXgchNJcrnarjbmJQ= -github.com/pelletier/go-toml v1.5.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys= 
-github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/spaolacci/murmur3 
v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI= -github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s= -github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= -github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= -github.com/spf13/viper v1.4.0 h1:yXHLWeravcrgGyFSyCgdYpXQ9dR9c/WED3pg1RhxqEU= -github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
-github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3 h1:XQyxROzUlZH+WIQwySDgnISgOivlhjIEwaQaJEJrrN0= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
-golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc h1:gkKoSkUmnU6bpS/VhkuO27bzQeSA51uaEfbOW5dNb68= -golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 h1:p9xBe/w/OzkeYVKm234g55gMdD1nSIooTir5kV11kfA= -golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191010194322-b09406accb47 h1:/XfQ9z7ib8eEJX2hdgFTZJ/ntt0swNk5oYBziWeTCvY= -golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 h1:xQwXv67TxFo9nC1GJFyab5eq/5B590r6RlnL/G8Sz7w= -golang.org/x/time 
v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138 h1:H3uGjxCR/6Ds0Mjgyp7LMK81+LvmbvWWEnJhzk1Pi9E= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod 
h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o= -gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v3 v3.0.0-20191010095647-fc94e3f71652 h1:VKvJ/mQ4BgCjZUDggYFxTe0qv9jPMHsZPD4Xt91Y5H4= -gopkg.in/yaml.v3 v3.0.0-20191010095647-fc94e3f71652/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.0.0-20191005115622-2e41325d9e4b h1:j1mSRwavnCC3Q5QpgH0ldhap5qeCnRuf7xl0l1VUzdM= -k8s.io/api v0.0.0-20191005115622-2e41325d9e4b/go.mod h1:V9fqJJO3eGaWUKb9e6wH3fx7JXl1IaSC1VhSLk7GJjA= -k8s.io/api v0.0.0-20191016225839-816a9b7df678 h1:z/0BV/tMBIvdwZvqBH/f7TWjQX9y3dj1nMNhrSK0h/8= -k8s.io/api v0.0.0-20191016225839-816a9b7df678/go.mod h1:LZQaT8MvVpl7Bg2lYFcQm7+Mpdxq8p1NFl3yh+5DCwY= -k8s.io/apimachinery v0.0.0-20191005115455-e71eb83a557c/go.mod h1:92mWDd8Ji2sw2157KIgino5wCxffA8KSvhW2oY4ypdw= -k8s.io/apimachinery v0.0.0-20191016225534-b1267f8c42b4 h1:XRoHQDFMktgtZM+TTvV8nYcp2hXHhnx1E0RJOUX3t/E= -k8s.io/apimachinery v0.0.0-20191016225534-b1267f8c42b4/go.mod h1:92mWDd8Ji2sw2157KIgino5wCxffA8KSvhW2oY4ypdw= -k8s.io/client-go v0.0.0-20191005115821-b1fd78950135 h1:KRmmu0QoQRZxRuQVyzWs3fMyZ85ZJf7PpnnpH4FvuyU= -k8s.io/client-go v0.0.0-20191005115821-b1fd78950135/go.mod h1:y9Rvsae8RfW0HpclmE1lCx4wUxrLDRhXv9gh8SWYhvc= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/kube-openapi v0.0.0-20190816220812-743ec37842bf/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= -k8s.io/utils v0.0.0-20190920012459-5008bf6f8cd6 h1:rfepARh/ECp66dk9TTmT//1PBkHffjnxhdOrgH4m+eA= -k8s.io/utils v0.0.0-20190920012459-5008bf6f8cd6/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -k8s.io/utils v0.0.0-20191010214722-8d271d903fe4 h1:Gi+/O1saihwDqnlmC8Vhv1M5Sp4+rbOmK9TbsLn8ZEA= -k8s.io/utils v0.0.0-20191010214722-8d271d903fe4/go.mod 
h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= -sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
diff --git a/kubernetes/helm/utils/internal/isolate/clean.go b/kubernetes/helm/utils/internal/isolate/clean.go
deleted file mode 100644
index fc974f812..000000000
--- a/kubernetes/helm/utils/internal/isolate/clean.go
+++ /dev/null
@@ -1,108 +0,0 @@
-// Package isolate provides a module to isolate a pod from the vulnerability-assessment-tool-core
-// chart into a new release in order to allow for a migration with schema changes
-package isolate
-
-import (
- "fmt"
- "log"
-
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/pkg/convert"
- batchv1 "k8s.io/api/batch/v1"
- apiv1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func cleanUpJob(namespace *string, claimName *string) {
- name := "database-master-promotion"
- jobClient := clientset.BatchV1().Jobs(*namespace)
-
- job := &batchv1.Job{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- },
- Spec: batchv1.JobSpec{
- Parallelism: convert.Int32Ptr(1),
- ActiveDeadlineSeconds: convert.Int64Ptr(100),
- BackoffLimit: convert.Int32Ptr(0),
-
- Template: apiv1.PodTemplateSpec{
- ObjectMeta: metav1.ObjectMeta{
- Labels: map[string]string{
- "app.kubernetes.io/name": name,
- },
- },
- Spec: apiv1.PodSpec{
- RestartPolicy: "Never",
- Volumes: []apiv1.Volume{
- {
- Name: *claimName,
- VolumeSource: apiv1.VolumeSource{
- PersistentVolumeClaim: &apiv1.PersistentVolumeClaimVolumeSource{
- ClaimName: *claimName,
- },
- },
- },
- },
- Containers: []apiv1.Container{
- {
- Name: name,
- Image: "postgres:11.5-alpine",
- Command: []string{
- "sh",
- "-c",
- "rm -f /var/lib/postgresql/data/pgdata/recovery.conf",
- },
- VolumeMounts: []apiv1.VolumeMount{
- {
- Name: *claimName,
- MountPath: "/var/lib/postgresql/data",
- },
- },
- SecurityContext: &apiv1.SecurityContext{
- RunAsUser: convert.Int64Ptr(999),
- },
- },
- },
- },
- },
- },
- }
-
- _, err := jobClient.Create(job)
- if err != nil {
- log.Fatal(err)
- }
-
- // Watch job progression through events
- labelSelector := fmt.Sprintf("app.kubernetes.io/name=%s", name)
- watcher, err := jobClient.Watch(metav1.ListOptions{
- LabelSelector: labelSelector,
- })
-
- if err != nil {
- log.Fatal(err)
- }
- fmt.Println("Master promotion job launched, watching for 
changes in the cluster")
- jobChange := watcher.ResultChan()
-
- for event := range jobChange {
- fmt.Printf("Job %s: encountered event %v\n", job.Name, event.Type)
- jobWatch, ok := event.Object.(*batchv1.Job)
- if !ok {
- log.Fatal("Unexpected error")
- }
-
- status := jobWatch.Status
- if status.Succeeded >= 1 || status.Failed >= 1 || event.Type == "DELETED" {
- fmt.Println(status.Conditions)
- fmt.Printf("Deleting job...")
- deleteErr := jobClient.Delete(job.Name, &metav1.DeleteOptions{})
-
- if deleteErr != nil {
- log.Fatal(deleteErr)
- }
- fmt.Println("Successfully deleted job (Pod is maintained to allow for further log viewing)")
- return
- }
- }
-}
diff --git a/kubernetes/helm/utils/internal/isolate/isolate.go b/kubernetes/helm/utils/internal/isolate/isolate.go
deleted file mode 100644
index e5124b5eb..000000000
--- a/kubernetes/helm/utils/internal/isolate/isolate.go
+++ /dev/null
@@ -1,117 +0,0 @@
-package isolate
-
-import (
- "fmt"
- "log"
- "strings"
-
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/pkg/connect"
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/pkg/convert"
- v1 "k8s.io/api/apps/v1"
- apiv1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/client-go/kubernetes"
- interfacev1 "k8s.io/client-go/kubernetes/typed/apps/v1"
- "k8s.io/client-go/util/retry"
-)
-
-func getClient() *kubernetes.Clientset {
- clientset, clientErr := connect.GetClient("")
- if clientErr != nil {
- log.Fatal(clientErr)
- }
- return clientset
-}
-
-var (
- clientset = getClient()
-)
-
-func getStatefulSets(name *string, namespace *string) (interfacev1.StatefulSetInterface, *v1.StatefulSet, error) {
- statefulsetClient := clientset.AppsV1().StatefulSets(*namespace)
- statefulset, getErr := statefulsetClient.Get(*name, metav1.GetOptions{})
-
- if getErr != nil {
- return nil, nil, getErr
- }
-
- return statefulsetClient, statefulset, nil
-}
-
-func getPVC(pod *apiv1.Pod) *string {
- if pod != nil {
- for _, volume := range pod.Spec.Volumes {
- if strings.Contains(volume.Name, "volume-claim") {
- claimName := volume.VolumeSource.PersistentVolumeClaim.ClaimName
- fmt.Printf("Reallocating PVC %s bound to pod %s\n", claimName, pod.ObjectMeta.Name)
- return &claimName
- }
- }
- }
- return nil
-}
-
-func getPods(name *string, namespace *string) (*apiv1.Pod, error) {
- podClient := clientset.CoreV1().Pods(*namespace)
- statefulSetSelector := fmt.Sprintf("app.kubernetes.io/instance=%s", *name)
- fmt.Printf("Constructing label selector %s\n", statefulSetSelector)
-
- podList, listErr := podClient.List(metav1.ListOptions{
- LabelSelector: statefulSetSelector,
- Limit: 100,
- })
-
- if listErr != nil {
- return nil, listErr
- }
- if len(podList.Items) != 0 {
- isolatedPod := podList.Items[len(podList.Items)-1]
- return &isolatedPod, nil
- }
- return nil, nil
-}
-
-func 
scaleDown(name *string, namespace *string) error {
- statefulsetClient, statefulset, getErr := getStatefulSets(name, namespace)
-
- if getErr != nil {
- return getErr
- }
-
- fmt.Printf("Found statefulset %s in namespace %s\n", *name, *namespace)
- if *statefulset.Spec.Replicas <= int32(1) {
- return (fmt.Errorf("Statefulset has %d replicas, which is not enough for migration (at least 2 required)", *statefulset.Spec.Replicas))
- }
-
- retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
- statefulset.Spec.Replicas = convert.Int32Ptr(*statefulset.Spec.Replicas - 1)
- _, updateErr := statefulsetClient.Update(statefulset)
- return updateErr
- })
-
- if retryErr != nil {
- return retryErr
- }
- fmt.Printf("Successfully scaled down replicas to %d\n", *statefulset.Spec.Replicas)
- return nil
-}
-
-// Isolate helps scale down replicas for the postgres slaves whilst also keeping
-// old PersistentVolumeClaim for optimal migration speed
-func Isolate(name *string, namespace *string) *string {
- pod, _ := getPods(name, namespace)
- if pod == nil {
- log.Fatalf("Did not find any matching master instance")
- }
- pvcName := getPVC(pod)
-
- if pvcName == nil {
- log.Fatalf("Failed to find PVC mounted to pod %s", *pvcName)
- }
-
- if scaleErr := scaleDown(name, namespace); scaleErr != nil {
- log.Fatal(scaleErr)
- }
- cleanUpJob(namespace, pvcName)
- return pvcName
-}
diff --git a/kubernetes/helm/utils/internal/load/load.go b/kubernetes/helm/utils/internal/load/load.go
deleted file mode 100644
index c5ac7c070..000000000
--- a/kubernetes/helm/utils/internal/load/load.go
+++ /dev/null
@@ -1,248 +0,0 @@
-// Package load provides multithreading job and config creation that uses
-// patchanalyzer to load vulnerabilities into the vulnerability database
-package load
-
-import (
- "fmt"
- "io/ioutil"
- apiv1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
- "log"
- "os"
- "strconv"
- "strings"
- "sync"
-
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/pkg/connect"
- "gopkg.in/yaml.v3"
- watchapi "k8s.io/apimachinery/pkg/watch"
-)
-
-// CVE represents a simplified vulnerability to be loaded
-type CVE struct {
- Reference string `yaml:"reference"`
- Repo string `yaml:"repo"`
- Commit string `yaml:"commit"`
- Description string `yaml:"description"`
- Links string `yaml:"links"`
-}
-
-// Context represents the Context passed to execute the loading job
-type Context struct {
- KubeConfig string `yaml:"kubeconfig"`
- Concurrent int `yaml:"concurrent"`
- ReleaseName string `yaml:"release"`
- Namespace string `yaml:"namespace"`
- Skip bool `yaml:"skip"`
- DryRun bool `yaml:"dryrun"`
- Source string `yaml:"source"`
-}
-
-func getCVEList(source *string) ([]CVE, error) {
- if _, err := os.Stat(*source); err != nil {
- return nil, err
- }
- yamlFile, readErr := ioutil.ReadFile(*source)
- if readErr != nil {
- return nil, readErr
- }
-
- cveList := make(map[string][]CVE)
- if unmarshallErr := yaml.Unmarshal(yamlFile, cveList); unmarshallErr != nil {
- fmt.Println(unmarshallErr)
- return nil, unmarshallErr
- }
- if cveList["bugs"] != nil {
- return cveList["bugs"], nil
- }
-
- return nil, fmt.Errorf("Malformed source file")
-}
-
-// SplitCVE splits loaded bugs into equal chunks to be distributed
-func SplitCVE(context *Context) ([][]CVE, error) {
- cveList, err := getCVEList(&context.Source)
- if err != nil {
- return nil, err
- }
-
- var distributedCve [][]CVE
- chunkSize := (len(cveList) + context.Concurrent - 1) / context.Concurrent
-
- for i := 0; i < 
len(cveList); i += chunkSize {
- end := i + chunkSize
- if end > len(cveList) {
- end = len(cveList)
- }
-
- distributedCve = append(distributedCve, cveList[i:end])
- }
-
- return distributedCve, nil
-}
-
-// UploadBugs helps upload the bugs into the desired restbackend
-func UploadBugs(context *Context, bugs [][]CVE) {
- var wg sync.WaitGroup
-
- clientset, connectErr := connect.GetClient(context.KubeConfig)
- if connectErr != nil {
- log.Fatal(connectErr)
- }
- podClient := clientset.CoreV1().Pods(context.Namespace)
-
- for chunkID, cveList := range bugs {
- wg.Add(1)
- go func(context *Context, podClient corev1.PodInterface, bugs []CVE, chunkID int) {
- defer wg.Done()
- failed := []CVE{}
- bugLength := len(bugs)
-
- for progress, bug := range bugs {
- pod := createPod(podClient, chunkID, bug, *context)
- if _, err := podClient.Create(&pod); err != nil {
- fmt.Printf("Chunk %d [%d/%d]: Pod creation failed %s\n", chunkID, progress+1, bugLength, err)
- } else {
- fmt.Printf("Chunk %d [%d/%d]: Pod to analyze bug %s started \n", chunkID, progress+1, bugLength, bug.Reference)
-
- // Watches pod for completion
- watch, _ := podClient.Watch(metav1.ListOptions{
- LabelSelector: fmt.Sprintf("app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s", getPodName(bug), strconv.Itoa(chunkID)),
- })
-
- for event := range watch.ResultChan() {
- podStatus, ok := event.Object.(*apiv1.Pod)
-
- if !ok {
- log.Fatalf("Chunk %d [%d/%d]: Encountered unknown event type\n", progress+1, bugLength, chunkID)
- watch.Stop()
- }
-
- if event.Type == watchapi.Deleted {
- fmt.Printf("Chunk %d [%d/%d]: Bug analysis %s deleted by user, stopping execution\n", progress+1, bugLength, chunkID, bug.Reference)
- watch.Stop()
- wg.Done()
- }
-
- if podStatus.Status.Phase == apiv1.PodFailed || podStatus.Status.Phase == apiv1.PodUnknown {
- fmt.Printf("Chunk %d [%d/%d]: Bug analysis %s failed\n", chunkID, progress+1, bugLength, bug.Reference)
- failed = append(failed, bug)
- watch.Stop()
- }
-
- if 
podStatus.Status.Phase == apiv1.PodSucceeded {
- // Checks container status for proper exit code
- lastState := podStatus.Status.ContainerStatuses[0].State.Terminated
-
- // Error on code execution
- if lastState.ExitCode != 0 {
- fmt.Printf("Chunk %d [%d/%d]: Bug analysis %s failed (to see log use `kubectl get logs -n %s %s`)\n", chunkID, progress+1, bugLength, bug.Reference, context.Namespace, getPodName(bug))
- failed = append(failed, bug)
- } else {
- // Only succeeded containers are deleted
- if deleteErr := podClient.Delete(pod.Name, &metav1.DeleteOptions{}); err != nil {
- fmt.Printf("Chunk %d [%d/%d]: Bug analysis %s could not be delete because (%s)", chunkID, progress+1, bugLength, bug.Reference, deleteErr)
- }
- fmt.Printf("Chunk %d [%d/%d]: Bug analysis %s succeeded \n", chunkID, progress+1, bugLength, bug.Reference)
- }
- watch.Stop()
- }
- }
- }
- }
- fmt.Printf(`
----
-Chunk %d: completed with %d failed analysis / %d bugs
----
-
-`, chunkID, len(failed), bugLength)
- }(context, podClient, cveList, chunkID)
- }
- wg.Wait()
-}
-
-func getChunkName(chunkID int) string {
- return "bugs-loader-" + strconv.Itoa(chunkID)
-}
-
-func getPodName(bug CVE) string {
- return "bugs-loader-" + strings.ToLower(bug.Reference)
-}
-
-func getBackendService(release *string) string {
- return "http://" + *release + "-restbackend:8091/backend"
-}
-
-func createPod(podClient corev1.PodInterface, chunkID int, bug CVE, context Context) apiv1.Pod {
- pod := &apiv1.Pod{
- ObjectMeta: metav1.ObjectMeta{
- Name: getPodName(bug),
- Labels: map[string]string{
- "app.kubernetes.io/name": getPodName(bug),
- "app.kubernetes.io/part-of": "bugs-loader",
- "app.kubernetes.io/instance": strconv.Itoa(chunkID),
- },
- },
- Spec: apiv1.PodSpec{
- RestartPolicy: "Never",
- Containers: []apiv1.Container{
- {
- Name: getPodName(bug),
- Image: "vulas/vulnerability-assessment-tool-patch-analyzer:3.1.7-SNAPSHOT",
- ImagePullPolicy: "Always",
- Args: []string{
- 
"com.vulas.sap.psr.vulas.patcha.PatchAnalyzer",
- "-b",
- bug.Reference,
- "-r",
- bug.Repo,
- "-e",
- bug.Commit,
- "-descr",
- strconv.Quote(bug.Description),
- "-links",
- strconv.Quote(bug.Links),
- },
- Env: []apiv1.EnvVar{
- {
- Name: "vulas.shared.backend.serviceUrl",
- Value: getBackendService(&context.ReleaseName),
- },
- },
- },
- },
- },
- }
-
- if !context.DryRun {
- pod.Spec.Containers[0].Args = append(pod.Spec.Containers[0].Args, "-u")
- }
-
- if context.Skip {
- pod.Spec.Containers[0].Args = append(pod.Spec.Containers[0].Args, "-sie")
- }
-
- return *pod
-}
-
-// CleanLoad deletes all pods associated with the bug loader in the given namespace
-func CleanLoad(context *Context) {
- clientset, connectErr := connect.GetClient(context.KubeConfig)
- if connectErr != nil {
- log.Fatal(connectErr)
- }
- podClient := clientset.CoreV1().Pods(context.Namespace)
- podList, listErr := podClient.List(metav1.ListOptions{
- LabelSelector: "app.kubernetes.io/part-of=bugs-loader",
- })
-
- if listErr != nil {
- log.Fatal(listErr)
- }
-
- for _, pod := range podList.Items {
- fmt.Printf("CLEANUP: Deleting pod %s\n", pod.Name)
- podClient.Delete(pod.Name, &metav1.DeleteOptions{})
- }
-}
diff --git a/kubernetes/helm/utils/internal/promote/helm.go b/kubernetes/helm/utils/internal/promote/helm.go
deleted file mode 100644
index 6255bbd38..000000000
--- a/kubernetes/helm/utils/internal/promote/helm.go
+++ /dev/null
@@ -1,82 +0,0 @@
-package promote
-
-import (
- "fmt"
- "log"
- "os"
- "os/exec"
- "strings"
-
- "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/internal/isolate"
-)
-
-func checkPrereqs() string {
- path, err := exec.LookPath("helm")
- if err != nil {
- log.Fatal(err)
- }
- fmt.Printf("helm binary found on path %s\n", path)
- result, _ := exec.Command("helm", "version", "--short").Output()
- fmt.Printf("current helm version %s\n", string(result))
- if !strings.Contains(string(result), "v3") {
- log.Fatal("requires helm 3")
- }
-
- return path
-}
-
-var (
- path = checkPrereqs()
-)
-
-func checkErr(result []byte) bool {
- return strings.Contains(strings.ToUpper(string(result)), "ERROR")
-}
-
-func helmLint(ChartDir string) {
- fmt.Println("Checking if new chart is valid")
- result, _ := exec.Command("helm3", "lint", ChartDir).Output()
- if checkErr(result) {
- log.Fatal(string(result))
- }
-}
-
-func helmList(release string, namespace string) error {
- fmt.Println("Checking for given helm release existence")
- result, _ := exec.Command("helm3", "ls", "--short", "--namespace", namespace).Output()
- if checkErr(result) {
- log.Fatal(string(result))
- }
- if !strings.Contains(string(result), release) {
- log.Fatalf("Did not find given release %s in namespace %s", release, namespace)
- }
- fmt.Printf("Found charts %s\n", result)
- return nil
-}
-
-// HelmUpgrade performs the upgrade with schema migration
-func HelmUpgrade(context *Context) error {
- if err := os.Chdir(context.ChartDir); err != nil {
- return err
- }
-
- helmLint(".")
- if listErr := helmList(context.OldRelease, context.CoreNamespace); listErr != nil {
- return listErr
- }
-
- statefulsetName := fmt.Sprintf("%s-database-slave", context.OldRelease)
- claimName := isolate.Isolate(&statefulsetName, &context.CoreNamespace)
- if claimName != nil {
- replaceFiles(context, *claimName)
- fmt.Printf("Installing new release %s\n", context.NewRelease)
- result, _ := exec.Command("helm3", 
"install", context.NewRelease, ".").Output()
- if checkErr(result) {
- log.Fatal(string(result))
- }
- } else {
- return fmt.Errorf("Encountered unknown error with fetching claimName")
- }
-
- return nil
-}
diff --git a/kubernetes/helm/utils/internal/promote/promote.go b/kubernetes/helm/utils/internal/promote/promote.go
deleted file mode 100644
index 4154880ec..000000000
--- a/kubernetes/helm/utils/internal/promote/promote.go
+++ /dev/null
@@ -1,93 +0,0 @@
-// Package promote provides a module to promote a pod from the vulnerability-assessment-tool-core
-// chart into a new release in order to allow for a migration with schema changes
-package promote
-
-import (
- "fmt"
- "io/ioutil"
- "log"
- "os"
-
- "gopkg.in/yaml.v3"
-)
-
-// Context passed onto the promotion subcommand
-type Context struct {
- OldRelease string `yaml:"oldRelease"`
- NewRelease string `yaml:"newRelease"`
- ChartDir string `yaml:"ChartDir"`
- CoreNamespace string `yaml:"coreNamespace"`
- AdminNamespace string `yaml:"coreNamespace"`
- Kubeconfig string `yaml:"kubeconfig"`
- DryRun bool `yaml:"dryRun"`
-}
-
-func fileExists(name *string) bool {
- if _, err := os.Stat(*name); err == nil {
- return true
- }
- return false
-}
-
-func backup(src, dst string, overwrite bool) error {
- fmt.Printf("Backing up file %s into %s\n", src, dst)
- srcFile, readErr := ioutil.ReadFile(src)
- if readErr != nil {
- return readErr
- }
-
- if _, err := os.Stat(dst); err == nil {
- if !overwrite {
- return fmt.Errorf("promote.backup : cannot overwrite file")
- }
- }
- if writeErr := ioutil.WriteFile(dst, srcFile, 0644); writeErr != nil {
- return writeErr
- }
- return nil
-}
-
-func alterValues(src, dst, claimName string, overwrite bool) error {
- fmt.Printf("Rotating values from file %s to %s\n", src, dst)
- yamlFile, err := ioutil.ReadFile(src)
- if err != nil {
- return err
- }
-
- oldValues := make(map[string]interface{})
- unmarshalErr := yaml.Unmarshal(yamlFile, &oldValues)
- if unmarshalErr != nil {
- return unmarshalErr
- }
-
- if global := oldValues["global"]; global != nil {
- existingClaim := global.(map[string]interface{})["existingClaim"]
- if !overwrite && existingClaim != nil {
- return fmt.Errorf("promote.Copy : existing value cannot be overwritten")
- }
- global.(map[string]interface{})["existingClaim"] = claimName
- }
-
- newValues, marshalErr := yaml.Marshal(&oldValues)
- if marshalErr != nil {
- return marshalErr
- }
-
- if writeErr 
:= ioutil.WriteFile(dst, newValues, 0644); writeErr != nil {
- return writeErr
- }
- return nil
-}
-
-func replaceFiles(context *Context, claimName string) {
- valuesName := "values.yaml"
- currentName := context.OldRelease + "-values.yaml"
- futureName := context.NewRelease + "-values.yaml"
- if ok := fileExists(&valuesName); ok {
- backup(valuesName, currentName, true)
- backup(valuesName, futureName, true)
- alterValues(futureName, valuesName, claimName, true)
- } else {
- log.Fatal("values.yaml not found")
- }
-}
diff --git a/kubernetes/helm/utils/internal/promote/reroute.go b/kubernetes/helm/utils/internal/promote/reroute.go
deleted file mode 100644
index 73d5a8cdf..000000000
--- a/kubernetes/helm/utils/internal/promote/reroute.go
+++ /dev/null
@@ -1,75 +0,0 @@
-package promote
-
-import (
- "fmt"
- "io/ioutil"
- "log"
- "os"
- "os/exec"
-
- "gopkg.in/yaml.v3"
-)
-
-func alterWatch(src, dst, nextRelease string, overwrite bool) error {
- fmt.Printf("Rotating values from file %s to %s\n", src, dst)
- yamlFile, err := ioutil.ReadFile(src)
- if err != nil {
- return err
- }
-
- oldValues := make(map[string]interface{})
- unmarshalErr := yaml.Unmarshal(yamlFile, &oldValues)
- if unmarshalErr != nil {
- return unmarshalErr
- }
-
- if global := oldValues["global"]; global != nil {
- managedRelease := global.(map[string]interface{})["managedRelease"]
- if !overwrite && managedRelease != nil {
- return fmt.Errorf("promote.Copy : existing value cannot be overwritten")
- }
- global.(map[string]interface{})["managedRelease"] = nextRelease
- }
-
- newValues, marshalErr := yaml.Marshal(&oldValues)
- if marshalErr != nil {
- return marshalErr
- }
-
- if writeErr := ioutil.WriteFile(dst, newValues, 0644); writeErr != nil {
- return writeErr
- }
- return nil
-}
-
-// Reroute modifies the vulnerability-assessment-tool-admin chart to point the
-// ingress controller to serve the newest release
-func Reroute(context *Context) error {
- if err := os.Chdir(context.ChartDir); err != nil {
- return err
- }
- valuesName := "values.yaml"
- currentName := context.OldRelease + "-values.yaml"
-
- if ok := fileExists(&valuesName); ok {
- backup(valuesName, currentName, true)
- alterWatch(currentName, valuesName, context.NewRelease, true)
- } else {
- log.Fatal("values.yaml not found")
- }
-
- helmLint(".")
- if listErr := helmList(context.OldRelease, context.AdminNamespace); listErr != nil {
- return listErr
- }
- if listErr := helmList(context.NewRelease, context.CoreNamespace); listErr != nil {
- return listErr
- }
-
- fmt.Printf("Upgrading old release %s\n", context.OldRelease)
- result, _ := exec.Command("helm3", "upgrade", context.OldRelease, ".").Output()
- if checkErr(result) {
- log.Fatal(string(result))
- }
- return nil
-}
diff --git a/kubernetes/helm/utils/internal/restore/restore.go b/kubernetes/helm/utils/internal/restore/restore.go
deleted file mode 100644
index c9f0909c4..000000000
--- a/kubernetes/helm/utils/internal/restore/restore.go
+++ /dev/null
@@ -1,236 +0,0 @@ -package restore - -import ( - "bytes" - "fmt" - "io" - "log" - - "time" - - "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/pkg/connect" - "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/pkg/convert" - batchv1 "k8s.io/api/batch/v1" - apiv1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/client-go/kubernetes" -) - -// Context passed for the restore command -type Context struct { - Kubeconfig string `yaml:"kubeconfig"` - Source DatabaseAccess `yaml:"source,omitempty"` - Destination DatabaseAccess `yaml:"destination,omitempty"` - Namespace string `yaml:"namespace"` - Purge bool `yaml:"purge"` -} - -// DatabaseAccess to model the source and destination accesses -type DatabaseAccess struct { - Host string `yaml:"host"` - Port string `yaml:"port"` - User string `yaml:"user"` - Password string `yaml:"password"` - Path string `yaml:"path"` - Database string `yaml:"db"` -} - -func getClient() *kubernetes.Clientset { - clientset, clientErr := connect.GetClient("") - if clientErr != nil { - log.Fatal(clientErr) - } - return clientset -} - -var ( - clientset = getClient() -) - -func createJob(context *Context) *batchv1.Job { - return &batchv1.Job{ - ObjectMeta: metav1.ObjectMeta{ - Name: "database-migrator", - }, - Spec: batchv1.JobSpec{ - Parallelism: convert.Int32Ptr(1), - BackoffLimit: convert.Int32Ptr(0), - - Template: apiv1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{ - "app.kubernetes.io/name": "database-migrator", - }, - }, - Spec: apiv1.PodSpec{ - RestartPolicy: "Never", - Containers: []apiv1.Container{ - { - Name: "database-migrator-container", - Image: "postgres:11.5-alpine", - Command: []string{ - "sh", - "-c", - ` - #!/bin/bash - DUMP_URL="${SOURCE_HOST}:${SOURCE_PORT}${SOURCE_PATH}" - DROP_CMD="'DROP SCHEMA public CASCADE; CREATE SCHEMA public;'" - - echo "Installing prerequisites { curl }" - apk add --no-cache curl - - 
START_TIME=$(date +%s) - curl -kso /tmp/tmp.dump -u $SOURCE_USER:$SOURCE_PASSWORD $DUMP_URL - - if [ $? -ne 0 ]; then - echo "[-] Could not fetch any $s dump. Exiting" - exit 1 - fi - - echo "[+] Fetched in $((($(date +%s)-$START_TIME))) seconds." - START_TIME=$(date +%s) - - if [ $PURGE ]; then - sh -c "echo $DROP_CMD | psql --host $DESTINATION_HOST -U $DESTINATION_USER --dbname $DESTINATION_DB" - fi - - pg_restore --verbose --clean --if-exists --no-acl --host $DESTINATION_HOST -U $DESTINATION_USER --dbname $DESTINATION_DB /tmp/tmp.dump - echo "[+] Restored in $((($(date +%s)-$START_TIME))) seconds." - exit 0 - `, - }, - Env: []apiv1.EnvVar{ - { - Name: "SOURCE_HOST", - Value: context.Source.Host, - }, - { - Name: "SOURCE_PORT", - Value: string(context.Source.Port), - }, - { - Name: "SOURCE_PATH", - Value: context.Source.Path, - }, - { - Name: "SOURCE_USER", - Value: context.Source.User, - }, - { - Name: "SOURCE_PASSWORD", - Value: context.Source.Password, - }, - { - Name: "DESTINATION_HOST", - Value: context.Destination.Host, - }, - { - Name: "DESTINATION_USER", - Value: context.Destination.User, - }, - { - Name: "DESTINATION_PASSWORD", - Value: context.Destination.Password, - }, - { - Name: "DESTINATION_DB", - Value: context.Destination.Database, - }, - { - Name: "PGPASSWORD", - Value: context.Destination.Password, - }, - }, - }, - }, - }, - }, - }, - } -} - -func fetchJobPods(label *string, namespace *string) (*apiv1.Pod, error) { - podClient := clientset.CoreV1().Pods(*namespace) - list, err := podClient.List(metav1.ListOptions{ - LabelSelector: *label, - }) - - if err != nil { - return nil, err - } - - // Should launch only a single job - for _, pod := range list.Items { - return &pod, nil - } - return nil, fmt.Errorf("restore.fetchJobPods: No pod has been launched") -} - -func getPodLogs(pod apiv1.Pod) (string, error) { - podLogOpts := apiv1.PodLogOptions{ - SinceSeconds: convert.Int64Ptr(2), - } - req := 
clientset.CoreV1().Pods(pod.Namespace).GetLogs(pod.Name, &podLogOpts)
- podLogs, err := req.Stream()
- if err != nil {
- return "", fmt.Errorf("restore.getPodLogs : error in opening stream")
- }
- defer podLogs.Close()
-
- buf := new(bytes.Buffer)
- _, err = io.Copy(buf, podLogs)
- if err != nil {
- return "", fmt.Errorf("restore.getPodLogs : error in copy information from podLogs to buf")
- }
- str := buf.String()
-
- return str, nil
-}
-
-// LoadDumps loads a dump according to the context passed
-func LoadDumps(context *Context) {
- jobClient := clientset.BatchV1().Jobs(context.Namespace)
- job := createJob(context)
-
- _, err := jobClient.Create(job)
- if err != nil {
- log.Fatal(err)
- }
-
- if err != nil {
- log.Fatal(err)
- }
-
- fmt.Println("Migration launched")
- // Get pods associated with this job
- labelSelector := fmt.Sprintf("app.kubernetes.io/name=database-migrator")
-
- fmt.Println("Sleeping for 10s to wait for pod to spin up")
- time.Sleep(10000 * time.Millisecond)
- pod, fetchErr := fetchJobPods(&labelSelector, &context.Namespace)
- if fetchErr != nil {
- log.Fatal(fetchErr)
- }
-
- fmt.Printf("Log tailing started on pod %s\n", pod.Name)
- for {
- time.Sleep(2000 * time.Millisecond)
- podLog, podLogerr := getPodLogs(*pod)
- if podLogerr != nil {
- cleanUpJob(job, &context.Namespace)
- }
- if podLog != "" {
- fmt.Println(podLog)
- }
- }
-}
-
-func cleanUpJob(job *batchv1.Job, namespace *string) {
- jobClient := clientset.BatchV1().Jobs(*namespace)
- deleteErr := jobClient.Delete(job.Name, &metav1.DeleteOptions{})
- if deleteErr != nil {
- log.Fatal(deleteErr)
- }
- fmt.Printf("Successfully delete job...")
-}
diff --git a/kubernetes/helm/utils/main.go b/kubernetes/helm/utils/main.go
deleted file mode 100644
index e6ba92462..000000000
--- a/kubernetes/helm/utils/main.go
+++ /dev/null
@@ -1,7 +0,0 @@
-package main
-
-import "github.com/ichbinfrog/vulnerability-assessment-tool/kubernetes/helm/utils/cmd"
-
-func main() {
- cmd.Execute()
-}
diff --git a/kubernetes/helm/utils/pkg/connect/client.go b/kubernetes/helm/utils/pkg/connect/client.go
deleted file mode 100644
index 6ff435cb5..000000000
--- a/kubernetes/helm/utils/pkg/connect/client.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package connect
-
-import (
- "path/filepath"
-
- "k8s.io/client-go/kubernetes"
- _ "k8s.io/client-go/plugin/pkg/client/auth"
- "k8s.io/client-go/tools/clientcmd"
- "k8s.io/client-go/util/homedir"
-)
-
-// GetClient returns a kubernetes client built from a kubeconfig string
-func GetClient(kubeconfig string) (*kubernetes.Clientset, error) {
- if kubeconfig == "" {
- if home := homedir.HomeDir(); home != "" {
- kubeconfig = filepath.Join(home, ".kube", "config")
- }
- }
-
- config, configErr := clientcmd.BuildConfigFromFlags("", kubeconfig)
- if configErr != nil {
- return nil, configErr
- }
-
- clientset, clientErr := kubernetes.NewForConfig(config)
- if clientErr != nil {
- return nil, clientErr
- }
-
- return clientset, nil
-}
diff --git a/kubernetes/helm/utils/pkg/convert/convert.go b/kubernetes/helm/utils/pkg/convert/convert.go
deleted file mode 100644
index 3ecd444a7..000000000
--- a/kubernetes/helm/utils/pkg/convert/convert.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package convert
-
-// Int32Ptr converts an int32 to an int32 pointer
-func Int32Ptr(i int32) *int32 { return &i }
-
-// Int64Ptr converts an int64 to an int64 pointer
-func Int64Ptr(i int64) *int64 { return &i }
-
-// BoolPtr converts a bool to a boolean pointer
-func BoolPtr(b bool) *bool { return &b }
diff --git a/kubernetes/helm/utils/pkg/release/release.go b/kubernetes/helm/utils/pkg/release/release.go
deleted file mode 100644
index 98eea836d..000000000
--- a/kubernetes/helm/utils/pkg/release/release.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package release
-
-import (
- "math/rand"
- "time"
-)
-
-var (
- names = [...]string{
- "archimedes",
- "austin",
- "banzai",
- "beaver",
- "blackwell",
- "bohr",
- "cerf",
- "cohen",
- "feynman",
- "hamilton",
- }
-)
-
-func init() {
- rand.Seed(time.Now().UTC().UnixNano())
-}
-
-func generateReleaseName() *string {
- return &names[rand.Intn(len(names))]
-}
-
-// GenerateNonConflictRelease generates a releasename different from the old one
-func GenerateNonConflictRelease(oldRelease *string) *string {
- for {
- name := generateReleaseName()
- if name != oldRelease {
- return name
- }
- }
-}
diff --git a/kubernetes/helm/utils/tests/bugs.yaml b/kubernetes/helm/utils/tests/bugs.yaml
deleted file mode 100644
index 89cc7a0c9..000000000
--- a/kubernetes/helm/utils/tests/bugs.yaml
+++ /dev/null
@@ -1,7582 +0,0 @@ -bugs: -- reference: CVE-2016-6816 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1767645:trunk,1767675:trunk,1767645:master,1767653:trunk,1767641:trunk,1767683:trunk - description: "" - links: "" - -- reference: CVE-2014-2059 - repo: https://github.com/jenkinsci/jenkins.git - commit: ad38d8480f20ce3cbf8fec3e2003bc83efda4f7d:master - description: "" - links: "" - -- reference: CVE-2018-8013 - repo: https://github.com/apache/batik/ - commit: f91125b26a6ca2b7a1195f1842360bed03629839:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-8013,https://xmlgraphics.apache.org/security.html" - - -- reference: AMQP-590 - repo: https://github.com/spring-projects/spring-amqp - commit: 462dcb6f1f93d54923daffb9729c1c8519576c08:master,4150f107e60cac4a7735fcf7cb4c1889a0cbab6:1.5.x - description: "Deserialization vulnerability. Add Class/Package White List to Deserializing Message Converters. Related to CVE-2016-6194. Fixed in 1.6 M2, 1.5.5 (see https://jira.spring.io/browse/AMQP-590)" - links: "https://github.com/spring-projects/spring-amqp/pull/388" - - -- reference: APACHE-COMMONS-001 - repo: https://github.com/apache/commons-compress/ - commit: a080293da69f3fe3d11d5214432e1469ee195870:master - description: "Overview: org.apache.commons:commons-compress defines an API for working with compression and archive formats. Affected versions of this package are vulnerable to Directory Traversal.\n Remediation: Upgrade org.apache.commons:commons-compress to version 1.18-RC1 or higher." 
- links: "https://github.com/apache/commons-compress/commit/a080293da69f3fe3d11d5214432e1469ee195870,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-72275" - -- reference: CVE-2018-12418 - repo: https://github.com/junrar/junrar/ - commit: ad8d0ba8e155630da8a1215cee3f253e0af45817:master - description: "" - links: "https://github.com/junrar/junrar/pull/8,https://snyk.io/vuln/SNYK-JAVA-COMGITHUBJUNRAR-32372" - - -- reference: CVE-2017-5929 - repo: https://github.com/qos-ch/logback - commit: f46044b805bca91efe5fd6afe52257cd02f775f8:master - description: "" - links: "" - - -- reference: CVE-2015-1839 - repo: https://github.com/saltstack/salt/ - commit: 22d2f7a1ec93300c34e8c42d14ec39d51e610b5c:master,b49d0d4b5ca5c6f31f03e2caf97cef1088eeed81:master - description: "" - links: "https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175568.html,https://www.cvedetails.com/cve/CVE-2015-1839/" - - -- reference: CVE-2017-9096 - repo: https://github.com/itext/itext7 - commit: 930a1c81f8ea4952df540f041befbfa2d6757838:master - description: "" - links: "" - - -- reference: CVE-2018-12537 - repo: https://github.com/eclipse/vert.x - commit: 1bb6445226c39a95e7d07ce3caaf56828e8aab72:master - description: "" - links: "" - - -- reference: CVE-2019-0225 - repo: https://github.com/apache/jspwiki/ - commit: 88d89d6523802c044cfcb7930cba40d8eeb21da2:master - description: "Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure Severity High Vendor The Apache Software Foundation Versions Affected Apache JSPWiki up to 2.11.0.M2 description A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki, which could be used by an attacker to obtain registered users' details. ref: JSPWIKI-1095 Mitigation Apache JSPWiki users should upgrade to 2.11.0.M3 or later." 
- links: "https://issues.apache.org/jira/browse/JSPWIKI-1095,https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225,https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9@%3Cuser.jspwiki.apache.org%3E" - - -- reference: CVE-2009-0039 - repo: https://github.com/apache/geronimo - commit: f8a612df7b06729bfd6c826e1a110d4bb40dc1f5:2.1,aa0c2c26dde8930cad924796af7c17a13d236b16:2.1.4,67dda0760bb0925ead201ddd5d809ff53686d63f:trunk - description: "" - links: "" - - -- reference: CVE-2016-1000340 - repo: https://github.com/bcgit/bc-java - commit: 790642084c4e0cadd47352054f868cc8397e2c00:master - description: "Static ECDH vulnerable to carry propagation bug. Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers." - links: "https://www.bouncycastle.org/releasenotes.html" - - -- reference: CVE-2017-8028 - repo: https://github.com/spring-projects/spring-ldap - commit: 08e8ae289bbd1b581986c7238604a147119c1336:master - description: "When connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect. Affectes Spring-LDAP versions 1.3.0 - 2.3.1. 
Upgrade to Spring-LDAP version 2.3.2.RELEASE+" - links: "https://github.com/spring-projects/spring-ldap/issues/430,https://pivotal.io/security/cve-2017-8028" - - -- reference: CVE-2018-10903 - repo: https://github.com/pyca/cryptography/ - commit: d4378e42937b56f473ddade2667f919ce32208cb:master - description: "A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage." - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1602931,https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-42164" - - -- reference: CVE-2019-1003033 - repo: https://github.com/jenkinsci/groovy-plugin/ - commit: 40777c212d45031324685b54816212299fbe434f:master - description: "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003033,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1338" - - -- reference: CVE-2018-8008 - repo: https://github.com/apache/storm/ - commit: 1117a37b01a1058897a34e11ff5156e465efb69:master,f61e5daf299d6c37c7ad65744d02556c94a16a4:1.1,0fc6b522487c061f89e8cdacf09f722d3f20589:1.0.x,efad4cca2d7d461f5f8c08a0d7b51fabeb82d0a:1.2 - description: "" - links: "http://seclists.org/oss-sec/2018/q2/159,https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58@%3Cdev.storm.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTORM-32346" - - -- reference: CVE-2011-1183 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1087643:trunk - description: "" - links: "" - - -- reference: CVE-2018-8088 - repo: https://github.com/qos-ch/slf4j/ - commit: c15d3c1dab0c3398011dec3a16ad3e45b75ae70d:master - description: "" - links: "https://github.com/spring-projects/spring-security/issues/7023,https://pivotal.io/security/cve-2019-11272" - - -- reference: CVE-2015-3268 - repo: https://github.com/apache/ofbiz - commit: 1c5d3856559d1eb4cdff5c0531346b4633541fa1:release12.04,5440c26c6b8dbc040a411391ee5a3180b2a91e6e:release14.12,c3cc66f1da0d54f918179c342280219024f64bc2:trunk,6612b5a3a18c05e16d902af263c277fa0177baa1:release13.07 - description: "" - links: "" - - -- reference: CVE-2014-3604 - repo: http://juliusdavies.ca/svn/not-yet-commons-ssl - commit: 172:trunk - description: "" - links: "" - - -- reference: CVE-2018-1002150 - repo: https://pagure.io/koji - commit: ab1ade7:master - description: "" - links: "https://pagure.io/koji/issue/850" - - -- reference: CVE-2018-1999020 - repo: https://github.com/opennetworkinglab/onos/ - commit: 4b19da6ce94de4865a365c200d6e8169ffb2184f:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999020" - - -- reference: CVE-2017-15691 - repo: https://github.com/apache/uima-uimaj/ - commit: 
39909bf21fd694f4fb792d1de8adc72562ead25e:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEUIMA-32235,https://uima.apache.org/security_report#CVE-2017-15691" - - -- reference: CVE-2019-1003048 - repo: https://github.com/jenkinsci/prqa-plugin/ - commit: f6d8492a8279fdfe9e3652bd01a6809fb5f296b6:master,6df96d7bd96dd9ef69575f43dc0e06a168d59b37:master - description: "PRQA Plugin stored password in plain text SECURITY-1089 / CVE-2019-1003048 PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system. The plugin now stores the password encrypted in the configuration files on disk." - links: "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1089" - - -- reference: CVE-2015-2913 - repo: https://github.com/orientechnologies/orientdb.git - commit: 668ece96be210e742a4e2820a3085b215cf55104:master - description: "" - links: "" - - -- reference: CVE-2015-0264 - repo: https://github.com/apache/camel - commit: 1df559649a96a1ca0368373387e542f46e4820da:master - description: "" - links: "" - - -- reference: CVE-2018-1261 - repo: https://github.com/spring-projects/spring-integration-extensions/ - commit: a5573eb232ff85199ff9bb28993df715d9a19a25:master - description: "" - links: "https://pivotal.io/security/cve-2018-1261,https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKINTEGRATION-31675" - - -- reference: CVE-2017-13098 - repo: https://github.com/bcgit/bc-java/ - commit: a00b684465b38d722ca9a3543b8af8568e6bad5c:master - description: "" - links: "" - - -- reference: CVE-2015-1326 - repo: https://github.com/martinpitt/python-dbusmock/ - commit: 4e7d0df9093:master - description: "python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1326" - - -- reference: CVE-2013-6447 - repo: https://github.com/seam2/jboss-seam.git - commit: 090aa6252affc978a96c388e3fc2c1c2688d9bb5:master - description: "" - links: "" - - -- reference: CVE-2018-10936 - repo: https://github.com/pgjdbc/pgjdbc - commit: cdeeaca47dc3bc6f727c79a582c9e4123099526e:master - description: "" - links: "" - - -- reference: CVE-2016-4464 - repo: https://github.com/apache/cxf-fediz - commit: 0006581e9cacbeef46381a223e5671e524d416b6:master - description: "" - links: "" - - -- reference: CVE-2012-2098 - repo: https://github.com/apache/commons-compress - commit: 0600296ab8f8a0bbdfedd483f51b38005eb8e34e:trunk,fdd7459bc5470e90024dbe762249166481cce769:trunk,1ce57d976c4f25fe99edcadf079840c278f3cb84:trunk,6e95697e783767f3549f00d7d2e1b002eac4a3d4:trunk,cca0e6e5341aacddefd4c4d36cef7cbdbc2a8777:trunk,654222e628097763ee6ca561ae77be5c06666173:trunk,8f702469cbf4c451b6dea349290bc4af0f6f76c7:trunk,b06f7b41c936ef1a79589d16ea5c1d8b93f71f66:trunk,6ced422bf5eca3aac05396367bafb33ec21bf74e:trunk,020c03d8ef579e80511023fb46ece30e9c3dd27d:trunk - description: "" - links: "" - - -- reference: CVE-2017-8031 - repo: https://github.com/cloudfoundry/uaa - commit: 20808046de8bbdc6fb2ac62829d4cc9d7a19f37:4.5.x,66166d17781aa257ff77a2fb7c69f72d0b611be:4.7.x,1e2a746968cdac5b53164ca8955646e4257ecc7:3.20.x - description: "In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service. 
Fixed in versions: 3.20.1, 4.5.3, 4.7.1" - links: "https://www.cloudfoundry.org/cve-2017-8031/" - - -- reference: CVE-2015-0886 - repo: https://github.com/djmdjm/jBCrypt - commit: 0c28b698e79b132391be8333107040d774c79995:master - description: "" - links: "" - - -- reference: CVE-2019-10330 - repo: https://github.com/jenkinsci/gitea-plugin/ - commit: 7555cb7c168cfa49d31271e7d65d76c1fab311f7:master - description: "" - links: "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1046" - - -- reference: CVE-2014-9601 - repo: https://github.com/wiredfool/Pillow/ - commit: 0b75526ffe41a4697231beb8b5740617c98f290b:master,44286ba3c9bfa6ed565d11bd61460d8ec215e1ea:master - description: "" - links: "https://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html,https://www.cvedetails.com/cve/CVE-2014-9601/" - - -- reference: CVE-2019-10243 - repo: https://github.com/eclipse/kura/ - commit: 4ce772e57eb939dd6c03d99fc12e434bb08b352d:master - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=545834,https://github.com/eclipse/kura/pull/2305" - - -- reference: CVE-2016-10006 - repo: https://github.com/nahsra/antisamy.git - commit: 7313931dc3c0d1377b010f07faef2063dd359a36:master - description: "" - links: "" - - -- reference: CVE-2018-1337 - repo: https://github.com/apache/directory-ldap-api/ - commit: 5faa6a71606a22a7503d401911875ec3a355cac:1.0.x,075b70a733d7af150b3d85684149ff5f029f7fd:2.0 - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1599886,https://lists.apache.org/thread.html/d66081195e9a02ee7cc20fb243b60467d1419586eed28297d820768f@%3Cdev.directory.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEDIRECTORYAPI-32413" - - -- reference: CVE-2019-10317 - repo: https://github.com/jenkinsci/sitemonitor-plugin/ - commit: a7210254b4dc9df15115e94ec8dba62b1e86493a:master - description: "SiteMonitor Plugin globally and unconditionally disables SSL/TLS certificate validation SECURITY-930 / CVE-2019-10317 SiteMonitor Plugin 
unconditionally disables SSL/TLS certificate validation for the entire Jenkins master JVM. SiteMonitor Plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually. Affected Versions: SiteMonitor Plugin up to and including 0.5 Fix: SiteMonitor Plugin should be updated to version 0.6" - links: "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-930" - - -- reference: CVE-2009-3555-JETTY - repo: https://github.com/eclipse/jetty.project - commit: b90ad09443e1771e37d23e393afe842759c20454:master,b4390f98529fce165e6394b94122b427fdfb8a5e:master,102625b86c8e82e0e3d02a71028ba62795aff52b:master - description: "Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 setAllowRenegotiate(true) may be called on connectors. This vulnerability affects JVM<1.6u19. Please upgrade to jetty-7.01.v20091125, jetty-6.1.22 (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 and http://www.kb.cert.org/vuls/id/120541)" - links: "https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc" - - -- reference: NEO-PYTHON-001 - repo: https://github.com/CityOfZion/neo-python/ - commit: 8e9c488bc0506f13424dc4208b64f250dff2818d:master - description: "neo-python is a Python Node and SDK for the NEO blockchain. Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. Due to an unlimited amount of free operations, an attacker could perform attacks over RPC invoke. Remediation: Upgrade neo-python to version 0.7.8 or higher." 
- links: "https://snyk.io/vuln/SNYK-PYTHON-NEOPYTHON-72647" - - -- reference: CVE-2014-3682 - repo: https://github.com/kiegroup/jbpm-designer - commit: 69d8f6b7a099594bd0536f88d52875387585708:6.2.x,be3968d51299f6de0011324be60223ede49ecb1:6.0.x,e4691214a100718c3b1c9b93d4db466672ba0be:6.2.x,5641588c730cc75dc3b76c34b76271fbd407fb8:6.0.x - description: "" - links: "" - - -- reference: CVE-2015-0201 - repo: https://github.com/spring-projects/spring-framework.git - commit: d63cfc8eebc396be009e733a81ebb4c984811f6e:master,dc5b5ca8ee09c890352f89b2dae58bc0132d6545:master - description: "" - links: "" - - -- reference: KNOWLEDGE-REPO-001 - repo: https://github.com/airbnb/knowledge-repo/ - commit: 5d6668206f0b3fa90c091e682b93867460501f11:master - description: "knowledge-repo is focused on facilitating the sharing of knowledge between data scientists and other technical roles using data formats and tools that make sense in these professions. Affected versions of this package are vulnerable to Arbitrary Code Execution. knowledge-repo read their configuration from the repository itself, by default from a python module called knowledge_repo_config.py. A malicious user with appropriate permissions could submit arbitrary code that will be executed at runtime on users machines, potentially leading to unwanted data loss, corruption or dissemination. With this change, only YAML configuration files will be read from the repository, mitigating this security vulnerability. Remediation: Upgrade knowledge-repo to version 0.8.0 or higher." - links: "https://github.com/airbnb/knowledge-repo/pull/382,https://snyk.io/vuln/SNYK-PYTHON-KNOWLEDGEREPO-72646" - - -- reference: PYRO4-001 - repo: https://github.com/irmen/Pyro4/ - commit: a9544e05ff175201187ff1530364dd4d77ee0d3d:master - description: "pyro4 is a library that enables you to build applications in which objects can talk to eachother over the network, with minimal programming effort. 
Affected versions of this package are vulnerable to Information Exposure. The HMAC encryption key used with the -k command line option was plainly visible. Remediation: Upgrade pyro4 to version 4.72 or higher." - links: "https://github.com/irmen/Pyro4/issues/199,https://snyk.io/vuln/SNYK-PYTHON-PYRO4-42168" - - -- reference: CVE-2019-10334 - repo: https://github.com/jenkinsci/electricflow-plugin/ - commit: d0b807d5e2de07a90d902401bae033c2907b850a:master - description: "" - links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1411" - - -- reference: CVE-2019-1003016 - repo: https://github.com/jenkinsci/job-import-plugin/ - commit: 1d81e59330d371d15d3672dabc17d35dcd9fb824:master - description: "An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003016,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(2)" - - -- reference: CVE-2014-0112 - repo: https://github.com/apache/struts.git - commit: 74e26830d2849a84729b33497f729e0f033dc147:master - description: "Fix for ue CVE-2014-0094, CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116" - links: "https://github.com/apache/struts/pull/70" - - -- reference: CVE-2018-1000134 - repo: https://github.com/pingidentity/ldapsdk - commit: 8471904a02438c03965d21367890276bc25fa5a6:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1557531,https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/,https://snyk.io/vuln/SNYK-JAVA-COMUNBOUNDID-32143" - - -- reference: CVE-2018-9159 - repo: https://github.com/perwendel/spark - commit: db45b5640ab577057e630b1c14bd537517aa5a29:master,030e9d00125cbd1ad759668f85488aba1019c668:master - description: "" - links: "https://github.com/perwendel/spark/issues/981,https://snyk.io/vuln/SNYK-JAVA-ORGSONATYPEOSS-32152" - - -- reference: CVE-2018-8038 - repo: https://github.com/apache/cxf-fediz/ - commit: b6ed9865d0614332fa419fe4b6d0fe81bc2e660d:master - description: "Apache CXF Fediz is vulnerable to DTD based XML attacks This vulnerability affects all versions of Apache CXF Fediz prior to 1.4.4. description: Apache CXF Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile for SSO specification. In 2015, a security advisory CVE-2015-5175 was issued for Apache CXF Fediz, titled \"Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks\". This was due to the fact that Document Type Declarations (DTDs) were not disabled when parsing the response from the Identity Provider (IdP). The fix for advisory CVE-2015-5175 in Apache CXF Fediz 1.1.3 and 1.2.1 prevented DoS style attacks via DTDs. 
However, it did not fully disable DTDs, meaning that the Fediz plugins could potentially be subject to a DTD-based XML attack. In addition, the Apache CXF Fediz IdP is also potentially subject to DTD-based XML attacks for some of the WS-Federation request parameters. This has been fixed in revision: https://github.com/apache/cxf-fediz/commit/b6ed9865d0614332fa419fe4b6d0fe81bc2e660d Migration: Apache CXF Fediz users should upgrade to 1.4.4 as soon as possible." - links: "https://cxf.apache.org/security-advisories.data/CVE-2018-8038.txt.asc?version=1&modificationDate=1530712328121&api=v2,https://cxf.apache.org/security-advisories.html" - - -- reference: CVE-2016-4000 - repo: https://github.com/jythontools/jython/ - commit: 4c337213bd2964bb36cef2d31509b49647ca6f2a:master - description: "" - links: "http://bugs.jython.org/issue2454,http://www.debian.org/security/2017/dsa-3893,https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864859,https://hg.python.org/jython/file/v2.7.1rc1/NEWS,https://hg.python.org/jython/rev/d06e29d100c0,https://security-tracker.debian.org/tracker/CVE-2016-4000,https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451" - - -- reference: CVE-2018-17194 - repo: https://github.com/apache/nifi/ - commit: 748cf745628dab20b7e71f12b5dcfe6ed0bbf134:master - description: "" - links: "https://issues.apache.org/jira/browse/NIFI-5628,https://nifi.apache.org/security.html#CVE-2018-17194,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHENIF-72714" - - -- reference: CVE-2014-3678 - repo: https://github.com/jenkinsci/monitoring-plugin/ - commit: f0f6aeef2032696c97d4b015dd51fa2b841b0473:master - description: "" - links: "https://jenkins.io/security/advisory/2014-10-01/,https://snyk.io/vuln/SNYK-JAVA-ORGJVNETHUDSONPLUGINS-32325" - - -- reference: CVE-2018-1282 - repo: https://github.com/apache/hive/ - commit: 63df42966cf44ffdd20d3fcdcfb70738c0432ab:2.3,0330c1c0b62f3c2e6a4744048578dea55193b62:2.6 - description: "" - links: 
"https://issues.apache.org/jira/browse/HIVE-18788,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHIVE-32204" - - -- reference: CVE-2018-1263 - repo: https://github.com/spring-projects/spring-integration-extensions/ - commit: d10f537283d90eabd28af57ac97f860a3913bf9b:master - description: "Unsafe Unzip with spring-integration-zip. description: spring-integration-zip , versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. The previous CVE-2018-1261 prevented the framework itself from writing the file. While the framework itself now does not write such files, it does present the errant path to the user application, which could inadvertently write the file using that path. This specifically applies to the unzip transformer. This can only happen if an application using this library accepts and unpacks zip files from untrusted sources. Affected Pivotal Products and Versions: Spring Integration Zip Community Extension Project versions 1.0.1.RELEASE and earlier. Mitigation: Upgrade to the 1.0.2.RELEASE Or do not unzip untrusted zip files." 
- links: "https://pivotal.io/security/cve-2018-1263" - - -- reference: CVE-2016-6793 - repo: https://github.com/apache/wicket.git - commit: 134686ef7185d3f96fec953136ab4847cd36b68:1_5_x - description: "" - links: "" - - -- reference: CVE-2015-5346 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1723414:trunk,1723506:trunk,1713184:trunk,1713185:trunk,1713187:trunk - description: "" - links: "" - - -- reference: CVE-2019-9710 - repo: https://github.com/marshmallow-code/webargs/ - commit: a4a228bb58031d1cbe0c4a9b180f44f06b202f76:master - description: "webargs is a python library for parsing and validating HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, webapp2, Falcon, and aiohttp. Affected versions of this package are vulnerable to Race Condition. Json parsing uses a short-lived cache to store the parsed Json body. This cache is not thread-safe, meaning that incorrect Json payloads could have been parsed for concurrent requests. Remediation Upgrade webargs to version 5.1.3 or higher." 
- links: "https://github.com/marshmallow-code/webargs/commit/a4a228bb58031d1cbe0c4a9b180f44f06b202f76,https://github.com/marshmallow-code/webargs/issues/371,https://snyk.io/vuln/SNYK-PYTHON-WEBARGS-173773,https://webargs.readthedocs.io/en/latest/changelog.html" - - -- reference: CVE-2009-2693 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 902650:trunk,892815:trunk,892795:trunk - description: "" - links: "" - - -- reference: CVE-2018-1067 - repo: https://github.com/undertow-io/undertow/ - commit: f404cb68448c188f4d51b085b7fe4ac32bde26e:2.0.7,85d4478e598105fe94ac152d3e11e388374e8b8:1.4 - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-32300" - - -- reference: CVE-2015-1836 - repo: https://github.com/apache/hbase - commit: 942e09b71eef5bd9fdb1c8711125c4bc1193bcdc:master - description: "" - links: "" - - -- reference: CVE-2016-6798 - repo: https://github.com/apache/sling - commit: fb2719e8299fadddae62245482de112052a0e08c:master - description: "In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application. 
(see https://issues.apache.org/jira/browse/SLING-5954)" - links: "https://nvd.nist.gov/vuln/detail/CVE-2016-6798" - - -- reference: CVE-2018-19859 - repo: https://github.com/OpenRefine/OpenRefine/ - commit: e243e73e4064de87a913946bd320fbbe246da656:master - description: "" - links: "https://github.com/OpenRefine/OpenRefine/issues/1840,https://snyk.io/vuln/SNYK-JAVA-ORGOPENREFINE-72693" - - -- reference: CVE-2018-11761 - repo: https://github.com/apache/tika/ - commit: 4e67928412ad56333d400f3728ecdb59d07d9d63:master - description: "" - links: "https://lists.apache.org/thread.html/5553e10bba5604117967466618f219c0cae710075819c70cfb3fb421@%3Cdev.tika.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETIKA-72400" - - -- reference: CVE-2016-3674 - repo: https://github.com/x-stream/xstream - commit: 5b5cd6d8137f645c5d57b648afb1a305967aa7f:v-1.4.x,25c6704bea149ee93c294ae5b6e0aecd182fea88:master,c9b121a88664988ccbabd83fa27bfc2a5e0bd139:master,e4f1457e681e015be83c6b0b84947676980e29d:v-1.4.x,87172cfc1dd7f8f6e137963c778b03efd14ac446:master,7c77ac0397a1f93c69d2776a13c31957f55d1647:master,696ec886a23dae880cf12e34e1fe09c5df8fe94:v-1.4.x,806949e1b3c22a3b31819a37402489a0303221a:v-1.4.x - description: "" - links: "" - - -- reference: BUILDBOT-001 - repo: https://github.com/buildbot/buildbot/ - commit: e159e4ed0a2fee9c7e41e81ae81333b0c9557256:master - description: "buildbot is an open-source continuous integration framework for automating software build, test, and release processes. Affected versions of this package are vulnerable to Timing Attack. It implemented a character to character comparison !=, and not a time constant string comparison. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the encryption key one character at a time. Remediation: Upgrade buildbot to version 1.3.0 or higher." 
- links: "https://github.com/buildbot/buildbot/issues/4180,https://snyk.io/vuln/SNYK-PYTHON-BUILDBOT-42177" - - -- reference: CVE-2015-3162 - repo: https://github.com/beaker-project/beaker/ - commit: 36809a80741d572af124f2a15b1fdf5c581cde46:master - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-BEAKER-42072" - - -- reference: CVE-2014-0033 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1558822:trunk - description: "" - links: "" - - -- reference: CVE-2013-4322 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1521834:trunk,1556540:trunk,1549522:trunk,1521864:trunk,1549523:trunk - description: "" - links: "" - - -- reference: CVE-2015-3189 - repo: https://github.com/cloudfoundry/uaa - commit: a79b89f6e4f66626914b029b7a15a423491f8013:master - description: "" - links: "" - - -- reference: CVE-2016-1000338 - repo: https://github.com/bcgit/bc-java - commit: 843c2e60f67d71faf81d236f448ebbe56c62c647:master - description: "DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of invisible data into a signed structure." 
- links: "https://www.bouncycastle.org/releasenotes.html" - - -- reference: CVE-2012-6119 - repo: https://github.com/candlepin/candlepin.git - commit: f4d93230e58b969c506b4c9778e04482a059b08c:master - description: "" - links: "" - - -- reference: CVE-2017-16228 - repo: https://github.com/dulwich/dulwich - commit: 7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6:master - description: "" - links: "" - - -- reference: CVE-2010-0684 - repo: https://github.com/apache/activemq - commit: fed39c3619825bd92990cf1aa7a4e85119e00a6e:master,9dc43f3ffe85c9c56faee235a21f23bfceb865c8:master,2895197d0dad246757d8d1d9eea181cbf0543ae9:master - description: "" - links: "" - - -- reference: CVE-2018-1258 - repo: https://github.com/spring-projects/spring-security/ - commit: 7b8fa90d96aaf751a3256fa755d5f17e081c20f:5.0.5,fed15f2b01b763158f6650afa13059203366974:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31651,https://spring.io/blog/2018/05/09/spring-project-vulnerability-reports-published" - - -- reference: CVE-2019-0201 - repo: https://github.com/apache/zookeeper/ - commit: af741cb319d4760cfab1cd3b560635adacd8dec:master,5ff19e3672987bdde2843a3f031e2bf0010e35f:3.4.14,17c6b264f4e79ddb6e9d27b968d48456024d18c:3.5.5 - description: "" - links: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392,https://zookeeper.apache.org/security.html#CVE-2019-0201" - - -- reference: CVE-2017-15720 - repo: https://github.com/apache/airflow/ - commit: daa281c0364609d6812921123cf47e4118b40484:master - description: "" - links: "https://github.com/apache/airflow/pull/2184,https://issues.apache.org/jira/browse/AIRFLOW-1007,https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E,https://snyk.io/vuln/SNYK-PYTHON-APACHEAIRFLOW-73586" - - -- reference: CVE-2012-2379 - repo: https://github.com/apache/cxf - commit: 4500bf901cb2a7312291b6663045f28a95d2a0c4:trunk - description: "" - links: "" - - -- reference: 
CVE-2017-14949 - repo: https://github.com/restlet/restlet-framework-java - commit: 97a8d1d62612683817c785e99c4166bcde8cf1c:2.4,fe75aff3af23b879b984db7a2b6824cee0ef0fc:2.3 - description: "" - links: "" - - -- reference: CVE-2015-5171 - repo: https://github.com/cloudfoundry/uaa - commit: 9730cd6a3bbb481ee4e400b51952b537589c469d:master - description: "Password change does not expire existing sessions. After a password reset link is requested and a user’s password is then changed, not all existing sessions are logged out automatically. Logging in with the new password doesn’t invalidate the older session either. Deployments enabled for integration via SAML or LDAP are not affected." - links: "https://www.cloudfoundry.org/cve-2015-5170-5173/" - - -- reference: CVE-2019-10868 - repo: https://github.com/tryton/trytond/ - commit: 0ab5ef4631b1ed9a7cc1091bc0b841b3c014f668:master - description: "Information Disclosure Overview tryton is a business software. Affected versions of this package are vulnerable to Information Disclosure. via the trytond/model/modelstorage.py path. An authenticated user could order records based on a field for which he had no access right. This may allow the user to guess these values. Remediation Upgrade tryton to version 5.0.6, 4.8.10, 4.6.14, 4.4.19, 4.2.21 or higher. 
" - links: "https://bugs.tryton.org/issue8189,https://discuss.tryton.org/t/security-release-for-issue8189/1262,https://hg.tryton.org/trytond/rev/f58bbfe0aefb" - - -- reference: CVE-2018-14371 - repo: https://github.com/eclipse-ee4j/mojarra/ - commit: 1b434748d9239f42eae8aa7d37d7a0930c061e24:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14371,https://github.com/javaserverfaces/mojarra/issues/4364" - - -- reference: CVE-2014-4172 - repo: https://github.com/apereo/java-cas-client - commit: ab6cbdc3daa451b4fef89c0bd0f4e6568f3aa9ef:master,ae37092100c8eaec610dab6d83e5e05a8ee58814:master - description: "It was found that URL encoding used in the back-channel ticket validation of the JA-SIG CAS client was improper. A remote attacker could exploit this flaw to bypass security constraints by injecting URL parameters. Fixed In Version: 3.1.13, 3.2.2, 3.3.2 (see https://github.com/apereo/java-cas-client/pull/73)" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-4172" - - -- reference: CVE-2019-7722 - repo: https://github.com/pmd/pmd/ - commit: e295711343cc155cb64ea0ae29ce9d69201469b3:master - description: "PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. 
(PMD 6.x is unaffected because of a 2017-09-15 change.)" - links: "https://github.com/pmd/pmd/issues/1650,https://github.com/pmd/pmd/pull/592,https://snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPMD-173681" - - -- reference: CVE-2014-0113 - repo: https://github.com/apache/struts.git - commit: 74e26830d2849a84729b33497f729e0f033dc147:master - description: "Fix for ue CVE-2014-0094, CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116" - links: "https://github.com/apache/struts/pull/70" - - -- reference: CVE-2019-1003037 - repo: https://github.com/jenkinsci/azure-vm-agents-plugin/ - commit: e36c8a9b0a436d3b79dc14b5cb4f7f6032fedd3f:master - description: "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003037,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1332" - - -- reference: CVE-2016-0784 - repo: https://github.com/apache/openmeetings/ - commit: 6e5b1828f7813eedab08a31a46018a86bf715775:master - description: "" - links: "http://openmeetings.apache.org/security.html" - - -- reference: CVE-2017-12794 - repo: https://github.com/django/django - commit: 46e2b9e059e617afe6fe56da9f132568a7e6b198:master,58e08e80e362db79eb0fd775dc81faad90dca47:1.10,e35a0c56086924f331e9422daa266e907a4784c:1.11 - description: "" - links: "" - - -- reference: CVE-2018-12544 - repo: https://github.com/vert-x3/vertx-web/ - commit: d814d22ade14bafec47c4447a4ba9bff090f05e:3.5.1,ac8692c618d6180a9bc012a2ac8dbec821b1a97:3.5.3 - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568,https://github.com/vert-x3/vertx-web/issues/1021,https://snyk.io/vuln/SNYK-JAVA-IOVERTX-72440" - - -- reference: CVE-2019-0191 - repo: https://github.com/apache/karaf/ - commit: 
e36a7a66fa08eb5eb253b2b0cec262ffbdef072:4.1,fef9a618f11a670dc040d903a4b0f9bbc9f3e9c:4.2 - description: "" - links: "https://issues.apache.org/jira/browse/KARAF-6090,https://lists.apache.org/thread.html/6856aa7ed7dd805eaf65d0e5e95027dda3b2307aacd1ab4a838c5cd1@%3Cuser.karaf.apache.org%3E" - - -- reference: CVE-2016-6796 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1763233:trunk,1758496:trunk,1763232:trunk,1758494:trunk,1763233:master,1758493:trunk,1763236:trunk,1758495:trunk,1758487:trunk,1763237:trunk,1763234:trunk - description: "A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. Affects: 6.0.0 to 6.0.45,7.0.0 to 7.0.70,, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36,9.0.0.M1 to 9.0.0.M9" - links: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796" - - -- reference: CVE-2014-0086 - repo: https://github.com/pslegr/core-1.git - commit: 8131f15003f5bec73d475d2b724472e4b87d0757:master - description: "" - links: "" - - -- reference: CVE-2018-11041 - repo: https://github.com/cloudfoundry/uaa/ - commit: f6362a8f1865314aa507fc5de772848b7e55236:4.19.0,7d750e036cd52c5d30e73e28cbcae23126d7154:4.10.x,7a8f157f7e2feed2d0ebb63b163ff735b6340b9:4.19.0,8a599448781acd481aa9dab1b0bde3424e00ced:4.10.x,57a15dfb7e0e3a59019ebe951793b586512b196:4.7.x,d17b23fc3bf9b86f111774925afadfced75315c:4.7.x - description: "UAA open redirect Severity. \ndescription: Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. 
A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.\nAffected Cloud Foundry Products and Versions:\nYou are using uaa versions later than 4.6.0 and prior to 4.19.0, except 4.10.1 and 4.7.5\nYou are using uaa-release versions later than v48 and prior to v60, except v55.1 and v52.9\nMitigation:\nReleases that have fixed this issue include\n- uaa versions 4.19.0, 4.10.1, 4.7.5\n- uaa-release versions v60, v55.1, v52.9\n" - links: "https://www.cloudfoundry.org/blog/cve-2018-11041/" - - -- reference: CVE-2012-0393 - repo: https://github.com/apache/struts - commit: 9cad25f258bb2629d263f828574d2671366c238d:master - description: "" - links: "" - - -- reference: CVE-2015-8320 - repo: https://github.com/apache/cordova-android - commit: 032ea8a8d386d8bcffc5de7fd3e4202478effb7d:master - description: "" - links: "" - - -- reference: CVE-2018-10237 - repo: https://github.com/google/guava/ - commit: f89ece5721b2f637fe754937ff1f3c86d80bb196:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237,https://groups.google.com/forum/#!topic/guava-announce/xqWALw4W1vs/discussion" - - -- reference: CVE-2013-2067 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1417891:trunk - description: "" - links: "" - - -- reference: CVE-2019-10339 - repo: https://github.com/jenkinsci/jx-resources-plugin/ - commit: f0d9fb76230b65e851095da936a439d953c5f64d:master - description: "" - links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1379" - - -- reference: CVE-2011-4367 - repo: http://svn.apache.org/repos/asf/myfaces - commit: 1236039:2.0.x,1212649:trunk,1238150:trunk,1212640:trunk,1238151:2.0.x,1212603:2.0.x,1236038:trunk,1212602:trunk,1212641:2.0.x,1212648:2.0.x - description: "" - links: "" - - -- reference: CVE-2009-2625 - repo: https://github.com/apache/xerces2-j - commit: 0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b:trunk - description: "" - 
links: "https://issues.apache.org/jira/browse/XERCESJ-1412." - - -- reference: CVE-2016-2402 - repo: https://github.com/square/okhttp - commit: 784fabac7d1586a5614bd4bc8854fd62850dbe26:master,5377f25d9eed755328216912ef5e922c93e14f3:2.x,3ccb46dd16b6ec98f70b0ee53eafe5ed6380891e:master - description: "" - links: "" - - -- reference: CVE-2019-1003045 - repo: https://github.com/jenkinsci/ecs-publisher-plugin/ - commit: e901c02a43bfd41ea1736ba1ed24cb614d821569:master - description: "ECS Publisher Plugin stored and displayed API token in plain text SECURITY-846 / CVE-2019-1003045 ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and its global configuration file on the Jenkins master. This token could be viewed by users with Extended Read permission, or access to the master file system. Additionally, the API token was not masked from view using a password form field. The plugin now stores the API token encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text." - links: "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-846" - - -- reference: CVE-2016-5001 - repo: https://github.com/apache/hadoop/ - commit: 82ec5dbb2505066da8a6ed008d943b5ada027b1:2.7.2,04b8a19f81ee616c315eec639642439b3a18ad9:2.6.4 - description: "" - links: "https://nvd.nist.gov/vuln/detail/CVE-2016-5001,https://seclists.org/oss-sec/2016/q4/698" - - -- reference: CVE-2014-0054 - repo: https://github.com/spring-projects/spring-framework.git - commit: edba32b3093703d5e9ed42b5b8ec23ecc1998398:master,1c5cab2a4069ec3239c531d741aeb07a434f521b:master - description: "" - links: "" - - -- reference: CVE-2018-8037 - repo: https://github.com/apache/tomcat/ - commit: ed4b9d791f9470e4c3de691dd0153a9ce431701b:master - description: "Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up. A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection." 
- links: "https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2017-12614 - repo: https://github.com/apache/incubator-airflow/ - commit: 8f9bf94d82abc59336e642db64e575cee0cc5df0:master - description: "apache-airflow is a platform to programmatically author, schedule and monitor workflows. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via 404 pages. Note Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack." - links: "https://lists.apache.org/thread.html/2c72480c76619c5e7793f0d213c34082f0598eaa4d212172f068940f@%3Cdev.airflow.apache.org%3E,https://snyk.io/vuln/SNYK-PYTHON-APACHEAIRFLOW-42180" - - -- reference: CVE-2014-0230 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1603775:trunk,1603779:trunk,1603770:trunk,1603781:trunk,1659537:trunk - description: "" - links: "" - - -- reference: CVE-2019-1003006 - repo: https://github.com/jenkinsci/groovy-plugin/ - commit: 212e048a319ae32dad4cfec5e73a885a9f4781f0:master - description: "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003006,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293" - - -- reference: CVE-2016-5018 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1754904:master,1754902:trunk,1760300:trunk,1754714:trunk,1760309:trunk,1754904:trunk,1754901:trunk,1754900:trunk,1761718:trunk,1760307:trunk,1754900:master,1760305:trunk - description: "A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. 
Affects: 6.0.0 to 6.0.45,7.0.0 to 7.0.70,, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36,9.0.0.M1 to 9.0.0.M9." - links: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018" - - -- reference: CVE-2013-6408 - repo: https://github.com/apache/lucene-solr - commit: 7239a57a51ea0f4d05dd330ce5e15e4f72f72747:master - description: "" - links: "" - - -- reference: CVE-2019-0194 - repo: https://github.com/apache/camel/ - commit: 15a1f10fb532bdcba184cda17be602a2358bd5e:2.23.1,68f2de31b7752bd49b7898d7098b3bfe8e0d0bd:2.16.0,5e1d70c6957703cdebbfe5d796462e5a89c8bc2:2.21.5,05ff65d5cebf1fa5172c59dd16359ed583c099c:3.0.0,a8a2b8c0a37e348981a4cf41fd2b329b6079f40:2.16.0,2d399aa6062fccd6af496bd776314d1944f7090:2.23.2,5b64969d37cf2906efd4623cfd473041ce5132f:3.0.0,f337a98e86ef18611b14570e6780053fe3ddcc0:2.21.5,53185f0b221b899aacb3c379647a866a8f408a8:2.23.2,e030f6665db037a2f73f30b9125fb770f29a7bd:2.23.1 - description: "Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected." - links: "https://github.com/apache/camel/pull/2700,https://issues.apache.org/jira/browse/CAMEL-13042,https://lists.apache.org/thread.html/0a163d02169d3d361150e8183df4af33f1a3d8a419b2937ac8e6c66f@%3Cusers.camel.apache.org%3E" - - -- reference: CVE-2016-5007-SEC - repo: https://github.com/spring-projects/spring-security.git - commit: e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974:master - description: "Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. 
The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences." - links: "https://pivotal.io/security/cve-2016-5007" - - -- reference: CVE-2016-6797 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1757285:trunk,1757272:trunk,1757273:trunk,1757275:trunk,1757271:trunk - description: "The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. Affects: 6.0.0 to 6.0.45, 7.0.0 to 7.0.70, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 9.0.0.M1 to 9.0.0.M9." - links: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797" - - -- reference: CVE-2018-1000111 - repo: https://github.com/jenkinsci/subversion-plugin - commit: 25f6afbb02a5863f363b0a2f664ac717ace743b4:master - description: "" - links: "" - - -- reference: CVE-2017-2638 - repo: https://github.com/infinispan/infinispan/ - commit: f2d54c4ecb75c7264d4160ca7c461135712201a9:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638,https://issues.jboss.org/browse/ISPN-7485,https://snyk.io/vuln/SNYK-JAVA-ORGINFINISPAN-32418" - - -- reference: CVE-2013-1879 - repo: https://github.com/apache/activemq - commit: 148ca81dcd8f14cfe2ff37012fd1aa42518f02dc:master - description: "" - links: "" - - -- reference: CVE-2012-6153 - repo: https://github.com/apache/httpcomponents-client - commit: 6e14fc146a66e0f3eb362f45f95d1a58ee18886a:trunk - description: "" - links: "" - - -- reference: CVE-2019-10255 - repo: https://github.com/jupyter/notebook/ - commit: 08c4c898182edbe97aadef1815cce50448f975cb:master,70fe9f0ddb3023162ece21fbb77d5564306b913b:master - 
description: "" - links: "https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4,https://nvd.nist.gov/vuln/detail/CVE-2019-10255" - - -- reference: CVE-2018-1313 - repo: https://github.com/apache/derby/ - commit: a2027c64e185a9ce46929f352e2db03371c1f95:10.14,4da5b2db5f3a60c1fa8ef616d88a7efe28b0c9d:trunk - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1313,https://markmail.org/message/akkappppxcdqrgxk" - - -- reference: CVE-2019-9740 - repo: https://github.com/urllib3/urllib3/ - commit: 9b76785331243689a9d52cef3db05ef7462cb02d:master,efddd7e7bad26188c3b692d1090cba768afa9162:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740,https://github.com/urllib3/urllib3/" - - -- reference: CVE-2018-8026 - repo: https://github.com/apache/lucene-solr/ - commit: e5407c5a9710247e5f728aae36224a245a51f0b:7.x,d1baf6ba593561f39e2da0a71a8440797005b55:6.6.5,1880d4824e6c5f98170b9a00aad1d437ee2aa12:6.x,3aa6086ed99fa7158d423dc7c33dae6da466b09:7.4,e21d4937e0637c7b7949ac463f331da9a42c07f:master - description: "" - links: "https://issues.apache.org/jira/browse/SOLR-12450,https://mail-archives.apache.org/mod_mbox/lucene-solr-user/201807.mbox/%3C0cdc01d413b7%24f97ba580%24ec72f080%24%40apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESOLR-32408" - - -- reference: CVE-2009-0033 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 742915:trunk,781362:trunk - description: "" - links: "" - - -- reference: CVE-2019-3772 - repo: https://github.com/spring-projects/spring-integration/ - commit: 59c69ed40d3755ef59f80872e0ea711adbb13620:master - description: "" - links: "https://pivotal.io/security/cve-2019-3772,https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKINTEGRATION-73517,https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKINTEGRATION-73518" - - -- reference: CVE-2017-2654 - repo: https://github.com/jenkinsci/email-ext-plugin/ - commit: 
af2cc9bf649781c3c84c6891298db0d8601b193d:master - description: "" - links: "https://jenkins.io/security/advisory/2017-03-20/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32468" - - -- reference: CVE-2016-9015 - repo: https://github.com/Lukasa/urllib3/ - commit: 5e36a7096455ea94fb28b623d64e1f1bad97f82:1.19,c32cdbc16a9634fa0f8c829d127030157015871:1.18 - description: "" - links: "https://github.com/openssl/openssl/pull/1793,https://nvd.nist.gov/vuln/detail/CVE-2016-9015" - - -- reference: CVE-2017-9804 - repo: https://github.com/apache/struts - commit: 744c1f409d983641af3e8e3b573c2f2d2c2c6d9:support-2-3,3fddfb6eb562d597c935084e9e81d43ed6bcd02:support-2-3,8a04e80f01350c90f053d71366d5e0c2186fded:master,a05259ed69a5a48379aa91650e4cd1cb4bd6e5a:master,418a20c0594f23764fe29ced400c1219239899a:master,9d47af6ffa355977b5acc713e6d1f25fac260a2:master - description: "A regular expression Denial of Service when using URLValidator." - links: "https://cwiki.apache.org/confluence/display/WW/S2-050" - - -- reference: CVE-2012-2316 - repo: http://svn.code.sf.net/p/openkm/code - commit: 7406:5.1.8-2 - description: "" - links: "" - - -- reference: CVE-2015-7337_JUPYTER - repo: https://github.com/jupyter/notebook/ - commit: 9e63dd89b603dfbe3a7e774d8a962ee0fa30c0b:4.0.x - description: "The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types." 
- links: "https://www.cvedetails.com/cve/CVE-2015-7337/" - - -- reference: CVE-2017-12626 - repo: https://github.com/apache/poi/ - commit: df3910135fd9c442b4e746e4b156362fd2e8d755:master,cd6236c74b55763a27e3e9b5f269c28bc9c98419:master,c7db66a30dfb6cbbd5812ff3ae4c90ed2d9b9a27:master,a07ed9e86474da98f204efadfd5b9327009a0d21:master - description: "" - links: "" - - -- reference: CVE-2019-3775 - repo: https://github.com/cloudfoundry/uaa/ - commit: daeedbe499453b06856556f5e9f7e80d2d1ceb03:master - description: "" - links: "https://www.cloudfoundry.org/blog/cve-2019-3775/" - - -- reference: CVE-2018-1000056 - repo: https://github.com/jenkinsci/junit-plugin/ - commit: 15f39fc49d9f25bca872badb48e708a8bb815ea7:master - description: "" - links: "https://jenkins.io/security/advisory/2018-02-05/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32161" - - -- reference: CVE-2018-7750 - repo: https://github.com/paramiko/paramiko - commit: fa29bd8446c8eab237f5187d28787727b4610516:master - description: "" - links: "https://github.com/paramiko/paramiko/issues/1175" - - -- reference: CVE-2015-5344 - repo: https://github.com/apache/camel - commit: 4491c080cb6c8659fc05441e49307b7d4349aa56:master,8386d8f7260143802553bc6dbae2880d6c0bafda:master - description: "" - links: "" - - -- reference: CVE-2017-15695 - repo: https://github.com/apache/geode/ - commit: aa469239860778eb46e09dd7b390aee08f152480:master,49d28f93fd2ef069693ce15d124ef3a29f22fb7d:master,90f8f6242927c5e16da64f38bba9abf3d450a305:master,740289c61d60256c6270756bc84b9e24b76e4913:master,6df14c8b1e3c644f9f810149e80bba0c2f073dab:master,00be4f9774e1adf8e7ccc2664da8005fc30bb11d:master,954ccb545d24a9c9a35cbd84023a4d7e07032de0:master - description: "" - links: "https://issues.apache.org/jira/browse/GEODE-3974,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEGEODE-32373" - - -- reference: CVE-2012-4387 - repo: https://github.com/apache/struts - commit: 87935af56a27235e9399308ee1fcfb74f8edcefa:master - description: "" - links: "" - - -- 
reference: CVE-2017-1000388 - repo: https://github.com/jenkinsci/depgraph-view-plugin/ - commit: d442ff671965c279770b28e37dc63a6ab73c0f0e:master - description: "" - links: "https://jenkins.io/security/advisory/2017-10-23/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32193" - - -- reference: CVE-2018-1000425 - repo: https://github.com/jenkinsci/sonarqube-plugin/ - commit: d1fe7cf3c46b2cf9f3629af87a7126a4007a52fd:master - description: "" - links: "https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Maven,https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1163" - - -- reference: CVE-2017-1000503 - repo: https://github.com/jenkinsci/jenkins/ - commit: ccc374a7176d7704941fb494589790b7673efe2:master,eec0188cc45d75fd519a5d831b54781ac801dac:2.89.2,9b39411b1ae07ce8bf6c7df457bde1c6dabba9f:2.95 - description: "" - links: "https://jenkins.io/security/advisory/2017-12-14/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32173" - - -- reference: CVE-2018-1999045 - repo: https://github.com/jenkinsci/jenkins - commit: ef9583a24abc4de157e1570cb32d7a273d327f36:master - description: "" - links: "" - - -- reference: CVE-2019-3498 - repo: https://github.com/django/django/ - commit: 1cd00fcf52d089ef0fe03beabd05d59df8ea052:1.11.x,1ecc0a395be721e987e8e9fdfadde952b6dee1c:master,64d2396e83aedba3fcc84ca40f23fbd22f0b9b5:2.1.x,9f4ed7c94c62e21644ef5115e393ac426b886f2:2.0.x - description: "Content spoofing possibility in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view. The URL path is no longer displayed in the default 404 template and the request_path context variable is now quoted to fix the issue for custom templates that use the path. 
Remediation: Upgrade to Django 1.11.18, 2.0.10 or 2.1.5" - links: "https://docs.djangoproject.com/en/2.1/releases/1.11.18/,https://docs.djangoproject.com/en/2.1/releases/2.0.10/,https://docs.djangoproject.com/en/2.1/releases/2.1.5/" - - -- reference: CVE-2017-0906 - repo: https://github.com/recurly/recurly-client-python - commit: 049c74699ce93cf126feff06d632ea63fba36742:master - description: "" - links: "" - - -- reference: CVE-2018-1000089 - repo: https://github.com/jenkinsci/pipeline-build-step-plugin/ - commit: 3dfefdec1f7b2a4ee0ef8902afdea720b1572cb3:master - description: "" - links: "https://jenkins.io/security/advisory/2017-07-10/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32153" - - -- reference: CVE-2018-11777 - repo: https://github.com/apache/hive/ - commit: 00c0ee7bc4b8492476b377a6edafcc33411f14b:master,1a1d6ca1bc3ae840238dc345fa1eb2c7c28c8cb:branch-2.3,f0419dfaabe31dd7802c37aeebab101265907e1:branch-3.1 - description: "" - links: "https://lists.apache.org/thread.html/963c8e2516405c9b532b4add16c03b2c5db621e0c83e80f45049cbbb@%3Cdev.hive.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHIVE-72580" - - -- reference: CVE-2018-5382 - repo: https://github.com/bcgit/bc-java/ - commit: 81b00861cd5711e85fe8dce2a0e119f684120255:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-31659,https://www.kb.cert.org/vuls/id/306792" - - -- reference: CVE-2019-10306 - repo: https://github.com/jenkinsci/ontrack-plugin/ - commit: 7f0f806c18fdd6043103d848ba4c813cb805dd85:master - description: "Sandbox bypass in ontrack Jenkins Plugin SECURITY-1341 / CVE-2019-10306 ontrack Jenkins Plugin supports sandboxed Groovy expressions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and execute arbitrary code on the Jenkins master. 
ontrack Jenkins Plugin now uses Script Security APIs that apply sandbox protection during these phases" - links: "https://jenkins.io/security/advisory/2019-04-17/#SECURITY-1341" - - -- reference: CVE-2014-7809 - repo: https://github.com/apache/struts/ - commit: 1f301038a751bf16e525607c3db513db835b2999:master - description: "" - links: "https://cwiki.apache.org/confluence/display/WW/S2-023" - - -- reference: CVE-2019-9636 - repo: https://github.com/python/cpython/ - commit: e37ef41289b77e0f0bb9a6aedb0360664c55bdd:2.7,c0d95113b070799679bcb9dc49d4960d82e8bb0:3.5,62d36547f97210a26cc6051da78714fd078e158:3.4,daad2c482c91de32d8305abbccc76a5de8b3a8b:3.7,16e6f7dee7f02bb81aa6b385b982dcdda5b9928:master - description: "urlsplit does not handle NFKC normalization URLs encoded with Punycode/IDNA use NFKC normalization to decompose characters. This can result in some characters introducing new segments into a URL. See Unicode® Technical Standard #46: Unicode IDNA Compatibility Processing. Disclosure date: 2019-03-06 (Python issue bpo-36216 reported) Reported at: 2019-02-16 (email to PSRT) Reported by: Jonathan Birch of Microsoft Corporation and Panayiotis Panayiotou Vulnerable Versions Python 2.7 Python 3.4 Python 3.5 Python 3.6 Python 3.7" - links: "https://bugs.python.org/issue36216,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636,https://github.com/python/cpython/commit/16e6f7dee7f02bb81aa6b385b982dcdda5b99286,https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html" - - -- reference: CVE-2015-6524 - repo: https://github.com/apache/activemq - commit: 0b5231ada5ce365b41832ba8752ee210145d1cbe:master - description: "" - links: "" - - -- reference: CVE-2015-0250 - repo: https://github.com/apache/batik - commit: 1e12686194370b22420da705d71af66161affa33:trunk - description: "" - links: "" - - -- reference: CVE-2019-10315 - repo: https://github.com/jenkinsci/github-oauth-plugin/ - commit: 8d51832643e60c6b60b3280febcdb61c23278989:master - description: 
"CSRF vulnerability in OAuth callback in GitHub Authentication Plugin SECURITY-443 / CVE-2019-10315 GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account. The state parameter is now correctly managed. Affected versions: GitHub Authentication Plugin up to and including 0.31 Fix: GitHub Authentication Plugin should be updated to version 0.32" - links: "https://github.com/jenkinsci/github-oauth-plugin/pull/107,https://jenkins.io/security/advisory/2019-04-30/#SECURITY-443" - - -- reference: CVE-2019-0226 - repo: https://github.com/apache/karaf/ - commit: fe3bc4108e5a8b3c804e5da91ec0d5695588eb25:master - description: "Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. User should upgrade to Apache Karaf 4.2.5 or later." 
- links: "https://github.com/apache/karaf/pull/805,https://lists.apache.org/thread.html/1baa6f1df0e95fb1cd679067117354af2ab4423277d9a0ff6e8bf790@%3Cdev.karaf.apache.org%3E" - - -- reference: CVE-2018-16167 - repo: https://github.com/JPCERTCC/LogonTracer/ - commit: 2bb79861dbaf7e8a9646fcd70359523fdb464d9c:master - description: "" - links: "https://jvn.jp/en/vu/JVNVU98026636/index.html" - - -- reference: CVE-2011-0534 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1065939:trunk - description: "" - links: "" - - -- reference: CVE-2017-2617 - repo: https://github.com/hawtio/hawtio/ - commit: 8cf6848f4d4d4917a4551c9aa49dc00f699eb569:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2617,https://snyk.io/vuln/SNYK-JAVA-IOHAWT-32303" - - -- reference: CVE-2016-3081 - repo: https://github.com/apache/struts - commit: f238cf4f1091be19fbcfd086b042c86a1bcaa7fc:master - description: "" - links: "" - - -- reference: PYCRYPTODOME-001 - repo: https://github.com/Legrandin/pycryptodome/ - commit: f80debf2d26cfd7f30dae95f2b2a893d3a34ee8c:master - description: "Affected versions of the package are vulnerable to Deprecated Cypher. It contained the quick check feature of PGP block cipher mode, which was deprecated. Remediation: Upgrade pycryptodome to version 3.4.4 or higher." - links: "https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst#344-1-february-2017,https://snyk.io/vuln/SNYK-PYTHON-PYCRYPTODOME-40784" - - -- reference: CVE-2019-3799 - repo: https://github.com/spring-cloud/spring-cloud-config/ - commit: 9617f2922ee2ae27f08676716224933f0d869719:master - description: "Directory Traversal with spring-cloud-config-server description Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. 
A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack." - links: "https://pivotal.io/security/cve-2019-3799" - - -- reference: CVE-2016-8629 - repo: https://github.com/keycloak/keycloak - commit: a78cfa4b2ca979a1981fb371cfdf2c7212f7b6e2:master - description: "" - links: "" - - -- reference: CVE-2019-10156 - repo: https://github.com/bcoca/ansible/ - commit: da3a703213e47d87682f6970ca2db8d05a4ada2:unsafer28,2c8d5ca68a2d728dc2c0f681ec630186bd27438:unsafer26,9736bfd039e27c7179aad120909ebc20aff692f:unsafer27 - description: "Ansible: unsafe template evaluation of returned module data can lead to information disclosure A flaw was discovered in the way Ansible templating was implemented, causing the possibility of information disclosure through unexpected variable substitution." - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1717311#0,https://github.com/ansible/ansible/pull/57188" - - -- reference: CVE-2019-1003029 - repo: https://github.com/jenkinsci/script-security-plugin/ - commit: f2649a7c0757aad0f6b4642c7ef0dd44c8fea434:master - description: "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003029,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(1)" - - -- reference: CVE-2018-1306 - repo: https://github.com/apache/portals-pluto/ - commit: 89f6a59a740d0a8318640ca6015e9a381c5c6b50:master - description: "" - links: "http://portals.apache.org/pluto/security.html,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEPORTALSPLUTO-32393" - - -- reference: CVE-2019-10328 - repo: https://github.com/jenkinsci/workflow-remote-loader-plugin/ - commit: 6f9d60f614359720ec98e22b80ba15e8bf88e712:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1716794,https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921" - - -- reference: CVE-2014-3527 - repo: https://github.com/spring-projects/spring-security.git - commit: 2cb99f079152ac05cee5c90457c7feb3bb2de55:3_2,934937d9c1dc20c396b96c08310b72cfa627acb:3_1 - description: "" - links: "" - - -- reference: CVE-2018-1309 - repo: https://github.com/apache/nifi/ - commit: 28067a29fd13cdf8e21b440fc65c6dd67872522f:master - description: "" - links: "https://github.com/apache/nifi/pull/2466,https://nifi.apache.org/security.html#CVE-2018-1309,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHENIFI-32306" - - -- reference: CVE-2017-1000481 - repo: https://github.com/plone/Products.CMFPlone/ - commit: 236b62b756ff46a92783b3897e717dfb15eb07d8:master - description: "" - links: "" - - -- reference: CVE-2016-4800 - repo: https://github.com/eclipse/jetty.project - commit: 97af3d663fd22343129e8364d601640649d9eaea:master - description: "Jetty 9.3.0 to 9.3.8 inclusive is vulnerable to an aliasing issue when running on Windows platform. The vulnerability allows raw file resources protected by security constraints or in WEB-INF to be revealed. It was reported that Jetty path normalization mechanism implemented in PathResource class and introduced in Jetty versions 9.3.x is vulnerable to malicious URL requests containing specific escaped characters. 
Malicious user can gain access to protected resources (e.g. WEB-INF and META-INF folders and their contents) and defeat application filters or other security constraints implemented in the servlet configuration. Only affected Jetty 9.3.0-9.3.8, please upgrade to 9.3.9. (see http://www.ocert.org/advisories/ocert-2016-001.html)" - links: "http://www.ocert.org/advisories/ocert-2016-001.html" - - -- reference: CVE-2016-3092-FU - repo: https://github.com/apache/commons-fileupload - commit: 774ef160d591b579f703c694002e080f99bcd28b:trunk - description: "Specially crafted input can trigger a DoS (slow uploads), if the size of the MIME boundary is close to the size of the buffer in MultipartStream." - links: "https://commons.apache.org/proper/commons-fileupload/security-reports.html" - - -- reference: CVE-2010-1244 - repo: https://github.com/apache/activemq - commit: 1f464b9412e1b1c08d40c8ffac40edd52731da48:master - description: "" - links: "" - - -- reference: CVE-2010-0432 - repo: https://github.com/apache/ofbiz - commit: 13c980be3edf51dee1a3e5acfbeaa5101ee27834:release09.04,eef44e37a15f5850171c3aae15b1777ce8de847d:trunk,5aa135f01ddcaa227c3db72bb08715bbb2ca19d2:trunk,232fb428b7c6b11a518bca942613e458f1960f94:release09.04,8bf8fbddc409167774ae425b17d81928481a9ae0:release09.04,34125e42d1db74064482c296c871e11c92dc4527:trunk,50983b72a329851f88a013630b718efbd4c291bf:trunk,e47a65896bd12e23e090436c0b6e2478f162ae3e:release09.04 - description: "" - links: "" - - -- reference: CVE-2018-20318 - repo: https://github.com/Wechat-Group/WxJava/ - commit: 6272639f02e397fed40828a2d0da66c30264bc0e:master - description: "" - links: "https://github.com/Wechat-Group/WxJava/issues/889,https://snyk.io/vuln/SNYK-JAVA-COMGITHUBBINARYWANG-72732" - - -- reference: CVE-2015-5253 - repo: https://github.com/apache/cxf.git - commit: 845eccb6484b43ba02875c71e824db23ae4f20c0:master - description: "" - links: "" - - -- reference: CVE-2019-6802 - repo: https://github.com/pypiserver/pypiserver/ - commit: 
1375a67c55a9b8d4619df30d2a1c0b239d7357e6:master - description: "CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI." - links: "https://github.com/pypiserver/pypiserver/issues/237,https://snyk.io/vuln/SNYK-PYTHON-PYPISERVER-73607" - - -- reference: CVE-2016-4970 - repo: https://github.com/netty/netty - commit: 524156f164a910b8b0978d27a2c700a19cd8048:4.0,9e2c400f89c5badc39919f811179d3d42ac5257c:master - description: "" - links: "" - - -- reference: CVE-2019-1003003 - repo: https://github.com/jenkinsci/jenkins/ - commit: 07c09bebb8396a48063c1da4fc4b628acddd72a8:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003003,https://jenkins.io/security/advisory/2019-01-16/#SECURITY-868" - - -- reference: CVE-2012-5885 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1380829:trunk - description: "" - links: "" - - -- reference: CVE-2005-3164 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 535543:trunk - description: "" - links: "" - - -- reference: FLASK-IPBAN-001 - repo: https://github.com/Martlark/flask-ipban/ - commit: 7ab2820a2dcac4f7602a5fc2bd3f07f701203076:master - description: "Arbitrary Code Execution Overview flask-ipban is a Flask extension that helps protect against potential Denial of Service (DoS) attempts through IP banning. Affected versions of this package are vulnerable to Arbitrary Code Execution via the yaml.load in flask_ipban/ip_ban.py. Remediation Upgrade flask-ipban to version 0.2.2 or higher. " - links: "https://github.com/Martlark/flask-ipban/commit/7ab2820a2dcac4f7602a5fc2bd3f07f701203076" - - -- reference: CVE-2016-10750 - repo: https://github.com/hazelcast/hazelcast/ - commit: 5a47697519018eb4918df33a21faae811e85f01a:master - description: "In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. 
If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10750,https://github.com/hazelcast/hazelcast/issues/8024" - - -- reference: CVE-2018-6356 - repo: https://github.com/jenkinsci/jenkins - commit: 9de62915807deab61d6e780eed660428f9889b51:master,eb03a42078f29dbed3742b8740c95e02890e4545:master - description: "" - links: "" - - -- reference: CVE-2016-0763 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1725929:trunk,1725926:trunk,1725931:trunk - description: "" - links: "" - - -- reference: CVE-2015-2156 - repo: https://github.com/netty/netty/ - commit: 2caa38a2795fe1f1ae6ceda4d69e826ed7c55e5:3.10,97d871a7553a01384b43df855dccdda5205ae77:4.1,31815598a2af37f0b71ea94eada70d6659c2375:3.9 - description: "" - links: "https://github.com/netty/netty/pull/3748,https://github.com/netty/netty/pull/3754,https://nvd.nist.gov/vuln/detail/CVE-2015-2156" - - -- reference: CVE-2014-3625 - repo: https://github.com/spring-projects/spring-framework.git - commit: 9beae9ae4226c45cd428035dae81214439324676:master,9cef8e3001ddd61c734281a7556efd84b6cc2755:master,3f68cd633f03370d33c2603a6496e81273782601:master - description: "" - links: "" - - -- reference: CVE-2016-0762 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1758499:trunk,1758501:trunk,1758500:trunk,1758506:trunk,1758502:trunk - description: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. Affects: 6.0.0 to 6.0.45,7.0.0 to 7.0.70,, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36,9.0.0.M1 to 9.0.0.M9." 
- links: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762" - - -- reference: CVE-2016-4436 - repo: https://github.com/apache/struts - commit: 27ca165ddbf81c84bafbd083b99a18d89cc49ca7:master,237432512df0e27013f7c7b9ab59fdce44ca34a5:master - description: "The method used to clean up action name can produce vulnerable payload based on crafted input which can be used by attacker to perform unspecified attack. Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1." - links: "https://struts.apache.org/docs/s2-035" - - -- reference: CVE-2016-6812 - repo: https://github.com/apache/cxf - commit: 1f824d80:3.1.x:3.1.x,45b1b5b9:master,1be97cb1:3.0.x:3.0.x,a30397b0:3.0.x:3.0.x,a23c615b:master,32e89366:3.1.x:3.1.x - description: " XSS risk in Apache CXF FormattedServiceListWriter when a request URL contains matrix parameters. This vulnerability affects all versions of Apache CXF prior to 3.0.12, 3.1.9. CXF 3.0.x users should upgrade to 3.0.12 or later as soon as possible. CXF 3.1.x users should upgrade to 3.1.9 or later as soon as possible." - links: "http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc" - - -- reference: CVE-2017-15703 - repo: https://github.com/apache/nifi/ - commit: 9e2c7be7d3c6a380c5f61074d9a5a690b617c3dc:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15703,https://github.com/apache/nifi/pull/2134" - - -- reference: CVE-2017-4991 - repo: https://github.com/cloudfoundry/uaa - commit: bbf6751bc0d87c4a3aaf21b54e26ce328ab998b:3.6.x,7db5e5846961e08295b1ef7af909f267eebe5da:2.7.4.x,eb3f86054489039e11eabd54a8ec9a46c22abfc:2.7.4.x - description: "It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user." 
- links: "https://www.cloudfoundry.org/cve-2017-4992/" - - -- reference: CVE-2012-6092 - repo: https://github.com/apache/activemq - commit: 51eb87a84be88d28383ea48f6e341ffe1203c5ba:master - description: "" - links: "" - - -- reference: CVE-2018-12036 - repo: https://github.com/jeremylong/DependencyCheck/ - commit: c106ca919aa343b95cca0ffff0a0b5dc20b2baf7:master - description: "" - links: "https://github.com/snyk/zip-slip-vulnerability" - - -- reference: CVE-2015-0263 - repo: https://github.com/apache/camel - commit: 7d19340bcdb42f7aae584d9c5003ac4f7ddaee36:master - description: "" - links: "" - - -- reference: CVE-2017-1000486 - repo: https://github.com/primefaces/primefaces/ - commit: 26e44eb7962cbdb6aa2f47eca0f230f3274358f0:master - description: "" - links: "https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html,https://cryptosense.com/blog/weak-encryption-flaw-in-primefaces,https://github.com/primefaces/primefaces/issues/1152,https://snyk.io/vuln/SNYK-JAVA-ORGPRIMEFACES-32045,https://www.exploit-db.com/exploits/43733" - - -- reference: CVE-2018-1000531 - repo: https://github.com/inversoft/prime-jwt/ - commit: abb0d479389a2509f939452a6767dc424bb5e6ba:master - description: "" - links: "https://github.com/inversoft/prime-jwt/issues/3,https://snyk.io/vuln/SNYK-JAVA-COMINVERSOFT-32386" - - -- reference: CVE-2016-1000001 - repo: https://github.com/puiterwijk/flask-oidc/ - commit: f2ef8b4ffa445be00f6602e446e60916f4ee4d30:master - description: "" - links: "https://www.cvedetails.com/cve/CVE-2016-1000001/" - - -- reference: CVE-2018-1000519 - repo: https://github.com/aio-libs/aiohttp-session/ - commit: 6b7864004d3442dbcfaf8687f63262c1c629f569:master - description: "" - links: "https://github.com/aio-libs/aiohttp-session/issues/272,https://github.com/aio-libs/aiohttp-session/pull/273,https://snyk.io/vuln/SNYK-PYTHON-AIOHTTPSESSION-42161" - - -- reference: CVE-2011-1419 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1079752:trunk - 
description: "" - links: "" - - -- reference: CVE-2019-12781 - repo: https://github.com/django/django/ - commit: 77706a3e4766da5d5fb75c4db22a0a59a28e6cd:2.2.x,54d0f5e62f54c29a12dd96f44bacd810cbe03ac:master,32124fc41e75074141b05f10fc55a4f01ff7f05:1.11.x,1e40f427bb8d0fb37cc9f830096a97c36c97af6:2.1.x - description: "Incorrect HTTP detection with reverse-proxy connecting via HTTPS When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT. HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests. If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying on scheme, is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT. 
" - links: "https://docs.djangoproject.com/en/2.2/releases/2.2.3/" - - -- reference: CVE-2013-2135 - repo: https://github.com/apache/struts - commit: cfb6e9afbae320a4dd5bdd655154ab9fe5a92c1:STRUTS_2_3_14_3,01e6b251b4db78bfb7971033652e81d1af4cb3e:STRUTS_2_3_14_3,8b4fc81daeea3834bcbf73de5f48d0021917aa3:STRUTS_2_3_14_3,711cf0201cdd319a38cf29238913312355db29ba:master,54e5c912ebd9a1599bfcf7a719da17c28127bbe:STRUTS_2_3_14_3 - description: "" - links: "" - - -- reference: CVE-2018-1999046 - repo: https://github.com/jenkinsci/jenkins - commit: 6867e4469525d16319b1bae9c840b933fe4e23c4:master - description: "" - links: "" - - -- reference: CVE-2017-4995 - repo: https://github.com/spring-projects/spring-security - commit: 947d11f433b78294942cb5ea56e8aa5c3a0ca43:4.2.x,5dee8534cd1b92952d10cc56335b5d5856f48f3b:master - description: "Spring Security configures Jackson with global default typing enabled which means it inherits a Jackson deserialization vulnerability that could lead to arbitrary code execution. (see https://github.com/spring-projects/spring-security/issues/4370)" - links: "https://pivotal.io/security/cve-2017-4995" - - -- reference: CVE-2019-10141 - repo: https://github.com/openstack/ironic-inspector/ - commit: 9d107900b2e0b599397b84409580d46e0ed16291:master - description: "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data There is an SQL-injection vulnerability in the inpector's node_cache.find_node(). This function makes an SQL query using unescaped data received on the wire from a server reporting inspection results (specifically, via a POST to the /v1/continue endpoint). The unescaped data should not be trusted - the API is unauthenticated and it's likely that anything with access to the network on which ironic-inspector is listening could exploit the vulnerability. Because of how the results of the query are used, there appears to be no way to exploit this vulnerability to exfiltrate data. 
It could be exploited for destructive ends by passing malicious data (e.g. \"\'; DROP DATABASE;\'\")." - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1711722" - - -- reference: CVE-2018-20157 - repo: https://github.com/OpenRefine/OpenRefine/ - commit: 6a0d7d56e4ffb420316ce7849fde881344fbf881:master - description: "" - links: "https://github.com/OpenRefine/OpenRefine/issues/1907,https://snyk.io/vuln/SNYK-JAVA-ORGOPENREFINE-72721" - - -- reference: CVE-2019-1003010 - repo: https://github.com/jenkinsci/git-plugin/ - commit: f9152d943936b1c6b493dfe750d27f0caa7c0767:master - description: "A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003010,https://github.com/jenkinsci/git-plugin/commit/f9152d943936b1c6b493dfe750d27f0caa7c0767,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095" - - -- reference: CVE-2017-5644 - repo: https://github.com/apache/poi - commit: 3a328aa220f6979f9805f658ae33244d153beaa7:master - description: "" - links: "" - - -- reference: CVE-2015-8034 - repo: https://github.com/saltstack/salt/ - commit: 097838ec0c52b1e96f7f761e5fb3cd7e79808741:master - description: "" - links: "https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html,https://github.com/saltstack/salt/issues/28455,https://www.cvedetails.com/cve/CVE-2015-8034/" - - -- reference: CVE-2018-1000615 - repo: https://github.com/opennetworkinglab/onos/ - commit: 1a783729a1d7e0cd59d59a8dd3a73cdd6ac0f30d:master - description: "" - links: "http://gms.cl0udz.com/OVSDB_DOS.pdf,https://snyk.io/vuln/SNYK-JAVA-ORGONOSPROJECT-32421" - - -- reference: CVE-2019-1003023 - repo: https://github.com/jenkinsci/warnings-ng-plugin/ - commit: 58d4cd85a7fc68ded989b6019c8c0cba3a457d15:master - description: "A cross-site 
scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003023,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1271" - - -- reference: CVE-2018-1270 - repo: https://github.com/spring-projects/spring-framework/ - commit: e0de9126ed8cf25cf141d3e66420da94e350708:5.x,d3acf45ea4db51fa5c4cbd0bc0e7b6d9ef805e6:4.x,1db7e02de3eb0c011ee6681f5a12eb9d166fea8:5.x - description: "Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, as well as older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. Affected : Spring Framework 5.0 to 5.0.4, Spring Framework 4.3 to 4.3.15, Older unsupported versions are also affected" - links: "https://pivotal.io/security/cve-2018-1270" - - -- reference: CVE-2015-5258 - repo: https://github.com/spring-projects/spring-social.git - commit: 5151e1158e1ed51369e7aba9e8092930d28c31d3:master - description: "When authorizing an application against an OAuth 2 API provider, Spring Social is vulnerable to a Cross-Site Request Forgery (CSRF) attack. 
The attack involves a malicious user beginning an OAuth 2 authorization flow using a fake account with an OAuth 2 API provider, but completing it by tricking the victim into visiting the callback request in their browser. As a consequence, the attacker will have access to the victim's account on the vulnerable site by way of the fake provider account." - links: "https://pivotal.io/security/cve-2015-5258" - - -- reference: CVE-2018-1272 - repo: https://github.com/spring-projects/spring-framework/ - commit: e02ff3a0da50744b0980d5d665fd242eedea767:4.3.x,ab2410c754b67902f002bfcc0c3895bd7772d39:5.0.5 - description: "" - links: "https://jira.spring.io/browse/SPR-16635,https://pivotal.io/security/cve-2018-1272" - - -- reference: CVE-2017-7481 - repo: https://github.com/ansible/ansible/ - commit: ed56f51f185a1ffd7ea57130d260098686fcc7c2:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481,https://snyk.io/vuln/SNYK-PYTHON-ANSIBLE-42165" - - -- reference: CVE-2014-1830 - repo: https://github.com/requests/requests/ - commit: f1893c835570d72823c970fbd6e0e42c13b1f0f2:master,7ba5a534ae9fc24e40b3ae6c480c9075d684727e:master,97cf16e958a948ecf30c3019ae94f2e7ec7dcb7f:master,fe4c4f146124d7fba2e680581a5d6b9d98e3fdf8:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830,https://github.com/requests/requests/issues/1885,https://github.com/requests/requests/pull/1951" - - -- reference: CVE-2018-11784 - repo: https://github.com/apache/tomcat/ - commit: efb860b3ff8ebcf606199b8d0d432f76898040da:master - description: "When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This issue was reported to the Apache Tomcat Security Team by Sergey Bobrov on 28 August 2018 and made public on 3 October 2018. 
Affects: 9.0.0.M1 to 9.0.11 Affects: 8.5.0 to 8.5.33 Affects: 7.0.23 to 7.0.90" - links: "https://tomcat.apache.org/security-7.html,https://tomcat.apache.org/security-8.html,https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2016-3093 - repo: https://github.com/jkuhnert/ognl/ - commit: ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92:master - description: "" - links: "" - - -- reference: CVE-2008-1232 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 673834:trunk - description: "" - links: "" - - -- reference: CVE-2016-6194 - repo: https://github.com/rabbitmq/rabbitmq-jms-client - commit: 95ae7401c0f007d5c8e6618ab009c171ce633916:master - description: "ObjectMessage#getObject deserializes any value without performing input validation. Patched by limiting supported classes via a white list of package prefixes. By default all packages are trusted for backwards compatibility. Fixed in release 1.5.0 (see https://github.com/rabbitmq/rabbitmq-jms-client/issues/3)" - links: "https://github.com/rabbitmq/rabbitmq-jms-client/pull/4" - - -- reference: CVE-2018-11775 - repo: https://github.com/apache/activemq/ - commit: bde7097fb8173cf871827df7811b3865679b963d:master - description: "" - links: "http://activemq.apache.org/security-advisories.html" - - -- reference: CVE-2016-2426 - repo: https://android.googlesource.com/platform/frameworks/base.git - commit: 63363af721650e426db5b0bdfb8b2d4fe36abdb0:master - description: "" - links: "" - - -- reference: CVE-2017-7536 - repo: https://github.com/hibernate/hibernate-validator/ - commit: 0778a5c98b817771a645c6f4ba0b28dd8b5437b:5.4,0ed45f37c4680998167179e631113a2c9cb5d11:5.2,0886e89900d343ea20fde5137c9a3086e6da9ac:5.3 - description: "" - links: "https://access.redhat.com/security/cve/cve-2017-7536,https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885577,https://bugzilla.redhat.com/show_bug.cgi?id=1465573" - - -- reference: CVE-2010-4476 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 
1066318:trunk,1066315:trunk,1066244:trunk - description: "" - links: "" - - -- reference: CVE-2017-12852 - repo: https://github.com/numpy/numpy - commit: 01718a9feb7f949b091e4f95320c1a60116e77a5:master,11593aa176d491beb0cc5ffcc393956a5435a2bf:master,ba443cedf6e0194ab85f362f7d7ca89dca432e7:1.13.x,d57ada7c0c9900bfe8dfa139fa6419c4307ecb2:1.13.x - description: "" - links: "" - - -- reference: CVE-2009-2902 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 902650:trunk,892815:trunk,892795:trunk - description: "" - links: "" - - -- reference: CVE-2016-10127 - repo: https://github.com/rohe/pysaml2/ - commit: 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b:master - description: "" - links: "" - - -- reference: CVE-2013-7330 - repo: https://github.com/jenkinsci/jenkins.git - commit: 36342d71e29e0620f803a7470ce96c61761648d8:master - description: "" - links: "" - - -- reference: CVE-2018-1271 - repo: https://github.com/spring-projects/spring-framework/ - commit: 98ad23bef8e2e04143f8f5b201380543a8d8c0c:5.0.5,b9ebdaaf3710db473a2e1fec8641c316483a22a:4.3.x,695bf2961feffd35b5560ccc982a2189dcca611:5.05,91b803a2310344d925e5d4b1709bbcea9037554:5.0.5,13356a7ee2240f740737c5c83bdccdacc30603a:5.0.5,0e28bee0f155b9bf240b4bafc4646e4810cb23f:5.0.5,f59ea610dfcf55cd0b42f6dd76a9b3dab0218aa:5.0.5 - description: "" - links: "https://pivotal.io/security/cve-2018-1271,https://www.securityfocus.com/bid/103699" - - -- reference: CVE-2018-14642 - repo: https://github.com/undertow-io/undertow/ - commit: dc22648efe16968242df5d793e3418afafcb36c:1.4.27,c46b7b49c5a561731c84a76ee52244369af1af8:2.0.15 - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14642,https://nvd.nist.gov/vuln/detail/CVE-2018-14642" - - -- reference: CVE-2016-6581 - repo: https://github.com/python-hyper/hpack/ - commit: 4529c1632a356cc1ab6a7fdddccd2de60a21e366:master - description: "" - links: 
"https://github.com/python-hyper/hpack/pull/56,https://python-hyper.org/hpack/en/latest/security/CVE-2016-6581.html" - - -- reference: CVE-2019-12395 - repo: https://github.com/webbukkit/dynmap/ - commit: 641f142cd3ccdcbfb04eda3059be22dd9ed93783:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12395,https://github.com/webbukkit/dynmap/issues/2474,https://github.com/webbukkit/dynmap/pull/2475" - - -- reference: CVE-2019-10078 - repo: https://github.com/apache/jspwiki/ - commit: 46cd981dfb431730da3f9249f5db858aacf11e52:master - description: "" - links: "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078,https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7@%3Cdev.jspwiki.apache.org%3E" - - -- reference: CVE-2015-3271 - repo: https://github.com/apache/tika - commit: 98672cdd92b6325ff78c763955a7c045b364095b:master - description: "Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header. 
(see also https://issues.apache.org/jira/browse/TIKA-1690) "
- links: "https://nvd.nist.gov/vuln/detail?vulnId=2015-3271"
-
-
-- reference: CVE-2016-9013
- repo: https://github.com/django/django
- commit: 4844d86c7728c1a5a3bbce4ad336a8d32304072:1.9,34e10720d81b8d407aa14d763b6a7fe8f13b4f2:1.10,70f99952965a430daf69eeb9947079aae535d2d:1.8
- description: ""
- links: ""
-
-
-- reference: CVE-2018-8032
- repo: https://github.com/apache/axis1-java/
- commit: e7ce8a92bc02be54da102efb64c99aeee21a2106:master
- description: ""
- links: "http://mail-archives.apache.org/mod_mbox/axis-java-dev/201807.mbox/%3CJIRA.13170716.1531060536000.93536.1531060560060@Atlassian.JIRA%3E,https://issues.apache.org/jira/browse/AXIS-2924,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEAXIS-32456"
-
-
-- reference: CVE-2016-0731
- repo: https://github.com/apache/ambari
- commit: eaf8cc4cd2015456307ff3fcf98e49f2826fa270:master
- description: ""
- links: ""
-
-
-- reference: CVE-2016-1000346
- repo: https://github.com/bcgit/bc-java
- commit: 1127131c89021612c6eefa26dbe5714c194e7495:master
- description: "Other party DH public key not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of this release the key parameters are checked on agreement calculation." 
- links: "https://www.bouncycastle.org/releasenotes.html"
-
-
-- reference: CVE-2016-2048
- repo: https://github.com/django/django/
- commit: adbca5e4db42542575734b8e5d26961c8ada7265:master
- description: ""
- links: "https://nvd.nist.gov/vuln/detail/CVE-2016-2048,https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/"
-
-
-- reference: CVE-2014-3529
- repo: https://github.com/apache/poi
- commit: 6050a68d5adfb4ffef1edb778add09bcee32d1c3:trunk,236c3c52a9b90688b2e57ec503559409e29f33ed:trunk,d72bd78c19dfb7b57395a66ae8d9269d59a87bd2:trunk,eabb6a924be24abb879372d0bc967e0d316b2cf8:trunk,103b45073c7b504236588b3acc146530205af53c:REL_3_10_BRANCH
- description: ""
- links: ""
-
-
-- reference: CVE-2013-2250
- repo: https://github.com/apache/ofbiz
- commit: 0187743b1ef3c847a2d6b8687070c909316936a6:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2019-6975
- repo: https://github.com/django/django/
- commit: 402c0caa851e265410fbcaa55318f22d2bf22ee2:master
- description: "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function." 
- links: "https://docs.djangoproject.com/en/2.1/releases/2.1.6/"
-
-
-- reference: CVE-2014-0034
- repo: https://github.com/apache/cxf
- commit: b4b9a010bb23059251400455afabddee15b46127:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2011-1088
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1076587:trunk,1076586:trunk,1079769:trunk,1077995:trunk,1079752:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2019-11236
- repo: https://github.com/urllib3/urllib3/
- commit: 9b76785331243689a9d52cef3db05ef7462cb02:1.24.x,efddd7e7bad26188c3b692d1090cba768afa916:1.24.x,0aa3e24fcd75f1bb59ab159e9f8adb44055b2271:master
- description: ""
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236,https://github.com/urllib3/urllib3/issues/1553"
-
-
-- reference: CVE-2014-8125
- repo: https://github.com/droolsjbpm/drools.git
- commit: c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3:master
- description: ""
- links: ""
-
-
-- reference: CVE-2018-1999027
- repo: https://github.com/jenkinsci/saltstack-plugin/
- commit: 5306bcc438ff989e4b1999a0208fd6854979999b:master
- description: ""
- links: "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1009,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32448"
-
-
-- reference: CVE-2012-2417
- repo: https://github.com/Legrandin/pycrypto/
- commit: 9f912f13df99ad3421eff360d6a62d7dbec755c2:master
- description: ""
- links: "https://www.cvedetails.com/cve/CVE-2012-2417/"
-
-
-- reference: CVE-2013-1880
- repo: https://github.com/apache/activemq
- commit: fafd12dfd4f71336f8e32c090d40ed1445959b40:master
- description: ""
- links: ""
-
-
-- reference: CVE-2012-5633
- repo: https://github.com/apache/cxf
- commit: db11c9115f31e171de4622149f157d8283f6c720:trunk,94a98b3fe9c79e2cf3941acbbad216ba54999bc0:trunk,1a6b532d53a7b98018871982049e4b0c80dc837c:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2012-2138
- repo: https://github.com/apache/sling-old-svn-mirror
- commit: 
96e84960ac90e966f0f6cb6d4dfa8046eeeea8a0:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2016-3082
- repo: https://github.com/apache/struts
- commit: 6bd694b7980494c12d49ca1bf39f12aec3e03e2f:master
- description: ""
- links: ""
-
-
-- reference: CVE-2016-1000111
- repo: https://github.com/twisted/twisted/
- commit: 69707bb1aa55b3a6cec5e02df01d34d2a93c2519:master
- description: ""
- links: "https://raw.githubusercontent.com/twisted/twisted/trunk/NEWS.rst"
-
-
-- reference: CVE-2018-1000820
- repo: https://github.com/neo4j-contrib/neo4j-apoc-procedures/
- commit: 45bc09c8bd7f17283e2a7e85ce3f02cb4be4fd1a:master
- description: ""
- links: "https://0dd.zone/2018/10/27/neo4f-apoc-procedures-XXE/,https://github.com/neo4j-contrib/neo4j-apoc-procedures/compare/3.4.0.3...3.4.0.4,https://github.com/neo4j-contrib/neo4j-apoc-procedures/issues/931"
-
-
-- reference: CVE-2019-1003085
- repo: https://github.com/jenkinsci/zephyr-enterprise-test-management-plugin/
- commit: a2a698660c12d78e06f78c813c3ff10b4c30db16:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-993"
-
-
-- reference: CVE-2015-7337
- repo: https://github.com/ipython/ipython/
- commit: 0a8096adf165e2465550bd5893d7e352544e596:3.x
- description: ""
- links: "https://www.cvedetails.com/cve/CVE-2015-7337/"
-
-
-- reference: CVE-2018-1317
- repo: https://github.com/apache/zeppelin/
- commit: eb7969b0c60bc82658e3033ba7a40741b7204fce:master
- description: "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication." 
- links: "https://github.com/apache/zeppelin/pull/2925,https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E"
-
-
-- reference: CVE-2018-18531
- repo: https://github.com/penggle/kaptcha/
- commit: b73a2123ad911b7df4eb917a2126c6d9464e5a6d:master
- description: ""
- links: "https://github.com/penggle/kaptcha/issues/3,https://github.com/penggle/kaptcha/pull/4,https://github.com/penggle/kaptcha/pull/4/commits/b32c5ac580bf078e9065c84ccddd8c5914f68262"
-
-
-- reference: PYPISERVER-001
- repo: https://github.com/pypiserver/pypiserver/
- commit: 1375a67c55a9b8d4619df30d2a1c0b239d7357e6:master
- description: ""
- links: "https://github.com/pypiserver/pypiserver/commit/1375a67c55a9b8d4619df30d2a1c0b239d7357e6,https://github.com/pypiserver/pypiserver/issues/237,https://snyk.io/vuln/SNYK-PYTHON-PYPISERVER-173983"
-
-
-- reference: CVE-2019-10337
- repo: https://github.com/jenkinsci/token-macro-plugin/
- commit: 004319f1b6e2a0f097a096b9df9dc19a5ac0d9b0:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399"
-
-
-- reference: CVE-2018-17186
- repo: https://github.com/apache/syncope/
- commit: bdb6a180dcae6f1baaff16619cb906b7292da0d:master,979c28abf2587c73b57d20e4b892410fdd336f0:2.0.11,a0f35f45f8ca5c98853ae8477fb2db81a84709a:2.1.2
- description: ""
- links: "https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESYNCOPECLIENT-72569,https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
-
-
-- reference: CVE-2016-10075
- repo: https://github.com/tqdm/tqdm
- commit: 7996430e92ca0babec510fcf18d62c9f9c4e6b4d:master
- description: ""
- links: "https://www.cvedetails.com/cve/CVE-2016-10075/,https://www.openwall.com/lists/oss-security/2016/12/28/8"
-
-
-- reference: CVE-2017-1000354
- repo: https://github.com/jenkinsci/jenkins/
- commit: 02d24053bdfeb219d2387a19885a60bdab510479:master
- description: ""
- links: 
"https://jenkins.io/security/advisory/2017-04-26/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32181"
-
-
-- reference: CVE-2019-10353
- repo: https://github.com/jenkinsci/jenkins/
- commit: 772152315aa0a9ba27b812a4ba0f3f9b64af78d9:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626"
-
-
-- reference: CVE-2013-6448
- repo: https://github.com/seam2/jboss-seam.git
- commit: 090aa6252affc978a96c388e3fc2c1c2688d9bb5:master
- description: ""
- links: ""
-
-
-- reference: CVE-2014-0107
- repo: https://github.com/apache/xalan-j
- commit: cbfd906cc5a1f1566fa1a98400c82e56077fae0c:xalan-j_2_7_1_maint
- description: ""
- links: ""
-
-
-- reference: CVE-2018-8097
- repo: https://github.com/pyeve/eve
- commit: 29e436117ca52cc494465a833ae10d4587dd2755:master
- description: ""
- links: "https://github.com/pyeve/eve/issues/1101"
-
-
-- reference: CVE-2017-12629
- repo: https://github.com/apache/lucene-solr/
- commit: f9fd6e9e26224f26f1542224ce187e04c27b268:6.6.2,d28baa3fc5566b47f1ca7cc2ba1aba658dc634a:7.2,926cc4d65b6d2cc40ff07f76d50ddeda947e3cc:master,d8000beebfb13ba0b6e754f84c760e11592d8d1:5.5.5,3bba91131b5257e64b9d0a2193e1e32a145b2a2:7.1
- description: ""
- links: "https://lucene.apache.org/solr/news.html,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELUCENE-31569,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESOLR-32013,https://snyk.io/vuln/SNYK-LINUX-LUCENESOLR-115218"
-
-
-- reference: CVE-2018-1000130
- repo: https://github.com/rhuss/jolokia
- commit: 1b360b8889f0ed51165a8d1ac55dd8e0aa2dfd4:master,fd7b93da30c61a45bac10d8b311f1b79a74910f:master
- description: ""
- links: ""
-
-
-- reference: CVE-2019-1003043
- repo: https://github.com/jenkinsci/slack-plugin/
- commit: 0268bbefdcc283effd27be5318770f7e75c6f102:master
- description: "CSRF vulnerability and missing permission checks in Slack Notification Plugin allowed capturing credentials SECURITY-976 / CVE-2019-1003043 (missing permission check) and CVE-2019-1003044 (CSRF) Slack Notification 
Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability. This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration)"
- links: "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-976"
-
-
-- reference: CVE-2013-4347
- repo: https://github.com/joestump/python-oauth2/
- commit: 82dd2cdd4954cd7b8983d5d64c0dfd9072bf4650:master
- description: ""
- links: "https://github.com/joestump/python-oauth2/issues/9,https://github.com/joestump/python-oauth2/pull/146,https://www.cvedetails.com/cve/CVE-2013-4347/"
-
-
-- reference: CVE-2018-17184
- repo: https://github.com/apache/syncope/
- commit: 36fb466afd64894170fa5e2e030ce6895120b1a:master,b25a8834db2cc7ea45707a1218e85e047568427:2.1.0,73aed0a741b1255f45893e3cada650147335073:2.0.11
- description: ""
- links: "https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESYNCOPE-72568,https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
-
-
-- reference: CVE-2018-11771
- repo: https://github.com/apache/commons-compress
- commit: a41ce6892cb0590b2e658704434ac0dbcb6834c8:master
- description: ""
- links: ""
-
-
-- reference: CVE-2017-12196
- repo: https://github.com/undertow-io/undertow
- commit: facb33a5cedaf4b7b96d3840a08210370a806870:master,8804170ce3186bdd83b486959399ec7ac0f59d0f:master
- description: "Overview: io.undertow:undertow-core is a Java web server based on non-blocking IO. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks. 
When using a Digest authentication, the server does not ensure that value of the URI attribute in the Authorization header matches URI in HTTP request line. An attacker can use this attack vector in order to access desired content on a server. Remediation: Upgrade io.undertow:undertow-core to version 2.0.3 or higher."
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=1503055,https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-32142"
-
-
-- reference: CVE-2016-8744
- repo: https://github.com/apache/brooklyn-server
- commit: 3ae4a4d156341a53e54a2fe07192f46b15763d06:master
- description: ""
- links: ""
-
-
-- reference: CVE-2019-10241
- repo: https://github.com/eclipse/jetty.project/
- commit: ca77bd384a2970cabbbdab25cf6251c6fb76cd21:master,b929f5c2db9faae0164d94a33f9ec919c78e7673:master
- description: "In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents." 
- links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121,https://github.com/eclipse/jetty.project/issues/3319"
-
-
-- reference: CVE-2015-5204
- repo: https://github.com/apache/cordova-plugin-file-transfer
- commit: ad6647120db12f0e67ee4a952a71ea494a39a475:master,8fcdb1aa3deb892691b44bdf57e8d780da09e2a4:master,2b31723708256c08c5209308eb6ccfb03e2ab990:master
- description: ""
- links: ""
-
-
-- reference: CVE-2019-10342
- repo: https://github.com/jenkinsci/docker-plugin/
- commit: 6ad27199f6fad230be72fd45da78ddac85c075db:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1400,https://wiki.jenkins.io/display/JENKINS/Docker+Plugin"
-
-
-- reference: CVE-2018-11047
- repo: https://github.com/cloudfoundry/uaa/
- commit: 81aeb7a3aa048ea086c494f725d643e48dd9266:4.10.2,a1d523c7f150e56bf06df8b83ed1d416d6c1d3b:4.5.7,bbbba5aec514ad88e7d1e168a2519c80229f02f:4.12.4,aba1fb5f18e0d628628b2d960fc6d0cc62d86f5:4.7.6,2906057dae995024576ce6afdc20abd85569514:4.19.2
- description: "UAA accepts refresh token as access token on admin endpoints"
- links: "https://www.cloudfoundry.org/blog/cve-2018-11047/"
-
-
-- reference: CVE-2013-6440
- repo: https://svn.shibboleth.net/java-xmltooling
- commit: 815:REL_1,812:REL_1
- description: "The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration. All versions of XMLTooling-J before 1.4.1 and distributions of OpenSAML Java before 2.6.1 are affected by this flaw." 
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=1043332"
-
-
-- reference: CVE-2018-1308
- repo: https://github.com/apache/lucene-solr
- commit: 02c693f3713add1b4891cbaa87127de3a55c10f:master,dd3be31f7062dcb2f3b2d7f0e89df29e197dee6:6.3.3,739a79338856599084617d44b6a1b424af059aa:7.3.0
- description: ""
- links: "https://issues.apache.org/jira/browse/SOLR-11971,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESOLR-32208"
-
-
-- reference: CVE-2018-12023
- repo: https://github.com/FasterXML/jackson-databind/
- commit: 28badf7ef60ac3e7ef151cd8e8ec010b8479226:2.7.9,7487cf7eb14be2f65a1eb108e8629c07ef45e0a:2.8.11
- description: "Block polymorphic deserialization of types from Oracle JDBC driver. description: There is a potential remote code execution (RCE) vulnerability, if user is 1. handling untrusted content (where attacker can craft JSON) 2. using \"Default Typing\" feature (or equivalent; polymorphic value with base type of java.lang.Object 3. has oracle JDBC driver jar in classpath 4. allows connections from service to untrusted hosts (where attacker can run an LDAP service). (note: steps 1 and 2 are common steps as explained in https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062). To solve the issue, 2 types from JDBC driver are blacklisted to avoid their use as \"serialization gadgets\"." 
- links: "https://github.com/FasterXML/jackson-databind/issues/2058,https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8"
-
-
-- reference: CVE-2018-8009
- repo: https://github.com/apache/hadoop/
- commit: 745f203e577bacb35b042206db94615141fa5e6:trunk,e3236a9680709de7a95ffbc11b20e1bdc95a860:trunk,65e55097da2bb3f2fbdf9ba1946da25fe58bec9:3.0,12258c7cff8d32710fbd8b9088a930e3ce27432:2.8,bd98d4e77cf9f7b2f4b1afb4d5e5bad0f6b2fde:3.0,cedc28d4ab2a27ba47e15ab2711218d96ec88d2:2,eaa2b8035b584dfcf7c79a33484eb2dffd3fdb1:2.7,45a1c680c276c4501402f7bc4cebcf85a6fbc7f:2.7,11a425d11a329010d0ff8255ecbcd1eb51b642e:3.1,fc4c20fc3469674cb584a4fb98bac7e3c2277c9:3.1,1373e3d8ad60e4da721a292912cb69243bfdf47:2.9,6d7d192e4799b51931e55217e02baec14d49607:2,6a4ae6f6eeed1392a4828a5721fa1499f65bdde:2.9
- description: "Zip-Slip vulnerability for Apache Hadoop."
- links: "https://snyk.io/research/zip-slip-vulnerability"
-
-
-- reference: CVE-2016-5388
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1756942:trunk,1756941:trunk,1756943:trunk,1756940:trunk,1756939:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2017-7525
- repo: https://github.com/FasterXML/jackson-databind
- commit: ddfddfba6414adbecaff99684ef66eebd3a92e92:master,60d459cedcf079c6106ae7da2ac562bc32dcabe1:master,e8f043d1aac9b82eee907e0f0c3abbdea723a935:master
- description: "When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known 'deserialization gadgets'. 
This solves an incomplete fix for CVE-2017-4995-JK (main description at: https://github.com/FasterXML/jackson-databind/issues/1599 Issues not addressed by the incomplete fix of CVE-2017-4995-JK: https://github.com/FasterXML/jackson-databind/issues/1680 and https://github.com/FasterXML/jackson-databind/issues/1737)"
- links: "https://github.com/FasterXML/jackson-databind/issues/1723"
-
-
-- reference: CVE-2017-8109
- repo: https://github.com/saltstack/salt/
- commit: 6e34c2b5e5e849302af7ccd00509929c3809c658:master
- description: ""
- links: "https://github.com/saltstack/salt/issues/40075,https://snyk.io/vuln/SNYK-PYTHON-SALT-42127"
-
-
-- reference: CVE-2014-0012
- repo: https://github.com/pallets/jinja/
- commit: acb672b6a179567632e032f547582f30fa2f4aa7:master
- description: ""
- links: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747,https://www.cvedetails.com/cve/CVE-2014-0012/"
-
-
-- reference: ZEPPELIN-2769
- repo: https://github.com/apache/zeppelin
- commit: 709c5a70a8f37277c9eea0a1c0c9195b5eb21a74:master
- description: ""
- links: ""
-
-
-- reference: CVE-2010-3260
- repo: https://github.com/orbeon/orbeon-forms.git
- commit: aba6681660f65af7f1676434da68c10298c30200:master
- description: ""
- links: ""
-
-
-- reference: CVE-2017-1000498
- repo: https://github.com/BigBadaboom/androidsvg
- commit: 44e4fbf1d0f6db295df34601972741d4cf706cbd:master
- description: ""
- links: ""
-
-
-- reference: CVE-2018-1199
- repo: https://github.com/spring-projects/spring-security
- commit: cb8041ba67635edafcc934498ef82707157fd22:4.2.x,65da28e4bf62f58fb130ba727cbbd621b44a36d:4.1.x,0eef5b4b425ab42b9fa0fde1a3f36a37b92558f:master
- description: "Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. 
The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed."
- links: "https://pivotal.io/security/cve-2018-1199"
-
-
-- reference: CVE-2008-1947
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 662582:trunk,662585:trunk,662583:master
- description: ""
- links: ""
-
-
-- reference: CVE-2015-5174
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1696284:trunk,1700898:trunk,1700897:trunk,1696281:trunk,1700900:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2018-11040
- repo: https://github.com/spring-projects/spring-framework/
- commit: 874859493bbda59739c38c7e52eb3625f247b93:4.3.x,b80c13b722bb207ddf43f53a007ee3ddc1dd2e2:5.0.x
- description: "JSONP enabled by default in MappingJackson2JsonView. description: Spring Framework, versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot. 
However when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the jsonp and callback JSONP parameters, enabling cross-domain requests.\nAllowing cross-domain requests from untrusted origins may expose user information to 3rd party browser scripts.\nThis vulnerability applies to applications that:\n - Explicitly configure MappingJackson2JsonView.\n - And do not set the jsonpParameterNames property of MappingJackson2JsonView to an empty set.\n - And expose sensitive user information over endpoints that can render content with JSONP.\n\nAffected Pivotal Products and Versions: Spring Framework 5.0 to 5.0.6. pring Framework 4.1 to 4.3.17. Mitigation: Users of affected versions should apply the following mitigation:\n- 5.0.x users should upgrade to 5.0.7.\n- 4.3.x users should upgrade to 4.3.18.\n- Older versions should upgrade to a supported branch, or otherwise set MappingJacksonJsonViews jsonpParameterNames property to an empty set.\n\nApplications that do require JSONP support will need to explicitly configure the jsonpParameterNames property of MappingJacksonJsonView following the upgrade. It is recommended that applications switch to using CORS instead of JSONP to enable cross-domain requests. JSONP support in the Spring Framework is deprecated as of 5.0.7 and 4.3.18 and will be removed in 5.1." 
- links: "https://jira.spring.io/browse/SPR-16798,https://pivotal.io/security/cve-2018-11040"
-
-
-- reference: CVE-2019-12741
- repo: https://github.com/jamesagnew/hapi-fhir/
- commit: 8f41159eb147eeb964cad68b28eff97acac6ea9a:master
- description: ""
- links: "https://github.com/jamesagnew/hapi-fhir/issues/1335,https://github.com/jamesagnew/hapi-fhir/releases/tag/v3.8.0"
-
-
-- reference: CVE-2012-4431
- repo: http://svn.apache.org/repos/asf/tomcat/tc7.0.x
- commit: 1393088:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2013-0158
- repo: https://github.com/jenkinsci/jenkins.git
- commit: 3dc13b957b14cec649036e8dd517f0f9cb21fb04:master,a9aff088f327278a8873aef47fa8f80d3c5932fd:master,4895eaafca468b7f0f1a3166b2fca7414f0d5da5:master,c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2:master,94a8789b699132dd706021a6be1b78bc47f19602:master
- description: ""
- links: ""
-
-
-- reference: CVE-2011-2730
- repo: https://github.com/spring-projects/spring-framework.git
- commit: 9772eb8410e37cd0bdec0d1b133218446c778beb:master,c8649087792d07df209fc75e0f9e2e3284e09fe:3.1.x,d95cbe23ee462245c5c2482e175f7b2a921b31c:3.0.x
- description: ""
- links: ""
-
-
-- reference: CVE-2018-8025
- repo: https://github.com/apache/hbase/
- commit: 30e98b4455f971c9cb3c02ac7b2daeebe4ee6f2:1.4,0c42acbdf86d08af3003105a26a2201f75f2e2c:master,7fe07075b35a816725ba18f6dd43d3fa84e08f9:2.0,bf25c1cb7221178388baaa58f0b16a408e151a6:1.3,625d4d002620139f49c8201f95b789b6a715cd4:1.2
- description: ""
- links: "https://issues.apache.org/jira/browse/HBASE-20664,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHBASE-32391"
-
-
-- reference: CVE-2017-3156
- repo: https://github.com/apache/cxf.git
- commit: 1338469:3.0.x,e66ce235:master,555843f:3.1.x
- description: ""
- links: ""
-
-
-- reference: PT-2013-65
- repo: https://github.com/eclipse/jetty.project
- commit: 0fac295cd82b59085d4aae5ca6792b2cda752455:master,458e511ce2f2b47fd216f68c0e385fc06a5f1d2f:master
- description: "The system does not consider that NTFS allows users 
to address files with extended syntax, while matching the requested resource URL with locations defined in web server configuration. This vulnerability allows attackers to obtain JSP script source code and to bypass access restrictions set for certain resources. Fixed in 7.6.14, 8.1.14, 9.0.6, 9.1.0. (see https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014)"
- links: "http://en.securitylab.ru/lab/PT-2013-65"
-
-
-- reference: CVE-2014-0074
- repo: https://github.com/apache/shiro
- commit: 9137e6cc45922b529fb776c6857647a3935471bb:trunk
- description: ""
- links: ""
-
-
-- reference: SONARQUBE-001
- repo: https://github.com/SonarSource/sonarqube/
- commit: 08438a2c47112f2fce1e512f6c843c908abed4c7:master
- description: "Overview org.sonarsource.sonarqube:sonar-plugin-api provides the capability to not only show health of an application but also to highlight issues newly introduced. Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA \"Zip Slip\"). Remediation Upgrade org.sonarsource.sonarqube:sonar-plugin-api to version 6.7.4 or higher."
- links: "https://snyk.io/research/zip-slip-vulnerability,https://snyk.io/vuln/SNYK-JAVA-ORGSONARSOURCESONARQUBE-72656"
-
-
-- reference: CVE-2016-7401
- repo: https://github.com/django/django/
- commit: d1bc980db1c0fffd6d60677e62f70beadb9fe64:1.9,6118ab7d0676f0d622278e5be215f14fb5410b6:1.8
- description: ""
- links: "https://www.cvedetails.com/vulnerability-list/vendor_id-10199/product_id-18211/year-2016/Djangoproject-Django.html"
-
-
-- reference: HTTPCLIENT-1803
- repo: https://github.com/apache/httpcomponents-client
- commit: 0554271750599756d4946c0d7ba43d04b1a7b22:4.x
- description: "When using URIBuilder's constructor with a malformed url argument, host passed in by setHost call not honored. The string passed into the constructor is treated as path, not verifying the presence of a leading / character. 
This causes a security vulnerability where the user-provided path can be used to override the host, resulting in giving network access to a sensitive environment. Fixed in version 4.5.3"
- links: "https://issues.apache.org/jira/browse/HTTPCLIENT-1803"
-
-
-- reference: CVE-2018-1335
- repo: https://github.com/apache/tika/
- commit: ffb48dd29d0c2009490caefda75e5b57c7958c51:master,b2d3932b847a171a85e356aa230af461a0f80d91:master,302f22aff7a836868b270038e1d66002a2004869:master,5d983aad0b68a228f180686a4135ed8c7cd589f1:master,d1bc09386405d28d6b0f0a29ce8c3e7efd72d6c7:master,e82c2efd2b1ac731b6954634741b70ecf0ed6f01:master,4fdc51a40bf9532d7db57d0b08c1aec3931468ad:master
- description: ""
- links: "https://github.com/apache/tika,https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETIKA-32232"
-
-
-- reference: CVE-2016-0818
- repo: https://android.googlesource.com/platform//external/conscrypt.git
- commit: 4c9f9c2201116acf790fca25af43995d29980ee0:master,c4ab1b959280413fb11bf4fd7f6b4c2ba38bd779:master
- description: ""
- links: ""
-
-
-- reference: CVE-2016-7043
- repo: https://github.com/kiegroup/droolsjbpm-integration/
- commit: 652be539fa8a1d66d47212758ca9b75799a1cb34:master
- description: ""
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7043,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7043,https://github.com/kiegroup/droolsjbpm-integration/pull/1273"
-
-
-- reference: CVE-2016-0831
- repo: https://android.googlesource.com/platform/frameworks/opt/telephony.git
- commit: 79eecef63f3ea99688333c19e22813f54d4a31b1:master
- description: ""
- links: ""
-
-
-- reference: CVE-2018-17197
- repo: https://github.com/apache/tika/
- commit: 0c49c851979163334ea05cbebdd11ff87feba62d:master
- description: ""
- links: 
"https://lists.apache.org/thread.html/7c021a4ea2037e52e74628e17e8e0e2acab1f447160edc8be0eae6d3@%3Cdev.tika.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETIKA-72870,https://www.securityfocus.com/bid/106293"
-
-
-- reference: CVE-2016-2192
- repo: https://github.com/tada/pljava
- commit: f0a41359ede67335c5ef3fe73a9f10da96d71760:master
- description: ""
- links: ""
-
-
-- reference: CVE-2018-1000410
- repo: https://github.com/jenkinsci/jenkins/
- commit: 7366cc50106442a021c5178cd101057ecc08f2c2:master
- description: ""
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000410,https://jenkins.io/security/advisory/2018-10-10/#SECURITY-765"
-
-
-- reference: CVE-2015-5211
- repo: https://github.com/spring-projects/spring-framework.git
- commit: a95c3d820dbc4c3ae752f1b3ee22ee860b162402:4.1.x,03f547eb9868f48f44d59b56067d4ac4740672c3:master,2bd1daa75ee0b8ec33608ca6ab065ef3e1815543:master,03f547eb9868f48f44d59b56067d4ac4740672c3:3.2.x
- description: "Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response."
- links: "https://pivotal.io/security/cve-2015-5211"
-
-
-- reference: CVE-2018-7749
- repo: https://github.com/ronf/asyncssh
- commit: 16e6ebfa893167c7d9d3f6dc7a2c0d197e47f43a:master
- description: ""
- links: ""
-
-
-- reference: JAVAMELODY-252
- repo: https://github.com/javamelody/javamelody
- commit: 00ff3490878e78f3f8c9eb65efb054f85f6058f8:master
- description: "A cross site scripting vulnerability has been identified in this package. Particulary, URL parameters such as SessionID are output to HTML unescaped, which allows the injection of malicious javascript." 
- links: "https://github.com/javamelody/javamelody/issues/252"
-
-
-- reference: CVE-2018-14658
- repo: https://github.com/keycloak/keycloak/
- commit: a957e118e6efb35fe7ef3a62acd66341a6523cb7:master
- description: ""
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14658,https://snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-72619"
-
-
-- reference: GEODE-4270
- repo: https://github.com/apache/geode
- commit: 80ad2d70435fb255a8a2d08c8866fbb30a7bedd3:master
- description: "GEODE-4270: remove race condition where CacheClientProxy could be asked to authorize a message prior to receiving its security subject. Affected versions of this package are vulnerable to Authentication Bypass. The CacheClientProxy could be asked to authorize a message prior to receiving its security subject. Remediation: Upgrade org.apache.geode:geode-core to version 1.4.0 or higher."
- links: "https://issues.apache.org/jira/browse/GEODE-4270"
-
-
-- reference: CVE-2016-6651
- repo: https://github.com/cloudfoundry/uaa
- commit: 96f702681676d829628a23db171ffa79a32f03af:master,1368817fe4f4899c06089c940830525bc0327ee:2.7.4.x,6ed7dc22beafeaa054713e63125044332729baa:3.4.5,0ed081c9b515014a21954db0dc03a3ddbb30fac:3.3.0.6
- description: "A privilege escalation vulnerability has been identified with the /oauth/token endpoint in UAA allowing users to elevate the privileges in the token issued." 
- links: "https://www.cloudfoundry.org/cve-2016-6651/"
-
-
-- reference: CVE-2019-3774
- repo: https://github.com/spring-projects/spring-batch/
- commit: 8dc3bb7d3c3d0b1487e3ef3dcbdebda865d2b20e:master
- description: ""
- links: "https://pivotal.io/security/cve-2019-3774,https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBATCH-73519"
-
-
-- reference: CVE-2019-10246
- repo: https://github.com/eclipse/jetty.project/
- commit: 3d028ab2ca76086a742bac7409a3620e81ec4791:master
- description: "In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories."
- links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576"
-
-
-- reference: CVE-2014-3584
- repo: https://github.com/apache/cxf
- commit: 0b3894f57388b9955f2c33b2295223f2835cd7b3:master
- description: ""
- links: ""
-
-
-- reference: CVE-2018-1999042
- repo: https://github.com/jenkinsci/jenkins
- commit: 727d58f690abf64f543407e1de3545eca76ad30e:master
- description: ""
- links: ""
-
-
-- reference: CVE-2014-3576
- repo: https://github.com/apache/activemq.git
- commit: 00921f22ff9a8792d7663ef8fadd4823402a6324:master
- description: ""
- links: ""
-
-
-- reference: CVE-2017-18361
- repo: https://github.com/Pylons/colander/
- commit: d4f4f77a2cfa518426178bd69d2b29dee57f770d:master,1a17b237fed2fdd3ac0e04ec8bfb4b206c7fe046:master
- description: "In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis." 
- links: "https://github.com/Pylons/colander/issues/290,https://github.com/Pylons/colander/pull/323,https://snyk.io/vuln/SNYK-PYTHON-COLANDER-73636"
-
-
-- reference: CVE-2014-1859
- repo: https://github.com/numpy/numpy
- commit: 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15:master,961c43da78bf97ce63183b27c338db7ea77bed8:1.8.x
- description: ""
- links: ""
-
-
-- reference: CVE-2014-0227
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1603628:trunk,1601333:trunk,1600984:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2014-0193
- repo: https://github.com/netty/netty
- commit: 8599ab5bdb761bb99d41a975d689f74c12e4892b:master
- description: ""
- links: ""
-
-
-- reference: CVE-2019-10311
- repo: https://github.com/jenkinsci/ansible-tower-plugin/
- commit: b63a047281c2389217c9404f2f4bd4c9e66364fe:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355%20(1)"
-
-
-- reference: ND4J-001
- repo: https://github.com/deeplearning4j/deeplearning4j/
- commit: f51f4242d67eed9c97a46051cc0c6c72d0830a27:master
- description: "Arbitrary File Write via Archive Extraction (Zip Slip) Overview: org.nd4j:nd4j-common is a Deeplearning4j, ND4J, DataVec and more - deep learning & linear algebra for Java/Scala with GPUs + Spark - From Skymind. Details: Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA \"Zip Slip\"). It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a \"../../file.exe\" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. 
Remediation: A fix was pushed into the master branch but not yet published (2018-10-31)."
- links: "https://github.com/deeplearning4j/deeplearning4j/pull/6630,https://snyk.io/vuln/SNYK-JAVA-ORGND4J-72550"
-
-
-- reference: CVE-2007-5731
- repo: http://svn.apache.org/repos/asf/jakarta/slide
- commit: 590976:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2014-0119
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1589837:trunk,1589985:trunk,1593815:trunk,1589640:trunk,1590036:trunk,1588199:trunk,1589990:trunk,1593821:trunk,1589980:trunk,1589997:trunk,1590028:trunk,1589983:trunk,1588193:trunk,1589992:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2018-11788
- repo: https://github.com/apache/karaf/
- commit: 1ffa6d1c4555cab9737d76b49142528b57cfdfc:4.1.7,0c36c50bc158739c8fc8543122a6740c54adafc:4.2.2
- description: ""
- links: "http://karaf.apache.org/security/cve-2018-11788.txt,https://github.com/apache/karaf/commit/cc3332e97fa53a579312894d08e383f321a96aed,https://issues.apache.org/jira/browse/KARAF-5911?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEKARAFSPECS-72887"
-
-
-- reference: CVE-2014-1904
- repo: https://github.com/spring-projects/spring-framework.git
- commit: 741b4b229ae032bd17175b46f98673ce0bd2d485:form,75e08695a04980dbceae6789364717e9d8764d58:form,75e08695a04980dbceae6789364717e9d8764d58:master
- description: ""
- links: ""
-
-
-- reference: CVE-2019-1003009
- repo: https://github.com/jenkinsci/active-directory-plugin/
- commit: 520faf5bb1078d75e5fed10b7bf5ac6241fe2fc4:master
- description: "An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers 
to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS."
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003009,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859"
-
-
-- reference: CVE-2018-1000805
- repo: https://github.com/paramiko/paramiko/
- commit: 56c96a659658acdbb873aef8809a7b508434dcce:master
- description: ""
- links: "https://github.com/paramiko/paramiko/issues/1283"
-
-
-- reference: CVE-2019-10310
- repo: https://github.com/jenkinsci/ansible-tower-plugin/
- commit: b63a047281c2389217c9404f2f4bd4c9e66364fe:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355%20(1)"
-
-
-- reference: CVE-2014-0225
- repo: https://github.com/spring-projects/spring-framework.git
- commit: c6503ebbf7c9e21ff022c58706dbac5417b2b5eb:master,8e096aeef55287dc829484996c9330cf755891a1:master
- description: "When processing user provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack."
- links: "http://pivotal.io/security/cve-2014-0225"
-
-
-- reference: HADOOP-14246
- repo: https://github.com/apache/hadoop/
- commit: 88d951e30bb34d9a6e1e2a181419a7fcc88ebfd:2.7,f20aa38a1de73dd4a0b3a5b30636e8af246cd36:2.9,4dd6206547de8f694532579e37ba8103bafaeb1:3.x
- description: "Authentication Tokens should use SecureRandom instead of Random and 256 bit secrets. description: RandomSignerSecretProvider and ZKSignerSecretProvider currently use a long generated by Random (which is then converted to a String and is 160 bits) for secrets. We should improve this to use 256 bit secrets generated by SecureRandom. 
Fixed Version/s: 2.9.0, 3.0.0-alpha4, 2.8.4, 2.7.6"
- links: "http://hadoop.apache.org/docs/r2.7.6/hadoop-project-dist/hadoop-common/releasenotes.html,https://issues.apache.org/jira/browse/HADOOP-14246"
-
-
-- reference: CVE-2018-1000167
- repo: https://github.com/OISF/suricata-update
- commit: 76270e73128ca1299b4e33e7e2a74ac3d963a97a:master
- description: ""
- links: "https://github.com/OISF/suricata-update/pull/23"
-
-
-- reference: CVE-2008-6682
- repo: https://github.com/apache/struts/
- commit: dae026a0f0511f83852053bae9d5a622e7f8048:2.1.1,dbc620f84ffb626c6e6738afe0578d617a2b3d3:2.0.x,93866341ec5396d07b5829be55110ff09dc81bc:2.0.x,bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6c:2.1.1,09147ffad2b3046ed21af0f524c5088e2ac551e:2.1.1
- description: ""
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6682,https://issues.apache.org/jira/browse/WW-2414,https://issues.apache.org/jira/browse/WW-2427"
-
-
-- reference: CVE-2018-1999036
- repo: https://github.com/jenkinsci/ssh-agent-plugin/
- commit: 3a8abe1889d25f9a73cdba202cf27212b273de4d:master
- description: ""
- links: "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-704,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32452"
-
-
-- reference: HADOOP-12001
- repo: https://github.com/apache/hadoop/
- commit: 98f9d6fee112d95aab680fc7f27b815b2e698a5:2.7,722aa1db1f2ac3db0e70063022436a90f90643f:3.1,58d3a9aaf65310aba9b4300ef0cacd58ebfdb6e:2.8
- description: "Fixed LdapGroupsMapping to include configurable Posix UID and GID attributes during the search. description: In HADOOP-9477, posixGroup support was added. In HADOOP-10626, a limit on the returned attributes was added to speed up queries. Limiting the attributes can break the SEARCH_CONTROLS object in the context of the isPosix block, since it only asks LDAP for the groupNameAttr. Fixed Version/s: 2.8.0, 3.0.0-alpha1, 2.7.6."
- links: "http://hadoop.apache.org/docs/r2.7.6/hadoop-project-dist/hadoop-common/releasenotes.html,https://issues.apache.org/jira/browse/HADOOP-12001"
-
-
-- reference: CVE-2017-1000433
- repo: https://github.com/rohe/pysaml2/
- commit: 6312a41e037954850867f29d329e5007df1424a5:master
- description: ""
- links: ""
-
-
-- reference: CVE-2017-12795
- repo: https://github.com/openmrs/openmrs-module-htmlformentry/
- commit: 86f35221c8a57cdd7557ce731a56b90db216c8e0:master
- description: "OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper Input Validation)."
- links: "https://nvd.nist.gov/vuln/detail/CVE-2017-12795"
-
-
-- reference: CVE-2014-2065
- repo: https://github.com/jenkinsci/jenkins.git
- commit: a0b00508eeb74d7033dc4100eb382df4e8fa72e7:master
- description: ""
- links: ""
-
-
-- reference: CVE-2019-10327
- repo: https://github.com/jenkinsci/pipeline-maven-plugin/
- commit: e7cb858852c05d2423e3fd9922a090982dcd6392:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"
-
-
-- reference: CVE-2013-7315
- repo: https://github.com/spring-projects/spring-framework.git
- commit: 7576274874deeccb6da6b09a8d5bd62e8b5538b7:master
- description: ""
- links: ""
-
-
-- reference: CVE-2019-10352
- repo: https://github.com/jenkinsci/jenkins/
- commit: 18fc7c0b466553cbd4f790db3270964305bee7f9:master
- description: ""
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10352,https://jenkins.io/security/advisory/2019-07-17/#SECURITY-1424,https://www.openwall.com/lists/oss-security/2019/07/17/2,https://www.tenable.com/security/research/tra-2019-35"
-
-
-- reference: DJANGONEWSLETTER-001
- repo: https://github.com/dokterbob/django-newsletter/
- commit: bea5a5100cc40717995dafc65ff011bc76696ebd:master
- description: "django-newsletter is a Newsletter application for the Django web framework. Affected versions of this package are vulnerable to Authorization Bypass. 
A user can change their email address without confirmation by receiving an update URL via email, accessing the form and changing the email address. Remediation: Upgrade django-newsletter to version 0.7 or higher."
- links: "https://github.com/dokterbob/django-newsletter/issues/108,https://snyk.io/vuln/SNYK-PYTHON-DJANGONEWSLETTER-42172"
-
-
-- reference: CVE-2019-5312
- repo: https://github.com/Wechat-Group/WxJava/
- commit: 8ec61d1328f50e23cd14285a950ca57a088b32b2:master
- description: ""
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5312,https://github.com/Wechat-Group/WxJava/issues/903"
-
-
-- reference: CVE-2012-2378
- repo: https://svn.apache.org/repos/asf/cxf
- commit: 1337150:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2017-11610
- repo: https://github.com/Supervisor/supervisor
- commit: aac3c21893cab7361f5c35c8e20341b298f6462:3.2-branch,dbe0f55871a122eac75760aef511efc3a8830b8:3.1-branch,83060f3383ebd26add094398174f1de34cf7b7f:3.0-branch,058f46141e346b18dee0497ba11203cb81ecb19:3.3.-branch
- description: ""
- links: "https://github.com/Supervisor/supervisor/issues/964"
-
-
-- reference: CVE-2019-12308
- repo: https://github.com/django/django/
- commit: afddabf8428ddc89a332f7a78d0d21eaf2b5a67:2.2.2,deeba6d92006999fee9adfbd8be79bf0a59e800:master,c238701859a52d584f349cce15d56c8e8137c52:1.11.21,09186a13d975de6d049f8b3e05484f66b01ece6:2.1.9
- description: ""
- links: "https://docs.djangoproject.com/en/2.1/releases/2.1.9/,https://docs.djangoproject.com/en/2.2/releases/1.11.21/,https://docs.djangoproject.com/en/2.2/releases/2.2.2/"
-
-
-- reference: CVE-2019-10348
- repo: https://github.com/jenkinsci/gogs-webhook-plugin/
- commit: 55e00bc409a43f30539b0df5a3f20476268ece27:master,34de11fe0822864c4c340b395dadebca8cb11844:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1438,https://plugins.jenkins.io/gogs-webhook"
-
-
-- reference: CVE-2017-12610
- repo: https://github.com/apache/kafka/
- 
commit: 0b4daa4bf48517b4b3e9cda11692e80ade620b0:0.10.2,9f3468645b968761ca9141d18337cb6adadbae9:0.11.0,47c2753496875db2849065ad91ee03c7c842c8e:master
- description: ""
- links: "https://lists.apache.org/thread.html/b6157be1a09df332294213bd21e90dcf9fe4c1810193be54620e4210@%3Cusers.kafka.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEKAFKA-32449,https://www.securityfocus.com/bid/104899"
-
-
-- reference: CVE-2019-3787
- repo: https://github.com/cloudfoundry/uaa/
- commit: 3a7749a6d327cacbc7bf93cd50a0e2dee0b935ba:master
- description: "UAA defaults email address to an insecure domain Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user’s email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user’s account."
- links: "https://www.cloudfoundry.org/blog/cve-2019-3787/"
-
-
-- reference: CVE-2016-4432
- repo: http://svn.apache.org/repos/asf/qpid
- commit: 1743161:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2017-12615
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1804729:trunk,1804604:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2018-20227
- repo: https://github.com/eclipse/rdf4j/
- commit: df15a4d7a8f2789c043b27c9eafe1b30316cfa79:master
- description: ""
- links: "https://github.com/eclipse/rdf4j/issues/1210,https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSERDF4J-72708"
-
-
-- reference: CVE-2016-2415
- repo: https://android.googlesource.com/platform/packages/apps/Exchange.git
- commit: 0d1a38b1755efe7ed4e8d7302a24186616bba9b2:master
- description: ""
- links: ""
-
-
-- reference: CVE-2016-1000345
- repo: https://github.com/bcgit/bc-java/
- commit: 21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35:master
- description: ""
- links: "https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32367"
-
-
-- reference: CVE-2016-1000341
- repo: https://github.com/bcgit/bc-java
- commit: acaac81f96fec91ab45bd0412beaf9c3acd8defa:master
- description: "DSA signature generation vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55 or earlier, may allow an attacker to gain information about the signatures k value and ultimately the private value as well."
- links: "https://www.bouncycastle.org/releasenotes.html"
-
-
-- reference: CVE-2017-8046
- repo: https://github.com/spring-projects/spring-data-rest
- commit: 8f269e28fe8038a6c60f31a1c36cfda04795ab45:master,824e51a1304bbc8334ac0b96ffaef588177e6cc:2.6.x
- description: "Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code. Releases that have fixed this issue include: Spring Data REST 2.5.12, 2.6.7, 3.0 RC3, Spring Boot 2.0.0.M4,Spring Data release train Kay-RC3."
- links: "https://pivotal.io/security/cve-2017-8046"
-
-
-- reference: CVE-2019-10648
- repo: https://github.com/robo-code/robocode/
- commit: 836c84635e982e74f2f2771b2c8640c3a34221bd:master
- description: "Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL."
- links: "https://nvd.nist.gov/vuln/detail/CVE-2019-10648"
-
-
-- reference: CVE-2018-16837
- repo: https://github.com/ansible/ansible/
- commit: a0aa53d1a1d6075a7ae98ace138712ee6cb45ae:devel,77928e6c3a2ad878b20312ce5d74d9d7741e0df:2.5.11,f50cc0b8cb399bb7b7c1ad23b94c9404f0cc6d2:2.6.7,b618339c321c387230d3ea523e80ad47af3de5c:2.7
- description: ""
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=1640642,https://github.com/ansible/ansible/pull/47436,https://snyk.io/vuln/SNYK-PYTHON-ANSIBLE-72546"
-
-
-- reference: CVE-2019-1003046
- repo: https://github.com/jenkinsci/fortify-on-demand-uploader-plugin/
- commit: e555f8d62ef793ce221f471d7172cad847fb9252:master
- description: "SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin SECURITY-992 / CVE-2019-1003046 (CSRF) and CVE-2019-1003047 (missing permission check) A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation methods did not require POST requests, resulting in a CSRF vulnerability. 
The form validation methods now require POST requests and perform a permission check"
- links: "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-992"
-
-
-- reference: CVE-2010-3718
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1027610:trunk,1022560:trunk,1022134:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2015-1833
- repo: https://github.com/apache/jackrabbit
- commit: 6191b366c607e65325a0116097aca8a359b36486:2.2,26e601934d0f439f0a61d62265f52936d79df40d:2.0,ddf9a3cd408397d0805917299c4114b09449373d:2.8,3903739363b79deb7579802fbc27b9b7448218b2:trunk,89c5c4ed6ab250ad609829517f167d2dbe0abdd0:2.6,b7fa1ae39641936872617ff95363353b0345b777:2.0,17e9f68f5a3f05ded20569777a7b07422680612d:2.4
- description: ""
- links: ""
-
-
-- reference: CVE-2019-10332
- repo: https://github.com/jenkinsci/electricflow-plugin/
- commit: 0a934493290773a953fa7b29c19b555971b1144b:master
- description: ""
- links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1410%20(1)"
-
-
-- reference: CVE-2017-12197
- repo: https://github.com/letonez/libpam4j
- commit: 84f32f4001fc6bdcc125ccc959081de022d18b6d:master
- description: ""
- links: ""
-
-
-- reference: CVE-2015-5254
- repo: https://github.com/apache/activemq
- commit: 73a0caf758f9e4916783a205c7e422b4db27905:activemq-5.11.x,6f03921b31d9fefeddb0f4fa63150ed1f94a14b:activemq-5.11.x,e100638244c4ca5eb2a1f16bcdc671c9859c2694:master,d7a3b9406b8496c3f1508bebf3c7ff5367374b90:master,a7e2a44fe8d4435ae99532eb0ab852e6247f7b16:master,7eb9b218b2705cf9273e30ee2da026e43b6dd4e:activemq-5.12.x,e7a4b53f799685e337972dd36ba0253c04bcc01:activemq-5.12.x
- description: ""
- links: ""
-
-
-- reference: 2012-05-05
- repo: https://github.com/google/gson
- commit: 1103bda23acb1719364e834a4545739ec2f76cd0:master
- description: "Security bug related to denial of service attack with Java HashMap String collisions. Fixed in release 2.2."
- links: "https://github.com/google/gson/blob/master/CHANGELOG.md"
-
-
-- reference: CVE-2012-4386
- repo: https://github.com/apache/struts/
- commit: 1081c52be93abfd2f33ba8453c676e3edcedec8b:master
- description: ""
- links: "https://cwiki.apache.org/confluence/display/WW/S2-010,https://issues.apache.org/jira/browse/WW-3858"
-
-
-- reference: CVE-2018-11307
- repo: https://github.com/FasterXML/jackson-databind/
- commit: 051bd5e447fbc9539e12a4fe90eb989dba0c656:2.8.11.2,27b4defc270454dea6842bd9279f17387eceb73:2.7.9.4
- description: "Potential information exfiltration with default typing, serialization gadget from MyBatis. description: A new potential gadget type from MyBatis (https://github.com/mybatis/mybatis-3) has been reported. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. Versions 2.9.5, 2.8.11.1, 2.7.9.3 (as well as earlier minor versions) are affected."
- links: "https://github.com/FasterXML/jackson-databind/issues/2032,https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8"
-
-
-- reference: CVE-2019-3828
- repo: https://github.com/sivel/ansible/
- commit: a6b0143b11c7790d697f42f23948df59c16c05d:2.7.x,b629315a9dcf7e6c401e7c2d30d31a27b0aff5a:2.6.x,4be3215d2f9f84ca283895879f0c6ce1ed7dd33:2.6,f3edc091523fbe301926b7a0db25fbbd96940d9:2.5,3118599e2ef6a3c73b2c06f13fbc2a928860891:2.5.x,396a2f74717477d80600450e2b7e45349d7b511:2.7
- description: "Affected versions of this package are vulnerable to Directory Traversal. It allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path. Upgrade ansible to version 2.5.15, 2.6.14, 2.7.8 or higher."
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828,https://github.com/ansible/ansible/pull/52133"
-
-
-- reference: CVE-2018-14627
- repo: https://github.com/wildfly/wildfly/
- commit: 883115ea2168343e870745f538a80b1ddc360914:master
- description: ""
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627,https://github.com/wildfly/wildfly/pull/10675,https://issues.jboss.org/browse/WFLY-9107,https://snyk.io/vuln/SNYK-JAVA-ORGWILDFLY-72289"
-
-
-- reference: CVE-2016-8747
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1774166:trunk,1774161:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2019-10307
- repo: https://github.com/jenkinsci/analysis-core-plugin/
- commit: 3d7a0c7907d831c58541508b893dcea2039809c5:master
- description: "CSRF vulnerability and missing permission check allowed changing default graph configuration in Static Analysis Utilities Plugin SECURITY-1100 / CVE-2019-10307 (CSRF) and CVE-2019-10308 (permission check) Static Analysis Utilities Plugin has the capability to allow other plugins to display trend graphs for their static analysis results. Static Analysis Utilities Plugin provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing attackers with Job/Read access to change the per-job graph configuration defaults for all users. Additionally, the form submission handler did not require POST requests, resulting in a cross-site request forgery vulnerability. Static Analysis Utilities Plugin now requires Job/Configure permission and POST requests to configure the per-job graph defaults for all users."
- links: "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1100"
-
-
-- reference: CVE-2008-6505
- repo: https://github.com/apache/struts/
- commit: 04fcefa44bae1263c7cad6986a9dafed67f0164:2.1.x,ff8b655c4b04cae41e5ad00df0a7482333e7a25:2.0.x
- description: ""
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6505,https://cwiki.apache.org/confluence/display/WW/S2-004,https://issues.apache.org/jira/browse/WW-2779"
-
-
-- reference: CVE-2016-2173
- repo: https://github.com/spring-projects/spring-amqp.git
- commit: 4150f107e60cac4a7735fcf7cb4c1889a0cbab6c:master
- description: "The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object like Chris Frohoff's Commons Collection gadget, remote code execution can be achieved."
- links: "https://pivotal.io/security/cve-2016-2173"
-
-
-- reference: CVE-2018-9856
- repo: https://github.com/Kotti/Kotti
- commit: 00b56681fa9fb8587869a5e00dcd56503081d3b9:master
- description: ""
- links: "https://github.com/Kotti/Kotti/issues/551"
-
-
-- reference: CVE-2017-12617
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1809978:trunk,1809992:trunk,1809673:trunk,1809669:trunk,1809675:trunk,1810026:trunk,1809673:master,1809896:trunk,1809921:trunk
- description: "When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server."
- links: "https://tomcat.apache.org/security-7.html"
-
-
-- reference: CVE-2014-3574
- repo: https://github.com/apache/poi
- commit: b350d5c5edbf2fa4312ab0f46194a733194ddf55:trunk,236c3c52a9b90688b2e57ec503559409e29f33ed:trunk,07771c3d8c7204c14a7a597b4db04a7e828a956f:trunk,103b45073c7b504236588b3acc146530205af53c:REL_3_10_BRANCH
- description: ""
- links: ""
-
-
-- reference: CVE-2017-7658
- repo: https://github.com/eclipse/jetty.project
- commit: a285deea42fcab60d9edcf994e458c238a348b55:master
- description: ""
- links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669,https://github.com/eclipse/jetty.project/issues/2529,https://github.com/eclipse/jetty.project/issues/2572,https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32385"
-
-
-- reference: CVE-2016-1000339
- repo: https://github.com/bcgit/bc-java
- commit: 413b42f4d770456508585c830cfcde95f9b0e93b:master
- description: "AESFastEngine has a side channel leak if table accesses can be observed. The use of lookup large static lookup tables in AESFastEngine means that where data accesses by the CPU can be observed, it is possible to gain information about the key used to initialize the cipher. We now recommend not using AESFastEngine where this might be a concern. The BC provider is now using AESEngine by default."
- links: "https://www.bouncycastle.org/releasenotes.html"
-
-
-- reference: CVE-2018-1190
- repo: https://github.com/cloudfoundry/uaa
- commit: 96fe26711f8f8855d2994a531447f730afd61844:master
- description: "A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management. 
Users of affected versions should apply the following mitigation or upgrade: cf-release: 270, UAA release: 3.20.2, UAA bosh release: 30.8, 45.0"
- links: "https://www.cloudfoundry.org/cve-2018-1190/"
-
-
-- reference: CVE-2019-1003032
- repo: https://github.com/jenkinsci/email-ext-plugin/
- commit: 53776779d3dba539facc7e3380c22671b71aad3e:master
- description: "A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003032,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1340"
-
-
-- reference: CVE-2015-8031
- repo: https://git.eclipse.org/r/hudson/org.eclipse.hudson.core
- commit: 6362c295e80a651dcb6c7e8647984d52a974786b:master
- description: "Prior to version 3.3.2 Hudson exhibits a flaw in it's XML API processing that can allow access to potentially sensitive information on the filesystem of the Hudson master server."
- links: "https://wiki.eclipse.org/Hudson-ci/alerts/CVE-2015-8031"
-
-
-- reference: CVE-2011-2204
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1140072:trunk,1140071:trunk,1140070:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2013-4002
- repo: https://github.com/apache/xerces2-j/
- commit: 628cbc7142ef9acfb61b8e571aab63504235849:Xerces-J_2_12_0-xml-schema-1.1,266e837852e0f0e3c8c1ad572b6fc4dbb4ded17:Xerces-J_2_12_0
- description: ""
- links: "https://issues.apache.org/jira/browse/XERCESJ-1679"
-
-
-- reference: CVE-2018-1000110
- repo: https://github.com/jenkinsci/git-plugin
- commit: a3d3a7eb7f75bfe97a0291e3b6d074aafafa86c9:master
- description: ""
- links: ""
-
-
-- reference: CVE-2014-2068
- repo: https://github.com/jenkinsci/jenkins.git
- commit: 0530a6645aac10fec005614211660e98db44b5eb:master
- description: ""
- links: ""
-
-
-- reference: CVE-2017-4974
- repo: https://github.com/cloudfoundry/uaa
- commit: 5dc5ca9176ed5baa870680d99f37e7e559dddc5:3.6.x,b6d6526cb89120043d390bf0274cd062e9fc452:3.9.x,01edea6337c8ddb2ab80906aa1254d3c1dc02fb:2.7.4.x,74b9b270787aa602196d59d58893c3a6e09816f9:master
- description: "An authorized user can use a blind SQL injection attack to query the contents of the UAA database."
- links: "https://cloudfoundry.org/cve-2017-4974/"
-
-
-- reference: CVE-2019-10301
- repo: https://github.com/jenkinsci/gitlab-plugin/
- commit: f028c65539a8892f2d1f738cacc1ea5830adf5d3:master
- description: "CSRF vulnerability and missing permission checks in GitLab Plugin allowed capturing credentials SECURITY-1357 / CVE-2019-10300 (CSRF) and CVE-2019-10301 (permission check) GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability. This form validation method now requires POST requests and Overall/Administer permissions."
- links: "https://jenkins.io/security/advisory/2019-04-17/#SECURITY-1357"
-
-
-- reference: CVE-2017-7661
- repo: https://github.com/apache/cxf-fediz.git
- commit: acdbe8c213576792dd95d87315bcc181ea61b57f:master
- description: ""
- links: ""
-
-
-- reference: CVE-2013-4517
- repo: https://github.com/apache/santuario-java
- commit: a09b9042f7759d094f2d49f40fc7bcf145164b25:1.5.x-fixes
- description: ""
- links: ""
-
-
-- reference: CVE-2019-0200
- repo: https://github.com/apache/qpid-broker-j/
- commit: adb2a34306d67559ee81db155826dc67a02cc85e:master,a1fbde2bac77c9305a4347876c6a27409361ec77:master,94de25eb9fb8be6e6deba38a72afcf7b14ce1d0b:master
- description: "org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol is a AMQP 0-8, 0-9 and 0-9-1 protocol broker plug-in. Affected versions of this package are vulnerable to Denial of Service (DoS). An unauthenticated attacker could crash a broker instance by sending specially crafted commands using AMQP protocol versions below 1.0. Affected Versions org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol artifact, versions [6.0.0, 7.0.7) Remediation Upgrade org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol to version 7.0.7 or higher."
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=1685179,https://issues.apache.org/jira/browse/QPID-8273,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEQPID-173747"
-
-
-- reference: CVE-2013-7397
- repo: https://github.com/AsyncHttpClient/async-http-client
- commit: df6ed70e86c8fc340ed75563e016c8baa94d7e72:master
- description: ""
- links: ""
-
-
-- reference: CVE-2018-12536
- repo: https://github.com/eclipse/jetty.project
- commit: a51920d650d924cc2cea011995624b394437c6e:9.4.x,53e8bc2a636707e896fd106fbee3596823c2cdc:9.3.x
- description: ""
- links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670,https://github.com/CVEProject/cvelist/pull/655,https://github.com/eclipse/jetty.project/issues/2560,https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32392"
-
-
-- reference: CVE-2014-8152
- repo: https://github.com/apache/santuario-java
- commit: 55857fd4cdfdb1af4069170ecdac448c078f544e:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2016-8745
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1777469:trunk,1771853:trunk,1777472:trunk,1777471:trunk,1771857:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2017-5664
- repo: http://svn.apache.org/repos/asf/tomcat
- commit: 1793488:trunk,1793469:master,1793468:trunk,1793470:trunk,1793469:trunk,1793489:trunk,1793471:trunk,1793491:trunk,1793487:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2015-5172
- repo: https://github.com/cloudfoundry/uaa
- commit: cd31cc397fe17389d95b83d6a9caa46eebc54faf:master
- description: "Password Reset Link not expiring. Old password reset links working even after a password change. Deployments enabled for integration via SAML or LDAP are not affected."
- links: "https://www.cloudfoundry.org/cve-2015-5170-5173/"
-
-
-- reference: CVE-2014-0110
- repo: https://github.com/apache/cxf
- commit: 8f4799b5bc5ed0fe62d6e018c45d960e3652373e:master
- description: ""
- links: ""
-
-
-- reference: CVE-2016-0785
- repo: https://github.com/apache/struts
- commit: 15857a69e7baf3675804495a5954cd0756ac8364:master
- description: ""
- links: ""
-
-
-- reference: CVE-2015-5081
- repo: https://github.com/divio/django-cms
- commit: f77cbc607d6e2a62e63287d37ad320109a2cc78a:master
- description: ""
- links: ""
-
-
-- reference: PDFBOX-3341
- repo: https://github.com/apache/pdfbox
- commit: f0c0fb1af3c0419bdea2fe3d0ab1fe36a6d9dc2c:trunk,d4018e7a1cd8154efcbcf1d61d68f62ecc5c8871:trunk,3b154ef4fe221abb7819696c3adb6180a636eaf4:2.0,e981ef70920073e3d4062b5bee504ca06d628cc0:1.8
- description: "Affected versions of the package are vulnerable to Authentication Bypass. The ReadOnly permissions are not called in the StandardSecurityHandler, allowing all users to edit the PDF file although the are not the owners. (see https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEPDFBOX-30694)"
- links: "https://issues.apache.org/jira/browse/PDFBOX-3341"
-
-
-- reference: SCAPY-1407
- repo: https://github.com/secdev/scapy/
- commit: 905c80d6ed435477224c53de8850f763b04d495d:master
- description: "Python Network Tool is Vulnerable to Denial of Service (DoS) Attack CVE pending When Scapy parses a UDP Radius packet that has an AVP with a length byte equal to zero, the getfield function doesn’t shorten the remain value in the while loop. This causes the loop to continue forever, resulting in a Denial of Service (DoS) to Scapy, causing Scapy to crash. This can potentially affect the health of an enterprise network – for instance, if Scapy is being used by IT to monitor network traffic, the monitoring process will stop functioning."
- links: "https://github.com/secdev/scapy/issues/1407,https://github.com/secdev/scapy/pull/1409,https://www.imperva.com/blog/scapy-sploit-python-network-tool-is-vulnerable-to-denial-of-service-dos-attack-cve-pending/" - - -- reference: CVE-2017-1000398 - repo: https://github.com/jenkinsci/jenkins/ - commit: da06fd471cea79123821c778228eeb08e1cedcc7:master - description: "" - links: "https://jenkins.io/security/advisory/2017-10-11/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32185" - - -- reference: ANSIBLE-RUNNER-237 - repo: https://github.com/ansible/ansible-runner/ - commit: 4af02527634046b80245face235d3d6e2f0e9f3a:master - description: "set safer default permissions when writing job events" - links: "https://github.com/ansible/ansible-runner/pull/237" - - -- reference: CVE-2019-11772 - repo: https://github.com/eclipse/openj9/ - commit: f1244665be5ac08b1e16f6ed80574529a62392cb:master - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=549075,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11772" - - -- reference: CVE-2014-0111 - repo: http://svn.apache.org/repos/asf/syncope - commit: 1586317:1_1_X,1586349:1_0_X - description: "" - links: "" - - -- reference: CVE-2019-3788 - repo: https://github.com/cloudfoundry/uaa/ - commit: 31f85da7dafe569dd386fca092670847cbfca3aa:master,7ffadabf7a9084bd613b59f048b355c27723037a:master,83d4b9fa418b8144272b3727a6a70d06997b5680:master - description: "UAA redirect-uri allows wildcard in the subdomain Affected Cloud Foundry Products and Versions UAA Release (OSS) - All versions prior to v71.0 description Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri’s subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim. Mitigation Users of affected products are strongly encouraged to follow the mitigations below. 
The Cloud Foundry project recommends upgrading the following releases: UAA Release (OSS) - Upgrade All versions to v71.0 or greater" - links: "https://www.cloudfoundry.org/blog/cve-2019-3788/" - - -- reference: CVE-2015-5531 - repo: https://github.com/elastic/elasticsearch - commit: df1427a2935237fb61fc641984f9c76478627fec:master - description: "" - links: "" - - -- reference: CVE-2017-12611 - repo: https://github.com/apache/struts - commit: 637ad1c3707266c33daabb18d7754e795e6681f:master,2306f5f7fad7f0157f216f34331238feb0539fa:support-2-3 - description: "A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals." - links: "https://cwiki.apache.org/confluence/display/WW/S2-053" - - -- reference: CVE-2018-1000518 - repo: https://github.com/tornadoweb/tornado - commit: 7bd3ef349214843141c0f1c3286ee8ad5e98aac3:master - description: "" - links: "" - - -- reference: CVE-2007-5712 - repo: https://github.com/django/django/ - commit: 412ed22502e11c50dbfee854627594f0e7e2c23:0.95,7dd2dd08a79e388732ce00e2b5514f15bd6d0f6:0.96,8bc36e726c9e8c75c681d3ad232df8e882aaac8:0.91 - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-DJANGO-42158,https://www.djangoproject.com/weblog/2007/oct/26/security-fix/" - - -- reference: CVE-2019-10907 - repo: https://github.com/airsonic/airsonic/ - commit: 3e07ea52885f88d3fbec444dfd592f27bfb65647:master,268dc6e13dd1d84f309db3a4bd7d0d864c4b5bf1:master - description: "" - links: "https://github.com/airsonic/airsonic/pull/951" - - -- reference: CVE-2006-0847 - repo: https://github.com/cherrypy/cherrypy/ - commit: 7e6187ee19a90ebe7f8597296bfa942cd1eb1864:master - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-CHERRYPY-449897" - - -- reference: CVE-2015-7559 - repo: https://github.com/apache/activemq - commit: 338a74dfa42a7b19d39adecacfa5f626a050e807:master,b8fc78ec6c367cbe2a40a674eaec64ac3d7d1ec:5.14.x - description: "It was found that Apache ActiveMQ client exposed a 
remote shutdown command in the ActiveMQConnection class. An attacker could use this flaw to achieve denial of service on a client. Versions Affected: Apache ActiveMQ 5.0.0 - 5.14.4. Mitigation: Upgrade to Apache ActiveMQ 5.14.5. (see https://issues.apache.org/jira/browse/AMQ-6470)" - links: "http://activemq.apache.org/security-advisories.data/CVE-2015-7559-announcement.txt" - - -- reference: CVE-2018-1000866 - repo: https://github.com/jenkinsci/groovy-sandbox/ - commit: 0cd7ec12b7c56cfa3167d99c5f43147ce05449d3:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000866,https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186" - - -- reference: CVE-2019-1003036 - repo: https://github.com/jenkinsci/azure-vm-agents-plugin/ - commit: 6cf1e11778993988ded08eb15ea051541341ec12:master - description: "A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003036,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1331" - - -- reference: HADOOP-12751 - repo: https://github.com/apache/hadoop/ - commit: 092b1997418c8042224d24751a8fdde7d39a9ed:2.9,829a2e4d271f05afb209ddc834cd4a0e85492ed:3.1,d13cd394e553a1ffe74ccfb5bc4032409c4e5c3:2.8,d2531df1e87064be388e6fa6cb85f3729e87a2f:2.7 - description: "While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple. description: In the scenario of a trust between two directories, eg. FreeIPA (ipa.local) and Active Directory (ad.local) users can be made available on the OS level by something like sssd. The trusted users will be of the form 'user@ad.local' while other users are will not contain the domain. 
Executing 'id -Gn user@ad.local' will successfully return the groups the user belongs to if configured correctly. However, it is assumed by Hadoop that users of the format with '@' cannot be correct. This code is in KerberosName.java and seems to be a validator if the 'auth_to_local' rules are applied correctly. In my opinion this should be removed or changed to a different kind of check or maybe logged as a warning while still proceeding, as the current behavior limits integration possibilities with other standard tools. Workaround are difficult to apply (by having a rewrite by system tools to for example user_ad_local) due to down stream consequences. Fixed Version/s: 2.8.0, 3.0.0-alpha1, 2.7.6" - links: "http://hadoop.apache.org/docs/r2.7.6/hadoop-project-dist/hadoop-common/releasenotes.html,https://issues.apache.org/jira/browse/HADOOP-12751" - - -- reference: CVE-2019-1003001 - repo: https://github.com/jenkinsci/jenkins/ - commit: fa832c58b06556d9d3e0224be28f9c8673f3230b:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003001,https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266" - - -- reference: CVE-2019-1003005 - repo: https://github.com/jenkinsci/script-security-plugin/ - commit: 35119273101af26792457ec177f34f6f4fa49d99:master - description: "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003005,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1292" - - -- reference: CVE-2010-1632 - repo: https://github.com/apache/axis2-java - commit: dbb2a3d37baf651f34b3bb064badb0e2c377f46b:master,026d9037c3040580c2b04d8d8e4691c33a933418:master - description: "" - links: "" - - -- reference: CVE-2013-4330 - repo: https://github.com/apache/camel - commit: 27a9752a565fbef436bac4fcf22d339e3295b2a:camel-2.9.x,ce19353f1297c5d3dc59be21a1ead89c0a44907:camel-2.11.x,3215fe50dd42c83a7a454dd36486843fe36eae4:camel-2.10.x,2281b1f365c50ee1a470fb9990b753eadee9095:camel-2.12.x,5ba8f63f78f82b0cddf6cecbf59ac444a0cae2a6:master - description: "" - links: "" - - -- reference: CVE-2018-1114 - repo: https://github.com/undertow-io/undertow/ - commit: 882d5884f2614944a0c2ae69bafd9d13bfc5b64:2.0.5,7f22aa0090296eb00280f878e3731bb71d40f9e:1.4.x - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1114,https://issues.jboss.org/browse/UNDERTOW-1338,https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-72304" - - -- reference: CVE-2012-3451 - repo: https://github.com/apache/cxf - commit: 9c70abe28fbf2b4c4df0b93ed12295ea5a012554:trunk - description: "" - links: "" - - -- reference: CVE-2016-4433 - repo: https://github.com/apache/struts - commit: b28b78c062f0bf3c79793a25aab8c9b6c12bce6e:master - description: "" - links: "" - - -- reference: CVE-2017-2670 - repo: https://github.com/undertow-io/undertow/ - commit: 9bfe9fbbb595d51157b61693f072895f7dbadd1d:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670,https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-32442" - - -- reference: CVE-2018-17192 - repo: https://github.com/apache/nifi/ - commit: dbf259508c2b8e176d8cb837177aaadbf44f0670:master - description: "" - links: "https://issues.apache.org/jira/browse/NIFI-5258,https://nifi.apache.org/security.html#CVE-2018-17192,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHENIFI-72711" - - -- 
reference: CVE-2011-0013 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1057279:trunk,1057518:trunk,1057270:trunk - description: "" - links: "" - - -- reference: CVE-2018-8718 - repo: https://github.com/jenkinsci/mailer-plugin - commit: 98e79cf904769907f83894e29f50ed6b3e7eb135:master - description: "" - links: "http://www.openwall.com/lists/oss-security/2018/03/26/3" - - -- reference: CVE-2019-3559 - repo: https://github.com/facebook/fbthrift/ - commit: a56346ceacad28bf470017a6bda1d5518d0bd943:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3559,https://www.facebook.com/security/advisories/cve-2019-3559" - - -- reference: CVE-2018-16984 - repo: https://github.com/django/django/ - commit: bf39978a53f117ca02e9a0c78b76664a41a54745:master - description: "" - links: "https://docs.djangoproject.com/en/2.1/releases/2.1.2/" - - -- reference: CVE-2019-11324 - repo: https://github.com/urllib3/urllib3/ - commit: 1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1:master - description: "The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324" - - -- reference: CVE-2018-7537 - repo: https://github.com/django/django/ - commit: 94c5da1d17a6b0d378866c66b605102c19f7988:2.0,a91436360b79a6ff995c3e5018bcc666dfaf153:1.11,d17974a287a6ea2e361daff88fcc004cbd6835f:1.8,97b7dd59bb8d6163239061e2022153c3415d146:master - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-DJANGO-40779" - - -- reference: CVE-2015-4165 - repo: https://github.com/elastic/elasticsearch - commit: f5cfb2a1869d1a52930cbd3138278a6e2c1b22e6:master - description: "" - links: "" - - -- reference: CVE-2014-0229 - repo: https://github.com/apache/hadoop/ - commit: 957c56dbe5b1490490c09ddfbca9a4204c7c9d00:master - description: "" - links: "https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#concept_i1q_xvk_2r" - - -- reference: CVE-2005-4838 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 532571:tc5.0.x - description: "" - links: "" - - -- reference: CVE-2013-0239 - repo: https://github.com/apache/cxf - commit: 295a4e2f9eb3e7e0513980202949ccc424dee2d4:trunk - description: "" - links: "" - - -- reference: CVE-2019-1003026 - repo: https://github.com/jenkinsci/mattermost-plugin - commit: 51ebae2c57977193b45cd60fc70595a0e6df4cb2:master - description: "org.jenkins-ci.plugins:mattermost is a mattermost plugin for Jenkins. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message. Remediation Upgrade org.jenkins-ci.plugins:mattermost to version 2.6.3 or higher." 
- links: "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-985,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-173719" - - -- reference: CVE-2018-16168 - repo: https://github.com/JPCERTCC/LogonTracer/ - commit: 2bb79861dbaf7e8a9646fcd70359523fdb464d9c:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16168,https://jvn.jp/en/vu/JVNVU98026636/index.html" - - -- reference: CVE-2017-4992 - repo: https://github.com/cloudfoundry/uaa - commit: 4f942064d85454a4bcc4da04cd482d114816c14a:master,96a294013c0c9a13ef32afc49d2b759f5107dc4:2.7.4.x,1c9c6dd88266cfa7d333e5d8be1031fa31c5c93:3.9.x,3ce42a4c75828cb58287c3c7495dde3f5261f12:3.6.x - description: "It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user." - links: "https://www.cloudfoundry.org/cve-2017-4992/" - - -- reference: CVE-2015-0899 - repo: https://github.com/kawasima/struts1-forever - commit: 212bb0f7c57617b7b9c44cb1e056bd1e597c8e16:master - description: "" - links: "" - - -- reference: DJANGO-STORAGES-001 - repo: https://github.com/jschneier/django-storages/ - commit: 6ee6a739752923c60eaa1e82262c1d07208ec7f6:master - description: "django-storages is a project to provide a variety of storage backends in a single library. Affected versions of this package are vulnerable due to an Insecure Default behavior of S3BotoStorage. Remediation: Upgrade django-storages to version 1.7 or higher." 
- links: "https://snyk.io/vuln/SNYK-PYTHON-DJANGOSTORAGES-72415" - - -- reference: CVE-2019-1003017 - repo: https://github.com/jenkinsci/job-import-plugin/ - commit: 8f826a684ba0969697d2a92a6f448aef8f03b66c:master - description: "A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003017,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1302" - - -- reference: CVE-2019-0228 - repo: https://github.com/apache/pdfbox/ - commit: 072d68ec99a71bf271ec0f879e5cd71511e89093:master - description: "Apache PDFBox XML External Entity vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache PDFBox 2.0.14 description: Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. 
Mitigation: Upgrade to Apache PDFBox 2.0.15" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1699740,https://www.openwall.com/lists/oss-security/2019/04/12/1" - - -- reference: CVE-2018-11786 - repo: https://github.com/apache/karaf - commit: 24fb477ea886e8f294dedbad98d2a2c4cb2a44f9:master - description: "" - links: "https://issues.apache.org/jira/browse/KARAF-5427,https://lists.apache.org/thread.html/5b7ac762c6bbe77ac5d9389f093fc6dbf196c36d788e3d7629e6c1d9@%3Cdev.karaf.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEKARAFSHELL-72392" - - -- reference: CVE-2008-5518 - repo: https://github.com/apache/geronimo - commit: f8a612df7b06729bfd6c826e1a110d4bb40dc1f5:2.1,aa0c2c26dde8930cad924796af7c17a13d236b16:2.1.4,67dda0760bb0925ead201ddd5d809ff53686d63f:trunk - description: "" - links: "" - - -- reference: CVE-2018-7753 - repo: https://github.com/mozilla/bleach - commit: c5df5789ec3471a31311f42c2d19fc2cf21b35ef:master - description: "" - links: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892252,https://github.com/mozilla/bleach/releases/tag/v2.1.3" - - -- reference: CVE-2018-1000008 - repo: https://github.com/jenkinsci/pmd-plugin - commit: f88399a021c22e30cb8fbac5200471d69f1b6224:master - description: "" - links: "https://jenkins.io/security/advisory/2018-01-22/,https://snyk.io/vuln/SNYK-JAVA-ORGJVNETHUDSONPLUGINS-32170" - - -- reference: CVE-2014-2067 - repo: https://github.com/jenkinsci/jenkins.git - commit: 5d57c855f3147bfc5e7fda9252317b428a700014:master - description: "" - links: "" - - -- reference: CVE-2014-3490 - repo: https://github.com/ronsigal/Resteasy.git - commit: 9b7d0f574cafdcf3bea5428f3145ab4908fc6d83:master - description: "" - links: "" - - -- reference: DJANGO-REST-001 - repo: https://github.com/florimondmanca/djangorestframework-api-key/ - commit: fc51137e056ff3fa3fee7c30f46429f4ab0007c2:master - description: "Overview: djangorestframework-api-key is an API Key permissions for the Django REST Framework. 
Affected versions of this package are vulnerable to Information Exposure. The API key was stored in plaintext in database. Remediation: Upgrade djangorestframework-api-key to version 0.2.0 or higher." - links: "https://snyk.io/vuln/SNYK-PYTHON-DJANGORESTFRAMEWORKAPIKEY-72560" - - -- reference: HUDSON-483532 - repo: https://git.eclipse.org/r/hudson/org.eclipse.hudson.core - commit: 6cae5b7f9f88ac0afdc13ae8ea1c2f5070441b9e:master - description: "The use of the Hudson Command line Interface is now disabled by default and we recommend that it not be re-enabled unless Hudson is running inside of a controlled environment. An option is available on the main Hudson settings screen to explicitly enable the CLI should it be required. Update to 3.3.3" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=483532" - - -- reference: CVE-2014-2064 - repo: https://github.com/jenkinsci/jenkins.git - commit: fbf96734470caba9364f04e0b77b0bae7293a1ec:master - description: "" - links: "" - - -- reference: CVE-2018-1000613 - repo: https://github.com/bcgit/bc-java/ - commit: 4092ede58da51af9a21e4825fbad0d9a3ef5a223:master,cd98322b171b15b3f88c5ec871175147893c31e6:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613" - - -- reference: CVE-2018-1000054 - repo: https://github.com/jenkinsci/ccm-plugin/ - commit: 066cb43b4413b3490d822ec8b8a32072ebd213ca:master - description: "" - links: "https://jenkins.io/security/advisory/2018-02-05/,https://snyk.io/vuln/SNYK-JAVA-ORGJVNETHUDSONPLUGINS-32163" - - -- reference: CVE-2019-10242 - repo: https://github.com/eclipse/kura/ - commit: eb1f778e41bf8e7596c2a097fe54ada9dcd6a408:master - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=545833,https://github.com/eclipse/kura/pull/2327/files" - - -- reference: CVE-2017-5647 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1789024:trunk,1788932:trunk,1788999:trunk,1789008:trunk,1789856:trunk,1789155:trunk,1788890:trunk - 
description: "" - links: "" - - -- reference: CVE-2018-12585 - repo: https://github.com/OPCFoundation/UA-Java/ - commit: 83fe7a9f9a510f35e3903bef907d22889f99b08b:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12585,https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-12585.pdf,https://snyk.io/vuln/SNYK-JAVA-ORGOPCFOUNDATIONUA-72369" - - -- reference: CVE-2019-9658 - repo: https://github.com/checkstyle/checkstyle/ - commit: 180b4fe37a2249d4489d584505f2b7b3ab162ec6:master - description: "Overview com.puppycrawl.tools:checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection because it loads external DTDs by default. Remediation Upgrade com.puppycrawl.tools:checkstyle to version 8.18 or higher. " - links: "https://checkstyle.org/releasenotes.html#Release_8.18,https://github.com/checkstyle/checkstyle/issues/6474,https://github.com/checkstyle/checkstyle/issues/6478,https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-173770" - - -- reference: CVE-2019-1003020 - repo: https://github.com/jenkinsci/kanboard-plugin/ - commit: 01b6e508ccfa26b73974c988a5ba4c7aed9126e9:master - description: "A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003020,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818" - - -- reference: CVE-2012-0394 - repo: https://github.com/apache/struts - commit: 9cad25f258bb2629d263f828574d2671366c238d:master - description: "" - links: "" - - -- reference: CVE-2014-0002 - repo: https://github.com/apache/camel - commit: 341d4e6cca71c53c90962d1c3d45fc9e05cc50c6:master,2ec54fa0c13ae65bdcccff764af081a79fcc05f:camel-2.11.x,54b65c1d30848835f26bd138c0ba407bc1e560d:camel-2.12.x - description: "The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. (see also https://issues.apache.org/jira/browse/CAMEL-7129)" - links: "https://nvd.nist.gov/vuln/detail/CVE-2014-0002" - - -- reference: CVE-2019-1003044 - repo: https://github.com/jenkinsci/slack-plugin/ - commit: 0268bbefdcc283effd27be5318770f7e75c6f102:master - description: "CSRF vulnerability and missing permission checks in Slack Notification Plugin allowed capturing credentials SECURITY-976 / CVE-2019-1003043 (missing permission check) and CVE-2019-1003044 (CSRF) Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability. 
This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration)" - links: "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-976" - - -- reference: APACHE-HTTPCLIENT-1976 - repo: https://github.com/apache/httpcomponents-client/ - commit: c8068487fb65ba8ba3f3c74d7da101fc118b8b43:master - description: "Unsafe deserialization in DefaultHttpCacheEntrySerializer Apache HttpClient contains DefaultHttpCacheEntrySerializer class which uses the default Java serialization mechanism to store cache entries. DefaultHttpCacheEntrySerializer is used by default by EhcacheHttpCacheStorage class. It looks like there is a way how malicious data can reach DefaultHttpCacheEntrySerializer which as a result can lead to arbitrary code execution. Please check https://issues.apache.org/jira/browse/HTTPCLIENT-1976 for details about revelance prerequisites" - links: "https://issues.apache.org/jira/browse/HTTPCLIENT-1976" - - -- reference: CVE-2017-5648 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1785775:master,1785776:trunk,1785775:trunk,1785777:trunk,1785774:trunk - description: "" - links: "" - - -- reference: CVE-2008-2938 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 678137:trunk,681029:master,1451933:trunk,681065:trunk - description: "" - links: "" - - -- reference: DJANGO-CA-001 - repo: https://github.com/mathiasertl/django-ca/ - commit: d19009faecbad3f8a95f8a66a8fe3cfce14d14ce:master - description: "Overview: django-ca is a tool to manage TLS certificate authorities and easily issue and revoke certificates. Affected versions of this package are vulnerable to Arbitrary Code Injection. It did not properly escape the x509 extensions. Remediation: Upgrade django-ca to version 1.9.0 or higher." 
- links: "https://snyk.io/vuln/SNYK-PYTHON-DJANGOCA-72284" - - -- reference: CVE-2015-2296 - repo: https://github.com/requests/requests - commit: 3bd8afbff29e50b38f889b2f688785a669b9aafc:master - description: "" - links: "" - - -- reference: OIC-363 - repo: https://github.com/schlenk/pyoidc/ - commit: b9279ae488500fb669e9a46324adee21040692f5:master,eee497ccec8219321dddcf5b7aaa4fa0334d397a:master - description: "Improve cookie crypto for CookieDealer. Fixed IV reuse for CookieDealer class. Replaced the encrypt-then-mac construction with a proper AEAD (AES-SIV). Remediation: Upgrade oic to version 0.11.0.0 or higher." - links: "https://github.com/OpenIDC/pyoidc/blob/master/CHANGELOG.md#security,https://github.com/OpenIDC/pyoidc/issues/363" - - -- reference: CVE-2019-10331 - repo: https://github.com/jenkinsci/electricflow-plugin/ - commit: 0a934493290773a953fa7b29c19b555971b1144b:master - description: "" - links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1410%20(1)" - - -- reference: CVE-2018-14637 - repo: https://github.com/keycloak/keycloak/ - commit: 0fe0b875d63cce3d2855d85d25bb8757bce13eb1:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14637,https://snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-72652" - - -- reference: CVE-2016-6817 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1765798:master,1765794:trunk - description: "The HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible. 
Affects: 8.5.0 to 8.5.6, 9.0.0.M1 to 9.0.0.M11 (see https://tomcat.apache.org/security-8.html, https://tomcat.apache.org/security-9.html)" - links: " https://tomcat.apache.org/security-8.html" - - -- reference: CVE-2018-1000864 - repo: https://github.com/jenkinsci/jenkins/ - commit: 73afa0ca786a87f05b5433e2e38f863826fcad17:master - description: "" - links: "https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1193,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-72668" - - -- reference: CVE-2017-3586 - repo: https://github.com/mysql/mysql-connector-j/ - commit: aeba57264966b0fd329cdb8170ba772fd8fd4de2:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1444406,https://nvd.nist.gov/vuln/detail/CVE-2017-3586" - - -- reference: CVE-2018-1304 - repo: https://github.com/apache/tomcat/ - commit: 723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd:master - description: "" - links: "https://bz.apache.org/bugzilla/show_bug.cgi?id=62067,https://tomcat.apache.org/security-7.html,https://tomcat.apache.org/security-8.html,https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2018-1000614 - repo: https://github.com/opennetworkinglab/onos/ - commit: d59f36ce062b31be67221f6b668abaeb54011d49:master - description: "" - links: "http://gms.cl0udz.com/ONOS_Vul.pdf,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000614,https://snyk.io/vuln/SNYK-JAVA-ORGONOSPROJECT-32420" - - -- reference: CVE-2014-2062 - repo: https://github.com/jenkinsci/jenkins.git - commit: 5548b5220cfd496831b5721124189ff18fbb12a3:master - description: "" - links: "" - - -- reference: CVE-2018-1322 - repo: https://github.com/apache/syncope/ - commit: 44a5ca0fbd357b8b5d81aa9313fb01cca30d8ad:1.2.11,735579b6f987b407049ac1f1da08e675d957c3e:2.0.8,7b168c142b09c3b03e39f1449211e7ddf026a14:master - description: "" - links: 
"http://syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESYNCOPE-32139" - - -- reference: CVE-2015-5256 - repo: https://github.com/apache/cordova-android - commit: af2969dec58ca89150b84b5d57edcf63d4ce1302:master - description: "" - links: "" - - -- reference: SPR-7779 - repo: https://github.com/spring-projects/spring-framework - commit: f4a2282d9d9f6e58029022c58311a1db07f7defc:master - description: "In versions before 3.0.6 and 3.1 M1, LocaleChangeInterceptor does not validate locale values which may lead to XSS vulnerability" - links: "https://jira.spring.io/browse/SPR-7779" - - -- reference: CVE-2016-6814 - repo: https://github.com/apache/groovy/ - commit: 4df8b652aa018a5d5d1cda8fba938bf3422db31c:master - description: "" - links: "" - - -- reference: CVE-2018-14574 - repo: https://github.com/django/django/ - commit: a656a681272f8f3734b6eb38e9a88aa0d91806f1:master - description: "If the CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks. CommonMiddleware now escapes leading slashes to prevent redirects to other domains. 
Issue is to be fixed in 1.11.15 and 2.0.8" - links: "https://docs.djangoproject.com/en/2.0/releases/1.11.15/,https://docs.djangoproject.com/en/2.0/releases/2.0.8/,https://www.djangoproject.com/weblog/2018/aug/01/security-releases/" - - -- reference: CVE-2017-4960 - repo: https://github.com/cloudfoundry/uaa - commit: 5eab756eaf4bb397302f00fbd0273f2470009d38:master,78731f8aa37a53385d0194821a5356ab66e2138:3.9.8 - description: "" - links: "" - - -- reference: CVE-2018-11762 - repo: https://github.com/apache/tika/ - commit: a09d853dbed712f644e274b497cce254f3189d57:master - description: "" - links: "https://lists.apache.org/thread.html/ab2e1af38975f5fc462ba89b517971ef892ec3d06bee12ea2258895b@%3Cdev.tika.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETIKA-72393" - - -- reference: CVE-2017-7893 - repo: https://github.com/saltstack/salt/ - commit: 0a0f46fb1478be5eb2f90882a90390cb35ec43cb:master - description: "" - links: "https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html,https://github.com/saltstack/salt/issues/48939,https://github.com/saltstack/salt/pull/39855,https://www.cvedetails.com/cve/CVE-2017-7893/" - - -- reference: CVE-2019-1003024 - repo: https://github.com/jenkinsci/script-security-plugin/ - commit: 3228c88e84f0b2f24845b6466cae35617e082059:master - description: "org.jenkins-ci.plugins:script-security allows Jenkins administrators to control what in-process scripts can be run by less-privileged users. Affected versions of this package are vulnerable to Arbitrary Code Execution in RejectASTTransformsCustomizer.java. It is possible for attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. Remediation Upgrade org.jenkins-ci.plugins:script-security to version 1.5.3 or higher." 
- links: "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1320,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-173716" - - -- reference: CVE-2018-1295 - repo: https://github.com/apache/ignite/ - commit: 340569b8f4e14a4cb61a9407ed2d9aa4a20bdf49:master - description: "" - links: "https://lists.apache.org/thread.html/45e7d5e2c6face85aab693f5ae0616563132ff757e5a558da80d0209@%3Cdev.ignite.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEIGNITE-32200" - - -- reference: CVE-2013-0177 - repo: https://github.com/apache/ofbiz - commit: 5f186ec923d91612d0873bf0d92609d6a379511a:release10.04,72cb46f63957833d39dd91659db9a78357ea4ac1:release12.04,ec9b4d668aa2211379588e33190936597ae562d0:trunk,914c5783c4e268e2584f9713e3784f848c494aa1:release11.04 - description: "" - links: "" - - -- reference: CVE-2014-1829 - repo: https://github.com/requests/requests/ - commit: f1893c835570d72823c970fbd6e0e42c13b1f0f2:master,7ba5a534ae9fc24e40b3ae6c480c9075d684727e:master,97cf16e958a948ecf30c3019ae94f2e7ec7dcb7f:master,fe4c4f146124d7fba2e680581a5d6b9d98e3fdf8:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829,https://github.com/requests/requests/issues/1885,https://github.com/requests/requests/pull/1951" - - -- reference: CVE-2016-9879 - repo: https://github.com/spring-projects/spring-security.git - commit: 666e356ebc479194ba51e43bb99fc42f849b6175:master - description: "" - links: "" - - -- reference: CVE-2016-9909 - repo: https://github.com/html5lib/html5lib-python/ - commit: 9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7:master - description: "" - links: "https://www.cvedetails.com/cve/CVE-2016-9909/" - - -- reference: CVE-2014-0116 - repo: https://github.com/apache/struts.git - commit: 74e26830d2849a84729b33497f729e0f033dc147:master - description: "Fix for ue CVE-2014-0094, CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116" - links: "https://github.com/apache/struts/pull/70" - - -- reference: CVE-2018-17202 - repo: 
https://github.com/apache/commons-imaging/ - commit: 6a79d35d6654d895d0a4b73b3a9282ec9aaeeb06:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17202,https://issues.apache.org/jira/browse/IMAGING-220,https://lists.apache.org/thread.html/48a64566999f44290e4fb3b0d2e9a0e1c996902db51258e7aff00dda@%3Cdev.commons.apache.org%3E,https://lists.apache.org/thread.html/69204376d12205b0d2d90e6fcbeebb99b894e6db88c8ff565c4e1efa@%3Cdev.commons.apache.org%3E" - - -- reference: CVE-2018-11248 - repo: https://github.com/lingochamp/FileDownloader/ - commit: ff240b883490a84744705f9b4165719d7633f902:master - description: "" - links: "https://github.com/lingochamp/FileDownloader/issues/1028,https://snyk.io/vuln/SNYK-JAVA-COMLIULISHUOFILEDOWNLOADER-32291" - - -- reference: CVE-2013-2185 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1470435:trunk - description: "" - links: "" - - -- reference: CVE-2016-0714 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1727034:trunk,1726196:trunk,1725914:trunk,1726923:trunk,1726203:trunk,1725263:trunk,1727166:trunk,1727182:trunk - description: "" - links: "" - - -- reference: CVE-2013-4590 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1558828:trunk,1549528:trunk,1549529:trunk - description: "" - links: "" - - -- reference: CVE-2017-1000502 - repo: https://github.com/jenkinsci/ec2-plugin/ - commit: 180f7d0eae6031d67259a5d86d9d7d382f9eb05b:master - description: "" - links: "https://jenkins.io/security/advisory/2017-12-06/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32174" - - -- reference: CVE-2013-2193 - repo: https://github.com/apache/hbase - commit: 408eb243ad51bbad593d83ad2cfd35cc0e90b38e:master - description: "" - links: "" - - -- reference: CVE-2018-10862 - repo: https://github.com/wildfly/wildfly-core/ - commit: 40996ae6d5d3b6c1602a15f96b86a8d8a39b53eb:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-ORGWILDFLYCORE-32441" - - -- reference: 
CVE-2018-1000009 - repo: https://github.com/jenkinsci/checkstyle-plugin/ - commit: 365d6164ebce7b65ae010c71016924ef8b98c1a0:master - description: "" - links: "https://jenkins.io/security/advisory/2018-01-22/,https://snyk.io/vuln/SNYK-JAVA-ORGJVNETHUDSONPLUGINS-32169" - - -- reference: CVE-2015-8103 - repo: https://github.com/jenkinsci/jenkins - commit: 5bd9b55a2a3249939fd78c501b8959a804c1164b:master - description: "Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (see https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/) Jenkins main line users should update to 1.638. Jenkins LTS users should update to 1.625.2." - links: "https://jenkins.io/security/advisory/2015-11-11/" - - -- reference: CVE-2018-12538 - repo: https://github.com/eclipse/jetty.project/ - commit: a0b8321ef452dddff9bc6c14e3ac0108239bfa2c:master - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018,https://github.com/CVEProject/cvelist/pull/637,https://github.com/eclipse/jetty.project/issues/2038,https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32381" - - -- reference: CVE-2012-3439 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1392248:trunk,1377807:trunk,1380829:trunk - description: "Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved: Tomcat tracked client rather than server nonces and nonce count. When a session ID was present, authentication was bypassed. The user name and password were not checked before when indicating that a nonce was stale. These issues reduced the security of DIGEST authentication making replay attacks possible in some circumstances." 
- links: "http://seclists.org/fulldisclosure/2012/Nov/35" - - -- reference: CVE-2008-2370 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 680949:master,673839:trunk,680950:tc4.1.x - description: "" - links: "" - - -- reference: CVE-2017-7660 - repo: https://github.com/apache/lucene-solr - commit: 9f91c619a35db89544f5c85795df4128c9f0d96:branch_5x,2f5ecbcf9ed7a3a4fd37b5c55860ad8eace1bea:branch_5_5,e3b0cfff396a7f92a4f621d598780116da916f3:branch_6x,e912b7cb5c68fbb87b874d41068cf5a3aea17da0:master - description: "" - links: "" - - -- reference: CVE-2016-1494 - repo: https://github.com/sybrenstuvel/python-rsa/ - commit: ab5d21c3b554f926d51ff3ad9c794bcf32e95b3c:master - description: "" - links: "https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff,https://snyk.io/vuln/SNYK-PYTHON-RSA-40377" - - -- reference: CVE-2018-8017 - repo: https://github.com/apache/tika/ - commit: 62926cae31a02d4f23d21148435804b96c543cc:1.19,8a6a9e1344f5b10ebfa1a189dc3c30d0da2b9d4:1.x - description: "" - links: "https://lists.apache.org/thread.html/72df7a3f0dda49a912143a1404b489837a11f374dfd1961061873a91@%3Cdev.tika.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETIKA-72394" - - -- reference: CVE-2017-17835 - repo: https://github.com/apache/airflow/ - commit: 6aca2c2d395952341ab1b201c59011920b5a5c77:master - description: "" - links: "https://github.com/apache/airflow/pull/2054,https://issues.apache.org/jira/browse/AIRFLOW-836,https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E,https://snyk.io/vuln/SNYK-PYTHON-APACHEAIRFLOW-73592" - - -- reference: CVE-2017-12159 - repo: https://github.com/keycloak/keycloak - commit: 9b75b603e3a5f5ba6deff13cbb45b070bf2d2239:master - description: "" - links: "" - - -- reference: CVE-2018-20244 - repo: https://github.com/apache/airflow/ - commit: 27a4a888e946728d9bb33b78ec604e08d4a93f89:master - description: "" - links: 
"https://lists.apache.org/thread.html/f656fddf9c49293b3ec450437c46709eb01a12d1645136b2f1b8573b@%3Cdev.airflow.apache.org%3E" - - -- reference: CVE-2019-1003093 - repo: https://github.com/jenkinsci/nomad-plugin/ - commit: 3331d24896b815c375e528207c5572e18631c49d:master - description: "" - links: "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1058" - - -- reference: CVE-2018-8030 - repo: https://github.com/apache/qpid-broker-j/ - commit: 025b48f3193e2b10b1c41d2bc3bcfc9cfc238a27:master - description: "" - links: "https://issues.apache.org/jira/browse/QPID-8203,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEQPID-32380" - - -- reference: CVE-2018-11776 - repo: https://github.com/apache/struts - commit: 6e87474f9ad0549f07dd2c37d50a9ccd0977c6e:2.5.x,b3bad5ea44f3fd9edb2cb491192c5900f46d45d:2.5.x,4a3917176de2df7f33a85511d067f31e50dcc1b:2.3.x,6efaf900d4ffb7be8a74065af5553bad2389f72:2.5.x - description: "" - links: "" - - -- reference: CVE-2017-1000391 - repo: https://github.com/jenkinsci/jenkins/ - commit: 566a8ddb885f0bef9bc848e60455c0aabbf0c1d3:master - description: "" - links: "https://jenkins.io/security/advisory/2017-11-08/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32191" - - -- reference: CVE-2013-4366 - repo: https://github.com/apache/httpcomponents-client - commit: 08140864e3e4c0994e094c4cf0507932baf6a66:master - description: "" - links: "" - - -- reference: CVE-2018-1284 - repo: https://github.com/apache/hive/ - commit: b0a58d245875dc1b3ac58a7cf1a61d3b17805e96:master - description: "" - links: "https://issues.apache.org/jira/browse/HIVE-18879,https://lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4@%3Cdev.hive.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHIVE-32203" - - -- reference: CVE-2019-1003092 - repo: https://github.com/jenkinsci/nomad-plugin/ - commit: 3331d24896b815c375e528207c5572e18631c49d:master - description: "" - links: "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1058" - - -- 
reference: CVE-2018-8768 - repo: https://github.com/jupyter/notebook/ - commit: e321c80776542b8d6f3411af16f9e21e51e27687:master - description: "" - links: "https://github.com/jupyter/notebook/pull/3341,https://www.openwall.com/lists/oss-security/2018/03/15/2" - - -- reference: CVE-2013-6407 - repo: https://github.com/apache/lucene-solr - commit: f230486ce6707762c1a6e81655d0fac52887906d:master - description: "" - links: "" - - -- reference: CVE-2018-1000109 - repo: https://github.com/jenkinsci/google-play-android-publisher-plugin - commit: f81b058289caf3332ae40d599a36a3665b1fa13c:master - description: "" - links: "" - - -- reference: CVE-2019-1003022 - repo: https://github.com/jenkinsci/monitoring-plugin/ - commit: ad99b20cecd1a084d93e707bb29fa9557d2f4382:master - description: "A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003022,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1153" - - -- reference: CVE-2018-1262 - repo: https://github.com/cloudfoundry/uaa/ - commit: 14c745aa293b8d3ce9cdd6bfbc6c0ef3f269b21:4.12.2,dccd3962f969913996ee88f653fce3b108c0205:4.13.4,4178762a49f547534b13539ca65e1d370772c38:4.12.2,3633a832885ebf33b2e22cc1c0c8ce605e2c657:4.13.4 - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-ORGCLOUDFOUNDRYIDENTITY-32287,https://www.cloudfoundry.org/blog/cve-2018-1262/" - - -- reference: CVE-2017-3163 - repo: https://github.com/apache/lucene-solr - commit: 3a4f885b18bc963a8326c752bd229497908f1db:branch_6_4,6f598d24692a89da9b5b671be6cf4b947aa39266:master,7088137d52256354a52ed86547b9faa0e704293:branch_6x,ae789c252687dc8a18bfdb677f2e6cd14570e4d:branch_5_5 - description: "Apache Solr provides a \"replication\" handler which supports operations related to querying the state of an index as well as copying files associated with the index. 
https://cwiki.apache.org/confluence/display/solr/Index+Replication This handler supports an HTTP API (/replication?command=filecontent&file=) which is vulnerable to path traversal attack. Specifically, this API does not perform any validation of the user specified file_name parameter. This can allow an attacker to download any file readable to Solr server process even if it is not related to the actual Solr index state. https://www.owasp.org/index.php/Path_Traversal (see https://issues.apache.org/jira/browse/SOLR-10031) 4.x, 3.x and 1.4 users should upgrade to a supported version of Solr or setup proper firewalling, or disable the ReplicationHandler if not in use." - links: "https://wiki.apache.org/solr/SolrSecurity" - - -- reference: CVE-2013-4155 - repo: https://github.com/openstack/swift/ - commit: 6b9806e0e8cbec60c0a3ece0bd516e0502827515:master - description: "" - links: "https://nvd.nist.gov/vuln/detail/CVE-2013-4155,https://review.opendev.org/#/c/40643/,https://review.opendev.org/#/c/40645/,https://review.opendev.org/#/c/40646/" - - -- reference: CVE-2017-7669 - repo: https://github.com/apache/hadoop - commit: 0319e74c2512d47d47ab9df834f5b6455be7d968:master,bbe3b0857d383c5e4dc4a7ade90a88a3e24338b:branch-2.8.1 - description: "" - links: "" - - -- reference: CVE-2007-2450 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 547085:tc4.1.x,547088:tc5.0.x,547082:master,547077:trunk - description: "" - links: "" - - -- reference: CVE-2014-0168 - repo: https://github.com/rhuss/jolokia.git - commit: 2d9b168cfbbf5a6d16fa6e8a5b34503e3dc42364:master - description: "" - links: "" - - -- reference: HADOOP-14833 - repo: https://github.com/apache/hadoop/ - commit: 87f63b6479330840e9d708a729355948bb91fd4d:master - description: "" - links: 
"http://hadoop.apache.org/docs/r3.2.0/hadoop-project-dist/hadoop-common/release/3.2.0/CHANGELOG.3.2.0.html,http://hadoop.apache.org/docs/r3.2.0/hadoop-project-dist/hadoop-common/release/3.2.0/RELEASENOTES.3.2.0.html,https://issues.apache.org/jira/browse/HADOOP-14833" - - -- reference: CVE-2014-3577 - repo: https://github.com/apache/httpcomponents-client - commit: 51cc67567765d67f878f0dcef61b5ded454d3122:4.3.x - description: "" - links: "" - - -- reference: CVE-2015-5607 - repo: https://github.com/ipython/ipython/ - commit: 1415a9710407e7c14900531813c15ba6165f0816:master - description: "" - links: "https://www.cvedetails.com/cve/CVE-2015-5607/" - - -- reference: CVE-2019-10346 - repo: https://github.com/jenkinsci/embeddable-build-status-plugin/ - commit: 38e057b71bcd0d494b04215420919abfda93e324:master - description: "" - links: "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1419,https://plugins.jenkins.io/embeddable-build-status" - - -- reference: DJANGO-REST-002 - repo: https://github.com/encode/django-rest-framework/ - commit: 4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8:master - description: "" - links: "https://github.com/encode/django-rest-framework/pull/6330,https://www.django-rest-framework.org/community/release-notes/#release-notes" - - -- reference: CVE-2012-6612 - repo: https://github.com/apache/lucene-solr - commit: f230486ce6707762c1a6e81655d0fac52887906d:master - description: "" - links: "" - - -- reference: CVE-2019-10347 - repo: https://github.com/jenkinsci/mashup-portlets-plugin/ - commit: 05eb9bfd5c758c8c477ce6bd4315fd65d83e9a0a:master - description: "" - links: "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-775,https://plugins.jenkins.io/mashup-portlets-plugin" - - -- reference: PLEXUS-ARCHIVER-87 - repo: https://github.com/codehaus-plexus/plexus-archiver/ - commit: f8f4233508193b70df33759ae9dc6154d69c2ea8:master - description: "description: Arbitrary File Write Archive Extract. 
org.codehaus.plexus:plexus-archiver is a Collection of Plexus components to create archives or extract files out of an archive to a directory with a unified Archiver/UnArchiver API whatever the archive format is. Affected versions of the package are vulnerable to Arbitrary File Write through Archive Extract. It can be exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a ../../file.exe location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. Remediation: Upgrade org.codehaus.plexus:plexus-archiverto version 3.6.0 or higher." - links: "https://github.com/codehaus-plexus/plexus-archiver/pull/87,https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680" - - -- reference: CVE-2018-1000106 - repo: https://github.com/jenkinsci/gerrit-trigger-plugin - commit: a222f2d9d1bca3422e6a462a7f587ae325455b80:master - description: "" - links: "" - - -- reference: CVE-2014-1972 - repo: https://github.com/apache/tapestry-5 - commit: 95846b173d83c2eb42db75dae3e7d5e13a633946:master - description: "" - links: "" - - -- reference: CVE-2015-1832 - repo: https://svn.apache.org/repos/asf/db/derby - commit: 1691461:trunk,1684807:trunk,1690855:trunk - description: "" - links: "" - - -- reference: CVE-2018-1000873 - repo: https://github.com/FasterXML/jackson-modules-java8/ - commit: ba27ce5909dfb49bcaf753ad3e04ecb980010b0b:master,7de5c8dcd7e2f59f4f5a0c6c9b92cc9e785f9eac:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1665601,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873,https://github.com/FasterXML/jackson-modules-java8/issues/90" - - -- 
reference: CVE-2016-6801 - repo: https://github.com/apache/jackrabbit - commit: d6e86e4350989af3eb3eb0429d6e4d4d6bd40e5c:2.6,43accb855897b0d82393d47420e25a1e4a569211:2.12,30318d5aef7bf494e579a86f45c79b18b204a997:2.6,283df6f101676579086400e30e8dd42eacd5ef33:trunk,987168c04327fd4fbbb4fb9d13ae92d5ca888386:2.10,884ede7db1c6ca490fcbb8238762b000a25f82c3:2.4,8dde23b63151417769eaca112fbbae9a52c47ff3:trunk,db26ade17d791bbb4e4771ed9650ec1159a541ff:2.12,4908cb64317122cdd3e096ebe8c32bd98d2ed8b7:2.8,f05620fb3f4c72429c9856ab7f63a9ac8ca90acf:2.8,cab86cdfb7829b66c89196dfb6095f0faa5aa3c3:2.10,09393f93862923e4c8a2f8c7d1236e1a5d3373b5:trunk,f0bd17956647cf09cc898d30e7d58221ef409bca:2.4 - description: "" - links: "" - - -- reference: CVE-2014-3579 - repo: https://github.com/apache/activemq-apollo - commit: e5647554e6801a522c508a8eb457979a9af8c398:master - description: "It is possible for a consumer dequeuing XML message(s) to specify an XPath based selector thus causing the broker to evaluate the expression and attempt to match it against the messages in the queue while also performing an XML external entity resolution. Upgrade to Apache ActiveMQ Apollo 1.7.1 (see https://issues.apache.org/jira/browse/APLO-366)" - links: "http://activemq.apache.org/security-advisories.data/CVE-2014-3579-announcement.txt" - - -- reference: CVE-2019-10300 - repo: https://github.com/jenkinsci/gitlab-plugin/ - commit: f028c65539a8892f2d1f738cacc1ea5830adf5d3:master - description: "CSRF vulnerability and missing permission checks in GitLab Plugin allowed capturing credentials SECURITY-1357 / CVE-2019-10300 (CSRF) and CVE-2019-10301 (permission check) GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability. This form validation method now requires POST requests and Overall/Administer permissions." - links: "https://jenkins.io/security/advisory/2019-04-17/#SECURITY-1357" - - -- reference: CVE-2017-5200 - repo: https://github.com/saltstack/salt/ - commit: c59ae9a:master - description: "" - links: "https://github.com/saltstack/salt/pull/39855,https://www.cvedetails.com/cve/CVE-2017-5200/" - - -- reference: CVE-2007-5461 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 609297:master,619799:tc4.1.x,585934:trunk - description: "" - links: "" - - -- reference: CVE-2009-3695 - repo: https://github.com/django/django/ - commit: 594a28a90:1.0,e3e992e18:1.1,9f8287a3f:master - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-DJANGO-42162,https://www.djangoproject.com/weblog/2009/oct/09/security/" - - -- reference: CVE-2016-9177 - repo: https://github.com/perwendel/spark - commit: efcb46c710e3f56805b9257a63d1306882f4faf9:master - description: "" - links: "" - - -- reference: CVE-2019-10904 - repo: https://github.com/roundup-tracker/roundup/ - commit: a2edc3cba0b5d34005114f6da0251bd9ac2837df:master - description: "" - links: "https://github.com/python/bugs.python.org/issues/34" - - -- reference: CVE-2015-8557 - repo: https://github.com/sol/pygments/ - commit: 74e7ad477f7ff7a70b987fcfc5c558ec14264c13:master - description: "" - links: "https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501/fix-shell-injection-in/diff,https://www.cvedetails.com/cve/CVE-2015-8557/" - - -- reference: CVE-2017-1000400 - repo: https://github.com/jenkinsci/jenkins/ - commit: b2083a387a5bdb6f7ee7f7c81a1f6312aca2a558:master - description: "" - links: "https://jenkins.io/security/advisory/2017-10-11/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32183" - - -- reference: CVE-2011-1772 - repo: https://github.com/apache/struts/ - commit: 
885ab3459e146ff830d1f7257f809f4a3dd4493a:master - description: "" - links: "http://www.ventuneac.net/security-advisories/MVSA-11-006,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1772,https://cwiki.apache.org/confluence/display/WW/S2-006,https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.2.3,https://issues.apache.org/jira/browse/WW-3579" - - -- reference: CVE-2017-5656 - repo: https://github.com/apache/cxf - commit: 66c2c5b9:master - description: "" - links: "" - - -- reference: CVE-2016-6652 - repo: https://github.com/spring-projects/spring-data-jpa - commit: b8e7fecccc7dc8edcabb4704656a7abe6352c08f:master - description: "Sort instances handed into user defined Spring Data repository query methods using manually declared JPQL queries are handed to the persistence provider as is and allow attackers to inject arbitrary JPQL into ORDER BY clauses which they might use to draw conclusions about non-exposed fields based on the query result's element order changing depending on the injected JPQL." - links: "https://pivotal.io/security/cve-2016-6652" - - -- reference: CVE-2016-6186 - repo: https://github.com/django/django/ - commit: d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d15:1.9,f68e5a99164867ab0e071a936470958ed867479:1.8 - description: "" - links: "https://www.cvedetails.com/vulnerability-list/vendor_id-10199/product_id-18211/year-2016/Djangoproject-Django.html,https://www.exploit-db.com/exploits/40129/" - - -- reference: JENKINS-RABBITMQ-PUBLISHER-848 - repo: https://github.com/jenkinsci/rabbitmq-publisher-plugin/ - commit: f0306f229a79541650f759797475ef2574b7c057:master - description: "Rabbit-MQ Publisher Plugin stored password in plain text SECURITY-848 Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system. 
The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Affected versions: Rabbit-MQ Publisher Plugin up to and including 1.0 Fix: Rabbit-MQ Publisher Plugin should be updated to version 1.2.0 " - links: "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-848" - - -- reference: CVE-2014-8122 - repo: https://github.com/weld/core.git - commit: 8e413202fa1af08c09c580f444e4fd16874f9c65:master,29fd1107fd30579ad9bb23fae4dc3ba464205745:master,6808b11cd6d97c71a2eed754ed4f955acd789086:master - description: "" - links: "" - - -- reference: CVE-2013-4152 - repo: https://github.com/spring-projects/spring-framework.git - commit: 7576274874deeccb6da6b09a8d5bd62e8b5538b7:master - description: "" - links: "" - - -- reference: CVE-2016-10149 - repo: https://github.com/rohe/pysaml2/ - commit: 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10149" - - -- reference: CVE-2012-5784 - repo: http://svn.apache.org/repos/asf/axis/axis1/java/trunk/axis-rt-core - commit: 0:trunk - description: "Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. The patch is available at https://issues.apache.org/jira/browse/AXIS-2883, however the fix for this bug was incomplete. To fix the problem please use the patch at https://issues.apache.org/jira/browse/AXIS-2905 (the incomplete fix was assigned the new identifier CVE-2014-3596)." 
- links: "https://nvd.nist.gov/vuln/detail/CVE-2012-5784" - - -- reference: CVE-2016-0734 - repo: https://github.com/apache/activemq - commit: 028a33ea7d73fabe6161defffdbfc85578328a68:master,24ad36778534c5ac888f880837075449169578ad:master - description: "The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element. https://issues.apache.org/jira/browse/AMQ-6170" - links: "" - - -- reference: CVE-2014-3623 - repo: https://github.com/apache/wss4j - commit: 64581eabbebe7500fbddb1e279317500dc12f49a:1_6_x-fixes,9c6333a0801923c0b8d8f41bee91e6cb02ed2ab1:trunk - description: "" - links: "" - - -- reference: CVE-2014-2058 - repo: https://github.com/jenkinsci/jenkins.git - commit: b6b2a367a7976be80a799c6a49fa6c58d778b50e:master - description: "" - links: "" - - -- reference: CVE-2017-0359 - repo: https://salsa.debian.org/reproducible-builds/diffoscope.git - commit: 632a40828a54b399787c25e7fa243f732aef7e05:master - description: "" - links: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723" - - -- reference: CVE-2016-6637 - repo: https://github.com/cloudfoundry/uaa - commit: f3d8a9e1ee1acac5bf1f8487ac9461f4cf4505c:3.4.x,32569285018a464dcbd9d4c120a11cc4b767f8e:3.3.0.x,703542183b14b3ef1e04d68d83484d9eaaeb2f0:2.7.4.x - description: "The profile and authorize approval pages do not contain CSRF tokens, making an exploit to approve or deny scopes possible." 
- links: "https://www.cloudfoundry.org/cve-2016-6637/" - - -- reference: CVE-2011-5064 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1158180:trunk - description: "" - links: "" - - -- reference: CVE-2012-5887 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1380829:trunk - description: "" - links: "" - - -- reference: BEANUTILS-463 - repo: https://github.com/apache/commons-beanutils/ - commit: 4e410e068b8d367c53766a7da712b1b6f3fd8101:trunk,2412c90ba5584fed123fa6a33e752e6c8eaf74e9:trunk - description: "Class loader vulnerability in DefaultResolver caused by a missing check for the \"class\" keyword when getting nested properties. Affects versions: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1. Fixed in version 1.9.2. (see http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt)" - links: "https://issues.apache.org/jira/browse/BEANUTILS-463" - - -- reference: CVE-2015-8581 - repo: https://github.com/apache/tomee - commit: 58cdbbef9c77ab2b44870f9d606593b49cde76d9:master - description: "" - links: "" - - -- reference: CVE-2019-1003049 - repo: https://github.com/jenkinsci/jenkins/ - commit: 0eeaa087aac192fb39f52928be5a5bbf16627ea6:master - description: "Jenkins accepted cached legacy CLI authentication SECURITY-1289 / CVE-2019-1003049 The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches. This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated. Support for the remoting-based CLI was dropped in Jenkins 2.165, so newer weekly releases are not affected. Jenkins 2.164.2 no longer supports legacy CLI authentication caches from before 2.150.2/2.160, and these users will be considered logged out." 
- links: "https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289" - - -- reference: CVE-2019-11808 - repo: https://github.com/ratpack/ratpack/ - commit: f2b63eb82dd71194319fd3945f5edf29b8f3a42d:master - description: "" - links: "https://github.com/ratpack/ratpack/issues/1448,https://github.com/ratpack/ratpack/releases/tag/v1.6.1" - - -- reference: CVE-2017-5662 - repo: https://github.com/apache/batik - commit: 998cabf7af08852e8305f60b5e4c0b6721c47667:trunk,6ab669f073c23a443d78a7a08aea2fd4de10da8c:trunk - description: "In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. 
(see https://issues.apache.org/jira/browse/BATIK-1139)" - links: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662" - - -- reference: CVE-2014-0094 - repo: https://github.com/apache/struts.git - commit: 74e26830d2849a84729b33497f729e0f033dc147:master - description: "Fix for ue CVE-2014-0094, CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116" - links: "https://github.com/apache/struts/pull/70" - - -- reference: CVE-2009-2901 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 902650:trunk,892815:trunk,892795:trunk - description: "" - links: "" - - -- reference: CVE-2019-3797 - repo: https://github.com/spring-projects/spring-data-jpa/ - commit: 9b16fef6e9a1c8f4352cb979df8ef4a9336d655:2.1.x,c47a5d09a1123ca8e77f832f8335e227b820b3f:1.11.x,417202db8e1714bdca1bd57879634866934c6f5:2.1.x,271a2814157c5de78345effdbe2a21c740880cd:1.11.x,8a5743c74b7ab1daf7cb428fee0d9b3f03fb914:1.11.x,16661f7e7e28f8ea8585a0402bd91eb6721ce55:2.1.x,899b8b0db3d40603488ad50f116ab9e68021ba3:2.0.x,b6060be66b6cbf447c0c62e5b80caa565e10f38:2.0.x,ee03f9b4a5facaee1b9d25313862e1d043f5a5d:2.0.x,ee39e8863bb43b63e34fe9ac6ec9b864cd8afca:2.1.x,4d4e6d418fe3bca14c7cff1c7161e3794026f96:2.0.x,89b18d573394c84012c58c892e9a3844fb8c7b4:1.11.x - description: "Additional information exposure with Spring Data JPA derived queries Severity Low description This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly. Affected Pivotal Products and Versions Severity is low unless otherwise noted. 
Spring Data JPA 2.0 to 2.0.13 Spring Data JPA 2.1 to 2.1.5 Spring Data JPA 1.11 to 1.11.19 Older unsupported versions are also affected Mitigation Users of affected versions should apply the following mitigation: 2.1.x users should upgrade to 2.1.6 (included in Spring Boot 2.1.4) 2.0.x users should upgrade to 2.0.14 (included in Spring Boot 2.0.9) 1.11.x users should upgrade to 1.11.20 (included in Spring Boot 1.5.20) Older versions should upgrade to a supported branch There are no other mitigation steps necessary. Note, that with the current releases, the 2.0 branch of both Spring Data and Spring Boot is EOL and we highly recommend to upgrade Important : It has been noticed by the Vulas team that the commit fixing the problem is already present in 1.11.19 (please notice that 1.11.19 and 1.11.20 have been released on the same day)." - links: "https://pivotal.io/security/cve-2019-3797" - - -- reference: CVE-2013-1965 - repo: https://github.com/apache/struts - commit: 7e6f641ebb142663cbd1653dc49bed725edf7f56:master - description: "" - links: "" - - -- reference: CVE-2017-12612 - repo: https://github.com/apache/spark/ - commit: 9952b53b57498852cba799b47f00238e52114c7c:master,0b25a7d93359e348e11b2e8698990a53436b3c5:2.1.x,4cba3b5a350f4d477466fc73b32cbd653eee840:2.2.x,8efc6e986554ae66eab93cd64a9035d716adbab:2.3.x,772a9b969aa179150aa216e9efd950e512e9d0b4:master,f7cbf90a72a19476ea2d3d1ddc96c45a24b9f57:2.0.x - description: "" - links: "http://seclists.org/oss-sec/2017/q3/419,https://issues.apache.org/jira/browse/SPARK-20922,https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-38954/Apache-Spark.html" - - -- reference: CVE-2016-4437 - repo: https://github.com/apache/shiro - commit: 64d9f8341e1aa7ef1a29744e16ea7c578ca5deee:master - description: "" - links: "" - - -- reference: RESTVIEW-001 - repo: https://github.com/mgedmin/restview/ - commit: ef8d9e155dc4f4ca934bd5aa26ab36fb94b6e89b:master - description: "Affected versions of this package are vulnerable to 
DNS rebinding attack due to improperly checking the host header in HTTP requests. Remediation: Upgrade restview to version 2.8.1 or higher." - links: "https://github.com/mgedmin/restview/issues/51,https://snyk.io/vuln/SNYK-PYTHON-RESTVIEW-42107" - - -- reference: CVE-2013-1966 - repo: https://github.com/apache/struts - commit: 7e6f641ebb142663cbd1653dc49bed725edf7f56:master - description: "" - links: "" - - -- reference: CVE-2012-2733 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1356208:trunk - description: "" - links: "" - - -- reference: CVE-2007-5333 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 620028:trunk - description: "" - links: "" - - -- reference: CVE-2013-1768 - repo: https://github.com/apache/openjpa - commit: 4487017fbf57fb7aed4024e0991850bb89fc1c43:2.0.x,d3c68ad3bb9aa0e4e9abbfdec691abb06df642a5:2.1.x,ad5cd6fb86af8809b367f709b6e041218055de2f:2.2.1.x,7f14c7df6b7c7ef42f0671138b9b5dd062fe99aa:trunk,f4ca597b9a7000a88ad6bbe556283247e9f6bc14:1.3.x,521fecd2d9b91c27e9f90d97e5f5479d17239eb8:1.1.x,01bc0d257b38743372af91cb88269524634db7d3:1.0.x,87a4452be08b4f97274d0ccfac585ae85841e470:1.2.x,b8933dc24b84e7e7430ece56bd645d425dd89f24:2.2.x - description: "" - links: "" - - -- reference: CVE-2019-7164 - repo: https://github.com/sqlalchemy/sqlalchemy/ - commit: 30307c4616ad67c01ddae2e1e8e34fabf6028414:master - description: "1、SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. 
2、exp * save the code to local: https://github.com/21k/sqlalchemy/blob/master/dal.py * exec code at shell terminal --------------------------------- python dal.py 'if(1=1,create_time,username)' python dal.py 'if(1=2,create_time,username)' python dal.py 'create_time' --------------------------------- * the vul happens at fun order_by" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1674059,https://github.com/sqlalchemy/sqlalchemy/issues/4481,https://snyk.io/vuln/SNYK-PYTHON-SQLALCHEMY-173678" - - -- reference: CVE-2018-1000112 - repo: https://github.com/jenkinsci/mercurial-plugin - commit: 54b4f82e80c89d51b12bc64258f6b59e98b0c16a:master - description: "" - links: "" - - -- reference: CVE-2019-10340 - repo: https://github.com/jenkinsci/docker-plugin/ - commit: 6ad27199f6fad230be72fd45da78ddac85c075db:master - description: "" - links: "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1010,https://wiki.jenkins.io/display/JENKINS/Docker+Plugin" - - -- reference: CVE-2017-11427 - repo: https://github.com/onelogin/python-saml/ - commit: fad881b4432febea69d70691dfed51c93f0de10f:master - description: "Affected versions of this package are vulnerable to Authentication Bypass. It incorrectly utilizes the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers." - links: "https://snyk.io/vuln/SNYK-PYTHON-PYTHON3SAML-40775" - - -- reference: CVE-2018-15756 - repo: https://github.com/spring-projects/spring-framework/ - commit: c8e320019ffe7298fc4cbeeb194b2bfd6389b6d:5.0.10,044772641d12b9281185f6cf50f8485b8747132:4.3.10,423aa28ed584b4ff6e5bad218c09beef5e91951:5.1.1 - description: "DoS Attack via Range Requests. 
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. Affected Pivotal Products and Versions: - Spring Framework 5.1 - Spring Framework 5.0.0 to 5.0.9 - Spring Framework 4.3 to 4.3.19 - Older unsupported versions going back to 4.2 are also affected Mitigation: Users of affected versions should apply the following mitigation. - 5.1 users should upgrade to 5.1.1 - 5.0.x users should upgrade to 5.0.10 - 4.3.x users should upgrade to 4.3.20 - 4.2.x users should upgrade to a supported branch. No further mitigation steps are necessary. Note the following when evaluating the impact: Support for Range requests was introduced in version 4.2. Therefore versions prior to 4.2 are not affected by this issue. Support for returning an org.springfamework.core.io.Resource from an annotated controller was introduced in 5.0. Therefore versions prior to 5.0 can only be impacted through a registration to serve static resources. History: 2018-10-16: Initial vulnerability report published." 
- links: "https://pivotal.io/security/cve-2018-15756" - - -- reference: CVE-2017-5934 - repo: https://github.com/moinwiki/moin-1.9/ - commit: 70955a8eae091cc88fd9a6e510177e70289ec024:master - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-MOIN-72485" - - -- reference: CVE-2016-3088 - repo: https://github.com/apache/activemq - commit: 3dd86d04e8b90ba309819317d19e7260d414d9e7:master - description: "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. (see https://issues.apache.org/jira/browse/AMQ-6276) and http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt" - links: "" - - -- reference: CVE-2011-2481 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1137753:trunk,1138788:trunk,1138776:trunk - description: "" - links: "" - - -- reference: CVE-2012-3546 - repo: http://svn.apache.org/repos/asf/tomcat/tc7.0.x - commit: 1377892:trunk - description: "" - links: "" - - -- reference: CVE-2017-8045 - repo: https://github.com/spring-projects/spring-amqp - commit: 6e9e00bb5bf0aa88444146db3c2eae138cc7b0a:1.6.x,83fe9fdec2c86a57898d56c5e109debd9d5c07d:1.5.x,36e55998f6352ba3498be950ccab1d5f4d0ce655:master,296d481f980fcbecbee01244e3644e254470a86:1.7.x - description: "In affected versions of Spring AMQP, a org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack." 
- links: "https://pivotal.io/security/cve-2017-8045" - - -- reference: CVE-2019-10341 - repo: https://github.com/jenkinsci/docker-plugin/ - commit: 6ad27199f6fad230be72fd45da78ddac85c075db:master - description: "" - links: "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1010,https://wiki.jenkins.io/display/JENKINS/Docker+Plugin" - - -- reference: CVE-2017-1000395 - repo: https://github.com/jenkinsci/jenkins/ - commit: 7b1f8e96a8d97dd09e5e093fcdb010b3295acc77:master - description: "" - links: "https://jenkins.io/security/advisory/2017-10-11/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32188" - - -- reference: CVE-2013-2248 - repo: https://github.com/apache/struts - commit: 630e1ba065a8215c4e9ac03bfb09be9d655c2b6e:master,3cfe34fefedcf0fdcfcb061c0aea34a715b7de6:STRUTS_2_3_15_X - description: "" - links: "" - - -- reference: CVE-2013-6348 - repo: https://github.com/apache/struts/ - commit: 01584fabc74635d63a1b2670f18d8fcd1ee046cc:master,fd27e5cc748420a53d51e0e19a10efe8c582c2c0:master - description: "" - links: "https://jira.apache.org/jira/browse/WW-4213,https://nvd.nist.gov/vuln/detail?vulnId=2013-6348" - - -- reference: CVE-2013-2186 - repo: https://github.com/apache/commons-fileupload - commit: 163a6061fbc077d4b6e4787d26857c2baba495d1:trunk - description: "" - links: "" - - -- reference: CVE-2015-1776 - repo: https://github.com/apache/hadoop.git - commit: 6b710a42e00acca405e085724c89cda016cf7442:master - description: "" - links: "" - - -- reference: CVE-2019-10289 - repo: https://github.com/jenkinsci/netsparker-cloud-scan-plugin/ - commit: cce62d7188f12ab9cf1d5272eb859beb710d521a:master - description: "" - links: "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1032" - - -- reference: CVE-2009-0783 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 781542:master,739522:trunk,681156:master,652592:trunk,781708:tc4.1.x - description: "" - links: "" - - -- reference: CVE-2019-10335 - repo: https://github.com/jenkinsci/electricflow-plugin/ 
- commit: 1a90ee7727f8c6925df3e410837ddf6be28cce53:master - description: "" - links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1412" - - -- reference: CVE-2019-1003031 - repo: https://github.com/jenkinsci/matrix-project-plugin/ - commit: 765fc39694b31f8dd6e3d27cf51d1708b5df2be7:master - description: "A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003031,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339" - - -- reference: CVE-2015-0260 - repo: https://github.com/msabramo/kallithea/ - commit: 7ae870ffbceb932cb5fff1a7f48e88f4996db7c8:master - description: "RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the get_repo API method." - links: "http://seclists.org/oss-sec/2015/q1/505,https://kallithea-scm.org/security/cve-2015-0260.html,https://kallithea-scm.org/security/cve-2015-0260.patch" - - -- reference: CVE-2013-1777 - repo: https://github.com/apache/geronimo - commit: ee031c5e62b0d358250d06c2aa6722518579a6c5:3.0 - description: "" - links: "" - - -- reference: CVE-2017-7672 - repo: https://github.com/apache/struts.git - commit: 931df54ab379bf4eb5a625bf05066b8563c3737b:master - description: "Possible DoS attack when using URLValidator (similar to S2-044). If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution: upgrade to Apache Struts version 2.5.12. 
This is also known as S2-047" - links: "https://cwiki.apache.org/confluence/display/WW/S2-047" - - -- reference: CVE-2018-19351 - repo: https://github.com/jupyter/notebook/ - commit: 107a89fce5f413fb5728c1c5d2c7788e1fb17491:master - description: "" - links: "https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst,https://snyk.io/vuln/SNYK-PYTHON-NOTEBOOK-72621" - - -- reference: CVE-2013-4435 - repo: https://github.com/saltstack/salt/ - commit: aca78f314481082862e96d4f0c1b75fa382bb885:master,8e5afe59cef6743fe5dbd510dcf463dbdfca1ced:master,07972eb0a6f985749a55d8d4a2e471596591c80d:master,b73677435ba54ecfc93c1c2d840a7f9ba6f53410:master,6d8ef68b605fd63c36bb8ed96122a75ad2e80269:master,6a9752cdb1e8df2c9505ea910434c79d132eb1e2:master,1e3f197726aa13ac5c3f2416000089f477f489b5:master,7f190ff890e47cdd591d9d7cefa5126574660824:master,ebdef37b7e5d2b95a01d34b211c61c61da67e46a:master - description: "" - links: "https://docs.saltstack.com/en/latest/topics/releases/0.17.1.html" - - -- reference: CVE-2014-2061 - repo: https://github.com/jenkinsci/jenkins.git - commit: bf539198564a1108b7b71a973bf7de963a6213ef:master - description: "" - links: "" - - -- reference: CVE-2012-5886 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1380829:trunk - description: "" - links: "" - - -- reference: CVE-2016-10320 - repo: https://github.com/deanmalmgren/textract - commit: 3aff9318001ca2689f58511facf332b12ec5bd72:master - description: "" - links: "https://github.com/deanmalmgren/textract/issues/125,https://github.com/deanmalmgren/textract/pull/114" - - -- reference: CVE-2018-1002200 - repo: https://github.com/codehaus-plexus/plexus-archiver/ - commit: 58bc24e465c0842981692adbf6d75680298989de:master - description: "A well crafted zip file may cause the code to extract outside of the destination directory. description: Arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. 
When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. Fixed Version : 3.6.0" - links: "https://github.com/codehaus-plexus/plexus-archiver/pull/87,https://snyk.io/research/zip-slip-vulnerability" - - -- reference: CVE-2018-17796 - repo: https://github.com/wuweiit/mushroom/ - commit: 8b67e2d88ca8040577248491a5e6e9c806184522:master - description: "" - links: "https://github.com/wuweiit/mushroom/issues/16,https://snyk.io/vuln/SNYK-JAVA-ORGMARKER-72420" - - -- reference: CVE-2008-5515 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 734734:trunk,783291:master,783292:tc4.1.x,782757:master,782763:tc4.1.x - description: "" - links: "" - - -- reference: CVE-2011-1582 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1100832:trunk - description: "" - links: "" - - -- reference: CVE-2018-6188 - repo: https://github.com/django/django/ - commit: af33fb250e9847f1ca8c0ba0d72671d76659704f:master - description: "" - links: "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" - - -- reference: CVE-2018-1000863 - repo: https://github.com/jenkinsci/jenkins/ - commit: 4ed66e5838476e575a83c3cd13fffb37eefa2f48:master - description: "" - links: "https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-72671" - - -- reference: CVE-2018-1000412 - repo: https://github.com/jenkinsci/jira-plugin/ - commit: 612a6ef06dbd5a63bea0b128142c726e96195eda:master - description: "" - links: "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1029" - - -- reference: MSGPACK-001 - repo: https://github.com/msgpack/msgpack-python/ - commit: 3b80233592674d18c8db7a62fa56504a5a285296:master - description: "Overview msgpack is a efficient binary serialization format. Affected versions of this package are vulnerable to Denial of Service (DoS) due to an unlimited length of maps. Remediation Upgrade msgpack to version 0.6.0 or higher. 
" - links: "https://github.com/msgpack/msgpack-python/pull/319,https://snyk.io/vuln/SNYK-PYTHON-MSGPACK-72872" - - -- reference: CVE-2016-6809 - repo: https://github.com/apache/tika - commit: 8a68b5d474205cc91cbbb610d4a1c05af57f0610:master - description: "" - links: "" - - -- reference: CVE-2016-3084 - repo: https://github.com/cloudfoundry/uaa - commit: b3834364ab573e9655348193780a56a602fe87b7:master,460627ed419e4227b10ff121248b3ffc009011a9:master,66132926f1bac0b878da5841be2f93fa5075d88f:master,14350228989e2aee900b8d48a848293bb5152b6f:master - description: "The UAA reset password flow is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected." - links: "https://www.cloudfoundry.org/cve-2016-3084/" - - -- reference: CVE-2018-17198 - repo: https://github.com/apache/roller/ - commit: 26764874bd1c33f3967baf74818422b6d5d8f227:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17198,https://lists.apache.org/thread.html/94a36ed9c6241558b1c6181d8dd4ff263be7903abd1d20067d4330d5@%3Cdev.roller.apache.org%3E" - - -- reference: CVE-2014-3498 - repo: https://github.com/ansible/ansible/ - commit: 8ed6350e65c82292a631f08845dfaacffe7f07f5:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1335551" - - -- reference: CVE-2017-5653 - repo: https://github.com/apache/cxf - commit: fade9b81dabe27f864ca38e7b40f28fb44d6f165:master - description: "" - links: "" - - -- reference: CVE-2014-0097 - repo: https://github.com/spring-projects/spring-security.git - commit: 7dbb8e777ece8675f3333a1ef1cb4d6b9be80395:3.2.x,a7005bd74241ac8e2e7b38ae31bc4b0f641ef973:master,88559882e967085c47a7e1dcbc4dc32c2c796868:3.1.x - description: "The ActiveDirectoryLdapAuthenticator does not check the password length. 
If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password." - links: "https://pivotal.io/security/cve-2014-0097" - - -- reference: OIC-349 - repo: https://github.com/OpenIDC/pyoidc/ - commit: 64665112587ef43a57cb09442dd5dd3d175f583e:master - description: "Affected versions of the package are vulnerable to Insecure Encryption due to using a weak key derivation function and constant (initialization vector). Remediation: Upgrade oic to version 0.11.0.0 or higher." - links: "https://github.com/OpenIDC/pyoidc/blob/master/CHANGELOG.md#security,https://github.com/OpenIDC/pyoidc/issues/349,https://github.com/OpenIDC/pyoidc/pull/354,https://snyk.io/vuln/SNYK-PYTHON-OIC-40768" - - -- reference: CVE-2018-11799 - repo: https://github.com/apache/oozie/ - commit: d50df341432df1049c6c85bf2dcda9eb0be04d73:master - description: "" - links: "https://lists.apache.org/thread.html/347e7a8cb86014b7ca37e49eb00b8d088203bdc0bcfb4799f8e5955a@%3Cuser.oozie.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEOOZIE-72718" - - -- reference: CVE-2016-3094 - repo: http://svn.apache.org/repos/asf/qpid - commit: 1744403:trunk - description: "" - links: "" - - -- reference: CVE-2019-9735 - repo: https://github.com/openstack/neutron/ - commit: f6be9d7ad9522b58b293494e2e9988ce1938727:10.0.x,558a977902c9e83aabaefe67333aee544aa8658:13.0.x,8c213e45902e21d2fe00639ef7d92b35304bde8:master,b88ab58daf12337903f3fd8a4ab4c6add6f379c:12.0.x - description: "neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API. Affected versions of this package have a Insecure Defaults. 
Setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), may allow an authenticated user to block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. Note: Only deployments using the iptables security group driver are affected. Remediation Upgrade neutron to version 1.10.8, 11.0.7, 12.0.6, 13.0.3 or higher. " - links: "https://bugs.launchpad.net/neutron/+bug/1818385,https://github.com/openstack/neutron/commit/8c213e45902e21d2fe00639ef7d92b35304bde82:master,https://snyk.io/vuln/SNYK-PYTHON-NEUTRON-173777" - - -- reference: CVE-2018-20059 - repo: https://github.com/pippo-java/pippo/ - commit: 9f36e5891c0b11f840e1e1561ae96d83ba9ce759:master - description: "" - links: "https://github.com/pippo-java/pippo/issues/486,https://snyk.io/vuln/SNYK-JAVA-ROPIPPO-72692" - - -- reference: CVE-2018-1325 - repo: https://github.com/sebfz1/wicket-jquery-ui/ - commit: 2fec03dbe2f6e8808f4bdc6b3195dff3e44f520:7.10.2,4ade74d87389935dee5ba49b8cdd0abb075cc50:8.x,22e414d693e8ef679ac6da38107fbc118a63f00:6.x - description: "" - links: "https://markmail.org/message/6bxjyaolehhq7jrl,https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEWICKETJQUERYUI-32229" - - -- reference: CVE-2015-5348 - repo: https://github.com/apache/camel - commit: 
44e6a3036e5a11d90b60c142cf51ed74b792de31:master,c703479f5880a099c38f2fd5e63c7d9f0567e5ff:master,0afcf721ff209eb10a24c5e4b48ca9d6727ea99a:master,a68434c258cdcd30587ae7adc5dabbac43eadbbf:master,190d7c81b7e3ce767514e319630b1bbaf27e6817:master,ec4a48d38e7335b40efcb14979fad8144eb00acf:master,e7fd5f049c2fd51a528f8062da91a1c75e33b0e8:master,735ee02c693964b5f700af13a2adfeae56b848a4:master,9cbd5867fe73ef07ecba6f16d64689632e3f2a16:master,92081b203523c5ed502ed41df43cbd8655caf9b9:master,7e28d0af471ea992eb74807a4abd1626b88d678a:master,c558f30a6d3820faa3d8c4ad5e54448914ec60d0:master,94330f99acb6f28155793b253de9956c3798f3bb:master,349109b0834764560f0be69eb74f43a16bd220b0:master,d853853469292cd54fd9662c3605030ab5a9566b:master,23655fe0c15189ca41a6e99c31a3c38001a7cdb0:master,13e43c1412ad72d99030b4eb4cb72c84fa57d5ff:master,515c822148d52de9e7cdf4f6b01f7b793f2f273f:master,f7f0b18f6924fe0b01f32a25ed1e38e29b1bf8e5:master,5ea0a6f6c6a54f1cddf9691a99b0c237afc95348:master,1b1ccbcd94860f6f1d8caf98fb59e6ab7b3940b4:master,c47cffcadabca0c588753555a386942184a33627:master,4f065fe07c1dcd7b451e6005a6dc8e96d77da43e:master - description: "" - links: "" - - -- reference: CVE-2017-16764 - repo: https://github.com/illagrenan/django-make-app - commit: acd814433d1021aa8783362521b0bd151fdfc9d2:master - description: "" - links: "" - - -- reference: CVE-2017-8038 - repo: https://github.com/cloudfoundry-incubator/credhub - commit: 632951898a2f1474f699094200367fb405397127:master,46ae8627a6887d0c810905585b40845193b9a9f8:master - description: "" - links: "" - - -- reference: S2-028 - repo: https://github.com/apache/struts - commit: 5421930b49822606792f36653b17d3d95ef106f9:master,a89bbe22cd2461748d595a89a254de888a415e6c:master,72471d7075681bea52046645ad7aa34e9c53751e:master - description: "Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or 
HTML via multi-byte characters in a url-encoded parameter. CVE-2016-4003" - links: "http://struts.apache.org/docs/s2-028.html" - - -- reference: CVE-2019-10329 - repo: https://github.com/jenkinsci/influxdb-plugin/ - commit: bfc2fcc0d8e6fb6f2dff5a45353abac5cefc0573:master - description: "" - links: "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1403" - - -- reference: CVE-2018-1000406 - repo: https://github.com/jenkinsci/jenkins/ - commit: c3351d2e7c3edfee82b9470e9aa1168982296072:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000406,https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1074" - - -- reference: CVE-2017-7657 - repo: https://github.com/eclipse/jetty.project/ - commit: a285deea42fcab60d9edcf994e458c238a348b55:master - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668,https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32384" - - -- reference: CVE-2018-15801 - repo: https://github.com/spring-projects/spring-security - commit: c70b65c5df0e170a2d34d812b83db0b7bc71ea25:master - description: "" - links: "https://github.com/spring-projects/spring-security/issues/6073,https://pivotal.io/security/cve-2018-15801,https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-72709" - - -- reference: CVE-2012-5787 - repo: https://github.com/paypal/SDKs.git - commit: 5f2d6dd77fb4211dcde34e36f1864234526c5d64:master - description: "" - links: "" - - -- reference: CVE-2014-3503 - repo: http://svn.apache.org/repos/asf/syncope - commit: 1596537:trunk - description: "" - links: "" - - -- reference: CVE-2017-5641 - repo: https://github.com/apache/flex-blazeds/ - commit: f861f0993c35e664906609cad275e45a71e2aaf1:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5641,https://issues.apache.org/jira/browse/FLEX-35290,https://ossindex.net/resource/package/7103354225/vulnerabilities,https://www.kb.cert.org/vuls/id/307983" - - -- reference: CVE-2018-1000656 - 
repo: https://github.com/pallets/flask - commit: ab4142215d836b0298fc47fa1e4b75408b9c37a0:master,b178e89e4456e777b1a7ac6d7199052d0dfdbbb:0.12.x - description: "" - links: "" - - -- reference: CVE-2019-7548 - repo: https://github.com/sqlalchemy/sqlalchemy/ - commit: 30307c4616ad67c01ddae2e1e8e34fabf6028414:master - description: "SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled." - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1674059,https://github.com/sqlalchemy/sqlalchemy/issues/4473,https://snyk.io/vuln/SNYK-PYTHON-SQLALCHEMY-173678" - - -- reference: CVE-2018-17196 - repo: https://github.com/apache/kafka/ - commit: 59a0cbb98cef10ddf62d294670aa2e4eb9f8cf8c:master - description: "" - links: "http://kafka.apache.org/,https://www.mail-archive.com/dev@kafka.apache.org/msg99277.html" - - -- reference: CVE-2016-8735 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1767676:trunk,1767684:trunk,1767644:trunk,1767646:trunk,1767656:trunk,1767646:master - description: "" - links: "" - - -- reference: CVE-2018-19413 - repo: https://github.com/SonarSource/sonarqube/ - commit: 7b567ba3d15ed7dd0b0bba0330686487e35af85c:master - description: "" - links: "https://jira.sonarsource.com/browse/SONAR-11305,https://snyk.io/vuln/SNYK-JAVA-ORGSONARSOURCESONARQUBE-72697" - - -- reference: CONFIDENCE-001 - repo: https://github.com/HolmesNL/confidence/ - commit: c94f3510aabf1d8f67e58ae0d3350c98821d296b:master - description: "confidence makes it easy to load one or multiple sources of configuration values and exposes them as a simple to use Python object. Affected versions of this package are vulnerable to Arbitrary Code Execution via the insecure YAML.load() function. Remediation: Upgrade confidence to version 0.4 or higher." 
- links: "https://snyk.io/vuln/SNYK-PYTHON-CONFIDENCE-42173" - - -- reference: CVE-2013-7285 - repo: https://github.com/x-stream/xstream - commit: 6344867dce6767af7d0fe34fb393271a6456672d:master - description: "XStream can be used for Remote Code Execution. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands. All versions until and including version 1.4.6 are affected, but a workaround exist." - links: "http://x-stream.github.io/CVE-2013-7285.html" - - -- reference: CVE-2017-16616 - repo: https://github.com/Stranger6667/pyanyapi - commit: 810db626c18ebc261d5f4299d0f0eac38d5eb3cf:master - description: "" - links: "" - - -- reference: CVE-2011-2087 - repo: https://github.com/apache/struts/ - commit: 1736b56db702c6639a6d5ae1146dba5a262e3344:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2087,https://issues.apache.org/jira/browse/WW-3597,https://issues.apache.org/jira/browse/WW-3608" - - -- reference: CVE-2016-9910 - repo: https://github.com/html5lib/html5lib-python - commit: 9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7:master - description: "" - links: "" - - -- reference: CVE-2018-1260 - repo: https://github.com/spring-projects/spring-security-oauth/ - commit: 6b1791179c1092553aa0690da22dac4dff2fc58:2.1.2,1c6815ac1b26fb2f079adbe283c43a7fd0885f3:2.0.15,adb1e6d19c681f394c9513799b81b527b0cb007:2.3.3,8e9792c1963f1aeea81ca618785eb8d71d1cd1d:2.2.2 - description: "" - links: "http://gosecure.net/2018/05/17/beware-of-the-magic-spell-part-2-cve-2018-1260/,https://pivotal.io/security/cve-2018-1260,https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITYOAUTH-31676" - - -- reference: CVE-2015-3192 - repo: https://github.com/spring-projects/spring-framework.git - commit: 
5a711c05ec750f069235597173084c2ee796242:3.2.x - description: "" - links: "" - - -- reference: CVE-2019-0212 - repo: https://github.com/apache/hbase/ - commit: 18f07455ea9be4166dabb9b590f5a037374830b:2.0.x,7206ef6427d12785b797797a00153b5437e21cb:2.1.x - description: "HBase REST Server incorrect user authorization description: In all previously released Apache HBase 2.x versions, authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server. Versions affected: 2.0.0-2.0.4, 2.1.0-2.1.3 Mitigation: Stop the HBase REST server until your installation is upgraded to HBase 2.0.5, 2.1.4, or any other later release. Upon upgrading to a newer version, no other action is required." 
- links: "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E,https://www.openwall.com/lists/oss-security/2019/03/27/3" - - -- reference: CVE-2018-16407 - repo: https://github.com/mayan-edms/mayan-edms/ - commit: 076468a9225e4630a463c0bbceb8e5b805fe380c:widgets.py - description: "" - links: "https://gitlab.com/mayan-edms/mayan-edms/issues/496,https://snyk.io/vuln/SNYK-PYTHON-MAYANEDMS-72283" - - -- reference: CVE-2015-7940 - repo: https://github.com/bcgit/bc-java - commit: 5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83:master,e25e94a046a6934819133886439984e2fecb2b04:master - description: "" - links: "" - - -- reference: CVE-2015-0227 - repo: https://github.com/apache/wss4j - commit: 5ec5295c9773c9ae43fdc6c3321d0e2af1041e62:trunk - description: "" - links: "" - - -- reference: CVE-2014-3558 - repo: https://github.com/hibernate/hibernate-validator - commit: f97c2021a03c825abdeca1692f5be51e77e76a8f:master,7e7131939a4361a7cad3e77ab89a8462132c561c:master,2c95d4ea0ef20977be249e31a4a4f4f4f71c945d:master,c489416f699a46859c134796b3ccfea41ef3ce52:master,e8c42b689df8c6752d635d02c6518da3fece3870:master,fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e:master,67fdff14831c035c25e098fe14bd86523d17f726:master,c9525ca544b1281e2b7c7347e86e87c86dc1dc6e:master - description: "" - links: "" - - -- reference: CVE-2011-2088 - repo: https://github.com/apache/struts/ - commit: 885ab3459e146ff830d1f7257f809f4a3dd4493a:master - description: "" - links: "http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html,https://issues.apache.org/jira/browse/WW-3579,https://nvd.nist.gov/vuln/detail/CVE-2011-2088,https://www.securityfocus.com/archive/1/518066/100/0/threaded" - - -- reference: CVE-2018-20852 - repo: https://github.com/python/cpython/ - commit: 
4749f1b69000259e23b4cc6f63c542a9bdc62f1:3.5,ca7fe5063593958e5efdf90f068582837f07bd1:3.8,e5123d81ffb3be35a1b2767d6ced1a097aaf77b:3.7,b241af861b37e20ad30533bc0b7e2e5491cc470:3.6,979daae300916adb399ab5b51410b6ebd0888f1:2.7 - description: "" - links: "https://bugs.python.org/issue35121,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852,https://python-security.readthedocs.io/vuln/cookie-domain-check.html" - - -- reference: CVE-2018-1000055 - repo: https://github.com/jenkinsci/android-lint-plugin/ - commit: 4a19f962ebde3f705880b0e8148731d8dac9db2d:master - description: "" - links: "https://jenkins.io/security/advisory/2018-02-05/,https://snyk.io/vuln/SNYK-JAVA-ORGJVNETHUDSONPLUGINS-32162" - - -- reference: CVE-2016-9243 - repo: https://github.com/pyca/cryptography/ - commit: b924696b2e8731f39696584d12cceeb3aeb2d874:master - description: "" - links: "https://www.cvedetails.com/vulnerability-list/vendor_id-16276/product_id-36638/year-2017/Cryptography.io-Cryptography.html" - - -- reference: CVE-2012-0391 - repo: https://github.com/apache/struts - commit: 5f54b8d087f5125d96838aafa5f64c2190e6885b:master,b4265d369dc29d57a9f2846a85b26598e83f3892:master - description: "" - links: "" - - -- reference: CVE-2017-5651 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1788546:master,1788546:trunk,1788544:trunk - description: "" - links: "" - - -- reference: CVE-2016-8741 - repo: http://svn.apache.org/repos/asf/qpid - commit: 1772365:trunk,1775089:6.1.x,1775092:6.0.x - description: "" - links: "" - - -- reference: CVE-2018-7206 - repo: https://github.com/jupyterhub/oauthenticator/ - commit: 30825c47e4202d73ceabe023b331f66df25c303:0.7.3,1845c0e4b1bff3462c91c3108c85205acd3c75a:master,24ad7e207bc6e30dda2261e24492a409ef58d12:0.6.2 - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-OAUTHENTICATOR-42074" - - -- reference: CVE-2018-8034 - repo: https://github.com/apache/tomcat/ - commit: 2835bb4e030c1c741ed0847bb3b9c3822e4fbc8a:master - description: "host name 
verification missing in WebSocket client" - links: "https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2014-0075 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1579262:trunk,1578337:trunk,1578341:trunk - description: "" - links: "" - - -- reference: CVE-2018-1002201 - repo: https://github.com/zeroturnaround/zt-zip/ - commit: 759b72f33bc8f4d69f84f09fcb7f010ad45d6fff:master - description: "This is an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder." - links: "https://snyk.io/research/zip-slip-vulnerability" - - -- reference: CVE-2018-17195 - repo: https://github.com/apache/nifi/ - commit: 246c090526143943557b15868db6e8fe3fb30cf6:master - description: "" - links: "https://issues.apache.org/jira/browse/NIFI-5595,https://nifi.apache.org/security.html#CVE-2018-17195,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHENIFI-72715" - - -- reference: CVE-2016-6805 - repo: https://github.com/apache/ignite/ - commit: 9c401b0dcfc6edb5cc83f6b35bc0d24db6f10347:master - description: "" - links: "http://mail-archives.apache.org/mod_mbox/www-announce/201704.mbox/%3CB39FC5C0-9AC5-4E84-A450-AFF690B74D9C%40apache.org%3E,https://github.com/apache/ignite/pull/1458,https://github.com/apache/ignite/pull/1459,https://seclists.org/oss-sec/2017/q2/31" - - -- reference: CVE-2018-11758 - repo: https://github.com/apache/cayenne - commit: 6fc896b65ed871be33dcf453cde924bf73cf83db:master - description: "" - links: "" - - -- reference: CVE-2019-10072 - repo: https://github.com/apache/tomcat/ - commit: 8d14c6:8.5.41,ada725:9.0.20,0bcd69:8.5.41,7f748e:9.0.20 - description: "Important: Denial of Service CVE-2019-10072 The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. 
By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. This was fixed with commits 7f748eb, ada725a, 0bcd69c and 8d14c6f. This issue was reported to the Apache Tomcat Security Team by John Simpson of Trend Micro Security Research working with Trend Micro's Zero Day Initiative on 26 April 2019. The issue was made public on 20 June 2019. Affects: 8.5.0 to 8.5.40, 9.0.0.M1 to 9.0.19" - links: "https://tomcat.apache.org/security-8.html,https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2017-17485 - repo: https://github.com/FasterXML/jackson-databind/ - commit: 2235894210c75f624a3d0cd60bfb0434a20a18bf:master - description: "" - links: "https://github.com/FasterXML/jackson-databind/issues/1855" - - -- reference: CVE-2018-1000616 - repo: https://github.com/opennetworkinglab/onos/ - commit: af1fa39a53c0016e92c1de246807879c16f507d6:master - description: "" - links: "http://gms.cl0udz.com/Openconfig_xxe.pdf,https://snyk.io/vuln/SNYK-JAVA-ORGONOSPROJECT-32422" - - -- reference: CVE-2016-10516 - repo: https://github.com/pallets/werkzeug/ - commit: 1034edc7f901dd645ec6e462754111b39002bd65:master - description: "" - links: "https://github.com/pallets/werkzeug/pull/1001" - - -- reference: CVE-2013-5679 - repo: https://github.com/ESAPI/esapi-java-legacy - commit: 41138fef5f63d9cf0d5e05d2bee2c7f682ffef3f:master - description: "" - links: "" - - -- reference: CVE-2012-0022 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1221282:trunk,1229027:trunk,1206324:trunk,1195944:trunk,1195977:trunk,1224640:trunk,1195909:trunk,1200601:trunk,1195225:trunk,1228191:trunk,1198641:trunk,1195226:trunk,1194917:trunk,1189899:trunk,1190372:trunk,1195537:trunk,1195951:trunk,1190482:trunk - description: "" - links: "" - - -- reference: CVE-2010-1157 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 936540:trunk - description: "" - links: "" - 
- -- reference: CVE-2018-1331 - repo: https://github.com/apache/storm/ - commit: e3652b44a377436256f77a2749ed133bbafd2fb:1.2,22a962073c5f12dc5ab281a15d93eb5efc31ab6:1.1,8ffa920d3894634aa078f0fdf6b02d270262caf:master,a6bf3e421d3d37a797e3bb374fcd20a00189feb:1.0 - description: "" - links: "http://storm.apache.org/2018/06/04/storm122-released.html,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTORM-32410,https://www.securitytracker.com/id/1041273" - - -- reference: CVE-2018-8027 - repo: https://github.com/apache/camel/ - commit: 9f7376abbff7434794f2c7c2909e02bac232fb5:2.18.3,ec3d0db81ba061b27e934d5ff56e9baca0049eb:2.18.3,2e8f21dec883b083ddcdddd802847b4c378a61a:2.22,2c6964ae94d8f9a9c9a32e5ae5a0b794e8b8d3b:2.17.6,24eefa559fe6b310629d2bf00663d2679ec81b9:2.21,3fe03e361725b66c1c3eaa40bb11577fb3dc17b:2.20,8afc5d1757795fde715902067360af5d90f046d:2.20,9c6a8f61de40c20f28240fbb2af4cb425793d41:2.21,87c92b7b38890c217bc76f2c55036e6a5cca9a0:2.18.3,8467d644813a62f3a836c0c7dee8cf5a41de3c0:2.22,99cbcd78b7e64083fae1d9552ead7425a90994b:2.17.6,22c355bb4ffb500405499d189db30932ca5aac9:2.17.6 - description: "" - links: "http://camel.apache.org/security-advisories.data/CVE-2018-8027.txt.asc,https://issues.apache.org/jira/browse/CAMEL-10894,https://issues.apache.org/jira/browse/CAMEL-12444,https://lists.apache.org/thread.html/77f596fc63e63c2e9adcff3c34759b32c225cf0b582aedb755adaade@%3Cdev.camel.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECAMEL-32467" - - -- reference: CVE-2016-8640 - repo: https://github.com/geopython/pycsw - commit: 2565ab332d3ccae328591ea9054d0387a90f2e86:master - description: "" - links: "http://seclists.org/oss-sec/2016/q4/406,https://github.com/geopython/pycsw/pull/474" - - -- reference: APACHE-AXIS2-5846 - repo: https://github.com/apache/axis2-java - commit: 65aaacc779530682887bc6da4099b5ec4cfab406:master - description: "org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack. 
Affected versions of the package are vulnerable to Local File Inclusion (LFI). Remediation: Upgrade axis2 to version 1.7.5 or higher." - links: "https://issues.apache.org/jira/browse/AXIS2-5846,https://snyk.io/vuln/SNYK-JAVA-COMSPARKJAVA-31646,https://svn.apache.org/viewvc?view=revision&revision=1792353" - - -- reference: CVE-2017-7675 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1796091:trunk,1796091:master,1796090:trunk - description: "The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL." - links: "https://nvd.nist.gov/vuln/detail/CVE-2017-7675" - - -- reference: CVE-2018-1000807 - repo: https://github.com/pyca/pyopenssl/ - commit: e73818600065821d588af475b024f4eb518c3509:master - description: "" - links: "https://github.com/pyca/pyopenssl/pull/723,https://snyk.io/vuln/SNYK-PYTHON-PYOPENSSL-72429" - - -- reference: CVE-2018-16876 - repo: https://github.com/ansible/ansible/ - commit: e0a81d133ffc8f7067182c53cf6a28c724dd109:2.5.14,0954942dfdc563f80fd3e388f550aa165ec931d:2.7.5,424c68f15ad9f532d73e5afed33ff477f54281a:2.6.11,ba4c2ebeac9ee801bfedff05f504c71da0dd2bc:devel - description: "ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. When a retry task run with -vvv fails, it would log the raw return code, stdout and stderr from ssh which could have contained sensitive data. Remediation: Upgrade ansible to version 2.5.14, 2.6.11, 2.7.5 or higher." 
- links: "https://bugzilla.redhat.com/show_bug.cgi?id=1657330,https://snyk.io/vuln/SNYK-PYTHON-ANSIBLE-72696" - - -- reference: CVE-2017-4971 - repo: https://github.com/spring-projects/spring-webflow - commit: ec3d54d2305e6b6bce12f770fec67fe63008d45:2.5.x,57f2ccb66946943fbf3b3f2165eac1c8eb6b1523:master - description: "Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e. set to “false”) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. (see https://jira.spring.io/browse/SWF-1700)" - links: "https://pivotal.io/security/cve-2017-4971" - - -- reference: CVE-2019-1003035 - repo: https://github.com/jenkinsci/azure-vm-agents-plugin/ - commit: 91bfc7d95ae1349ce2a8b6b7e73155848fdc1d82:master - description: "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003035,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1330" - - -- reference: CVE-2018-1305 - repo: https://github.com/apache/tomcat/ - commit: 3e54b2a6314eda11617ff7a7b899c251e222b1a1:master,4d637bc3986e5d09b9363e2144b8ba74fa6eac3a:master - description: "" - links: "https://tomcat.apache.org/security-7.html,https://tomcat.apache.org/security-8.html,https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2019-3895 - repo: https://github.com/openstack/octavia/ - commit: d7d062a47ab54a540d81f13a0e5f3085ebfaa0d2:master - description: "Octavia should filter an Amphora image from a specific tenant" - links: "https://bugs.launchpad.net/octavia/+bug/1620629,https://opendev.org/openstack/octavia/commit/d7d062a47ab54a540d81f13a0e5f3085ebfaa0d2" - - -- reference: CVE-2016-8738 - repo: https://github.com/apache/struts - commit: 554b9dddb0fbd1e581ef577dd62a7c22955ad0f6:master - description: "If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL." 
- links: "https://cwiki.apache.org/confluence/display/WW/S2-044" - - -- reference: CVE-2016-4431 - repo: https://github.com/apache/struts - commit: b28b78c062f0bf3c79793a25aab8c9b6c12bce6e:master - description: "" - links: "" - - -- reference: CVE-2018-11787 - repo: https://github.com/apache/karaf - commit: cfa213ad680ded70b70bf0c648891a06386ef63:4.1.1,434e52502528e91e20d2f87cec7732f1e6e554c:4.0.9 - description: "" - links: "https://issues.apache.org/jira/browse/KARAF-4993,https://lists.apache.org/thread.html/d9ba4c3104ba32225646879a057b75b54430f349c246c85469037d3c@%3Cdev.karaf.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEKARAFWEBCONSOLE-72391" - - -- reference: CVE-2017-7656 - repo: https://github.com/eclipse/jetty.project/ - commit: a285deea42fcab60d9edcf994e458c238a348b55:master - description: "" - links: "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html,https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667,https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32383" - - -- reference: CVE-2018-1324 - repo: https://github.com/apache/commons-compress - commit: 2a2f1dc48e22a34ddb72321a4db211da91aa933b:master - description: "" - links: "" - - -- reference: APACHE-JSPWIKI-1109 - repo: https://github.com/apache/jspwiki/ - commit: 46cd981dfb431730da3f9249f5db858aacf11e52:master - description: "ReferredPagesPlugin with illegal characters in parameters causes XSS vulnerability" - links: "https://issues.apache.org/jira/browse/JSPWIKI-1109" - - -- reference: CVE-2014-0109 - repo: https://github.com/apache/cxf - commit: f8ed98e684c1a67a77ae8726db05a04a4978a445:master - description: "" - links: "" - - -- reference: CVE-2010-4172 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1037778:trunk - description: "" - links: "" - - -- reference: CVE-2019-10302 - repo: https://github.com/jenkinsci/jira-ext-plugin/ - commit: e252f4084089e5cfb4c7bad389d3d20f3ec594fb:master - description: "jira-ext Plugin stored credentials in plain text SECURITY-836 / 
CVE-2019-10302 jira-ext Plugin stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins master. These credentials could be viewed by users with access to the master file system. jira-ext Plugin now stores credentials encrypted." - links: "https://jenkins.io/security/advisory/2019-04-17/#SECURITY-836" - - -- reference: CVE-2013-1445 - repo: https://github.com/dlitz/pycrypto/ - commit: 19dcf7b15d61b7dc1a125a367151de40df6ef175:master - description: "" - links: "http://www.openwall.com/lists/oss-security/2013/10/17/3,https://www.cvedetails.com/cve/CVE-2013-1445/" - - -- reference: CVE-2019-5427 - repo: https://github.com/swaldman/c3p0/ - commit: f38f27635c384806c2a9d6500d80183d9f09d78b:master - description: "c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. " - links: "https://hackerone.com/reports/509315" - - -- reference: CVE-2017-7662 - repo: https://github.com/apache/cxf-fediz.git - commit: c68e4820816c19241568f4a8fe8600bffb0243cd:master - description: "" - links: "" - - -- reference: CVE-2017-5645 - repo: https://github.com/apache/logging-log4j2 - commit: 5dcc19215827db29c993d0305ee2b0d8dd05939d:master - description: "" - links: "" - - -- reference: CVE-2018-15560 - repo: https://github.com/Legrandin/pycryptodome - commit: d1739c62b9b845f8a5b342de08d6bf6e2722d247:master - description: "" - links: "" - - -- reference: CVE-2008-2025 - repo: http://svn.apache.org/repos/asf/struts - commit: 1603997:STRUTS_1_2_BRANCH,1603997:trunk - description: "" - links: "" - - -- reference: CVE-2018-7489 - repo: https://github.com/FasterXML/jackson-databind - commit: ddfddfba6414adbecaff99684ef66eebd3a92e92:master,60d459cedcf079c6106ae7da2ac562bc32dcabe1:master,6799f8f10cc78e9af6d443ed6982d00a13f2e7d2:master,e8f043d1aac9b82eee907e0f0c3abbdea723a935:master - description: "" - links: 
"https://github.com/FasterXML/jackson-databind/issues/1931,https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" - - -- reference: CVE-2018-1000843 - repo: https://github.com/spotify/luigi/ - commit: 06e3d9163c36f347cef09d9442aff55a10660f31:master - description: "" - links: "https://groups.google.com/forum/#!topic/luigi-user/ZgfRTpBsVUY,https://snyk.io/vuln/SNYK-PYTHON-LUIGI-72726" - - -- reference: CVE-2013-4378 - repo: https://github.com/javamelody/javamelody/ - commit: aacbc46151ff4ac1ca34ce0899c2a6113071c66e:master - description: "" - links: "" - - -- reference: CVE-2014-0050 - repo: https://github.com/apache/commons-fileupload - commit: c61ff05b3241cb14d989b67209e57aa71540417a:trunk - description: "" - links: "" - - -- reference: CVE-2013-2251 - repo: https://github.com/apache/struts - commit: 630e1ba065a8215c4e9ac03bfb09be9d655c2b6e:master,3cfe34fefedcf0fdcfcb061c0aea34a715b7de6:STRUTS_2_3_15_X - description: "" - links: "" - - -- reference: CVE-2018-1000854 - repo: https://github.com/esigate/esigate/ - commit: 30cad23a8f282600c9b045e1af09f6f8a65357b1:master - description: "" - links: "https://github.com/esigate/esigate/issues/209" - - -- reference: CVE-2012-0838 - repo: https://github.com/apache/struts - commit: 5f54b8d087f5125d96838aafa5f64c2190e6885b:master,b4265d369dc29d57a9f2846a85b26598e83f3892:master - description: "" - links: "" - - -- reference: CVE-2015-5159 - repo: https://github.com/latchset/kdcproxy/ - commit: f274aa6787cb8b3ec1cc12c440a56665b7231882:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1245200,https://snyk.io/vuln/SNYK-PYTHON-KDCPROXY-72557" - - -- reference: PRIMEFACES-1194 - repo: https://github.com/primefaces/primefaces - commit: e8c0baae853c48bb1fb2d39833c5b2b6af837616:master,afcec249b82cad60978e8ecb3926822d3f51b25a:master - description: "org.primefaces:primefaces is an UI library in Java EE Ecosystem. 
Affected versions of [org.primefaces:primefaces] are vulnerable to Cross-site Scripting (XSS). Remediation: Upgrade org.primefaces:primefaces to version 6.2 or higher." - links: "https://github.com/primefaces/primefaces/issues/1194" - - -- reference: CVE-2018-8016 - repo: https://github.com/beobal/cassandra/ - commit: 28ee665b3c0c9238b61a871064f024d54cddcc79:master - description: "CVE-2018-8016 describes an issue with the default configuration of Apache Cassandra releases 3.8 through 3.11.1 which binds an unauthenticated JMX/RMI interface to all network interfaces allowing attackers to execute arbitrary Java code via an RMI request. This issue is a regression of the previously disclosed CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra. - The Apache Cassandra PMC" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8016,https://issues.apache.org/jira/browse/CASSANDRA-14173" - - -- reference: CVE-2019-0214 - repo: https://github.com/apache/archiva/ - commit: 796716d44183bd315dd20184a66b39ae533eb747:master - description: "Apache Archiva arbitrary file write and delete on the server It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file. Versions Affected: All versions before 2.2.4 Mitigation: It is highly recommended to upgrade to Archiva 2.2.4 or higher, where additional validations are implemented to prevent such malicious parameter values. As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user may have only write permission to the directories needed." 
- links: "http://archiva.apache.org/security.html#CVE-2019-0214,https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E" - - -- reference: CVE-2017-7957 - repo: https://github.com/x-stream/xstream.git - commit: 6e546ec366419158b1e393211be6d78ab9604ab:v-1.4.x,8542d02d9ac5d384c85f4b33d6c1888c53bd55d:v-1.4.x,b3570be2f39234e61f99f9a20640756ea71b1b4:master - description: "" - links: "" - - -- reference: CVE-2016-1000352 - repo: https://github.com/bcgit/bc-java - commit: 9385b0ebd277724b167fe1d1456e3c112112be1f:master - description: "ECIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider." - links: "https://www.bouncycastle.org/releasenotes.html" - - -- reference: CVE-2011-1498 - repo: https://github.com/apache/httpcomponents-client - commit: a572756592c969affd0ce87885724e74839176fb:trunk - description: "" - links: "" - - -- reference: CVE-2013-4286 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1552565:trunk,1521854:trunk,1521829:trunk - description: "" - links: "" - - -- reference: CVE-2014-0096 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1578655:trunk,1578637:trunk,1585853:trunk,1578610:trunk,1578611:trunk - description: "" - links: "" - - -- reference: CVE-2018-20433 - repo: https://github.com/swaldman/c3p0/ - commit: 7dfdda63f42759a5ec9b63d725b7412f74adb3e1:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-COMMCHANGE-451675" - - -- reference: CERULEAN-001 - repo: https://github.com/MD-Studio/cerulean/ - commit: 388b171477f909972d5dc9043ed5fcae4369e3b7:master - description: "cerulean is a Python 3 library for talking to HPC clusters and supercomputers. Affected versions of this package are vulnerable to Insecure Defaults. The directory was created with 777 mode permissions which could lead to an arbitrary file write attack. Remediation Upgrade cerulean to version 0.3.4 or higher. 
" - links: "https://github.com/MD-Studio/cerulean/commit/388b171477f909972d5dc9043ed5fcae4369e3b7,https://snyk.io/vuln/SNYK-PYTHON-CERULEAN-173987" - - -- reference: CVE-2014-3596 - repo: http://svn.apache.org/repos/asf/axis/axis1/java/trunk/axis-rt-core - commit: 0:trunk - description: "The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. The patch is available at https://issues.apache.org/jira/browse/AXIS-2905." - links: "https://nvd.nist.gov/vuln/detail/CVE-2014-3596" - - -- reference: CVE-2012-0803 - repo: https://github.com/apache/cxf - commit: 40f98d3448abf19fbb59a1a154ce104db650346b:2.5.x-fixes - description: "" - links: "" - - -- reference: CVE-2017-9735 - repo: https://github.com/eclipse/jetty.project - commit: 2baa1abe4b1c380a30deacca1ed367466a1a62ea:master,f3751d70787fd8ab93932a51c60514c2eb37cb58:master,042f325f1cd6e7891d72c7e668f5947b5457dc02:master - description: "" - links: "" - - -- reference: CVE-2018-8012 - repo: https://github.com/apache/zookeeper/ - commit: 5a29daedeb5ac7e9e2af87ce1a7bbfad230d5c8:3.5.4,75411ab34a3d53c43c2d508b12314a9788aa417:master,8a06bd1ccef382461c7b0a63f2012f4aeac9075:3.4.10 - description: "" - links: "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication,https://issues.apache.org/jira/browse/ZOOKEEPER-1045,https://zookeeper.apache.org/security.html#CVE-2018-8012" - - -- reference: CVE-2017-16618 - repo: https://github.com/tadashi-aikawa/owlmixin - commit: 5d0575303f6df869a515ced4285f24ba721e0d4e:master - description: "" - links: "" - - -- reference: CVE-2015-5347 - repo: https://github.com/apache/wicket.git - 
commit: dffba2ce410ec7e917ad350d3528af4df67bc348:master - description: "" - links: "" - - -- reference: CVE-2018-8042 - repo: https://github.com/apache/ambari/ - commit: 6a4f98201d58d6dfe662d980e21978b5f37d2d2:master,5d1fa9d11f856a7460734244c22900dcbf314db:2.7 - description: "" - links: "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-CVE-2018-8042,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEAMBARI-32416" - - -- reference: CVE-2018-17785 - repo: https://github.com/blynkkk/blynk-server/ - commit: 806bc7847a687203a904d24feb1a0278de889e62:master - description: "" - links: "https://github.com/blynkkk/blynk-server/issues/1256,https://snyk.io/vuln/SNYK-JAVA-CCBLYNK-72416" - - -- reference: CVE-2014-9970 - repo: https://github.com/jboss-fuse/jasypt/ - commit: 8e62852a8018978ee19d39056c650fb66ffa0ff6:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-ORGJASYPT-31668,https://www.securitytracker.com/id/1039744" - - -- reference: CVE-2018-8014 - repo: https://github.com/apache/tomcat/ - commit: d83a76732e6804739b81d8b2056365307637b42d:master - description: "" - links: "http://svn.apache.org/viewvc?view=revision&revision=1831730,https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E,https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.89" - - -- reference: CVE-2018-1000407 - repo: https://github.com/jenkinsci/jenkins/ - commit: df87e12ddcfeafdba6e0de0e07b3e21f8473ece6:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000407,https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1129" - - -- reference: CVE-2015-1775 - repo: https://github.com/apache/ambari - commit: 3ab123a109f6384f019db455f256520f4a8b85dd:master - description: "" - links: "" - - -- reference: CVE-2019-10354 - repo: https://github.com/jenkinsci/jenkins/ - commit: 279d8109eddb7a494428baf25af9756c2e33576b:master - 
description: "" - links: "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534" - - -- reference: CVE-2018-1273 - repo: https://github.com/spring-projects/spring-data-commons/ - commit: ae1dd2741ce06d44a0966ecbd6f47beabde2b65:2.0.x,b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432:1.13.x - description: "Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Datas projection-based request payload binding hat can lead to a remote code execution attack. Affected : Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10), Spring Data REST 2.6 to 2.6.10 (Ingalls SR10), Spring Data Commons 2.0 to 2.0.5 (Kay SR5), Spring Data REST 3.0 to 3.0.5 (Kay SR5), Older unsupported versions are also affected." - links: "https://pivotal.io/security/cve-2018-1273" - - -- reference: CVE-2018-6596 - repo: https://github.com/anymail/django-anymail - commit: c07998304b4a31df4c61deddcb03d3607a04691:v1.2.x,db586ede1fbb41dce21310ea28ae15a1cf1286c5:master - description: "" - links: "" - - -- reference: CVE-2018-1000105 - repo: https://github.com/jenkinsci/gerrit-trigger-plugin - commit: a222f2d9d1bca3422e6a462a7f587ae325455b80:master - description: "" - links: "" - - -- reference: HADOOP-15212 - repo: https://github.com/apache/hadoop/ - commit: 6ea2a9389e8bd1b5aa35d01c5b1556f892181f1:2.7,2dd960de983a30bf0d9ee957bdb09f825f9d40a:3.10.0 - description: "Add independent secret manager method for logging expired tokens. description: AbstractDelegationTokenSecretManager#removeExpiredToken has two phases. First phase synchronizes to collect expired tokens. Second phase loops over the collected tokens to log them while not holding the monitor. 
HDFS-13112 needs to acquire the namesystem lock during the second logging phase, which requires splitting the method apart to allow a method override. Fixed Version/s: 3.1.0, 2.10.0, 2.9.1, 3.0.1, 2.8.4, 2.7.6." - links: "http://hadoop.apache.org/docs/r2.7.6/hadoop-project-dist/hadoop-common/releasenotes.html,https://issues.apache.org/jira/browse/HADOOP-15212" - - -- reference: DJANGO-CA-002 - repo: https://github.com/mathiasertl/django-ca/ - commit: 188ec93057b1eebf0bc02056006eabd052f3aad5:master - description: "django-ca is a tool to manage TLS certificate authorities and easily issue and revoke certificates. Affected versions of this package are vulnerable to Cryptographic Issue due to storing CA private keys in an insecure format. Remediation Upgrade django-ca to version 1.10.0 or higher." - links: "https://github.com/mathiasertl/django-ca/commit/188ec93057b1eebf0bc02056006eabd052f3aad5,https://snyk.io/vuln/SNYK-PYTHON-DJANGOCA-174566" - - -- reference: SPARK-981 - repo: https://github.com/perwendel/spark - commit: 030e9d00125cbd1ad759668f85488aba1019c668:master - description: "com.sparkjava:spark-core is a micro framework for creating web applications in Kotlin and Java 8 with minimal effort. Affected versions of the package are vulnerable to Directory Traversal. A remote attacker could use this flaw to read arbitrary files that are accessible to the user running the process." 
- links: "https://github.com/perwendel/spark/issues/981" - - -- reference: CVE-2008-0128 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 684900:tc4.1.x - description: "" - links: "" - - -- reference: CVE-2016-1000031 - repo: https://github.com/apache/commons-fileupload - commit: 388e824518697c2c8f9f83fd964621d9c2f8fc4c:b1_3:b1_3,02f6b2c4ef9aebf9cf8e55de8b90e73430b69385:master - description: "There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of the FileUpload library." - links: "https://issues.apache.org/jira/browse/FILEUPLOAD-279" - - -- reference: CVE-2018-1000808 - repo: https://github.com/pyca/pyopenssl/ - commit: e73818600065821d588af475b024f4eb518c3509:master - description: "" - links: "https://github.com/pyca/pyopenssl/pull/723,https://snyk.io/vuln/SNYK-PYTHON-PYOPENSSL-72430" - - -- reference: CVE-2019-1003025 - repo: https://github.com/jenkinsci/cloudfoundry-plugin/ - commit: 61208697f60b91ad7f03a4dcec391b6d2115abca:master - description: "Cross-Site Request Forgery (CSRF) description org.jenkins-ci.plugins:cloudfoundry can push apps to a Cloud Foundry platform at the end of a Jenkins build. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Remediation Upgrade org.jenkins-ci.plugins:cloudfoundry to version 2.3.2 or higher." 
- links: "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-876,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-173714" - - -- reference: CVE-2017-1000387 - repo: https://github.com/jenkinsci/build-publisher-plugin/ - commit: 7f80f0d7c9cd96a2d660eeb8b695297bef064059:master,e9c1b263400e42aaa3f9fcbbd0e8b1e85c76e3a0:master - description: "" - links: "https://jenkins.io/security/advisory/2017-10-23/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32180" - - -- reference: CVE-2014-6633 - repo: https://github.com/tryton/trytond - commit: 6e7fc491128bfb81f6441c018361c83787a6500:2.4,dc0c3cd5176819efdbf0d22376c8ad2f298e14a:2.6,397765e3e2b2a3b6fbba886396bf9aa047e74a99:master,13b9fce7296a6301343ab67fab2f1a1af61e4bb0:master,5781ddbc5a4383a937f9d1c56344b81933f8697:2.8,755fec183cf17816c0ded2b8e5cda89e527744b:2.6,dd0dc77c928e012497cf7a231858b5794a7b0b4:2.4,92838f6da258ad9f7344c5eb1d10951decc115a:3.2,56a8b67b94ce0d5426af5ec7e5665f9c74afb73:3.2,37cd017ce2aaa346582fb53fd418c27449e0029:2.8 - description: "" - links: "http://www.tryton.org/posts/security-release-for-issue4155.html" - - -- reference: CVE-2018-8018 - repo: https://github.com/apache/ignite/ - commit: 82a7b8209fcf56971d12cb10410a38ed632215b:2.6,bc374f85ca4a5e69572902d2167fe6bedebd40a:master - description: "" - links: "https://lists.apache.org/thread.html/e0fdf53114a321142ecfa5cfa17658090f0b4e1677de431e329b37ab@%3Cdev.ignite.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEIGNITE-32428" - - -- reference: PLANEMO-45096 - repo: https://github.com/galaxyproject/planemo/ - commit: 1facb88bb6268812901291f27444cf7cdc9b9d85:master - description: "Arbitrary Code Execution planemo is a command-line utilities library to assist in building tools for the Galaxy project. Affected versions of this package are vulnerable to Arbitrary Code Execution due to using the insecure yaml.load() function. Default behavior of PyYAML's yaml.load() method is unsafe and can execute code stored/provided in yaml files. 
Remediation Upgrade planemo to version 0.59.0 or higher. " - links: "https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation,https://snyk.io/vuln/SNYK-PYTHON-PLANEMO-450916" - - -- reference: CVE-2018-1999040 - repo: https://github.com/jenkinsci/kubernetes-plugin/ - commit: bf7a47847dfb5ef2d1e2a537e2eb9f28063988c6:master - description: "" - links: "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1016,https://snyk.io/vuln/SNYK-JAVA-ORGCSANCHEZJENKINSPLUGINS-32458" - - -- reference: CVE-2016-4465 - repo: https://github.com/apache/struts - commit: eccc31ebce5430f9e91b9684c63eaaf885e603f9:master,a0fdca138feec2c2e94eb75ca1f8b76678b4d152:master - description: "If an application allows enter an URL field in a form and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Upgrade to Apache Struts version 2.3.29 or 2.5.1." - links: "https://struts.apache.org/docs/s2-041" - - -- reference: CVE-2013-7251 - repo: https://github.com/micromata/projectforge-webapp.git - commit: 422de35e3c3141e418a73bfb39b430d5fd74077e:master - description: "" - links: "" - - -- reference: CVE-2018-20000 - repo: https://github.com/Bedework/bw-webdav/ - commit: ccb87c2757bab531c53faf0637ee342a378caa7f:master - description: "" - links: "https://github.com/Bedework/bw-webdav/pull/1" - - -- reference: CVE-2018-8015 - repo: https://github.com/apache/orc/ - commit: d5018d309a8adc6b8e0567cb692a17371d16e108:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8015,https://github.com/apache/orc/pull/266,https://orc.apache.org/security/CVE-2018-8015/" - - -- reference: CVE-2011-1475 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1086352:trunk,1086349:trunk - description: "" - links: "" - - -- reference: CVE-2013-2134 - repo: https://github.com/apache/struts - commit: 
cfb6e9afbae320a4dd5bdd655154ab9fe5a92c1:STRUTS_2_3_14_3,01e6b251b4db78bfb7971033652e81d1af4cb3e:STRUTS_2_3_14_3,8b4fc81daeea3834bcbf73de5f48d0021917aa3:STRUTS_2_3_14_3,711cf0201cdd319a38cf29238913312355db29ba:master,54e5c912ebd9a1599bfcf7a719da17c28127bbe:STRUTS_2_3_14_3 - description: "" - links: "" - - -- reference: CVE-2018-17420 - repo: https://github.com/94fzb/zrlog/ - commit: 157b8fbbb64eb22ddb52e7c5754e88180b7c3d4f:master - description: "com.zrlog:zrlog is a blog/CMS program developed in Java. Affected versions of this package are vulnerable to SQL Injection in the article management search box via the keywords parameter. Remediation Upgrade com.zrlog:zrlog to version 2.0.9 or higher." - links: "https://github.com/94fzb/zrlog/issues/37,https://snyk.io/vuln/SNYK-JAVA-COMZRLOG-173757" - - -- reference: CVE-2018-1327 - repo: https://github.com/apache/struts - commit: 67ecf3a21608e20449bcb7895b22204b400fecd4:master - description: "" - links: "https://cwiki.apache.org/confluence/display/WW/S2-056" - - -- reference: CVE-2011-4905 - repo: https://github.com/apache/activemq - commit: 3a71f8e33d0309cb0ca5b5758a8f251da205e757:trunk - description: "" - links: "" - - -- reference: CVE-2019-0232 - repo: https://github.com/apache/tomcat/ - commit: 7f0221:7.0.x,5bc4e6:8.5.x - description: "Remote Code Execution on Windows CVE-2019-0232 When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x. For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog and this archived MSDN blog. This issue was identified by an external security researcher and reported to the Apache Tomcat security team via the bug bounty program sponsored by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on 10 April 2019. 
Affects: - 9.0.0.M1 to 9.0.17 - 8.5.0 to 8.5.39 - 7.0.0 to 7.0.93" - links: "https://tomcat.apache.org/security-7.html,https://tomcat.apache.org/security-8.html,https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2014-9527 - repo: https://svn.apache.org/repos/asf/poi - commit: 1643680:trunk - description: "" - links: "" - - -- reference: CVE-2017-14735 - repo: https://github.com/nahsra/antisamy - commit: 82da009e733a989a57190cd6aa1b6824724f6d36:master - description: "" - links: "" - - -- reference: CVE-2015-6938 - repo: https://github.com/jupyter/notebook/ - commit: 35f32dd2da804d108a3a3585b69ec3295b2677e:master,dd9876381f0ef09873d8c5f6f2063269172331e:4.0.x - description: "" - links: "https://www.cvedetails.com/cve/CVE-2015-6938/" - - -- reference: JENKINS-ACUNETIX-951 - repo: https://github.com/jenkinsci/acunetix-plugin/ - commit: b30c0e2c70df1c0c676a90cb02597e72085335f4:master - description: "Acunetix Plugin stored API key in plain text SECURITY-951 Acunetix Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins master. This key could be viewed by users with access to the master file system. The plugin now integrates with Credentials Plugin." - links: "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-951" - - -- reference: ASPEN-001 - repo: https://github.com/jaraco/aspen/ - commit: 296b1903c9a64f34b04cf7ea61a0585a36c56d2b:master - description: "aspen is a Python web framework. Simplates are the main attraction. Affected versions of this package are vulnerable to Open Redirect. Due to a lack of protection against URL redirection attacks. Remediation Upgrade aspen to version 0.42 or higher. 
" - links: "https://github.com/jaraco/aspen/commit/296b1903c9a64f34b04cf7ea61a0585a36c56d2b,https://snyk.io/vuln/SNYK-PYTHON-ASPEN-173985" - - -- reference: CVE-2018-1192 - repo: https://github.com/cloudfoundry/uaa/ - commit: b599af2062aad5580661e035087fdd9bd266b92:4.15,a61bfabbad22f646ecf1f00016b448b26a60daf:4.5.x - description: "" - links: "https://www.cloudfoundry.org/blog/cve-2018-1192/" - - -- reference: CVE-2018-1000164 - repo: https://github.com/benoitc/gunicorn/ - commit: 1e10a02e73c87dfadc394b361af33864d0e59e24:master - description: "" - links: "https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5,https://github.com/benoitc/gunicorn/issues/1227,https://snyk.io/vuln/SNYK-PYTHON-GUNICORN-42097" - - -- reference: AMQ-5751 - repo: https://github.com/apache/activemq - commit: a37b43cca82f108a8e3f5c2803a9b50911a60979:5.11.x:5.11.x,886e2d4d97555e2f10276616389a5d1f915bad18:master - description: "The number of topics/queues that can be created in ActiveMQ setup does not have a 'max destination' option. Each queue also creates a dispatcher thread so having tens of thousands of queues in one go can potentially cause DOS in broker setup. 
Fixed in 5.12.0" - links: "https://issues.apache.org/jira/browse/AMQ-5751" - - -- reference: CVE-2012-0881 - repo: https://github.com/apache/xerces2-j/ - commit: 992b5d9c24102ad20330d36c0a71162753a37449:master - description: "" - links: "https://issues.apache.org/jira/browse/XERCESJ-1685,https://nvd.nist.gov/vuln/detail/CVE-2012-0881" - - -- reference: CVE-2018-15531 - repo: https://github.com/javamelody/javamelody/ - commit: ef111822562d0b9365bd3e671a75b65bd0613353:master - description: "" - links: "https://jenkins.io/security/advisory/2018-09-25/,https://snyk.io/vuln/SNYK-JAVA-NETBULLJAVAMELODY-72410" - - -- reference: CVE-2016-9878 - repo: https://github.com/spring-projects/spring-framework.git - commit: e2d6e709c3c65a4951eb096843ee75d5200cfcad:4.3.x,a7dc48534ea501525f11369d369178a60c2f47d0:3.2.x,43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98:4.2.x - description: "" - links: "" - - -- reference: CVE-2016-7051 - repo: https://github.com/FasterXML/jackson-dataformat-xml - commit: eeff2c312e9d4caa8c9f27b8f740c7529d00524a:master - description: "" - links: "" - - -- reference: CVE-2018-1000809 - repo: https://github.com/privacyidea/privacyidea/ - commit: 189312a99b499fe405fd3df5dd03a6b19ba66d46:master - description: "" - links: "https://github.com/privacyidea/privacyidea/issues/1227,https://snyk.io/vuln/SNYK-PYTHON-PRIVACYIDEA-72432" - - -- reference: CVE-2018-1000421 - repo: https://github.com/jenkinsci/mesos-plugin/ - commit: e7e6397e30a612254e6033b94c21edb2324d648f:master - description: "" - links: "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)" - - -- reference: CVE-2018-1298 - repo: https://github.com/apache/qpid-broker-j - commit: 4b9fb37abbe882193b16595ed7b8e9d8383f59e1:master,30ca170c42c400b41340a81c6a69d33aa19bf189:master,de509dd955229a395c086a7cca874dc55306648a:master - description: "" - links: "" - - -- reference: CVE-2013-6372 - repo: https://github.com/jenkinsci/subversion-plugin.git - commit: 
7d4562d6f7e40de04bbe29577b51c79f07d05ba6:master - description: "" - links: "" - - -- reference: NIFI-4436 - repo: https://github.com/apache/nifi - commit: 0127b02617530491a1a55aa72395cee583083956:master,b6117743d4c1c1a37a16ba746b9edbbdd276d69f:master - description: "NIFI-4436: Fixed bug that causes a deadlock when changing version of a PG. Before this patch, an update would obtain a write lock and then recurse downward through the child groups, obtaining write locks to update variable registries. At the same time, if a Processor is obtaining a Controller Service, it will obtain a Read Lock on the Process Group and then recurse upward through the ancestors, obtaining Read Lock. If the timing is right, we can have a group obtain a read lock, then try to obtain its parent's Read Lock. At the same time, an update to the group could hold the Write Lock on the Process Group and attempt to obtain a Write Lock on child (where the Processor lives), resulting in a deadlock. Remediation: Upgrade org.apache.nifi:nifi-framework-core to version 1.5.0 or higher." 
- links: "https://issues.apache.org/jira/browse/NIFI-4436" - - -- reference: CVE-2018-17187 - repo: https://github.com/apache/qpid-proton-j/ - commit: 0cb8ca03cec42120dcfc434561592d89a89a805e:master - description: "" - links: "https://issues.apache.org/jira/browse/PROTON-1962,https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEQPID-72605" - - -- reference: CVE-2019-10077 - repo: https://github.com/apache/jspwiki/ - commit: 87c89f0405d6b31fc165358ce5d5bc4536e32a8a:master - description: "" - links: "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077" - - -- reference: CVE-2016-5007 - repo: https://github.com/spring-projects/spring-framework.git - commit: a30ab30e4e9ae021fdda04e9abfc228476b846b5:master - description: "Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences." 
- links: "https://pivotal.io/security/cve-2016-5007" - - -- reference: CVE-2018-12972 - repo: https://github.com/OpenTSDB/opentsdb - commit: a6a9ec4bc8a526951bc25bb19a145782bafaa8b0:master - description: "" - links: "" - - -- reference: HDFS-10276 - repo: https://github.com/apache/hadoop/ - commit: 5ea6fd85c7aff6df28b87789f607bb57ee92063:3.1,2dfaedeb4390569af2036a6e4bd8fcc18506de8:2.9,e6c162a39466755d35abed7faf2e00d28166553:2.7,3e4c7906c2cf5c3e4c708fc56b670fa788e8cec:2.8 - description: "HDFS should not expose path info that user has no permission to see. Overview: http://hadoop.apache.org/ is the primary distributed storage used by Hadoop applications. Affected versions of this package are vulnerable to Information Exposure. An attacker may retrieve information about paths that they do not have permissions to see. Remediation: Upgrade org.apache.hadoop:hadoop-hdfs to versions 2.7.4 or higher (Fixed Version/s: 2.8.0, 2.7.4, 3.0.0-alpha1)." - links: "https://issues.apache.org/jira/browse/HDFS-10276,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-32124" - - -- reference: CVE-2019-7313 - repo: https://github.com/buildbot/buildbot/ - commit: f0ccd5fd572ea8223b48bd57d8c2548b2f7d3ecf:master - description: "www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain." 
- links: "https://github.com/buildbot/buildbot/pull/4584,https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code,https://snyk.io/vuln/SNYK-PYTHON-BUILDBOT-73642" - - -- reference: CVE-2018-17228 - repo: https://github.com/narkisr/nmap4j/ - commit: 06b58aa3345d2f977553685a026b93e61f0c491e:master - description: "" - links: "https://github.com/narkisr/nmap4j/issues/9,https://snyk.io/vuln/SNYK-JAVA-ORGNMAP4J-72402" - - -- reference: CVE-2019-10908 - repo: https://github.com/airsonic/airsonic/ - commit: 61c842923a6d60d4aedd126445a8437b53b752c8:master - description: "" - links: "https://github.com/airsonic/airsonic/pull/934" - - -- reference: CVE-2018-15761 - repo: https://github.com/cloudfoundry/uaa/ - commit: 95b7d9e7fae534a362b98de1df5bf501cd52c481:master,3f0730a015d10166de23b7e036743c185f0576a6:master - description: "" - links: "https://www.cloudfoundry.org/blog/cve-2018-15761/" - - -- reference: CVE-2007-1358 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 544697:tc5.0.x - description: "" - links: "" - - -- reference: CVE-2019-10247 - repo: https://github.com/eclipse/jetty.project/ - commit: 5ef8a8abfa63b26a6f978200519730f964ebee0b:master,04c994712c0b29824633598cfe0bf709f3b96f09:master,d983890d1769744e7da865de7ff34065fe491a28:master,a15534d72c0c8d84cb821c767343a91584a4fecb:master,99f3926d0546032814077cf0d0a684ed80e7bb08:master,b0f72a87d5b35ff0a814143fb1725f7c6fc4e0d7:master,9f506e4123b519adccb7df3599441f55daaff31e:master,6d847d4a73b34b8c19f43dcf221eefe6859b7d55:master - description: "In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. 
The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context." - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577,https://github.com/eclipse/jetty.project/issues/3555" - - -- reference: CVE-2015-3253 - repo: https://github.com/apache/groovy.git - commit: 09e9778e8a33052d8c27105aee5310649637233d:master - description: "" - links: "" - - -- reference: APACHE-AXIS2-5683 - repo: https://github.com/apache/axis2-java - commit: 1b560264151217dae8b34b6aa4dfff4f51377656:master - description: "org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack. Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks. When using user input to perform tasks on the server, characters like < > \" ' must escaped properly. Otherwise, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-Site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. BUG: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - ListingAgent.java. Remediation: Upgrade axis2 to version 1.7.4 or higher." 
- links: "https://issues.apache.org/jira/browse/AXIS2-5683,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEAXIS2-31608,https://svn.apache.org/viewvc?view=revision&revision=1746886" - - -- reference: CVE-2018-1000872 - repo: https://github.com/OpenKMIP/PyKMIP/ - commit: 06c960236bcaf6717fc5cf66cf8b5179804c5a05:master - description: "" - links: "https://github.com/OpenKMIP/PyKMIP/issues/430,https://snyk.io/vuln/SNYK-PYTHON-PYKMIP-72725" - - -- reference: CVE-2017-1000504 - repo: https://github.com/jenkinsci/jenkins/ - commit: ccc374a7176d7704941fb494589790b7673efe2:master,eec0188cc45d75fd519a5d831b54781ac801dac:2.89.2,9b39411b1ae07ce8bf6c7df457bde1c6dabba9f:2.95 - description: "" - links: "https://jenkins.io/security/advisory/2017-12-14/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32172" - - -- reference: CVE-2015-7521 - repo: https://github.com/apache/hive - commit: 98f933f269e6b528ef84912b3d701ca3272ec04b:master - description: "" - links: "" - - -- reference: CVE-2019-1003008 - repo: https://github.com/jenkinsci/warnings-ng-plugin/ - commit: c3ca6a0b66b3e2958257c13c0c8e1833431fe73d:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003008,https://github.com/jenkinsci/warnings-ng-plugin/commit/c3ca6a0b66b3e2958257c13c0c8e1833431fe73d,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(2)" - - -- reference: CVE-2016-0812 - repo: https://android.googlesource.com/platform/frameworks/base.git - commit: 84669ca8de55d38073a0dcb01074233b0a417541:master - description: "" - links: "" - - -- reference: CVE-2016-2513 - repo: https://github.com/django/django/ - commit: af7d09b0c5c6ab68e629fd9baf736f9dd203b18:1.9,f4e6e02f7713a6924d16540be279909ff4091eb:1.8 - description: "" - links: "https://nvd.nist.gov/vuln/detail/CVE-2016-2513,https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" - - -- reference: CVE-2019-3875 - repo: https://github.com/keycloak/keycloak/ - commit: 
a48698caa32933458916980ab05256f56099a337:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875,https://issues.jboss.org/browse/KEYCLOAK-6056" - - -- reference: CVE-2017-7234 - repo: https://github.com/django/django - commit: 2a9f6ef71b8e23fd267ee2be1be26dde8ab6703:1.10,a1f948b468b6621083a03b0d53432341b7a4d753:master,001ff508081a893d0cf81df1214dbd234606c36:1.11,4a6b945dffe8d10e7cec107d93e6efaebfbded2:1.8,5f1ffb07afc1e59729ce2b283124116d6c0659e:1.9 - description: "" - links: "" - - -- reference: CVE-2017-4995-JK - repo: https://github.com/FasterXML/jackson-databind - commit: 6ce32ffd18facac6abdbbf559c817b47fcb622c:2.7.x,60d459cedcf079c6106ae7da2ac562bc32dcabe1:master - description: "When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known 'deserialization gadgets'. (see https://github.com/FasterXML/jackson-databind/issues/1599). Fixed in version 2.8.8.1, 2.7.9.1" - links: "https://pivotal.io/security/cve-2017-4995" - - -- reference: CVE-2017-3523 - repo: https://github.com/mysql/mysql-connector-j/ - commit: 6189e718de5b6c6115aee45dd7a480081c129d68:master - description: "" - links: "https://nvd.nist.gov/vuln/detail/CVE-2017-3523,https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt,https://www.debian.org/security/2017/dsa-3840" - - -- reference: CVE-2018-8036 - repo: https://github.com/apache/pdfbox/ - commit: 038c09b5f361e083a00ce076c95521b73202fcb4:master - description: "In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser." 
- links: "https://lists.apache.org/thread.html/9f62f742fd4fcd81654a9533b8a71349b064250840592bcd502dcfb6@%3Cusers.pdfbox.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEPDFBOX-32417,https://svn.apache.org/viewvc?view=revision&revision=1834048" - - -- reference: HENOSIS-001 - repo: https://github.com/vc1492a/henosis/ - commit: 0802302430e6f6a17b22a55ce3d9360656f3c8ba:master - description: "henosis is a Python framework for deploying recommendation models for form fields. Affected versions of this package are vulnerable to Arbitrary Code Execution via the yaml.load function. It used the unsafe yaml.load() method to load the yaml file that it ultimately encrypts. If that yaml file contains a carefully coded python directive, the yaml.load() method will enable arbitrary commands to be executed. Remediation : Upgrade henosis to version 0.0.11 or higher." - links: "https://github.com/vc1492a/henosis/issues/22,https://snyk.io/vuln/SNYK-PYTHON-HENOSIS-42166" - - -- reference: CVE-2019-3558 - repo: https://github.com/facebook/fbthrift/ - commit: c5d6e07588cd03061bc54d451a7fa6e84883d62b:master - description: "description: Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. Affected Versions: This issue affects Facebook Thrift prior to v2019.02.18.00. 
References: https://github.com/facebook/fbthrift/commit/c5d6e07588cd03061bc54d451a7fa6e84883d62b Last Updated: 2019-02-15 " - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3558,https://www.facebook.com/security/advisories/cve-2019-3558" - - -- reference: CVE-2019-3778 - repo: https://github.com/spring-projects/spring-security-oauth/ - commit: b436f745af2be24924ecc68524fd2582bcdfdc3:2.2.4,da157a89402eeb2d5d071db3558c3b417bfc3ed:2.0.17,97e0b4ab282acbed3588e05be03d5a0c4dbf336:2.3.5,16d39adbc04bb0cdf217226803d05d6956595d8:2.1.4 - description: "Open Redirector in spring-security-oauth2 description Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \"redirect_uri\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) Uses the DefaultRedirectResolver in the AuthorizationEndpoint This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver Act in the role of a Resource Server only (e.g. @EnableResourceServer) Act in the role of a Client only (e.g. @EnableOAuthClient) Affected Pivotal Products and Versions Severity is critical unless otherwise noted. 
Spring Security OAuth 2.3 to 2.3.4 Spring Security OAuth 2.2 to 2.2.3 Spring Security OAuth 2.1 to 2.1.3 Spring Security OAuth 2.0 to 2.0.16 Older unsupported versions are also affected Mitigation Users of affected versions should apply the following mitigation: 2.3.x users should upgrade to 2.3.5 2.2.x users should upgrade to 2.2.4 2.1.x users should upgrade to 2.1.4 2.0.x users should upgrade to 2.0.17 Older versions should upgrade to a supported branch There are no other mitigation steps necessary. For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the patch for the CVE. In order to override the version, you need to declare/set the property spring-security-oauth.version. Below are instructions for users of Spring Boot 1.5.x. To override a property using Maven, declare the property in your pom’s section: 2.0.17.RELEASE To override a property using Gradle, configure the value in your build.gradle script: ext['spring-security-oauth.version'] = '2.0.17.RELEASE' Or in gradle.properties: spring-security-oauth.version=2.0.17.RELEASE NOTE: The same instructions apply for users of Spring IO Platform Cairo. 
However, the version to specify is 2.2.4.RELEASE" - links: "https://github.com/spring-projects/spring-security-oauth/issues/1585,https://pivotal.io/security/cve-2019-3778,https://spring.io/blog/2019/02/21/cve-2019-3778-spring-security-oauth-2-3-5-2-2-4-2-1-4-2-0-17-released" - - -- reference: CVE-2016-10187 - repo: https://github.com/kovidgoyal/calibre/ - commit: 3a89718664cb8cce0449d1758eee585ed0d0433c:master - description: "" - links: "https://bugs.launchpad.net/calibre/+bug/1651728,https://bugs.mageia.org/show_bug.cgi?id=20225,https://www.openwall.com/lists/oss-security/2017/01/29/8" - - -- reference: CVE-2016-5016 - repo: https://github.com/cloudfoundry/uaa - commit: bc91ccd2029e8f1cea0c647f0c9aad4585f7a2c:3.3.0.x,90b6f8c06afd96efd39f87deaaf9a94cd0fd082:2.7.4.x,0a78612f981c541ad2d997e6a365f2a0b3e799d9:master - description: "UAA uses the OpenJDK Java Runtime Environment TrustManager to store trusted certificates. TrustManager does not by default check certificates for expiration. UAA was found to accept expired certificates." 
- links: "https://www.cloudfoundry.org/cve-2016-5016-uaa-accepts-expired-certificates/" - - -- reference: CVE-2018-1000814 - repo: https://github.com/aio-libs/aiohttp-session/ - commit: 1b356f01bbab57d041c9a75bacd72fbbf8524728:master - description: "" - links: "https://github.com/aio-libs/aiohttp-session/issues/325,https://github.com/aio-libs/aiohttp-session/pull/331,https://snyk.io/vuln/SNYK-PYTHON-AIOHTTPSESSION-72728" - - -- reference: CVE-2019-0221 - repo: https://github.com/apache/tomcat/ - commit: 44ec74:7.x,15fcd1:9.x,4fcdf7:8.x - description: "Low: XSS in SSI printenv (CVE-2019-0221) The SSI printenv command" - links: "" - -- reference: CVE-2016-0783 - repo: https://github.com/apache/openmeetings/ - commit: 7eef674039acd587bc46c1c399d3bdf058f0919b:master - description: "" - links: "http://openmeetings.apache.org/security.html" - - -- reference: CVE-2013-2115 - repo: https://github.com/apache/struts - commit: d7804297e319c7a12245e1b536e565fcea6d650:STRUTS_2_3_14_2,d934c6e7430b7b98e43a0a085a2304bd31a75c3d:master,fed4f8e8a4ec69b5e7612b92d8ce3e476680474:STRUTS_2_3_14_2 - description: "" - links: "" - - -- reference: CVE-2017-5650 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1788480:master,1788460:trunk - description: "" - links: "" - - -- reference: CVE-2018-15758 - repo: https://github.com/spring-projects/spring-security-oauth/ - commit: ddd65cd9417ae1e4a69e4193a622300db38e2ef:2.1.3,4082ec7ae3d39198a47b5c803ccb20dacefb0b0:2.3.4,f92223afc71687bd3156298054903f50aa71fbf:2.2.3,623776689fdcc8047f5a908c71f348e1f172a97:2.0.16 - description: "Privilege Escalation in spring-security-oauth2. Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. 
A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability exposes applications that meet all of the following requirements: - Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) - Use a custom Approval Endpoint that declares AuthorizationRequest as a controller method argument This vulnerability does not expose applications that: - Act in the role of an Authorization Server and use the default Approval Endpoint - Act in the role of a Resource Server only (e.g. @EnableResourceServer) - Act in the role of a Client only (e.g. @EnableOAuthClient) Affected Pivotal Products and Versions: Spring Security OAuth 2.3 to 2.3.3 Spring Security OAuth 2.2 to 2.2.2 Spring Security OAuth 2.1 to 2.1.2 Spring Security OAuth 2.0 to 2.0.15 Older unsupported versions are also affected Mitigation Users of affected versions should apply the following mitigation: 2.3.x users should upgrade to 2.3.4 2.2.x users should upgrade to 2.2.3 2.1.x users should upgrade to 2.1.3 2.0.x users should upgrade to 2.0.16 Older versions should upgrade to a supported branch There are no other mitigation steps required. History 2018-10-16: Initial vulnerability report published." 
- links: "https://pivotal.io/security/cve-2018-15758" - - -- reference: CVE-2013-2035 - repo: https://github.com/fusesource/hawtjni.git - commit: 92c266170ce98edc200c656bd034a237098b8aa5:master - description: "" - links: "" - - -- reference: CVE-2018-17175 - repo: https://github.com/marshmallow-code/marshmallow/ - commit: d5d9cb22dda6f39117f6f9497a6a66813cb8c64f:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17175,https://github.com/marshmallow-code/marshmallow/issues/772,https://github.com/marshmallow-code/marshmallow/pull/777,https://github.com/marshmallow-code/marshmallow/pull/782" - - -- reference: CVE-2012-5783-3x - repo: http://svn.apache.org/repos/asf/httpcomponents/oac.hc3x - commit: 1422573:trunk - description: "Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate." - links: "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783" - - -- reference: CVE-2018-1000862 - repo: https://github.com/jenkinsci/jenkins/ - commit: c19cc705688cfffa4fe735e0edbe84862b6c135f:master - description: "" - links: "https://jenkins.io/security/advisory/2018-12-05/#SECURITY-904,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-72670" - - -- reference: CVE-2017-4973 - repo: https://github.com/cloudfoundry/uaa - commit: 9d44cb0c7c25ccae95bfa1c2d59ce46200c643cb:master,24c270ce725df890727b2bd7d8a4f338a3a58b7:3.6.x,24bc5ade80560cedb9300940d2b398163ab0dc6:2.7.4.x,5eb43757d5a3a2c9e7aae1ef3d0b9b7e2a38851e:master - description: "A vulnerability has been identified with the groups endpoint in UAA allowing users to elevate their privileges." 
- links: "https://cloudfoundry.org/cve-2017-4973/" - - -- reference: CVE-2019-1010083 - repo: https://github.com/pallets/flask/ - commit: 465b48ed4e4af52493df1febe4687f53032a5e0a:master - description: "" - links: "https://github.com/pallets/flask/pull/2691,https://www.palletsprojects.com/blog/flask-1-0-released/" - - -- reference: CVE-2017-9805 - repo: https://github.com/apache/struts - commit: 19494718865f2fb7da5ea363de3822f87fbda26:master,6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a:support-2-3 - description: "Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads." - links: "https://cwiki.apache.org/confluence/display/WW/S2-052" - - -- reference: CVE-2014-1932 - repo: https://github.com/python-pillow/Pillow/ - commit: 4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7:master - description: "" - links: "" - - -- reference: CVE-2015-3250 - repo: http://svn.apache.org/repos/asf/directory/shared - commit: 1688300:trunk - description: "Timing attack vulnerability. Releases before Apache Directory LDAP API 1.0.0-M31 are affected." - links: "http://git.net/ml/general/2015-07/msg12550.html" - - -- reference: CVE-2018-5968 - repo: https://github.com/FasterXML/jackson-databind/ - commit: 038b471e2efde2e8f96b4e0be958d3e5a1ff1d0:2.8.11.1 - description: "It looks like the fix has been backported to 2.7.9.5 too." - links: "https://github.com/FasterXML/jackson-databind/issues/1899,https://github.com/FasterXML/jackson-databind/pull/2074,https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044" - - -- reference: CVE-2016-6794 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1754726:master,1754726:trunk,1754445:trunk,1754728:trunk,1754733:trunk,1754727:trunk - description: "When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. 
Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. Affects: 6.0.0 to 6.0.45,7.0.0 to 7.0.70,, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36,9.0.0.M1 to 9.0.0.M9." - links: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794" - - -- reference: CVE-2016-1182 - repo: https://github.com/kawasima/struts1-forever - commit: eda3a79907ed8fcb0387a0496d0cb14332f250e8:master - description: "" - links: "" - - -- reference: JENKINS-RABBITMQ-PUBLISHER-970 - repo: https://github.com/jenkinsci/rabbitmq-publisher-plugin/ - commit: f0306f229a79541650f759797475ef2574b7c057:master - description: "Missing permission check allowed connecting to RabbitMQ in Rabbit-MQ Publisher Plugin SECURITY-970 A missing permission check in a form validation method of Rabbit-MQ Publisher Plugin allowed users with Overall/Read access to have Jenkins initiate a RabbitMQ connection to an attacker-specified host and port with an attacker-specified username and password. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. This form validation method now requires POST requests and Overall/Administer permissions. Affected versions: Rabbit-MQ Publisher Plugin up to and including 1.0 Fix: Rabbit-MQ Publisher Plugin should be updated to version 1.2.0 " - links: "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-970" - - -- reference: CVE-2014-0003 - repo: https://github.com/apache/camel - commit: 483b445dc77487e2d0f3d8c8bf1a7bbab04464c:camel-2.12.x,c6de749e9b3c7b61861c5480e91550290585224:camel-2.11.x,e922f89290f236f3107039de61af0375826bd96d:master - description: "The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message. 
(see https://issues.apache.org/jira/browse/CAMEL-7123)" - links: "https://nvd.nist.gov/vuln/detail/CVE-2014-0003" - - -- reference: CVE-2017-3159 - repo: https://github.com/apache/camel - commit: 6b979d07fd4be6ac913368f2abeae690d3325d37:master,dcb5a74a3987d2264ad195c7844bbb6c81216610:master,20e26226107f3133c87d0f5c845e02f824823f69:master - description: "" - links: "" - - -- reference: CVE-2019-1010245 - repo: https://github.com/opennetworkinglab/onos/ - commit: c6455baca3ad15813ffb4f2a78f56b897c9ee5b6:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010245,https://drive.google.com/file/d/1OkMtrMgjjINsDUQwxpGxjbATB6hiwqyv/view,https://gerrit.onosproject.org/#/c/20767/" - - -- reference: CVE-2015-1838 - repo: https://github.com/saltstack/salt/ - commit: e11298d7155e9982749483ca5538e46090caef9c:master - description: "" - links: "https://docs.saltstack.com/en/latest/topics/releases/2014.7.4.html,https://www.cvedetails.com/cve/CVE-2015-1838/" - - -- reference: CVE-2015-2080 - repo: https://github.com/eclipse/jetty.project - commit: 3e7b5f0fa918633ec24bd1bc23d6ee76d32c7729:master,4df5647f6dfdc5fa7abb812afe9290d60b17c098:master - description: "The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. 
(see https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642, https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md)" - links: "https://nvd.nist.gov/vuln/detail/CVE-2015-2080" - - -- reference: CVE-2016-2512 - repo: https://github.com/django/django/ - commit: 382ab137312961ad62feb8109d70a5a581fe835:1.8,fc6d147a63f89795dbcdecb0559256470fff438:1.9 - description: "" - links: "https://nvd.nist.gov/vuln/detail/CVE-2016-2512" - - -- reference: CVE-2016-5394 - repo: https://github.com/apache/sling - commit: 7d2365a248943071a44d8495655186e4f14ea294:master - description: "In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities. (see https://issues.apache.org/jira/browse/SLING-5946)" - links: "https://nvd.nist.gov/vuln/detail/CVE-2016-5394" - - -- reference: CVE-2019-1003013 - repo: https://github.com/jenkinsci/blueocean-plugin/ - commit: 62775e78532b756826bb237775b64a5052624b57:master - description: "An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003013,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1204" - - -- reference: CVE-2016-9014 - repo: https://github.com/django/django - commit: 884e113838e5a72b4b0ec9e5e87aa480f6aa447:1.10,c401ae9a7dfb1a94a8a61927ed541d6f9308958:1.8,45acd6d836895a4c36575f48b3fb36a3dae98d1:1.9 - description: "" - links: "" - - -- reference: CVE-2018-1131 - repo: https://github.com/infinispan/infinispan/ - commit: c630752604332c4cc84fc44dfbb9011a296ab966:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1576492,https://nvd.nist.gov/vuln/detail/CVE-2018-1131" - - -- reference: CVE-2018-1336 - repo: https://github.com/apache/tomcat/ - commit: 92cd494555598e99dd691712e8ee426a2f9c2e93:master - description: "A bug in the UTF-8 decoder can lead to DoS. An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Affects: 7.0.28 to 7.0.88; 8.0.0.RC1 to 8.0.51; 8.5.0 to 8.5.30; 9.0.0.M1 to 9.0.7." - links: "https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2016-4430 - repo: https://github.com/apache/struts - commit: b28b78c062f0bf3c79793a25aab8c9b6c12bce6e:master - description: "" - links: "" - - -- reference: CVE-2019-3795 - repo: https://github.com/spring-projects/spring-security/ - commit: 6f02f690ac65ccf99d8df47ac3d730a68f87c56:4.2.x,3ddcbde466c16646a3a858baa57aafd8e65f6d5:5.1.x,9c1eac79e2abb50f7b01e77c2418566f2a30532:master,1304c958bf9c38940082f3ad1558d413ed82f2b:5.0.x - description: "Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security description Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. 
In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection. Affected Pivotal Products and Versions Severity is low unless otherwise noted. Spring Security 4.2 to 4.2.11 Spring Security 5.0 to 5.0.11 Spring Security 5.1 to 5.1.4 Mitigation Users of affected versions should apply the following mitigation: 4.2.x users should upgrade to 4.2.12 5.0.x users should upgrade to 5.0.12 5.1.x users should upgrade to 5.1.5 " - links: "https://github.com/spring-projects/spring-security/issues/6734,https://pivotal.io/security/cve-2019-3795" - - -- reference: CVE-2017-8032 - repo: https://github.com/cloudfoundry/uaa - commit: 2c10c43f04cf31e9f8f496cd218bfc773dfc149:3.9.15,ea8c0ce7740a5d756d9f11964f6a6b4df54cc3b2:master,4e4d653edb6b8f68e12b7c415e07e068b1574b8:3.6.13 - description: "Zone administrators are allowed to escalate their privileges when mapping permissions for an external provider." - links: "https://www.cloudfoundry.org/cve-2017-8032/" - - -- reference: CVE-2013-4316 - repo: https://github.com/apache/struts - commit: 58947c3f85ae641c1a476316a2888e53605948d1:master - description: "" - links: "" - - -- reference: CVE-2018-12542 - repo: https://github.com/vert-x3/vertx-web/ - commit: 57a65dce6f4c5aa5e3ce7288685e7f3447eb8f3b:master - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539171,https://github.com/vert-x3/vertx-web/issues/1025,https://snyk.io/vuln/SNYK-JAVA-IOVERTX-72442" - - -- reference: CVE-2012-4406 - repo: https://github.com/openstack/swift/ - commit: e1ff51c04554d51616d2845f92ab726cb0e5831a:master - description: "" - links: "https://nvd.nist.gov/vuln/detail/CVE-2012-4406" - - -- reference: CVE-2016-2510 - repo: https://github.com/beanshell/beanshell - commit: 1ccc66bb693d4e46a34a904db8eeff07808d2ced:master,7c68fde2d6fc65e362f20863d868c112a90a9b49:master - description: "" - links: "" - - -- reference: CVE-2017-12631 - repo: 
https://github.com/apache/cxf-fediz - commit: ccdb12b26ff89e0a998a333e84dd84bd713ac76:1.4.x-fixes,e7127129dbc0f4ee83985052085e185e750cebbf:master,48dd9b68d67c6b729376c1ce8886f52a57df6c4:1.3.x-fixes - description: "" - links: "" - - -- reference: CVE-2016-4438 - repo: https://github.com/apache/struts - commit: 76eb8f38a33ad0f1f48464ee1311559c8d52dd6d:master - description: "" - links: "" - - -- reference: CVE-2017-5637 - repo: https://github.com/apache/zookeeper/ - commit: 75411ab34a3d53c43c2d508b12314a9788aa417:master,6d9fc04c052adbc79bbbb1c63f3f00c816fb8e5:3.5.4 - description: "" - links: "https://github.com/apache/zookeeper/pull/179,https://issues.apache.org/jira/browse/ZOOKEEPER-2693,https://zookeeper.apache.org/security.html#CVE-2017-5637" - - -- reference: CVE-2017-3164 - repo: https://github.com/apache/lucene-solr/ - commit: 6d63958821232699f0a8423d9b21d4915bfba64:7.x,8b54b20fc488ae3e83f4a350a707dc0303ade23:master,e9db95831b9db69fbc0bef499b0d3f41bc6448f:8.x - description: "SSRF issue in Apache Solr. Versions Affected: Apache Solr versions from 1.3 to 7.6.0 description: The \"shards\" parameter does not have a corresponding whitelist mechanism, so it can request any URL. Mitigation: Upgrade to Apache Solr 7.7.0 or later. Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr." - links: "http://mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN%3DwO5rYs6ktAX-5%3D-f5JDFwbbTSM2TTjEbGO5jKKA%40mail.gmail.com%3E,https://issues.apache.org/jira/browse/SOLR-12770,https://wiki.apache.org/solr/SolrSecurity" - - -- reference: SHIFTBOILER-001 - repo: https://github.com/projectshift/shift-boiler/ - commit: 11b998e5f5f1ed4a5692aa36d4400693b6d4c93e:master - description: "Overview: shiftboiler is a setup of flask framework integrated with a number of libraries to quickly bootstrap app development. Affected versions of this package are vulnerable to User Impersonation attack. 
If the google login did not return an id, a malicious user could takeover another user's account. Remediation: Upgrade shiftboiler to version 0.6.5 or higher." - links: "https://github.com/projectshift/shift-boiler/issues/84,https://snyk.io/vuln/SNYK-PYTHON-SHIFTBOILER-72558" - - -- reference: CVE-2017-1000355 - repo: https://github.com/jenkinsci/jenkins/ - commit: 701ea95a52afe53bee28f76a3f96eb0e578852e9:master - description: "" - links: "https://jenkins.io/security/advisory/2017-04-26/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32195" - - -- reference: CVE-2019-10291 - repo: https://github.com/jenkinsci/netsparker-cloud-scan-plugin/ - commit: cce62d7188f12ab9cf1d5272eb859beb710d521a:master - description: "" - links: "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1040" - - -- reference: CVE-2016-4468 - repo: https://github.com/cloudfoundry/uaa - commit: 215bd349a63edfef15a1aa07a3969c8991e34570:master,6bf1c0ae1abc9aaba957708e0b2dfb6a70aab826:master,b384a650a122e42d75e8cbb5624d0274a65cd848:master - description: "There is the potential for a SQL injection attack in UAA for authenticated users." 
- links: "https://pivotal.io/security/cve-2016-4468" - - -- reference: CVE-2011-2526 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1158244:trunk,1146005:trunk,1146703:trunk,1145694:trunk,1145571:trunk,1145383:trunk - description: "" - links: "" - - -- reference: CVE-2018-16166 - repo: https://github.com/JPCERTCC/LogonTracer/ - commit: 2bb79861dbaf7e8a9646fcd70359523fdb464d9c:master - description: "" - links: "https://jvn.jp/en/vu/JVNVU98026636/index.html" - - -- reference: CVE-2015-6748 - repo: https://github.com/jhy/jsoup/ - commit: 4edb78991f8d0bf87dafde5e01ccd8922065c9b2:master - description: "" - links: "" - - -- reference: HADOOP-13105 - repo: https://github.com/apache/hadoop/ - commit: e54f073cfe485842b57d0a52330b59df0b38cb2:2.8,5e6ee5aafb9b9f200d906444e4731cfc60ac6eb:2.9,d82bc8501869be78780fc09752dbf7af918c14a:3.x - description: "LdapGroupsMapping currently does not set timeouts on the LDAP queries. This can create a risk of a very long/infinite wait on a connection. This patch adds two new config keys for supporting timeouts in LDAP query operations. The property hadoop.security.group.mapping.ldap.connection.timeout.ms is the connection timeout (in milliseconds), within which period if the LDAP provider doesn't establish a connection, it will abort the connect attempt. The property hadoop.security.group.mapping.ldap.read.timeout.ms is the read timeout (in milliseconds), within which period if the LDAP provider doesn't get a LDAP response, it will abort the read attempt. Fixed Version/s: 2.8.0, 3.0.0-alpha1, 2.7.6." - links: "http://hadoop.apache.org/docs/r2.7.6/hadoop-project-dist/hadoop-common/releasenotes.html,https://issues.apache.org/jira/browse/HADOOP-13105" - - -- reference: HOMEASSISTANT-001 - repo: https://github.com/home-assistant/home-assistant/ - commit: 0f12b37977766647dcc34a0189b37c7379b5f665:master - description: "homeassistant is a home automation platform running on Python 3. 
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks. The SSL verification was disabled for outgoing requests that were done using the shared aiohttp session. Remediation:Upgrade homeassistant to version 0.73.2 or higher." - links: "https://snyk.io/vuln/SNYK-PYTHON-HOMEASSISTANT-42167" - - -- reference: CVE-2016-3092 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1743742:trunk,1743722:master,1743738:trunk,1743722:trunk - description: "" - links: "" - - -- reference: CVE-2018-18628 - repo: https://github.com/pippo-java/pippo/ - commit: c6b26551a82d2dd32097fcb17c13c3b830916296:master - description: "" - links: "https://github.com/pippo-java/pippo/issues/458,https://snyk.io/vuln/SNYK-JAVA-ROPIPPO-72565" - - -- reference: JENKINS-ACUNETIX-980 - repo: https://github.com/jenkinsci/acunetix-plugin/ - commit: b702b1906d3ae8a06ef6b394efe0d85d805fa738:master - description: "SSRF vulnerability due to missing permission check in Acunetix Plugin SECURITY-980 A missing permission check in a form validation method in Acunetix Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP GET request to an attacker-specified URL, adding a /me suffix, returning whether the connection could be established and whether the HTTP response code is 200. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. This form validation method now requires POST requests and performs a permission check. " - links: "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-980" - - -- reference: CVE-2019-10318 - repo: https://github.com/jenkinsci/azure-ad-plugin/ - commit: 70983d1a6528847ccd6e7f124450c578c42d194f:master - description: "Azure AD Plugin stored credentials in plain text SECURITY-1390 / CVE-2019-10318 Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master. 
These credentials could be viewed by users with access to the master file system. Azure AD Plugin now stores the client secret encrypted. Affected Versions: Azure AD Plugin up to and including 0.3.3 Fix: Azure AD Plugin up to and including 0.3.4" - links: "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390" - - -- reference: CVE-2018-1000548 - repo: https://github.com/umlet/umlet/ - commit: e1c4cc6ae692cc8d1c367460dbf79343e996f9bd:master - description: "" - links: "https://github.com/umlet/umlet/issues/500,https://snyk.io/vuln/SNYK-JAVA-COMUMLET-32394" - - -- reference: CVE-2015-5345 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1716894:trunk,1715206:trunk,1715207:trunk,1717209:trunk,1715213:trunk,1717216:trunk,1715216:trunk,1717212:trunk,1716882:trunk - description: "" - links: "" - - -- reference: CVE-2016-2141 - repo: https://github.com/belaban/JGroups/ - commit: c3ad22234ef84d06d04d908b3c94c0d11df8afd:2.6.22,38a882331035ffed205d15a5c92b471fd09659c:master,fba182c14075789e1d2c976d50d9018c671ad0b:3.6.10 - description: "" - links: "https://access.redhat.com/security/cve/cve-2016-2141,https://issues.jboss.org/browse/JGRP-2021" - - -- reference: CVE-2018-1275 - repo: https://github.com/spring-projects/spring-framework/ - commit: d3acf45ea4db51fa5c4cbd0bc0e7b6d9ef805e6:4.x,1db7e02de3eb0c011ee6681f5a12eb9d166fea8:5.x - description: "Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, as well as older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. 
Affected : Spring Framework 5.0 to 5.0.4, Spring Framework 4.3 to 4.3.15, Older unsupported versions are also affected" - links: "https://pivotal.io/security/cve-2018-1275" - - -- reference: CVE-2019-11340 - repo: https://github.com/matrix-org/sydent/ - commit: 4e1cfff53429c49c87d5c457a18ed435520044fc:master - description: "util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11340,https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/" - - -- reference: MTPROTOPROXY-001 - repo: https://github.com/alexbers/mtprotoproxy/ - commit: 372861ac6e3dd3d1d4996282f0905c36c5163fba:master - description: "mtprotoproxy is a Async mtproto proxy for Telegram. Affected versions of this package are vulnerable to Information Exposure. Remediation: Upgrade mtprotoproxy to version 1.0.0 or higher." - links: "https://snyk.io/vuln/SNYK-PYTHON-MTPROTOPROXY-42170" - - -- reference: SCRAPY-676 - repo: https://github.com/scrapy/scrapy/ - commit: c2a424daaeca851c9d4a6b930eabf2a0422fdfe3:master,43217fd698135b4795d191f8a935f3ba0b869c54:master,554102fd70b14ee83109003cf77ab3a4f91f4f58:master - description: "XML External Entity (XXE) Injection The XML reader, used by SitemapSpider to process XML sitemaps, is vulnerable to an XML External Entity (XXE) attack. Remediation Upgrade scrapy to version 0.24.0 or higher." 
- links: "https://github.com/scrapy/scrapy/pull/676" - - -- reference: CVE-2014-2066 - repo: https://github.com/jenkinsci/jenkins.git - commit: 8ac74c350779921598f9d5edfed39dd35de8842a:master - description: "" - links: "" - - -- reference: CVE-2016-0779 - repo: https://github.com/apache/tomee - commit: 58cdbbef9c77ab2b44870f9d606593b49cde76d9:master - description: "The EJBd protocol provided by TomEE can exploit the 0-day vulnerability. This issue only affects you if you rely on EJBd protocol (proprietary remote EJB protocol). This one one is not activated by default on the 7.x series but it was on the 1.x ones. TomEE was subject to this vulnerability until versions 1.7.3 and 7.0.0-M1." - links: "http://tomee.apache.org/security/tomee.html" - - -- reference: CVE-2018-1257 - repo: https://github.com/spring-projects/spring-framework/ - commit: ff2228fdaf131d57b5c8c5918ee8d07c6dd9bba:5.0.x,246a6db1cad205ca9b6fca00c544ab7443ba202:4.3.x - description: "" - links: "https://pivotal.io/security/cve-2018-1257,https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31674" - - -- reference: CVE-2009-0038 - repo: https://github.com/apache/geronimo - commit: f8a612df7b06729bfd6c826e1a110d4bb40dc1f5:2.1,aa0c2c26dde8930cad924796af7c17a13d236b16:2.1.4,67dda0760bb0925ead201ddd5d809ff53686d63f:trunk - description: "" - links: "" - - -- reference: CVE-2016-1000344 - repo: https://github.com/bcgit/bc-java - commit: 9385b0ebd277724b167fe1d1456e3c112112be1f:master - description: "DHIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider." 
- links: "https://www.bouncycastle.org/releasenotes.html" - - -- reference: CVE-2014-3600 - repo: https://github.com/apache/activemq - commit: b9696ac80bb496b52d05c3884f81b0746d9af9e2:master - description: "It is possible for a consumer dequeuing XML message(s) to specify an XPath based selector thus causing the broker to evaluate the expression and attempt to match it against the messages in the queue while also performing an XML external entity resolution. Upgrade to Apache ActiveMQ 5.10.1 or 5.11.0 (see https://issues.apache.org/jira/browse/AMQ-5333)" - links: "" - - -- reference: CVE-2018-20580 - repo: https://github.com/SmartBear/soapui/ - commit: a4755e6b10c813c6efbe3b8e8a81a61027a8595a:master,429cb2142c536b40a52666d9efc72ec8e5e9235e:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20580,https://github.com/SmartBear/soapui/pull/368,https://github.com/SmartBear/soapui/pull/382,https://www.exploit-db.com/exploits/46796" - - -- reference: CVE-2018-1321 - repo: https://github.com/apache/syncope - commit: 717289bc10b6f3b204cb6d14881f530174c6235:master,726231fbf7b817bd2a9467171dcb1c0087c75bc:1.2.11,ad31479c1c543ac7d26b8c882aa14f6c00c1fd0:2.0.8 - description: "" - links: "http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements" - - -- reference: CVE-2018-1000420 - repo: https://github.com/jenkinsci/mesos-plugin/ - commit: e7e6397e30a612254e6033b94c21edb2324d648f:master - description: "" - links: "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)" - - -- reference: CVE-2017-1000393 - repo: https://github.com/jenkinsci/jenkins/ - commit: d7ea3f40efedd50541a57b943d5f7bbed046d091:master - description: "" - links: "https://jenkins.io/security/advisory/2017-10-11/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-32189" - - -- reference: CVE-2016-1000343 - repo: https://github.com/bcgit/bc-java/ - commit: 
50a53068c094d6cff37659da33c9b4505becd389:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32361" - - -- reference: CVE-2019-3888 - repo: https://github.com/undertow-io/undertow/ - commit: 9bf05b765e222dd106fee9b46314061b18b7275e:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3888,https://github.com/undertow-io/undertow/pull/736" - - -- reference: CVE-2019-1000007 - repo: https://github.com/horazont/aioxmpp/ - commit: 29ff0838a40f58efe30a4bbcea95aa8dab7da475:master - description: "aioxmpp is a pure-python XMPP library using the asyncio standard library module from Python 3.4. Affected versions of this package are vulnerable to Arbitrary Code Injection due to an improper handling of structural elements in Stanza parser. A crafted stanza could be sent to an application which uses the vulnerable components to either inject data in a different context or cause the application to reconnect. Remediation Upgrade aioxmpp to version 0.10.3 or higher. 
" - links: "https://github.com/horazont/aioxmpp/pull/268,https://snyk.io/vuln/SNYK-PYTHON-AIOXMPP-73648" - - -- reference: CVE-2015-1831 - repo: https://github.com/apache/struts - commit: d832747d647df343ed07a58b1b5e540a05a4d51b:master - description: "" - links: "" - - -- reference: CVE-2013-5823 - repo: https://github.com/apache/santuario-java - commit: 55a48497dfbf3fe63a81e67c13160b3f41ebb1f3:1.4.x-fixes,f9a61f2df9473237aa71308c28113540b4063d33:trunk - description: "" - links: "" - - -- reference: CVE-2018-1000861 - repo: https://github.com/jenkinsci/jenkins/ - commit: 47f38d714c99e1841fb737ad1005618eb26ed852:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000861,https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-72669" - - -- reference: CVE-2019-1003004 - repo: https://github.com/jenkinsci/jenkins/ - commit: 8c490d14c4ffe6162f6e97d25a66612330fe2ace:master,da135e7ecb72469c17a47640314e424e314269b0:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003004,https://jenkins.io/security/advisory/2019-01-16/#SECURITY-901" - - -- reference: CVE-2019-1003015 - repo: https://github.com/jenkinsci/job-import-plugin/ - commit: 1d81e59330d371d15d3672dabc17d35dcd9fb824:master - description: "An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003015,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(1)" - - -- reference: CVE-2013-2071 - repo: http://svn.apache.org/repos/asf/tomcat/tc7.0.x - commit: 1471372:trunk - description: "" - links: "" - - -- reference: FLASK-ADMIN-001 - repo: https://github.com/flask-admin/flask-admin/ - commit: 0dc5a48fd0a4fdd28172e0bc508373ddb58fc50b:master - description: "Overview: flask-admin is a batteries-included, simple-to-use Flask extension that lets add admin interfaces to Flask applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. Remediation: Upgrade flask-admin to version 1.5.2 or higher" - links: "https://snyk.io/vuln/SNYK-PYTHON-FLASKADMIN-72276" - - -- reference: CVE-2017-5638 - repo: https://github.com/apache/struts - commit: 6b8272ce47160036ed120a48345d9aa884477228:master,352306493971e7d5a756d61780d57a76eb1f519a:support-2-3 - description: "It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user. 
This CVE refers both to https://cwiki.apache.org/confluence/display/WW/S2-045 and https://cwiki.apache.org/confluence/display/WW/S2-046" - links: "https://cwiki.apache.org/confluence/display/WW/S2-045" - - -- reference: CVE-2018-1000129 - repo: https://github.com/rhuss/jolokia - commit: 5895d5c137c335e6b473e9dcb9baf748851bbc5f:master - description: "" - links: "" - - -- reference: CVE-2018-1000067 - repo: https://github.com/jenkinsci/jenkins - commit: 2d16b459205730d85e51499c2457109b234ca9d9:master - description: "" - links: "" - - -- reference: CVE-2017-9096-2 - repo: https://github.com/itext/itextpdf - commit: ad38371c396ac5ffbfb28056809e8ffaa5a18ccd:master - description: "The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF." - links: "https://nvd.nist.gov/vuln/detail/CVE-2017-9096" - - -- reference: CVE-2015-1772 - repo: https://github.com/apache/hive - commit: 6929846a8120eaf094b914b4ca8af80b65f891c8:trunk - description: "" - links: "" - - -- reference: CVE-2018-8039 - repo: https://github.com/apache/cxf/ - commit: fae6fabf9bd7647f5e9cb68897a7d72b545b741:3.2.5,8ed6208f987ff72e4c4d2cf8a6b1ec9b27575d4:3.1.16 - description: "description: A vulnerability was reported in Apache CXF. A remote user can bypass TLS hostname verification in certain cases. The system does not properly verify TLS hostnames when used with the 'com.sun.net.ssl' implementation. A remote user that can conduct a man-in-the-middle attack can bypass the hostname verification. Impact: A remote user can bypass TLS hostname verification. Solution: The vendor has issued a fix (3.1.16, 3.2.5)." 
- links: "https://cxf.apache.org/security-advisories.html,https://securitytracker.com/id/1041199" - - -- reference: CVE-2017-3154 - repo: https://github.com/apache/atlas - commit: 0dcfd21bbfaac6f037f46b7aaaab0e5546fd2a7:0.7-incubating - description: "" - links: "" - - -- reference: CVE-2017-15709 - repo: https://github.com/apache/activemq - commit: 8ff18c5e254bf43395f2e0d7e3a1092b33ec646:5.14.x,d2e49be3a8f21d862726c1f6bc9e1caa6ee8b58:5.15.x,5fa0bbd5156f29d97dcf48fd9fdb6a0488a8df1a:master - description: "" - links: "" - - -- reference: CVE-2017-14158 - repo: https://github.com/wangtua1/scrapy/ - commit: af0ea54d82d72b8da28712d1b2a0e51b28476e39:master - description: "" - links: "https://github.com/scrapy/scrapy/issues/482,https://github.com/scrapy/scrapy/pull/2917,https://www.cvedetails.com/cve/CVE-2017-14158/" - - -- reference: CVE-2009-0580 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 781379:master,781382:tc4.1.x - description: "" - links: "" - - -- reference: JINJA-001 - repo: https://github.com/pallets/jinja/ - commit: 74bd64e56387f5b2931040dc7235a3509cde1611:master,9b53045c34e61013dc8f09b7e52a555fa16bed16:master - description: "In Jinja before 2.8.2, if the sandbox mode is used format expressions are now sandboxed with the same rules as in Jinja. This solves various information leakage problems that can occur with format strings." - links: "http://jinja.pocoo.org/docs/2.10/changelog/" - - -- reference: CVE-2018-1000632 - repo: https://github.com/dom4j/dom4j - commit: e598eb43d418744c4dbf62f647dd2381c9ce9387:master - description: "" - links: "" - - -- reference: CVE-2017-16763 - repo: https://github.com/bbengfort/confire - commit: 8cc86a5ec2327e070f1d576d61bbaadf861597ea:master - description: "" - links: "" - - -- reference: JETTY-1042 - repo: https://github.com/eclipse/jetty.project - commit: 02dd1975ec61052cb9a17342c9bbec289257b701:master - description: "Cookie leak between requests sharing a connection. Affects releases < = 6.1.18, < = 7.0.0.M4. 
Please update to 6.1.19, 7.0.0.Rc0." - links: "https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc" - - -- reference: CVE-2019-10338 - repo: https://github.com/jenkinsci/jx-resources-plugin/ - commit: f0d9fb76230b65e851095da936a439d953c5f64d:master - description: "" - links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1379" - - -- reference: CVE-2011-2765 - repo: https://github.com/irmen/Pyro3/ - commit: 554e095a62c4412c91f981e72fd34a936ac2bf1e:master - description: "" - links: "https://pythonhosted.org/Pyro/12-changes.html,https://snyk.io/vuln/SNYK-PYTHON-PYRO-72279" - - -- reference: CVE-2017-12634 - repo: https://github.com/apache/camel - commit: 573ebd3de810cc7e239f175e1d2d6993f1f2ad0:camel-2.20.x,adc06a78f04c8d798709a5818104abe5a8ae4b3:camel-2.19.x,ad3c1ce9d8300c339cfa7d0f4a4dea691a94798:,2ae645e90edff3bcc1b958cb53ddc5e60a7f49f:camel-2.19.x - description: "" - links: "" - - -- reference: DJANGO-REQUEST-LOGGING-95 - repo: https://github.com/Rhumbix/django-request-logging/ - commit: 4674923482908788de345389d213a8d188505839:master - description: "Information Exposure django-request-logging is a Django middleware package that logs HTTP request body. Affected versions of this package are vulnerable to Information Exposure. Sensitive information such as passwords are logged by the package by default due to not using SafeExceptionReportFilter. Remediation Upgrade django-request-logging to version 0.6.9 or higher. 
" - links: "https://github.com/Rhumbix/django-request-logging/pull/65" - - -- reference: CVE-2017-12624 - repo: https://github.com/apache/cxf - commit: 8bd915bfd7735c248ad660059c6b6ad26cdbcdf6:master,896bd961cbbb6b8569700e5b70229f78f94ad9d:3.1.x-fixes - description: "" - links: "" - - -- reference: CVE-2018-11087 - repo: https://github.com/spring-projects/spring-amqp/ - commit: 444b74e95bb299af5e23ebf006fbb45d574fb95:2.1.0,aff4d0aefcdb99726fd739abf3b9bb96df97b0f:1.7.10,d64e7fa3993dac577c0973e0caf8c31d27ef5e4:2.0.6 - description: "description: The Spring RabbitMQ Java Client does not perform hostname validation. This means that SSL certificates of other hosts are blindly accepted as long as they are trusted. To exploit this vulnerability an attacker has to perform a man-in-the-middle (MITM) attack between a Java application using the Spring RabbitMQ Java Client and an RabbitMQ server it's connecting to. TLS normally protects users and systems against MITM attacks, it cannot if certificates from other trusted hosts are accepted by the client. Spring AMQP uses the RabbitMQ amqp-client java library for communication with RabbitMQ. It uses the RabbitConnectionFactoryBean to create/configure the connection factory.\n Affected Versions: \n - Spring-AMQP versions prior to 1.7.10 and 2.0.6 /n - RabbitMQ amqp-client versions prior to 4.8.0 and 5.4.0 .\n Mitigation: Users of affected versions should apply the following mitigation: \n - Upgrade to the 1.7.10.RELEASE or 2.0.6.RELEASE and set the enableHostnameValidation property to true. Override the transitive amqp-client version to at least 4.8.0 and 5.4.0, respectively. \n - The upcoming 2.1.0.RELEASE will set the property to true by default.\n - If you are using the amqp-client library directly to create a connection factory, refer to its javadocs for the enableHostnameValidation() method." 
- links: "https://jira.spring.io/browse/AMQP-830,https://pivotal.io/security/cve-2018-11087" - - -- reference: 413684 - repo: https://github.com/eclipse/jetty.project - commit: 2f08ba29487aff6624dbf947b1fbd845cdd33464:master - description: "As Jetty is delivered, adding a trailing slash to a JSP page causes it to be served as a raw source file. This vulnerability affects releases >=7.6.9 <9.0.5. Please update to|7.6.13,8.1.13,9.0.5" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" - - -- reference: CVE-2017-8342 - repo: https://github.com/Kozea/Radicale/ - commit: 059ba8dec1f22ccbeab837e288b3833a099cee2:2.x,190b1dd795f0c552a4992445a231da760211183:1.1.x - description: "" - links: "https://nvd.nist.gov/vuln/detail/CVE-2017-8342" - - -- reference: CVE-2018-1000104 - repo: https://github.com/jenkinsci/coverity-plugin/ - commit: 34b7c2b07014b8e1e708361170146600db172491:master - description: "" - links: "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-260,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32158" - - -- reference: CVE-2011-4343 - repo: https://github.com/apache/myfaces - commit: ed925077332275b5cd652410f438bb4893566fb8:master,f4e8981e4b17cc1ee9d3c79f6cd34f7bb2201f7:2.0.x - description: "" - links: "https://github.com/javaserverfaces/mojarra/issues/2251,https://issues.apache.org/jira/browse/MYFACES-3405" - - -- reference: PYCRYPTODOME-90 - repo: https://github.com/Legrandin/pycryptodome - commit: 99c27a3b:master - description: "" - links: "https://github.com/Legrandin/pycryptodome/issues/90,https://github.com/TElgamal/attack-on-pycrypto-elgamal" - - -- reference: CVE-2019-6690 - repo: https://github.com/vsajip/python-gnupg/ - commit: 39eca266dd837e2ad89c94eb17b7a6f50b25e7cf:master,3003b654ca1c29b0510a54b9848571b3ad57df19:master - description: "python-gnupg is a command-line program which provides support for programmatic access via spawning a separate process to run it and then communicating with that process from your program. 
Affected versions of this package are vulnerable to Improper Input Validation. An attacker can inject data through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods when symmetric encryption is used. The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines. By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted. Remediation Upgrade python-gnupg to version 0.4.4 or higher." - links: "https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/,https://bugzilla.redhat.com/show_bug.cgi?id=1670364,https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability,https://snyk.io/vuln/SNYK-PYTHON-PYTHONGNUPG-73633" - - -- reference: CVE-2019-1003000 - repo: https://github.com/jenkinsci/jenkins/ - commit: fa832c58b06556d9d3e0224be28f9c8673f3230b:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003000,https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266" - - -- reference: CVE-2017-3166 - repo: https://github.com/apache/hadoop/ - commit: a47d8283b136aab5b9fa4c18e6f51fa799d91a29:master - description: "" - links: "https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E,https://nvd.nist.gov/vuln/detail/CVE-2017-3166" - - -- reference: CVE-2011-1184 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1158180:trunk,1087655:trunk,1159309:trunk - description: "" - links: "" - - -- reference: CVE-2011-4461 - repo: https://github.com/apache/activemq - commit: 46ccaafcfcfbfc63c1c9e0fe2cb02011991772e1:master - description: "" - links: "" - - -- reference: CVE-2012-5783 - repo: http://svn.apache.org/repos/asf/jakarta/httpcomponents/httpclient - 
commit: 483925:trunk - description: "" - links: "" - - -- reference: CVE-2018-6331 - repo: https://github.com/facebook/buck/ - commit: 8c5500981812564877bd122c0f8fab48d3528ddf:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6331" - - -- reference: JAVAMELODY-631 - repo: https://github.com/javamelody/javamelody - commit: dd8816863d8d943f819a3fa797c349236e7546d4:master - description: "When using the collector server, minor security issue if XML transport format with xstream is configured in the collector server parameters." - links: "https://github.com/javamelody/javamelody/issues/631" - - -- reference: CVE-2018-11039 - repo: https://github.com/spring-projects/spring-framework/ - commit: dac97f1b7dac3e70ff603fb6fc9f205b95dd6b01:master,f2694a8ed93f1f63f87ce45d0bb638478b426acd:master - description: "Cross Site Tracing (XST) with Spring Framework. description: Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. Affected Pivotal Products and Versions: Spring Framework 5.0 to 5.0.6, Spring Framework 4.3 to 4.3.17, Older unsupported versions are also affected. Mitigation: Users of affected versions should apply the following mitigation: \n- 5.0.x users should upgrade to 5.0.7. \n- 4.3.x users should upgrade to 4.3.18. \n- Older versions should upgrade to a supported branch. \nThere are no other mitigation steps necessary. This attack applies to applications that: \n1/ Use the HiddenHttpMethodFilter (it is enabled by default in Spring Boot). \n2/ Allow HTTP TRACE requests to be handled by the application server. 
\nThis attack is not exploitable directly because an attacker would have to make a cross-domain request via HTTP POST, which is forbidden by the Same Origin Policy. This is why a pre-existing XSS (Cross Site Scripting) vulnerability in the web application itself is necessary to enable an escalation to XST." - links: "https://jira.spring.io/browse/SPR-16836,https://pivotal.io/security/cve-2018-11039" - - -- reference: CVE-2017-1000390 - repo: https://github.com/jenkinsci/tikal-multijob-plugin/ - commit: 2424cec7a099fe4392f052a754fadc28de9f8d86:master,3e6ab85019334a5b2a438264afdebe439cfc82b4:master - description: "" - links: "https://jenkins.io/security/advisory/2017-10-23/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32192" - - -- reference: CVE-2019-9142 - repo: https://github.com/b3log/symphony/ - commit: 5a74493fe179ceb8952262f3f157e4b8a55d2d46:master - description: "" - links: "https://github.com/b3log/symphony/issues/860,https://snyk.io/vuln/SNYK-JAVA-ORGB3LOG-174528" - - -- reference: CVE-2017-18349 - repo: https://github.com/alibaba/fastjson/ - commit: f5903fa56497c00ed0703ac875b511f9bd5f1d8e:master - description: "" - links: "https://github.com/alibaba/fastjson/wiki/security_update_20170315" - - -- reference: CVE-2016-3087 - repo: https://github.com/apache/struts.git - commit: 6bd694b7980494c12d49ca1bf39f12aec3e03e2f:2_5_x:2_5_x,98d2692e434fe7f4d445ade24fe2c9860de1c13f:2_3_x:2_3_x - description: "" - links: "" - - -- reference: CVE-2018-1000114 - repo: https://github.com/jenkinsci/promoted-builds-plugin - commit: 9b99b9427cc4f692644f929e70f3e7b2180b11c5:master - description: "" - links: "" - - -- reference: CVE-2019-3802 - repo: https://github.com/spring-projects/spring-data-jpa/ - commit: 
075b4bad6fbcf85237e34568b1dde5c3c896738:2.2.0,2ef1b156a7ae0aea0e78b48fa97ead78989c63d:1.1.x,ac02bc062b224d3983c7fc6806e74488acf7a53:2.2.0,d5f88165069fb53c3d034559cc2873e9a9a9563:2.1.8,33027dc370f418981f41f8fdfebc7173155960a:1.1.x,c4baa0df0cbb76ae1c56795c40f3e2715e89f5e:2.1.8 - description: "Additional information exposure with Spring Data JPA example matcher description This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. Using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied. Affected Pivotal Products and Versions - Spring Data JPA 2.1 to 2.1.7 - Spring Data JPA 2.0 to 2.0.15 - Spring Data JPA 1.11 to 1.11.21 - Older unsupported versions are also affected Mitigation Users of affected versions should apply the following mitigation: - 2.1.x users should upgrade to 2.1.8 (included in Spring Boot 2.1.5) - 2.0.x users should upgrade to 2.1.8 (included in Spring Boot 2.1.5) - 1.11.x users should upgrade to 1.11.22 (included in Spring Boot 1.5.20) - Older versions should upgrade to a supported branch - There are no other mitigation steps necessary. Note, that with the current releases, the 2.0 branch of both Spring Data and Spring Boot is EOL and we highly recommend to upgrade " - links: "https://github.com/spring-projects/spring-data-jpa/pull/377,https://pivotal.io/security/cve-2019-3802" - - -- reference: CVE-2018-14505 - repo: https://github.com/mitmproxy/mitmproxy/ - commit: 7f464b89296881f4d9ec032378c4418e832d17e3:master - description: "mitmproxy is An interactive, SSL-capable, man-in-the-middle HTTP proxy for penetration testers and software developers. Affected versions of this package are vulnerable to DNS Rebinding. The mitmweb interface did not include protection against DNS rebinding. 
This could be exploited by a malicious website to either access the sniffed data or run arbitrary Python scripts on the filesystem by setting the scripts config option. Remediation Upgrade mitmproxy to version 4.0.4 or higher." - links: "https://github.com/mitmproxy/mitmproxy/issues/3234,https://github.com/mitmproxy/mitmproxy/pull/3243,https://snyk.io/vuln/SNYK-PYTHON-MITMPROXY-42179" - - -- reference: CVE-2017-5591 - repo: https://github.com/poezio/slixmpp - commit: 22664ee7b86c8e010f312b66d12590fb47160ad8:master - description: "" - links: "" - - -- reference: CVE-2011-3190 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1162960:trunk,1162958:trunk,1162959:trunk,1162957:trunk - description: "" - links: "" - - -- reference: DJANGO-REGISTRATION-001 - repo: https://github.com/macropin/django-registration/ - commit: 3a2e0182ff92cc8ce39a932e463cbac37e485afa:master - description: "django-registration provides user registration functionality for Django websites. Affected versions of this package are vulnerable to Information Exposure. It leaked the password reset token through the Referrer header. Remediation: Upgrade django-registration to version 1.7 or higher." 
- links: "https://github.com/macropin/django-registration/pull/268,https://snyk.io/vuln/SNYK-PYTHON-DJANGOREGISTRATION-72413" - - -- reference: CVE-2017-1000243 - repo: https://github.com/jenkinsci/favorite-plugin/ - commit: b6359532fe085d9ea6b7894e997e797806480777:master - description: "" - links: "https://jenkins.io/security/advisory/2017-06-06/,https://snyk.io/vuln/SNYK-JAVA-ORGJVNETHUDSONPLUGINS-32197" - - -- reference: CVE-2018-1259 - repo: https://github.com/SvenEwald/xmlbeam/ - commit: f8e943f44961c14cf1316deb56280f7878702ee1:master - description: "" - links: "https://pivotal.io/security/cve-2018-1259,https://snyk.io/vuln/SNYK-JAVA-ORGXMLBEAM-31677" - - -- reference: CVE-2016-2175 - repo: https://github.com/apache/pdfbox - commit: 6f4a1fa0cd894ba3bbbe4a97ce11e23ec64f0d3a:1.8 - description: "" - links: "" - - -- reference: CVE-2018-18389 - repo: https://github.com/neo4j/neo4j/ - commit: 46de5d01ae2741ffe04c36270fc62c6d490f65c9:master - description: "" - links: "https://github.com/neo4j/neo4j/issues/12047,https://snyk.io/vuln/SNYK-JAVA-ORGNEO4J-72466" - - -- reference: CVE-2016-2162 - repo: https://github.com/apache/struts - commit: fc2179cf1ac9fbfb61e3430fa88b641d87253327:master - description: "" - links: "" - - -- reference: CVE-2011-4461-JETTY - repo: https://github.com/eclipse/jetty.project - commit: 979d6dbbf9416b1a0ad965e2b8a3b11a2d208627:master,d0b81a185c260ffceecb9d7470b3ddfbfeda4c11:master - description: "Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. 
(see https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638)" - links: "https://nvd.nist.gov/vuln/detail/CVE-2011-4461" - - -- reference: CVE-2012-4534 - repo: http://svn.apache.org/repos/asf/tomcat/tc7.0.x - commit: 1340218:trunk - description: "" - links: "" - - -- reference: CVE-2017-15694 - repo: https://github.com/apache/geode/ - commit: ed28310be814268fca72e92ebe5dd16e2f54da9a:master,4c2f9e85406cc8ce9b5da71f0231b9a4901f8e2c:master,702eb206886203c55722335c7d66fbc6604fbe22:master,320b191c8286bb52be9cf93ccdbacd3e0a9981df:master,b8d26b158cabf91983e40e72221ab135143a26e0:master - description: "" - links: "https://issues.apache.org/jira/browse/GEODE-3981,https://lists.apache.org/thread.html/311505e7b7a045aaa246f0a1935703acacf41b954621b1363c40bf6f@%3Cuser.geode.apache.org%3E" - - -- reference: CVE-2019-11272 - repo: https://github.com/spring-projects/spring-security/ - commit: b2d4fec3617c497c5a8eb9c7e5270e0c7db293ee:master - description: "PlaintextPasswordEncoder authenticates encoded passwords that are null Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”. Affected Pivotal Products and Versions - Spring Security 4.2 to 4.2.12 - Older unsupported versions are also affected - Note that Spring Security 5+ is not impacted by this vulnerability. Mitigation Users of affected versions should apply the following mitigation: - 4.2.x users should upgrade to 4.2.13 - Older versions should upgrade to a supported branch There are no other mitigation steps necessary. 
" - links: "https://github.com/spring-projects/spring-security/issues/7023,https://pivotal.io/security/cve-2019-11272" - - -- reference: CVE-2019-10856 - repo: https://github.com/jupyter/notebook/ - commit: 979e0bd15e794ceb00cc63737fcd5fd9addc4a99:master - description: "" - links: "https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4" - - -- reference: CVE-2014-0099 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1578812:trunk,1578814:trunk,1580473:trunk - description: "" - links: "" - - -- reference: CVE-2018-1000125 - repo: https://github.com/inversoft/prime-jwt - commit: 0d94dcef0133d699f21d217e922564adbb83a227:master - description: "" - links: "" - - -- reference: CVE-2019-1003019 - repo: https://github.com/jenkinsci/github-oauth-plugin/ - commit: 3fcc367022c58486e5f52def3edbac92ed258ba4:master - description: "An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003019,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797" - - -- reference: CVE-2019-0187 - repo: https://github.com/apache/jmeter/ - commit: a82907030db158e00d681dc5f5330085951535f3:master - description: "Overview org.apache.jmeter:ApacheJMeter_core is an Open Source application designed to load test applications and measure performance. Affected versions of this package are vulnerable to Remote Code Execution when JMeter is used in distributed mode. An attacker could establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Remediation Upgrade org.apache.jmeter:ApacheJMeter_core to version 5.0.1 or higher. 
" - links: "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E,https://bz.apache.org/bugzilla/show_bug.cgi?id=62743,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEJMETER-173753" - - -- reference: CVE-2018-1000159 - repo: https://github.com/tomato42/tlslite-ng - commit: 3674815d1b0f7484454995e2737a352e0a6a93d8:master - description: "" - links: "https://github.com/tomato42/tlslite-ng/pull/234" - - -- reference: CVE-2018-12022 - repo: https://github.com/FasterXML/jackson-databind/ - commit: 28badf7ef60ac3e7ef151cd8e8ec010b8479226:2.7.9,7487cf7eb14be2f65a1eb108e8629c07ef45e0a:2.8.11 - description: "Block polymorphic deserialization of types from Jodd-db library. description : There is a potential remote code execution (RCE) vulnerability, if user is 1. handling untrusted content (where attacker can craft JSON), 2. using \"Default Typing\" feature (or equivalent; polymorphic value with base type of java.lang.Object 3. has jodd-db (https://jodd.org/db/) jar in classpath 4. allows connections from service to untrusted hosts (where attacker can run an LDAP service). (note: steps 1 and 2 are common steps as explained in https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062). To solve the issue, one type from Jodd database component is blacklisted to avoid their use as \"serialization gadgets\"." - links: "https://github.com/FasterXML/jackson-databind/issues/2052,https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8" - - -- reference: CVE-2012-0213 - repo: https://github.com/apache/poi - commit: c702bc5ce58f9f11f408c7568cc96382c76641ef:trunk - description: "" - links: "" - - -- reference: CVE-2016-8739 - repo: https://github.com/apache/cxf - commit: 8e4970d9:3.0.x:3.0.x,d9e2a6e7:master,9deb2d17:3.1.x:3.1.x - description: "Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE. 
This vulnerability affects all versions of Apache CXF prior to 3.0.12, 3.1.9. CXF 3.0.x users should upgrade to 3.0.12 or later as soon as possible. CXF 3.1.x users should upgrade to 3.1.9 or later as soon as possible." - links: "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc" - - -- reference: CVE-2016-5641 - repo: https://github.com/swagger-api/swagger-codegen - commit: 9ee10e23977b39f4ad21445316f07271b01e02f1:master,37e1de6d725bf5c3b9c7464f6ddc4a097513a112:master,cee45bc9aa0296b35170cb10b5132491c5dbdc88:master,07a852fe78ae71261f617200459e2cdf6529068f:master,56b2b4f2ebecf788fb30d385b3a91e8e1a72296d:master,90857e898884238d61dbfbd3ede5c7cc57de483f:master,a71c0726099daf8e7b5fe8ed1cef1ec2e03b57c7:master,c5724a46d6cbbed03d292a361b3a0d07d1a64dae:master,cb53ea114ace2e0346a96c00d9403b990a6d4f5f:master - description: "Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. This is achieved by the fact that some parsers/generators trust insufficiently sanitized parameters within a Swagger document to generate a client code base. " - links: "https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641" - - -- reference: CVE-2018-1274 - repo: https://github.com/spring-projects/spring-data-commons/ - commit: 371f6590c509c72f8e600f3d05e110941607fba:1.13.x,3d8576fe4e4e71c23b9e6796b32fd56e51182ee:2.0.x - description: "Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption). 
Affected : Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10), Spring Data REST 2.6 to 2.6.10 (Ingalls SR10), Spring Data Commons 2.0 to 2.0.5 (Kay SR5), Spring Data REST 3.0 to 3.0.5 (Kay SR5),Older unsupported versions are also affected" - links: "https://pivotal.io/security/cve-2018-1274" - - -- reference: CVE-2013-5960 - repo: https://github.com/ESAPI/esapi-java-legacy - commit: b7cbc53f9cc967cf1a5a9463d8c6fef9ed6ef4f7:master - description: "" - links: "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin1.docx,https://github.com/esapi/esapi-java-legacy/issues/306" - - -- reference: CVE-2018-1062 - repo: https://gerrit.ovirt.org/ovirt-engine.git - commit: d0e33ace71b7603450fc1aa7725f53dbc545831:ovirt-engine-4.1,820888c4e8dfbe79dc55e1ba8e72edb0ebd8890:master - description: "" - links: "" - - -- reference: CVE-2016-3720 - repo: https://github.com/FasterXML/jackson-dataformat-xml - commit: f0f19a4c924d9db9a1e2830434061c8640092cc0:master - description: "" - links: "" - - -- reference: CVE-2018-1000068 - repo: https://github.com/jenkinsci/jenkins - commit: 8830d68f5fe21f344be3496984bc4470bfcd0564:master - description: "" - links: "" - - -- reference: CVE-2019-1003038 - repo: https://github.com/jenkinsci/repository-connector-plugin/ - commit: 9288f0427ef25ec2c62d1c28f5a5c21a3cdd4a7a:master - description: "An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003038,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-958" - - -- reference: CVE-2018-11797 - repo: https://github.com/apache/pdfbox/ - commit: a6deb9d7ffec79986cac82345db724b343ca3e5:2.0.12,4fa98533358c106522cd1bfe4cd9be2532af852:trunk,f7dc8eed7df007c88421919932e2d4de44d2ae2:1.8.16 - description: "" - links: "https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a@%3Cannounce.apache.org%3E,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEPDFBOX-72426,https://www.apache.org/dist/pdfbox/1.8.16/RELEASE-NOTES.txt,https://www.apache.org/dist/pdfbox/2.0.12/RELEASE-NOTES.txt" - - -- reference: CVE-2018-8041 - repo: https://github.com/apache/camel/ - commit: 4580e4d6c65cfd544c1791c824b5819477c583c:master,63c7c080de4d18f9ceb25843508710df2c2c6d4:2.20.4,4f401c09d22c45c94fa97746dc31905e06b19e3:2.21.2,a0d25d9582c6ee85e9567fa39413df0b4f02ef7:2.22.1 - description: "" - links: "http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1&modificationDate=1536746339000&api=v2,https://issues.apache.org/jira/browse/CAMEL-12630,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECAMEL-72377" - - -- reference: CVE-2015-5262 - repo: https://github.com/apache/httpcomponents-client - commit: d954cd287dfcdad8f153e61181e20d253175ca8c:4.3.x,6705924879810f617a7a21d34f16b6c0d61e8d34:4.3.x,09027e7286974bf6b61f4106395da2623121db8d:trunk - description: "" - links: "" - - -- reference: CVE-2017-11427-PY3 - repo: https://github.com/onelogin/python3-saml/ - commit: 349757d98f0b7feaee867826a0782df4307fc32e:master - description: "Affected versions of this package are vulnerable to Authentication Bypass. It incorrectly utilizes the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers." 
- links: "https://snyk.io/vuln/SNYK-PYTHON-PYTHON3SAML-40775" - - -- reference: DJANGO-REST-6330 - repo: https://github.com/encode/django-rest-framework/ - commit: 4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8:master - description: "XSS caused by disabled autoescaping in the default DRF Browsable API view templates" - links: "https://github.com/encode/django-rest-framework/pull/6330" - - -- reference: CVE-2016-4977 - repo: https://github.com/spring-projects/spring-security-oauth.git - commit: fff77d3fea477b566bcacfbfc95f85821a2bdc2d:master - description: "When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type." - links: "https://pivotal.io/security/cve-2016-4977" - - -- reference: CVE-2010-2227 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 958911:trunk,959428:trunk,962871:trunk,958977:trunk - description: "" - links: "" - - -- reference: CVE-2019-1003012 - repo: https://github.com/jenkinsci/blueocean-plugin/ - commit: 1a03020b5a50c1e3f47d4b0902ec7fc78d3c86ce:master - description: "A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API." 
- links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003012,https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201" - - -- reference: CVE-2013-5855 - repo: https://github.com/javaserverfaces/mojarra - commit: 3d476326c7ff32fe17357ac44a7fe194874df246:master,9827e56928abd657a7e7887f7e82ac9bc8a9c10b:master - description: "" - links: "" - - -- reference: CVE-2018-12541 - repo: https://github.com/eclipse-vertx/vert.x/ - commit: 269a583330695d1418a4f5578f7169350b2e1332:master - description: "" - links: "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539170,https://github.com/eclipse-vertx/vert.x/issues/2648,https://snyk.io/vuln/SNYK-JAVA-IOVERTX-72443" - - -- reference: CVE-2017-16615 - repo: https://github.com/thanethomson/MLAlchemy - commit: bc795757febdcce430d89f9d08f75c32d6989d3c:master - description: "" - links: "" - - -- reference: CVE-2014-0095 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1578392:trunk - description: "" - links: "" - - -- reference: S2-043 - repo: https://github.com/apache/struts - commit: ba0563183b128dcef88b469f46e528a12e0179e7:master - description: "Usage of the Config Browser in a production environment can lead to exposing vunerable information of the application. Please read out Security guideline and restrict access to the Config Browwser or do not use in a production environment!" 
- links: "https://cwiki.apache.org/confluence/display/WW/S2-043" - - -- reference: CVE-2018-12540 - repo: https://github.com/vert-x3/vertx-web/ - commit: f42b193b15a29b772fc576b2d0f2497e7474a7e:3.5.3,98891b1d9e022b467a3e4674aca4d1889849b1d:master - description: "" - links: "https://snyk.io/vuln/SNYK-JAVA-IOVERTX-72441,https://github.com/vert-x3/vertx-web/issues/970" - -- reference: CVE-2018-19586 - repo: https://github.com/Silverpeas/Silverpeas-Core/ - commit: 3ca3103ebc0813a3b2b4bcb89ca12f5257696e2:master,817f3c7ea3895aececff1e2e3bd3bb9f9564d04:5.15 - description: "Directory Traversal org.silverpeas.core:silverpeas-core-web is a WEB platform that improves the collaboration between the actors of a company or organization. Affected versions of this package are vulnerable to Directory Traversal. The vulnerability can be triggered during file uploads due to core/webapi/upload/FileUploadData.java mishandling a StringUtil.java call. This vulnerability enables regular users to write arbitrary files on the underlying system with privileges of the user running the application. Specifically, an attacker may leverage the vulnerability to write an executable JSP file in an exposed web directory to execute commands on the underlying system. 
" - links: "https://github.com/Silverpeas/Silverpeas-Core/blob/d8c3bbb0695a4907db013401bd16c6527e2b4f41/core-web/src/main/java/org/silverpeas/core/webapi/upload/FileUploadData.java#L89,https://github.com/Silverpeas/Silverpeas-Core/pull/949,https://github.com/Silverpeas/Silverpeas-Core/pull/950,https://www.bishopfox.com/news/2019/01/silverpeas-5-15-to-6-0-2-path-traversal/" - - -- reference: CVE-2011-5063 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1158180:trunk,1087655:trunk,1159309:trunk - description: "" - links: "" - - -- reference: CVE-2018-20222 - repo: https://github.com/airsonic/airsonic/ - commit: 1a88f46c18066f61e11c6a95dccd3801ec4aec55:master - description: "" - links: "https://github.com/airsonic/airsonic/blob/master/CHANGELOG.md,https://github.com/airsonic/airsonic/releases/tag/v10.2.1" - - -- reference: CVE-2015-0225 - repo: https://github.com/apache/cassandra - commit: c041ea8b3748089937168839791a6d64382b34de:master - description: "" - links: "" - - -- reference: SCRAPY-3415 - repo: https://github.com/scrapy/scrapy/ - commit: 8a58d2305f42474e5b054f1b7f13043a7afd9ab6:master - description: "Telnet console extension can be easily exploited by rogue websites POSTing content to http://localhost:6023, we haven't found a way to exploit it from Scrapy, but it is very easy to trick a browser to do so and elevates the risk for local development environment. 
Remediation: upgrade to scrapy 1.5.2" - links: "https://doc.scrapy.org/en/latest/news.html#scrapy-1-5-2-2019-01-22,https://github.com/scrapy/scrapy/commit/1b50b694dcf3183cc8bf670489dc262655a323f0,https://github.com/scrapy/scrapy/pull/3415" - - -- reference: CVE-2015-8213 - repo: https://github.com/django/django/ - commit: 9f83fc2f66f5a0bac7c291aec55df66050bb699:1.8.x,8a01c6b53169ee079cb21ac5919fdafcc8c5e17:1.7.x - description: "" - links: "https://docs.djangoproject.com/en/2.1/releases/security/,https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/" - - -- reference: CVE-2014-3612 - repo: https://github.com/apache/activemq - commit: 0b5231ada5ce365b41832ba8752ee210145d1cbe:master - description: "The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames. (see https://issues.apache.org/jira/browse/AMQ-5345)" - links: "" - - -- reference: CVE-2017-9787 - repo: https://github.com/apache/struts.git - commit: 0d6442bab5b44d93c4c2e63c5335f0a331333b9:STRUTS_2_5_x,086b63735527d4bb0c1dd0d86a7c0374b825ff2:STRUTS_2_3_x - description: "When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack when user was properly authenticated. Affected Software Struts 2.3.7 - Struts 2.3.32, Struts 2.5 - Struts 2.5.10.1. Upgrade to Apache Struts version 2.5.12 or 2.3.33." - links: "http://struts.apache.org/docs/s2-049.html" - - -- reference: CVE-2019-7537 - repo: https://github.com/pytroll/donfig/ - commit: 1f9dbf83b17419a06d63c14ef3fbd29dbc1b8ce5:master - description: "An issue was discovered in Donfig 0.3.0. 
There is a vulnerability in the collect_yaml method in config_obj.py. It can execute arbitrary Python commands, resulting in command execution." - links: "https://github.com/pytroll/donfig/issues/5" - - -- reference: CVE-2018-17297 - repo: https://github.com/looly/hutool/ - commit: fed1a1f747a9308e2f65f8dbbff05ce62478ecc0:master,8d7d0b7fb5ea4f7447b40131bffc1ec506a6528e:master,9f8a801c7b98b75ee681c0988e1a58bcfdc21756:master - description: "" - links: "https://github.com/looly/hutool/issues/162,https://snyk.io/vuln/SNYK-JAVA-CNHUTOOL-72401" - - -- reference: CVE-2017-8039 - repo: https://github.com/spring-projects/spring-webflow.git - commit: df0ea:2_4_6,084b4:2_5_x,ed5e8:2_4_6 - description: "" - links: "" - - -- reference: CVE-2016-1000342 - repo: https://github.com/bcgit/bc-java - commit: 843c2e60f67d71faf81d236f448ebbe56c62c647:master - description: "ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of invisible data into a signed structure." - links: "https://www.bouncycastle.org/releasenotes.html" - - -- reference: CVE-2013-6430 - repo: https://github.com/spring-projects/spring-framework.git - commit: 7a7df6637478607bef0277bf52a4e0a03e20a248:master - description: "The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in an XSS vulnerability." 
- links: "http://pivotal.io/security/cve-2013-6430" - - -- reference: CVE-2019-0199 - repo: https://github.com/apache/tomcat/ - commit: 1f80116084f7db68a34258e7702d47327d53516:8.5.x,cd9b2fbc54243b77d4dd93306298ecf0804e682:8.5.x,19bebdecbd82a3fce3187a14e0ac417ce8d9b60:8.5.x,c38033338a5d145630275ff91fef04c7dfd7807:9.0.x,2c5939e1db671c5087fc32c2472b453e3b13d78:8.5.x,2207733b82d85e354fa1a6fd114dae665816fdf:9.0.x,c16d9d810a1f64cd768ff33058936cf8907e311:9.0.x,738eef58a30f6d3ec9c9de707ba6491904fa579:8.5.x,f9d8c2591f86090e5141f73833407f7ebdffef2:9.0.x,65f4b6d18159b0d3368c42d68763769dfbcb385:8.5.x,96f351883cdc6a20919d4b98964f101d67e92aa:9.0.x,b711cf5b8841e5d239717850d1d6d3cad2382a6:9.0.x,69c57c8c5f7336b3ffefcc88fd49b51b8f5f4bf:8.5.x,4424600f427ba94058113537023c77953fcfb54:9.0.x - description: "The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. 
Affects: 8.5.0 to 8.5.37 Affects: 9.0.0.M1 to 9.0.14 " - links: "https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3E,https://nvd.nist.gov/vuln/detail/CVE-2019-0199,https://tomcat.apache.org/security-8.html,https://tomcat.apache.org/security-9.html" - - -- reference: CVE-2012-3506 - repo: https://github.com/apache/ofbiz - commit: 4cf0a9f20b37f977a4338ae0ccac9e8980ee1943:release12.04,da0345fe45eece674698be4bde272b467b1a473d:release10.04,5caeb525634157e10bde176f33afc60bbe3e9ef0:trunk,1dcaab7f58c3f639c9e94b77861cb8f80c546b3c:release11.04 - description: "" - links: "" - - -- reference: CVE-2017-7233 - repo: https://github.com/django/django - commit: 8339277518c7d8ec280070a780915304654e3b6:1.8,97e77b7bc14eafda704a01881cb2a3dc164947b:1.11,5ea48a70afac5e5684b504f09286e7defdd1a81a:master,254326cb3682389f55f886804d2c43f7b9f23e4:1.9,f824655bc2c50b19d2f202d7640785caabc8278:1.10 - description: "" - links: "" - - -- reference: CVE-2018-1000865 - repo: https://github.com/jenkinsci/groovy-sandbox/ - commit: 0cd7ec12b7c56cfa3167d99c5f43147ce05449d3:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000865,https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186,https://snyk.io/vuln/SNYK-JAVA-ORGKOHSUKE-72667" - - -- reference: CVE-2013-4221 - repo: https://github.com/restlet/restlet-framework-java/ - commit: b85c2ef182c69c5e2e21df008ccb249ccf80c7b:2.1,c3015e4783c2a36e7528aa611c911b7d8c4ec5b:2.0,12cc79b3953c7bd276e9f1cae2fbfdb9c1a6f07:2.4 - description: "" - links: "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html,https://github.com/restlet/restlet-framework-java/issues/774,https://snyk.io/vuln/SNYK-JAVA-ORGRESTLET-72458" - - -- reference: CVE-2016-6802 - repo: https://github.com/apache/shiro - commit: b15ab927709ca18ea4a02538be01919a19ab65af:master - description: "" - links: "" - - -- reference: CVE-2018-20060 - repo: 
https://github.com/urllib3/urllib3/ - commit: 48dba048081dfcb999afcda715d17147aa15b6ea:master,2a42e70ff077006d5a6da92251ddbb2939303f94:master,6245ddddb7f80740c5c15e1750e5b9f68c5b2b5f:master,9c9dd6f3014e89bb9c532b641abcf1b24c3896ab:master,f99912beeaf230ee3634b938d3ea426ffd1f3e57:master,3d7f98b07b6e6e04c2e89cdf5afb18024a2d804c:master,63948f3a607ed8e7a3ce9ac4e20782359896e27e:master,3b5f27449e153ad05186beca8fbd9b134936fe50:master,560bd227b90f74417ffaedebf5f8d05a8ee4f532:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1649153,https://github.com/urllib3/urllib3/issues/1316,https://github.com/urllib3/urllib3/pull/1346,https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-72681" - - -- reference: CVE-2008-6879 - repo: http://svn.apache.org/repos/asf/roller - commit: 668737:trunk - description: "" - links: "" - - -- reference: CVE-2019-1003028 - repo: https://github.com/jenkinsci/jms-messaging-plugin - commit: be87ad81c8b3aac6486ca787e3953c8fb6271997:master - description: "org.jenkins-ci.plugins:jms-messaging provides the following functionality: - A build trigger to submit jenkins jobs upon receipt of a matching message. - A build and post-build step that may be used to submit a message to the topic upon the completion of a job. - A build step to wait for a specific message. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint. Remediation Upgrade org.jenkins-ci.plugins:jms-messaging to version 1.1.2 or higher." 
- links: "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1033,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-173718" - - -- reference: CVE-2019-12300 - repo: https://github.com/buildbot/buildbot/ - commit: e1dcfce4388bfb153428fb4078b70a7ac96fd5b:master,51339c9e29850094d8b213d9a6eb4bee8e02563:2.3.1,dd55146b73ed82814bf9fd85d847937b4f3b778:1.8.2 - description: "" - links: "https://github.com/buildbot/buildbot/pull/4763/files,https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication" - - -- reference: CVE-2009-3555 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 904851:trunk,881774:trunk,891292:trunk,882320:trunk - description: "" - links: "" - - -- reference: CVE-2014-3488 - repo: https://github.com/netty/netty - commit: 2fa9400a59d0563a66908aba55c41e7285a04994:master - description: "" - links: "" - - -- reference: CVE-2016-1181 - repo: https://github.com/kawasima/struts1-forever - commit: eda3a79907ed8fcb0387a0496d0cb14332f250e8:master - description: "" - links: "" - - -- reference: CVE-2012-1621 - repo: https://github.com/apache/ofbiz - commit: ea604f84e4a21fe081d66bbdab454b1e8a7d09b3:release10.04 - description: "" - links: "" - - -- reference: CVE-2016-2174 - repo: https://github.com/apache/ranger - commit: 8618870d1b4acfae4114dd247a362cfa8493ab9:0.5,da3a3233d5679284142eb2887c91a754a0da70b:master - description: "" - links: "" - - -- reference: CVE-2011-3376 - repo: http://svn.apache.org/repos/asf/tomcat/tc7.0.x - commit: 1176588:trunk - description: "" - links: "" - - -- reference: CVE-2019-12387 - repo: https://github.com/twisted/twisted/ - commit: 6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2:master - description: "" - links: "https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html,https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html" - - -- reference: CVE-2017-14696 - repo: https://github.com/saltstack/salt/ - commit: 
5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b:master - description: "" - links: "https://docs.saltstack.com/en/latest/topics/releases/2016.11.8.html,https://www.cvedetails.com/cve/CVE-2017-14696/" - - -- reference: CVE-2018-1000850 - repo: https://github.com/square/retrofit/ - commit: b9a7f6ad72073ddd40254c0058710e87a073047d:master - description: "" - links: "https://ihacktoprotect.com/post/retrofit-path-traversal/,https://snyk.io/vuln/SNYK-JAVA-COMSQUAREUPRETROFIT2-72720" - - -- reference: CVE-2018-8010 - repo: https://github.com/apache/lucene-solr - commit: 6c4e45e28494d4d4d04fb89852d18c86fa3d5f8:7.3.1,4ba409e0ff3dc38aad88f7b7ad69a76325272b8:6.6.4,96f079b4b47eaadff65c7aaf0e5bafe68e30ec3:7.4,6d082d5743dee7e08a86b3f2ef03bc025112512:6.x,1b760114216fcdfae138a8b37f183a9293c4911:master - description: "" - links: "https://exchange.xforce.ibmcloud.com/vulnerabilities/143557,https://issues.apache.org/jira/browse/SOLR-12316,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESOLR-32298" - - -- reference: CVE-2018-19443 - repo: https://github.com/tryton/tryton/ - commit: 8f682ef5ef477fe32dad02bcfdbe4beb6e22c96:5.0.1,f75818a834c98ff364354fbee65ae568a845b6a:dev - description: "" - links: "https://bugs.tryton.org/issue7792,https://discuss.tryton.org/t/security-release-for-issue7792/830,https://snyk.io/vuln/SNYK-PYTHON-TRYTON-72631" - - -- reference: CVE-2018-1320 - repo: https://github.com/apache/thrift/ - commit: d973409661f820d80d72c0034d06a12348c8705e:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320,https://issues.apache.org/jira/browse/THRIFT-4506,https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E" - - -- reference: CVE-2018-20245 - repo: https://github.com/apache/airflow/ - commit: 66d0d05ea0802aec407e0ef5435a962080db0926:master - description: "" - links: 
"https://github.com/apache/airflow/pull/4006,https://issues.apache.org/jira/browse/AIRFLOW-3164,https://lists.apache.org/thread.html/b549c7573b342a6e457e5a3225c33054244343927bbfb2a4cdc4cf73@%3Cdev.airflow.apache.org%3E,https://snyk.io/vuln/SNYK-PYTHON-APACHEAIRFLOW-73597" - - -- reference: CVE-2015-6644 - repo: https://github.com/bcgit/bc-java - commit: 25aca54734b861ef109ac4943c4a5f98c0c1b885:master,9bc10bbaa9620d691c58e2b37f31f0d31ceea61f:master,2d80e6cc6f5b78e159dba3277414e3bfea511dea:master,874bab94a5baf426545948116cabe6f4ae338c20:master - description: "" - links: "" - - -- reference: CVE-2017-1000487 - repo: https://github.com/codehaus-plexus/plexus-utils/ - commit: b38a1b3a4352303e4312b2bb601a0d7ec6e28f41:master - description: "" - links: "https://vulners.com/cve/CVE-2017-1000487" - - -- reference: CVE-2008-1728 - repo: https://github.com/igniterealtime/Openfire - commit: c9cd1e521673ef0cccb8795b78d3cbaefb8a576a:master - description: "" - links: "" - - -- reference: CVE-2015-2944 - repo: https://github.com/apache/sling-old-svn-mirror - commit: d2ba859e23e219446cdaba4a908c730e28c44959:trunk,add3a9a751f65308d7b1cf18c4d56b9e5dde5e4c:trunk,db1ccbd029e9620c12534deb6d0314738f323c66:trunk - description: "" - links: "" - - -- reference: CVE-2017-12791 - repo: https://github.com/saltstack/salt - commit: 6366e05d0d70bd709cc4233c3faf32a759d0173a:master - description: "" - links: "" - - -- reference: CVE-2017-15719 - repo: https://github.com/sebfz1/wicket-jquery-ui - commit: 936c12a2db262cf471c781f0d3c0d0ad61c35c7:8.0.0-M8.1,3e8cfdcb0f8e6e0cf0da01e74501afb5c9bff0f:6.28.1,82d81bf704bef90b42f62aecbcc7e8c460814b6:8.0.0-M8.1,cc75fdc3e610985a5f391789d33fb70c8c9114d:7.9.2,6f33727a1b4aa27d58d672a96154d9061db43fa:6.28.1,9f082950a276c8948a4078c2438e284a948ba15:7.9.2,8aebe1e49a71f10cdd6a073fd09d0d8d82352a0:7.9.2,fa0ce80f8e92c28c801773ed7c28621ae98e872:6.28.1,42294cc890536459b13cf16844cd65cccf66578:8.0.0-M8.1 - description: "" - links: "" - - -- reference: CVE-2017-1000242 - repo: 
https://github.com/jenkinsci/git-client-plugin/ - commit: 75ea3fe05650fc6ca09046a72493e2b3f066fb98:master - description: "" - links: "https://jenkins.io/security/advisory/2017-04-27/,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32198" - - -- reference: CVE-2015-5170 - repo: https://github.com/cloudfoundry/uaa - commit: a54f3fb8225ef7d5021ca7d4fb52bef1e884568e:master - description: "CSRF Attack on PWS. It is possible to log the user into another account instead of the account they intended to log into because of the lack of CSRF checks." - links: "https://www.cloudfoundry.org/cve-2015-5170-5173/" - - -- reference: CVE-2016-8749 - repo: https://github.com/apache/camel.git - commit: 02270ab9c90ac0d59b85dbd59fb9c1007eb44a1:camel-2.19,7567488f844f01d72840f7ab6ca18114a11f20d:camel-2.19,c93a87c36aa4d14ad6f7ee1df9507fa2ca1fd91:camel-2.17.x,10f552643d7e4565104d142bbc160db5a30f9f7:camel-2.17.x,ccf149c76bf37adc5977dc626e141a14e60b5ae:camel-2.16.x,5ae9c0dcc4843347cd01ffb58ce5dd0687755a1:camel-2.17.x,235036d2396ae45b6809b72a1983dee33b5ba32:camel-2.16.x,2b0e96117d6f01eba0c18e2ff8df6a438e81972:camel-2.19,881e5099f94316d4a66ffbff0a3e6915829d49d:camel-2.19,57d01e2fc8923263df896e9810329ee5b7f9b69:camel-2.16.x,af3f54de35a90a5a49a4af4622e8bd1011bf5ec:camel-2.19,d4102512147eca2af21c3b6ed63a67d852f4e66:camel-2.17.x - description: "Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks." 
- links: "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2" - - -- reference: CVE-2018-7536 - repo: https://github.com/django/django/ - commit: 8618271caa0b09daba39ff3b46567d33ae1e1d3:master,e157315da3ae7005fa0683ffc9751dbeca7306c:2.0,abf89d729f210c692a50e0ad3f75fb6bec6fae1:1.1,1ca63a66ef3163149ad822701273e8a1844192c:1.8 - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-DJANGO-40778,https://www.djangoproject.com/weblog/2018/mar/06/security-releases/" - - -- reference: CVE-2019-1003027 - repo: https://github.com/jenkinsci/octopusdeploy-plugin/ - commit: 40e04160ac77190a51c8e2c3164a0151441efdf4:master - description: "SSRF vulnerability due to missing permission check in OctopusDeploy Plugin A missing permission check in a form validation method in OctopusDeploy Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP HEAD request to an attacker-specified URL, returning HTTP response code if successful, or exception error message otherwise. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. This form validation method now requires POST requests and performs a permission check. Affected Versions OctopusDeploy Plugin up to and including 1.8.1 Fix OctopusDeploy Plugin should be updated to version 1.9.0" - links: "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817,https://snyk.io/vuln/SNYK-JAVA-HUDSONPLUGINSOCTOPUSDEPLOY-173717" - - -- reference: CVE-2018-1256 - repo: https://github.com/pivotal-cf/spring-cloud-sso-connector/ - commit: ef647a2acf2363c6018e8543d665ac8862593372:master - description: "Issuer validation regression in Spring Cloud SSO Connector. description: Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. 
In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan. Affected Pivotal Products and Versions: Spring Cloud SSO Connector version 2.1.2. Mitigation: Use Spring Cloud SSO Connector: 2.1.3 Or alternatively, you can perform one of the following workarounds: Bind your resource server to the SSO service plan via a service instance binding; Set sso.connector.cloud.available=true within your Spring application properties" - links: "https://pivotal.io/security/cve-2018-1256" - - -- reference: CVE-2018-17193 - repo: https://github.com/apache/nifi/ - commit: e62aa0252dfcf34dff0c3a9c51265b1d0f9dfc9f:master - description: "" - links: "https://issues.apache.org/jira/browse/NIFI-5442,https://nifi.apache.org/security.html#CVE-2018-17193,https://snyk.io/vuln/SNYK-JAVA-ORGAPACHENIFI-72713" - - -- reference: CVE-2013-7398 - repo: https://github.com/AsyncHttpClient/async-http-client - commit: a894583921c11c3b01f160ada36a8bb9d5158e9:1.9.x,3c9152e2c75f7e8b654beec40383748a14c6b51b:master - description: "" - links: "" - - -- reference: CVE-2018-16165 - repo: https://github.com/JPCERTCC/LogonTracer/ - commit: 2bb79861dbaf7e8a9646fcd70359523fdb464d9c:master - description: "" - links: "https://jvn.jp/en/vu/JVNVU98026636/index.html" - - -- reference: CVE-2018-16406 - repo: https://github.com/mayan-edms/mayan-edms/ - commit: 48dfc06e49c7f773749e063f8cc69c95509d1c32:master - description: "" - links: "https://gitlab.com/mayan-edms/mayan-edms/issues/495,https://snyk.io/vuln/SNYK-PYTHON-MAYANEDMS-72285" - - -- reference: CVE-2015-1427 - repo: https://github.com/elastic/elasticsearch.git - commit: 764fda6420a0aa10db4abef15429b5e77b9be8bf:master,4e952b2d75de6ca4caf4b6743462714f3b60d07f:1.4.x,69735b0f4ab9ad7df4b82e8c917589b52cb9978c:1.3.x - description: "" - links: "" - - -- reference: CVE-2018-1000149 - repo: 
https://github.com/jenkinsci/ansible-plugin/ - commit: 06d30e5b626a978e258a7f4ab473cd7f53a7cba7:master - description: "" - links: "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630,https://snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-32216" - - -- reference: CVE-2017-9803 - repo: https://github.com/apache/lucene-solr - commit: b091934f9e98568b848d0584a1145c8e514cbd21:master - description: "" - links: "" - - -- reference: CVE-2019-10326 - repo: https://github.com/jenkinsci/warnings-ng-plugin/ - commit: 38e5354161733ef9e458b44ad08676d79640fa36:master - description: "" - links: "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1391" - - -- reference: CVE-2018-1999044 - repo: https://github.com/jenkinsci/jenkins - commit: e5046911c57e60a1d6d8aca9b21bd9093b0f3763:master - description: "" - links: "" - - -- reference: CVE-2019-10305 - repo: https://github.com/jenkinsci/xldeploy-plugin/ - commit: 764d328974bb9f6e9619c2315304ec907a6bc5ac:master - description: "" - links: "https://github.com/jenkinsci/xldeploy-plugin/pull/61,https://jenkins.io/security/advisory/2019-04-17/#SECURITY-983" - - -- reference: CVE-2013-6429 - repo: https://github.com/spring-projects/spring-framework.git - commit: 7387cb990e35b0f1b573faf29d4f9ae183d7a5e:3_2_x,2ae6a6a3415eebc57babcb9d3e5505887eda6d8:4_x - description: "" - links: "" - - -- reference: CVE-2017-13309 - repo: https://github.com/google/conscrypt/ - commit: e56958e7dea05c1784317f139e2216e2e707d391:master - description: "SSLEngine bug with multiple heap buffer inputs. When the SSLEngine overload that accepts an array of ByteBuffers iscalled with heap buffers for both the source and destination, those heap buffers are converted to direct buffers for passing to JNI by way of copying them to a single temporary direct buffer. 
A bug in the reading of the encrypted data out of BoringSSL resulted in the data being placed at the wrong offset of the temporary buffer, meaning that the output data was prefixed in the worst case by the plaintext." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13309,https://github.com/google/conscrypt/pull/485" - - -- reference: CVE-2019-0231 - repo: https://github.com/apache/mina/ - commit: 73e881ad935e5aa6080b90585ac8dc8ddfc377e:2.1.1,294b8ce638df6e237e819537b333e02853bb612:2.0.21 - description: "MINA SSLFilter security Issue description: Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear-text messages which were supposed to be encrypted. This security issue is fixed by Apache MINA 2.0.21 or Apache MINA 2.1.1. Please migrate to those new versions." - links: "https://bugzilla.redhat.com/show_bug.cgi?id=1700016,https://www.openwall.com/lists/oss-security/2019/04/14/1" - - -- reference: CVE-2018-19787 - repo: https://github.com/lxml/lxml/ - commit: 6be1d081b49c97cfd7b3fbd934a193b668629109:master - description: "" - links: "https://snyk.io/vuln/SNYK-PYTHON-LXML-72651" - - -- reference: CVE-2012-0392 - repo: https://github.com/apache/struts - commit: 34c80dae734e70f13c0e46f9c83602fb71318e58:master - description: "" - links: "" - - -- reference: CVE-2015-5175 - repo: https://github.com/apache/cxf-fediz.git - commit: 90c898335786211d253c0503453e2f8b93e0d3fe:master,f65c961ea31e3c1851daba8e7e49fc37bbf77b19:master - description: "" - links: "" - - -- reference: CVE-2016-6795 - repo: https://github.com/apache/struts - commit: 8e67b9144aa643769b261e2492cb561e04d016ab:master,030ffa33543f8953306ed0c0dc815c7fb74d7129:master - description: "It is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. 
Upgrade to Apache Struts version 2.3.31 when you are using Struts 2.3.20 - 2.3.30 with the Convention plugin." - links: "https://cwiki.apache.org/confluence/display/WW/S2-042" - - -- reference: CVE-2019-1003047 - repo: https://github.com/jenkinsci/fortify-on-demand-uploader-plugin/ - commit: e555f8d62ef793ce221f471d7172cad847fb9252:master - description: "SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin SECURITY-992 / CVE-2019-1003046 (CSRF) and CVE-2019-1003047 (missing permission check) A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation methods did not require POST requests, resulting in a CSRF vulnerability. The form validation methods now require POST requests and perform a permission check" - links: "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-992" - - -- reference: CVE-2014-0035 - repo: https://github.com/apache/cxf - commit: 5df3f72f1a26b7c9ac2888ab65e41f4105706580:trunk - description: "" - links: "" - - -- reference: CVE-2019-10308 - repo: https://github.com/jenkinsci/analysis-core-plugin/ - commit: 3d7a0c7907d831c58541508b893dcea2039809c5:master - description: "CSRF vulnerability and missing permission check allowed changing default graph configuration in Static Analysis Utilities Plugin SECURITY-1100 / CVE-2019-10307 (CSRF) and CVE-2019-10308 (permission check) Static Analysis Utilities Plugin has the capability to allow other plugins to display trend graphs for their static analysis results. Static Analysis Utilities Plugin provides the configuration form for the default settings of each graph. The configuration form and form submission handler did not perform a permission check, allowing attackers with Job/Read access to change the per-job graph configuration defaults for all users. 
Additionally, the form submission handler did not require POST requests, resulting in a cross-site request forgery vulnerability. Static Analysis Utilities Plugin now requires Job/Configure permission and POST requests to configure the per-job graph defaults for all users." - links: "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1100" - - -- reference: CVE-2013-4444 - repo: http://svn.apache.org/repos/asf/tomcat/tc7.0.x - commit: 1470437:trunk - description: "" - links: "" - - -- reference: DJANGO-30307 - repo: https://github.com/django/django/ - commit: 1279fb4a00c23ab0b9aeff8dd205661d4e9a811:2.2.x,755673e1bca7edb6bee7a958f40d9ae54d85d44:master - description: "dbshell doesn't pass password properly on Oracle 18c. description The oracle backend client erroneously backslash escapes the password field passed to the sqlplus binary when trying to execute runshell. ​https://github.com/django/django/commit/acfc650f2a6e4a79e80237eabfa923ea3a05d709#diff-54b46d05e1da568b3cc987c423e00c50R197 has the PR and line that introduced this issue. Expectation: ./manage.py dbshell opens an interactive shell when an Oracle database is configured. Actual behavior: ./manage.py dbshell fails to login yielding error ORA-01017: invalid username/password; logon denied. Additionally it will print the arguments passed to the sqlplus binary to standard error and reveal the password has unexpected backslash characters in it. " - links: "https://code.djangoproject.com/ticket/30307,https://docs.djangoproject.com/en/2.2/releases/2.2.1/" - - -- reference: CVE-2015-3208 - repo: https://github.com/apache/activemq-artemis - commit: 48d9951d879e0c8cbb59d4b64ab59d53ef88310d:master - description: "" - links: "" - - -- reference: DJOSER-001 - repo: https://github.com/sunscrapers/djoser/ - commit: 73b84926d9566df12d48245b06c5d5c986bbb272:master - description: "djoser is a REST implementation of Django authentication system. 
Affected versions of this package are vulnerable to Authentication Bypass. A malicious user could update other user info with user token due to a lack of permission check. Remediation Upgrade djoser to version 1.3.2 or higher. " - links: "https://github.com/sunscrapers/djoser/issues/303,https://snyk.io/vuln/SNYK-PYTHON-DJOSER-72874" - - -- reference: CVE-2019-2435 - repo: https://github.com/mysql/mysql-connector-python/ - commit: 069bc6737dd13b7f3a41d7fc23b789b659d8e20:8.0.14 - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2435" - - -- reference: CVE-2017-14063 - repo: https://github.com/AsyncHttpClient/async-http-client - commit: eb9e3347e45319be494db24d285a2aee4396f5d3:master - description: "" - links: "" - - -- reference: CVE-2017-15717 - repo: https://github.com/apache/sling-org-apache-sling-xss - commit: ec6764d165abc4df8cffd8439761bb2228887db9:master - description: "" - links: "" - - -- reference: CVE-2019-10135 - repo: https://github.com/containerbuildsystem/osbs-client/ - commit: dee8ff1ea3a17bc93ead059b9567ae0ff965592c:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10135,https://github.com/containerbuildsystem/osbs-client/pull/865,https://src.fedoraproject.org/rpms/osbs-client/c/d9795c0c8ea320096aa9a0ac410dc0d165103b0a?branch=f30" - - -- reference: CVE-2019-10333 - repo: https://github.com/jenkinsci/electricflow-plugin/ - commit: 0a934493290773a953fa7b29c19b555971b1144b:master - description: "" - links: "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1410%20(2)" - - -- reference: CVE-2018-12691 - repo: https://github.com/opennetworkinglab/onos/ - commit: 4b931a988e2f6b547769ba70c815aaea4fe6b5d0:master - description: "Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection." 
- links: "https://snyk.io/vuln/SNYK-JAVA-ORGONOSPROJECT-32423,https://wiki.onosproject.org/display/ONOS/Security+advisories" - - -- reference: CVE-2019-0213 - repo: https://github.com/apache/archiva/ - commit: a36035b49ba7d6514d6c386b51e1ad2512371b3d:master - description: "Apache Archiva XSS may be stored in central UI configuration It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised. Versions Affected: All versions before 2.2.4 Mitigation: Upgrade to Archiva 2.2.4 or higher Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users are assigned to admin role. " - links: "http://archiva.apache.org/security.html#CVE-2019-0213,https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E" - - -- reference: CVE-2017-5643 - repo: https://github.com/apache/camel.git - commit: 87c92b7b38890c217bc76f2c55036e6a5cca9a0:2.18,9f7376abbff7434794f2c7c2909e02bac232fb5:2.18,ec3d0db81ba061b27e934d5ff56e9baca0049eb:2.18,2c6964ae94d8f9a9c9a32e5ae5a0b794e8b8d3b:2.17,8afc5d1757795fde715902067360af5d90f046d:2.19 - description: "The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources. Versions Affected: Camel 2.17.0 to 2.17.5, Camel 2.18.0 to 2.18.2 The unsupported Camel 2.x (2.16 and earlier) versions may be also affected. Mitigation: 2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3. 
" - links: "http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2" - - -- reference: CVE-2019-1003084 - repo: https://github.com/jenkinsci/zephyr-enterprise-test-management-plugin/ - commit: a2a698660c12d78e06f78c813c3ff10b4c30db16:master - description: "" - links: "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-993" - - -- reference: CVE-2011-5062 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1158180:trunk,1087655:trunk,1159309:trunk - description: "" - links: "" - - -- reference: CVE-2016-6497 - repo: http://svn.apache.org/repos/asf/directory/sandbox/szoerner/groovyldap/src/main/java/org/apache/directory/groovyldap - commit: 1765362:master - description: "" - links: "" - - -- reference: CVE-2019-10906 - repo: https://github.com/pallets/jinja/ - commit: a2a6c930bcca591a25d2b316fcfd2d6793897b26:master - description: "Affected versions of this package are vulnerable to Sandbox Escape via the str.format_map. Remediation Upgrade jinja2 to version 2.10.1 or higher." 
- links: "https://palletsprojects.com/blog/jinja-2-10-1-released/" - - -- reference: CVE-2019-9827 - repo: https://github.com/hawtio/hawtio/ - commit: e653dd5733859daf8061bd0cddca2c4c5dcba56e:master - description: "" - links: "https://www.ciphertechs.com/hawtio-advisory/" - - -- reference: CVE-2018-17201 - repo: https://github.com/apache/commons-imaging/ - commit: f5574bfe285edd79207fe8c30f53cb0af06e26bb:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17201,https://issues.apache.org/jira/browse/IMAGING-220,https://lists.apache.org/thread.html/48a64566999f44290e4fb3b0d2e9a0e1c996902db51258e7aff00dda@%3Cdev.commons.apache.org%3E,https://lists.apache.org/thread.html/cd37861963aa6d2694c8947d464c99614d3e1a9db6c1a2a8b7b5840a@%3Cdev.commons.apache.org%3E" - - -- reference: CVE-2015-1830 - repo: https://github.com/apache/activemq - commit: 729c4731574ffffaf58ebefdbaeb3bd19ed1c7b7:master,9fd5cb7dfe0fcc431f99d5e14206e0090e72f36b:master - description: "" - links: "" - - -- reference: CVE-2013-4310 - repo: https://github.com/apache/struts - commit: 0c8366cb792227d484b9ca13e537037dd0cb57dc:master - description: "" - links: "" - - -- reference: CVE-2019-10160 - repo: https://github.com/python/cpython/ - commit: 250b62acc59921d399f0db47db3b462cd6037e0:3.7,f61599b050c621386a3fc6bc480359e2d3bb93d:2.7,fd1771dbdd28709716bd531580c40ae5ed81446:3.6,8d0ef0b5edeae52960c7ed05ae8a12388324f87:3.8.0b1 - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160" - - -- reference: CVE-2014-7810 - repo: http://svn.apache.org/repos/asf/tomcat/tc8.0.x - commit: 1644018:trunk - description: "" - links: "" - - -- reference: CVE-2019-1003039 - repo: https://github.com/jenkinsci/appdynamics-plugin/ - commit: c5efd9d97babf05db31bfdbefc49c3c49b3c781f:master - description: "An insufficiently protected credentials vulnerability exists in JenkinsAppDynamics Dashboard Plugin 1.0.14 and earlier in 
src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission to obtain passwords configured in jobs to obtain them." - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003039,https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1087" - - -- reference: CVE-2016-0768 - repo: https://github.com/tada/pljava - commit: 675254b0f17b76f05e72cba2e3b8d3e548ae7a43:master - description: "" - links: "" - - -- reference: CVE-2017-7674 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1795814:master,1795816:trunk,1795815:trunk,1795813:trunk - description: "The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances." - links: "https://nvd.nist.gov/vuln/detail/CVE-2017-7674" - - -- reference: CVE-2011-3375 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 1185998:trunk,1176592:trunk - description: "" - links: "" - - -- reference: CVE-2018-18074 - repo: https://github.com/requests/requests/ - commit: c45d7c49ea75133e52ab22a8e9e13173938e36ff:master - description: "" - links: "https://github.com/requests/requests/issues/4716,https://github.com/requests/requests/pull/4718,https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-72435" - - -- reference: CVE-2007-0450 - repo: http://svn.apache.org/repos/asf/tomcat - commit: 506200:trunk - description: "" - links: "" - - -- reference: CVE-2013-2172 - repo: https://github.com/apache/santuario-java - commit: 8e8f8bf92a43608d7d5f9e357fae19244454a61f:1.5.x-fixes - description: "" - links: "" - - -- reference: CVE-2018-1000180 - repo: https://github.com/bcgit/bc-java/ - commit: 73780ac522b7795fc165630aba8d5f5729acc839:master,22467b6e8fe19717ecdf201c0cf91bacf04a55ad:master - description: "" - links: 
"https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32369,https://www.bouncycastle.org/jira/browse/BJA-694,https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iterations-for-mr-primality-test" - - -- reference: CVE-2014-1858 - repo: https://github.com/numpy/numpy - commit: 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15:master,961c43da78bf97ce63183b27c338db7ea77bed8:1.8.x - description: "" - links: "" - - -- reference: CVE-2012-3544 - repo: http://svn.apache.org/repos/asf/tomcat/tc6.0.x - commit: 1476592:trunk - description: "" - links: "" - - -- reference: CVE-2018-1000107 - repo: https://github.com/jenkinsci/ownership-plugin/ - commit: 42487df17cd272e504d3cd3e09abb4904f80dba2:master - description: "" - links: "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-498,https://nvd.nist.gov/vuln/detail/CVE-2018-1000107" - - -- reference: CVE-2018-1000408 - repo: https://github.com/jenkinsci/jenkins/ - commit: 01157a699f611ca7492e872103ac01526a982cf2:master - description: "" - links: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000408,https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1128" - - -- reference: CVE-2019-10325 - repo: https://github.com/jenkinsci/warnings-ng-plugin/ - commit: 0b0016b5f32547c4e2f722aeb2243b4ea2e3be8b:master - description: "" - links: "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1373" - - -- reference: CVE-2014-3578 - repo: https://github.com/spring-projects/spring-framework.git - commit: c6503ebbf7c9e21ff022c58706dbac5417b2b5eb:3.2.x,8e096aeef55287dc829484996c9330cf755891a1:master - description: "" - links: "" - - -- reference: CVE-2018-16859 - repo: https://github.com/ansible/ansible/ - commit: 8c1f701e6e9df29fe991f98265e2dd76acca4b8c:master - description: "" - links: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859,https://github.com/ansible/ansible/pull/49142,https://snyk.io/vuln/SNYK-PYTHON-ANSIBLE-72650" - - -- reference: CVE-2017-12616 - repo: 
http://svn.apache.org/repos/asf/tomcat
- commit: 1804729:trunk
- description: ""
- links: ""
-
-
-- reference: CVE-2013-6397
- repo: https://github.com/apache/lucene-solr
- commit: da34b18cb3092df4972e2b6fa5178d1059923910:master
- description: ""
- links: ""
-
-
-- reference: COLLECTIONS-580
- repo: https://github.com/apache/commons-collections
- commit: d9a00134f16d685bea11b2b12de824845e6473e3:COLLECTIONS_3_2_X,da1a5fe00d79e1840b7e52317933e9eb56e88246:trunk,e585cd0433ae4cfbc56e58572b9869bd0c86b611:trunk,bce4d022f27a723fa0e0b7484dcbf0afa2dd210a:COLLECTIONS_3_2_X,5ec476b0b756852db865b2e442180f091f8209ee:COLLECTIONS_3_2_X,1642b00d67b96de87cad44223efb9ab5b4fb7be5:COLLECTIONS_3_2_X,3eee44cf63b1ebb0da6925e98b3dcc6ef1e4d610:trunk
- description: "Arbitrary remote code execution with InvokerTransformer"
- links: "https://issues.apache.org/jira/browse/COLLECTIONS-580"
-
-
-- reference: CVE-2018-1000844
- repo: https://github.com/square/retrofit/
- commit: 97057aaae42e54bfbee8acfa8af7dcf37e812342:master
- description: ""
- links: "https://github.com/square/retrofit/pull/2735,https://snyk.io/vuln/SNYK-JAVA-COMSQUAREUPRETROFIT2-72719"
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/.helmignore b/kubernetes/helm/vulnerability-assessment-tool-admin/.helmignore
deleted file mode 100644
index dd449725e..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-admin/.helmignore
+++ /dev/null
@@ -1 +0,0 @@
-*.md
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/Chart.yaml
deleted file mode 100644
index 5e84719c0..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-admin/Chart.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -apiVersion: v1 -name: vulnerability-assessment-tool-admin -version: v0.1.1 - -kubeVersion: ">=v1.15.0" -description: Helm Chart for vulnerability-assessment-tool cluster admin services -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/README.md b/kubernetes/helm/vulnerability-assessment-tool-admin/README.md deleted file mode 100644 index 1c0398f7a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/README.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# Vulnerability-assessment-tool-admin chart - -## Introduction -Helm Chart for vulnerability-assessment-tool cluster admin services - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -# With helm 2 -# helm install { custom name } . -$ helm install admin-release . - -# With helm 3, you need to create the desired namespace before hand -$ kubectl create namespace { namespace } -$ kubectl install admin-release . -``` - -The command deploys the vulnerability-assessment-tool-admin subchart of the vulnerability assessment tool v0.1.0 -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete admin-release -``` - -## Configuration -The following table lists the configurable parameters of the vulnerability-assessment-tool-admin chart and their default values. - -| Parameter | Description | Default | -| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | -| global.namespace | destination namespace for chart | `vulnerability-assessment-tool-monitoring` | -| global.coreNamespace | core chart namespace | `vulnerability-assessment-tool-core` | -| global.env | label for deployment environment` | `TESTING` | | -| global.managedRelease | managed release name. 
This should correspond to the release name of the vulnerability-assessment-tool-core helm chart | `core-release` | -| global.subPath | subpath to serve from | `""` | -| global.ingressController.ports.http.port | | `80` | -| global.ingressController.ports.http.protocol | | `TCP` | -| global.ingressController.ports.http.targetPort | | `80` | -| global.ingressController.ports.https.port | | `433` | -| global.ingressController.ports.https.protocol | | `TCP` | -| global.ingressController.ports.https.targetPort | | `433` | -| global.ingressController.ports.metrics.port | | `10254` | -| global.ingressController.ports.metrics.protocol | | `TCP` | -| global.ingressController.ports.metrics.targetPort | | `10254` | - - -### NGINX-Ingress controller subchart values -The subchart values can be configured by modifying the values directly in the subdirectory (for more configuration detail see [here](charts/nginx-ingress/README.md)) or overridden in the vulnerability-assessment-tool-admin chart by prepending values with `nginx-ingress`. For example, to modify the `managedRelease` value, you can do; -``` -nginx-ingress: - managedRelease: "canary" -``` - -## Production configuration -Every subchart contains a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. Since helm does not yet support recursive values file name, the switch can be done with this command: - -```sh -# Backup default values.yaml file into values_simplified.yaml -for file in $(find . -mindepth 2 -type f -name "values.yaml"); do - new=$(echo $file | sed -e 's/values.yaml/values_simplified.yaml/') - mv "$file" "$new" -done - -# Rename values_production.yaml to values.yaml -for file in $(find . 
-mindepth 2 -type f -name "values_production.yaml"); do - new=$(echo $file | sed -e 's/values_production.yaml/values.yaml/') - mv "$file" "$new" -done -``` - -To revert this operation simply do: -```sh -# Rename values.yaml file into values_production.yaml -for file in $(find . -mindepth 2 -type f -name "values.yaml"); do - new=$(echo $file | sed -e 's/values.yaml/values_production.yaml/') - mv "$file" "$new" -done - -# Rename values_simplified.yaml to values.yaml -for file in $(find . -mindepth 2 -type f -name "values_simplified.yaml"); do - new=$(echo $file | sed -e 's/values_simplified.yaml/values.yaml/') - mv "$file" "$new" -done -``` diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/Chart.yaml deleted file mode 100644 index 219a120ca..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: v1 -appVersion: 0.25.0 -name: nginx-ingress -version: v0.1.1 - -kubeVersion: ">=v1.15.0" -description: Helm Chart for vulnerability-assessment-tool-admin nginx stack -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl -tillerVersion: v2.14.2 diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/README.md b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/README.md deleted file mode 100644 index 5ebc31b26..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/README.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Nginx-ingress: entrypoint for the vulnerability assessment tool chart - -> This chart is already included in the vulnerability-assessment-tool-admin chart - -This chart is a modified version of the stable nginx-ingress chart (see [chart-source](https://github.com/helm/charts/tree/master/stable/nginx-ingress)) with labeling scheme changes, some overall simplification, changing the google_containers/defaultbackend to an nginx container and made to serve only one release of the vulnerability-assessment-tool-core chart at a time (this restriction is soft and can be overcome simply by adding other ingresses). - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install { custom release name } . -``` - -The command deploys the nginx-ingress subchart of the vulnerability-assessment-tool-admin v0.1.0 -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete { custom release name } -``` - -## Configuration -The following table lists the configurable parameters of the nginx-ingress chart and their default values. 
As values in this chart are quite highly nested, this table is split into three parts for easy readability - -| Parameter | Description | Default | -| -------------- | ----------------------------------------------------------------------------------- | ------- | -| managedRelease | Sets the release name of the vulnerability assessment tool core chart to be managed | `alpha` | -| rbac.create | If set to True create the required rbac for the ingress controller to function | `True` | -| ssl.enabled | enables the reading the tls.crt and tls.key found in the files/ts | `False` | - -### .Values.defaultBackend -| Parameter | Description | Default | -| --- | --- | --- | -| enabled | bool to indicate whether or not to create default backend | `True` | -| replicas | Desired default proxy replicas | `1` | -| image.pullPolicy | This image is stable and quite simple so `IfNotPresent` is recommended | `IfNotPresent` | -| image.registry | | `{}` | -| image.name | | `nginx` | -| image.tag | | `1.17.4-alpine` | -| image.runAsUser | UID | `65534` | -| livenessProbe | | enabled: `True`
initialDelaySeconds: `2`
periodSeconds: `10`
timeoutSeconds: `3`
failureThreshold: `5` | -| readinessProbe | | enabled: `True`
initialDelaySeconds: `0`
periodSeconds: `5`
timeoutSeconds: `5`
failureThreshold: `6` | - - -### .Values.ingressController -| Parameter | Description | Default | -| --- | --- | --- | -| authIngress.enabled | enables basic auth ingress for `frontendbugs`, `kibana` as well as `prometheus` | `True` | -| authIngress.credentials.user | credentials are transfered in the clear if TLS is not instrumented due to NGINX's basic auth method | `vulas` | -| authIngress.credentials.password | | `changeme` | -| replicas | Desired nginx ingress controller deployment replicas | `2` | -| debugLevel | sets logging level for NGINX (*note*: access logs are disabled by default) | `error` | -| external | Creates a service for external LoadBalancers (should be compatible with all cloud providers) | `True` | -| electionID | Election ID to use for status update | `ingress-controller-leader` | -| ingressClass | Name of the ingress class to route through this controller | `nginx` | -| rbac | enables rbac | `True` | -| image.pullPolicy | Image maintained by kubernetes so `IfNotPresent` is the recommended pull policy | `IfNotPresent` | -| image.registry | | `quay.io` | -| image.name | | `kubernetes-ingress-controller/nginx-ingress-controller` | -| image.tag | image tag | `0.25.0` | -| image.allowPrivilegeEscalation | | `True` | -| livenessProbe | | enabled: `True`
initialDelaySeconds: `15`
periodSeconds: `10`
timeoutSeconds: `5`
failureThreshold: `10`
successThreshold: `1` | -| readinessProbe | | enabled: `True`
initialDelaySeconds: `10`
periodSeconds: `60`
timeoutSeconds: `5`
failureThreshold: `10`
successThreshold: `2`
path: `healthz` | - -Specify each parameter using the --set key=value\[,key=value\] argument to helm install. For example, -```sh -$ helm install { custom release name } \ - --set ingressController.replicas=5 . -``` -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, -```sh -$ helm install { custom release name } -f values.yaml . -``` - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -### .Values.defaultBackend -| Parameter | Description | Default | -| --- | --- | --- | -| selfAntiAffinity | Makes defaultBackend's avoid sharing nodes with each other. Overkill, so can be disabled with `{}` | soft: `True`
weight: `100` | -| podDisruptionBudget.minAvailable | ensure availability during disruption | `1` | -| image.resources | These containers are not meant to be on high loads (serving only for redirects and static json for alerts) | requests:
 memory:`50Mi`
 cpu: `100m`
limit:
 memory: `50Mi`
 cpu: `100m` | - - -### .Values.ingressController -| Parameter | Description | Default | -| --- | --- | --- | -| selfAntiAffinity | Makes avoid sharing nodes with each other | soft: `True`
weight: `100` | -| podDisruptionBudget.minAvailable | ensure availability during disruption | `1` | -| persistentVolume.storage | storage size for PVC, useful for caching | `1Gi` | -| persistentVolume.storageG | storage size for PVC in NGINX compatible unit | `1g` | -| persistentVolume.mountPath | PVC mountpath | `/tmp/nginx-cache/` | -| persistentVolume.cache.enabled | Sets up the controller to serve static cache | `True` | - -### SSL certificate -In order to serve securely, one can generate a tls key pair and add them in the `charts/nginx-ingress/files/tls` directory (the key file as `tls.crt` and `tls.key`, see [tls secret docs](https://kubernetes.io/docs/concepts/services-networking/ingress/)) and enable them with `ssl.enabled=True`. It is highly recommended to serve the vulnerability-assessment-tool with https. diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/files/tls/.gitkeep b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/files/tls/.gitkeep deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/_getters.tpl deleted file mode 100644 index 246ccc273..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/_getters.tpl +++ /dev/null 
@@ -1,153 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - nginx-ingress.name : Gets name of current component - contexts: [ . ] - usage: {{ include "nginx-ingress.name" . }} -*/}} -{{- define "nginx-ingress.name" -}} -{{ .Release.Name }}-{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - nginx-ingress.chart : Create chart name and version as used by the chart label. - contexts: [ . ] - usage: {{ include "nginx-ingress.chart" . }} -*/}} -{{- define "nginx-ingress.chart" -}} -{{- printf "%s-%s-%s" .Chart.Name .Values.app.name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - nginx-ingress.tls.secretName : tls secret name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.tls.secretName" . }} -*/}} -{{- define "nginx-ingress.tls.secretName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-tls-secret" $name -}} -{{- end -}} - -{{/* - nginx-ingress.clusterRoleName : cluster role name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.clusterRoleName" . }} -*/}} -{{- define "nginx-ingress.clusterRoleName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-%s-ingress-controller" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - nginx-ingress.clusterRoleBindingName : cluster role name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.clusterRoleBindingName" . }} -*/}} -{{- define "nginx-ingress.clusterRoleBindingName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-%s-ingress-controller" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - nginx-ingress.roleName : role name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.roleName" . }} -*/}} -{{- define "nginx-ingress.roleName" -}} -{{- $name := include "nginx-ingress.name" . 
-}} -{{- printf "%s-%s-%s-scoped-ingress-controller" .Values.global.projectName .Values.global.namespace $name -}} -{{- end -}} - -{{/* - nginx-ingress.roleBindingName : role binding name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.roleBindingName" . }} -*/}} -{{- define "nginx-ingress.roleBindingName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-%s-%s-scoped-ingress-controller" .Values.global.projectName .Values.global.namespace $name -}} -{{- end -}} - -{{/* - nginx-ingress.redis.ingressName : ingress name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.redis.ingressName" . }} -*/}} -{{- define "nginx-ingress.redis.ingressName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "00-%s-redis-ingress" $name -}} -{{- end -}} - -{{/* - nginx-ingress.main.ingressName : ingress name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.main.ingressName" . }} -*/}} -{{- define "nginx-ingress.main.ingressName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "01-%s-main-ingress" $name -}} -{{- end -}} - -{{/* - nginx-ingress.auth.ingressName : ingress name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.auth.ingressName" . }} -*/}} -{{- define "nginx-ingress.auth.ingressName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "02-%s-auth-ingress" $name -}} -{{- end -}} - -{{/* - nginx-ingress.redirect.ingressName : redirection ingress name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.redirect.ingressName " . }} -*/}} -{{- define "nginx-ingress.redirect.ingressName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "07-%s-redirect-ingress" $name -}} -{{- end -}} - -{{/* - nginx-ingress.serviceAccountName : service account name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.serviceAccountName" . }} -*/}} -{{- define "nginx-ingress.serviceAccountName" -}} -{{- $name := include "nginx-ingress.name" . 
-}} -{{- printf "%s-ingress-controller" $name -}} -{{- end -}} - -{{/* - nginx-ingress.pvName : pv name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.pvName" . }} -*/}} -{{- define "nginx-ingress.pvName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-persistent-volume" $name -}} -{{- end -}} - -{{/* - nginx-ingress.pvcName : pvc name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.pvcName" . }} -*/}} -{{- define "nginx-ingress.pvcName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-persistent-volume-claim" $name -}} -{{- end -}} - -{{/* - nginx-ingress.redirect.serviceName : redirection service name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.redirect.serviceName " . }} -*/}} -{{- define "nginx-ingress.redirect.serviceName" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-redirect-service" $name -}} -{{- end -}} - - - - -{{/*---------------------------- Global Templates ---------------------------*/}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/authIngress.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/authIngress.yaml deleted file mode 100644 index 9b6963aee..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/authIngress.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- if .Values.ingressController.authIngress }} -{{- if .Values.ingressController.authIngress.enabled }} -apiVersion: extensions/v1beta1 -kind: Ingress - -metadata: - name: {{ template "nginx-ingress.auth.ingressName" . }} - namespace: {{ .Values.global.coreNamespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - - annotations: - kubernetes.io/ingress.class: {{ .Values.ingressController.ingressClass }} - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: {{ .Values.global.namespace }}/auth-secret - nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' - {{- $subPath := .Values.global.subPath }} - - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite ^{{ $subPath }}/(.*)$ /$1 break; -spec: - rules: - - http: - paths: - - path: {{ $subPath }}/bugs/ - backend: - serviceName: {{ .Values.global.managedRelease }}-frontend-bugs - servicePort: 8080 -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/coreIngress.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/coreIngress.yaml deleted file mode 100644 index b6d0bc25f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/coreIngress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress - -metadata: - name: {{ include "nginx-ingress.main.ingressName" . }} - namespace: {{ .Values.global.coreNamespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - - annotations: - kubernetes.io/ingress.class: {{ .Values.ingressController.ingressClass }} - - nginx.ingress.kubernetes.io/proxy-buffering: "on" - {{- $subPath := .Values.global.subPath }} - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite ^{{ $subPath }}/(.*)$ /$1 break; - - {{- with .Values.ingressController }} - {{- if .persistentVolume }} - {{- if .persistentVolume.cache }} - {{- if .persistentVolume.cache.enabled }} - nginx.ingress.kubernetes.io/server-snippet: | - aio threads; - proxy_cache_key "$request_method$host$request_uri$http_x_vulas_space"; - proxy_cache STATIC; - add_header X-Cache-Date $upstream_http_date; - add_header X-Proxy-Cache $upstream_cache_status; - {{- end }} - {{- end }} - {{- end }} - {{- end }} - -spec: - rules: - - http: - paths: - {{ $release := .Values.global.managedRelease }} - - path: {{ $subPath }}/apps/ - backend: - serviceName: {{ $release }}-frontend-apps - servicePort: 8080 - - path: {{ $subPath }}/backend/ - backend: - serviceName: {{ $release }}-restbackend - servicePort: 8091 - - path: /backend/ - backend: - serviceName: {{ $release }}-restbackend - servicePort: 8091 - - path: {{ $subPath }}/cia/ - backend: - serviceName: {{ $release }}-restlibutils - servicePort: 8092 - - path: /cia/ - backend: - serviceName: {{ $release }}-restlibutils - servicePort: 8092 - {{- if or (not .Values.ingressController.authIngress) (not .Values.ingressController.authIngress.enabled) }} - - path: {{ $subPath }}/bugs/ - backend: - serviceName: {{ $release }}-frontend-bugs - servicePort: 8080 - {{- end }} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/_getters.tpl
deleted file mode 100644
index 0b6f33770..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/_getters.tpl
+++ /dev/null
@@ -1,71 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - nginx-ingress.defaultBackend.name : Gets name of current component - contexts: [ . ] - usage: {{ include "nginx-ingress.name" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.name" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-default-backend" $name -}} -{{- end -}} - -{{/* - nginx-ingress.defaultBackend.deploymentName : deploymentName getter - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.deploymentName" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.deploymentName" -}} -{{- $name := include "nginx-ingress.defaultBackend.name" . -}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - -{{/* - nginx-ingress.defaultBackend.podName : pod name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.podName" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.podName" -}} -{{- $name := include "nginx-ingress.defaultBackend.name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - nginx-ingress.defaultBackend.mountedConfigMapName : mounted configmap name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.mountedConfigMapName" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.mountedConfigMapName" -}} -{{- $name := include "nginx-ingress.defaultBackend.name" . -}} -{{- printf "%s-mounted-config" $name -}} -{{- end -}} - - -{{/* - nginx-ingress.defaultBackend.ingressName : ingress name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.ingressName" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.ingressName" -}} -{{- $name := include "nginx-ingress.defaultBackend.name" . -}} -{{- printf "06-%s-ingress" $name -}} -{{- end -}} - -{{/* - nginx-ingress.defaultBackend.podDisruptionBudgetName : pod name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.podDisruptionBudgetName" . 
}} -*/}} -{{- define "nginx-ingress.defaultBackend.podDisruptionBudgetName" -}} -{{- $name := include "nginx-ingress.defaultBackend.name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - proxy.defaultBackend.serviceName : defaultBackend service name getter - contexts: [ .global ] - usage: {{ include "proxy.defaultBackend.serviceName" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.serviceName" -}} -{{ .Release.Name }}-default-backend -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/_labels.tpl deleted file mode 100644 index d12d5aa46..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/_labels.tpl +++ /dev/null 
@@ -1,30 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - nginx-ingress.defaultBackend.enrichedLabels : generic for apps labels - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.enrichedLabels" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.enrichedLabels" -}} -{{ include "commonLabels" . }} -{{ include "nginx-ingress.defaultBackend.serviceLabel" . }} -{{- end -}} - -{{/* - nginx-ingress.defaultBackend.serviceLabels : defaultBackend service label - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.serviceLabels" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "nginx-ingress.defaultBackend.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - nginx-ingress.defaultBackend.serviceLabel : defaultBackend service label - contexts: [ . ] - usage: {{ include "nginx-ingress.defaultBackend.serviceLabel" . }} -*/}} -{{- define "nginx-ingress.defaultBackend.serviceLabel" -}} -{{ .Values.global.projectName }}.admin/service: {{ .Release.Name }}-default-backend -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/deployment.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/deployment.yaml deleted file mode 100644 index 7e16ddffd..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/deployment.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.defaultBackend.enabled }} -apiVersion: apps/v1 -kind: Deployment - -metadata: - name: {{ template "nginx-ingress.defaultBackend.deploymentName" . }} - namespace: {{ .Values.global.coreNamespace }} - labels: - {{- include "nginx-ingress.defaultBackend.enrichedLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.defaultBackend.replicas }} - - selector: - matchLabels: - app.kubernetes.io/instance: {{ template "nginx-ingress.defaultBackend.podName" . }} - {{- include "nginx-ingress.defaultBackend.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - app.kubernetes.io/instance: {{ template "nginx-ingress.defaultBackend.podName" . }} - {{- include "nginx-ingress.defaultBackend.enrichedLabels" . | nindent 8 }} - annotations: - checksum/defaultbackend-config: {{ include (print $.Template.BasePath "/default-backend/mountedConfigMap.yaml") . | sha256sum }} - - spec: - automountServiceAccountToken: false - containers: - - name: {{ template "nginx-ingress.defaultBackend.name" . 
}}-container - image: {{ template "containerName" .Values.defaultBackend.image }} - imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} - ports: - - name: http - containerPort: 8080 - - {{- if and .Values.defaultBackend.livenessProbe .Values.defaultBackend.livenessProbe.enabled }} - {{- with .Values.defaultBackend.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - tcpSocket: - port: http - {{- end }} - {{- end }} - {{- if and .Values.defaultBackend.readinessProbe .Values.defaultBackend.readinessProbe.enabled }} - {{- with .Values.defaultBackend.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /healthz - port: http - scheme: HTTP - {{- end }} - {{- end }} - - volumeMounts: - - name: {{ template "nginx-ingress.defaultBackend.mountedConfigMapName" . }} - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: {{ template "nginx-ingress.defaultBackend.mountedConfigMapName" . }} - mountPath: /usr/share/nginx/html/alerts/browser.json - subPath: browser.json - resources: - {{- toYaml .Values.defaultBackend.image.resources | nindent 12 }} - - volumes: - - name: {{ template "nginx-ingress.defaultBackend.mountedConfigMapName" . }} - configMap: - name: {{ template "nginx-ingress.defaultBackend.mountedConfigMapName" . 
}} - {{- if .Values.defaultBackend.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.defaultBackend.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- end }} - - weight: {{ .Values.defaultBackend.selfAntiAffinity.weight }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "nginx-ingress.defaultBackend.podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/mountedConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/mountedConfigMap.yaml deleted file mode 100644 index 4fe4686ec..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/mountedConfigMap.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{- if .Values.defaultBackend.enabled }} -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "nginx-ingress.defaultBackend.mountedConfigMapName" . }} - namespace: {{ .Values.global.coreNamespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - nginx.conf: |- - user nginx; - worker_processes 1; - - error_log /var/log/nginx/error.log warn; - pid /var/run/nginx.pid; - - events { - worker_connections 1024; - } - - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - access_log off; - sendfile on; - keepalive_timeout 65; - server { - listen 8080; - server_name localhost; - access_log off; - - location = /healthz { - return 200; - } - - location ~ ^/$ { - return 301 https://eclipse.github.io/steady; - } - - location / { - root /usr/share/nginx/html; - } - } - } - - browser.json: |- - [ - { - "text": "05 Jun 2019 – Placeholder", - "type": "Success", - "active": false - }, - ] - -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/podDisruptionBudget.yaml deleted file mode 100644 index b0edc56d6..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/podDisruptionBudget.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- if .Values.defaultBackend.enabled -}} -{{- if and .Values.defaultBackend.replicas (ge (int .Values.defaultBackend.replicas) 2) -}} -{{- if .Values.defaultBackend.podDisruptionBudget -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "nginx-ingress.defaultBackend.podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{ toYaml .Values.defaultBackend.podDisruptionBudget }} - selector: - matchLabels: - {{- include "nginx-ingress.defaultBackend.enrichedLabels" . | nindent 6 }} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/service.yaml deleted file mode 100644 index 29c8febc3..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/default-backend/service.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.defaultBackend.enabled }} -apiVersion: v1 -kind: Service - -metadata: - name: {{ include "nginx-ingress.defaultBackend.serviceName" . }} - namespace: {{ .Values.global.coreNamespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "nginx-ingress.defaultBackend.serviceLabels" . | nindent 4 }} - - ports: - - name: "container" - port: 8080 - targetPort: 8080 - protocol: TCP -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/defaultIngress.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/defaultIngress.yaml deleted file mode 100644 index fb6af2e45..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/defaultIngress.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress - -metadata: - name: {{ include "nginx-ingress.defaultBackend.ingressName" . }} - namespace: {{ .Values.global.coreNamespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - - annotations: - kubernetes.io/ingress.class: {{ .Values.ingressController.ingressClass }} - -spec: - rules: - - http: - paths: - - path: / - backend: - serviceName: {{ include "nginx-ingress.defaultBackend.serviceName" . }} - servicePort: 8080 diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/_getters.tpl deleted file mode 100644 index f5d36762d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/_getters.tpl +++ /dev/null 
@@ -1,50 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - nginx-ingress.ingressController.name : Gets name of current component - contexts: [ . ] - usage: {{ include "nginx-ingress.ingressController.name" . }} -*/}} -{{- define "nginx-ingress.ingressController.name" -}} -{{- $name := include "nginx-ingress.name" . -}} -{{- printf "%s-controller" $name -}} -{{- end -}} - -{{/* - nginx-ingress.ingressController.deploymentName : deploymentName getter - contexts: [ . ] - usage: {{ include "nginx-ingress.ingressController.deploymentName" . }} -*/}} -{{- define "nginx-ingress.ingressController.deploymentName" -}} -{{- $name := include "nginx-ingress.ingressController.name" . -}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - -{{/* - nginx-ingress.ingressController.podName : pod name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.ingressController.podName" . }} -*/}} -{{- define "nginx-ingress.ingressController.podName" -}} -{{- $name := include "nginx-ingress.ingressController.name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - nginx-ingress.ingressController.podDisruptionBudgetName : pod name getter - contexts: [ . ] - usage: {{ include "nginx-ingress.ingressController.podDisruptionBudgetName" . }} -*/}} -{{- define "nginx-ingress.ingressController.podDisruptionBudgetName" -}} -{{- $name := include "nginx-ingress.ingressController.name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - nginx-ingress.ingressController.serviceName : ingressController service name getter - contexts: [ .global ] - usage: {{ include "nginx-ingress.ingressController.serviceName" . }} -*/}} -{{- define "nginx-ingress.ingressController.serviceName" -}} -{{ .Release.Name }}-lb-service -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/_labels.tpl deleted file mode 100644 index a5704aa2d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/_labels.tpl +++ /dev/null @@ -1,30 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - nginx-ingress.ingressController.enrichedLabels : generic for apps labels - contexts: [ . ] - usage: {{ include "nginx-ingress.ingressController.enrichedLabels" . }} -*/}} -{{- define "nginx-ingress.ingressController.enrichedLabels" -}} -{{ include "commonLabels" . }} -{{ include "nginx-ingress.ingressController.serviceLabel" . }} -{{- end -}} - -{{/* - nginx-ingress.ingressController.serviceLabels : ingressController service label - contexts: [ . ] - usage: {{ include "nginx-ingress.ingressController.serviceLabels" . }} -*/}} -{{- define "nginx-ingress.ingressController.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "nginx-ingress.ingressController.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - nginx-ingress.ingressController.serviceLabel : ingressController service label - contexts: [ . ] - usage: {{ include "nginx-ingress.ingressController.serviceLabel" . }} -*/}} -{{- define "nginx-ingress.ingressController.serviceLabel" -}} -{{ .Values.global.projectName }}.admin/service: {{ .Release.Name }}-ingress-controller-service -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/clusterRole.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/clusterRole.yaml deleted file mode 100644 index 529902e44..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/clusterRole.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole - -metadata: - name: {{ template "clusterRoleName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - - apiGroups: - - "" - resources: - - namespaces - resourceNames: - - "{{ .Values.global.coreNamespace }}" - - "{{ .Values.global.namespace }}" - verbs: - - get - - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - update - - watch - - - apiGroups: - - extensions - - "networking.k8s.io" # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - - apiGroups: - - extensions - - "networking.k8s.io" # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/clusterRoleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/clusterRoleBinding.yaml deleted file mode 100644 index 44b719fd9..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/clusterRoleBinding.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding - -metadata: - name: {{ template "clusterRoleBindingName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -roleRef: - name: {{ template "clusterRoleName" . }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - -subjects: - - kind: ServiceAccount - name: {{ template "serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/configMap.yaml deleted file mode 100644 index ac0a92907..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/configMap.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - ssl-redirect: "false" - {{- if .Values.ingressController.debugLevel }} - error-log-level: "{{ .Values.ingressController.debugLevel }}" - {{- end }} - upstream-keepalive-timeout: "300" - upstream-keepalive-requests: "100000" - max-worker-connections: "100000" - client-body-buffer-size: "128k" - client-header-buffer-size: "1m" - large-client-header-buffers: "4 4k" - proxy-body-size: "100000M" - proxy-read-timeout: "3600" - proxy-send-timeout: "3600" - disable-access-log: "true" - enable-owasp-modsecurity-crs: "true" - - http-snippet: | - {{- with .Values.ingressController }} - {{- if .persistentVolume }} - {{- if .persistentVolume.cache }} - {{- if .persistentVolume.cache.enabled }} - proxy_cache_path {{ .persistentVolume.mountPath }} levels=1:2 keys_zone=STATIC:20m max_size={{ .persistentVolume.storageG }} inactive=10d use_temp_path=off; - {{ else }} - proxy_cache_path /tmp/nginx-cache" levels=1:2 keys_zone=STATIC:20m max_size={{ .persistentVolume.storageG }} inactive=10d use_temp_path=off; - {{- end }} - {{- end }} - {{- end }} - {{- end }} - # proxy_cache_methods GET POST; diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/deployment.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/deployment.yaml deleted file mode 100644 index 635d29234..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/deployment.yaml +++ /dev/null 
@@ -1,175 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment - -metadata: - name: {{ template "nginx-ingress.ingressController.deploymentName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "nginx-ingress.ingressController.enrichedLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.ingressController.replicas }} - revisionHistoryLimit: 5 - minReadySeconds: 0 - strategy: - {{- toYaml .Values.ingressController.updateStrategy | nindent 4 }} - - selector: - matchLabels: - app.kubernetes.io/instance: {{ template "nginx-ingress.ingressController.podName" . }} - {{- include "nginx-ingress.ingressController.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - app.kubernetes.io/instance: {{ template "nginx-ingress.ingressController.podName" . }} - {{- include "nginx-ingress.ingressController.enrichedLabels" . | nindent 8 }} - {{- if .Values.metrics.enabled }} - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "10254" - {{- end }} - spec: - dnsPolicy: ClusterFirst - hostNetwork: false - - serviceAccountName: {{ template "serviceAccountName" . }} - terminationGracePeriodSeconds: 10 - - containers: - - name: {{ template "nginx-ingress.ingressController.name" . }}-container - image: {{ template "containerName" .Values.ingressController.image }} - imagePullPolicy: {{ .Values.ingressController.image.pullPolicy }} - args: - - /nginx-ingress-controller - - --default-backend-service={{ if .Values.defaultBackend.enabled }}{{ .Values.global.coreNamespace }}/{{ template "nginx-ingress.defaultBackend.serviceName" . }}{{ else }}{{ printf " " }}{{ end }} - - --publish-service={{ .Values.global.namespace }}/{{ if .Values.ingressController.external }}{{ template "nginx-ingress.ingressController.serviceName" . 
}}{{ else }}{{ printf "" }}{{ end }} - - --election-id={{ .Values.ingressController.electionID }} - - --ingress-class={{ .Values.ingressController.ingressClass }} - - --configmap={{ .Values.global.namespace }}/{{ template "configMapName" . }} - {{- if .Values.ssl.enabled }} - - --default-ssl-certificate={{ .Values.global.namespace }}/{{ template "nginx-ingress.tls.secretName" . }} - - --enable-ssl-chain-completion=true - {{- end }} - - --metrics-per-host=true - - {{- if .Values.ingressController.persistentVolume }} - {{- if .Values.ingressController.persistentVolume.nfs }} - lifecycle: - postStart: - exec: - command: - - /bin/sh - - -c - - . /vulas/nginx-init.sh - {{- end }} - {{- end }} - - ports: - {{- range $key, $value := .Values.global.ingressController.ports }} - - name: {{ $key }} - containerPort: {{ $value.targetPort }} - protocol: {{ $value.protocol }} - {{- end }} - - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - resources: - {{- toYaml .Values.ingressController.image.resources | nindent 12 }} - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - {{- if .Values.ingressController.image.runAsUser }} - runAsUser: {{ .Values.ingressController.image.runAsUser }} - {{- end }} - {{- if .Values.ingressController.image.allowPrivilegeEscalation }} - allowPrivilegeEscalation: {{ .Values.ingressController.image.allowPrivilegeEscalation }} - {{- end }} - readOnlyRootFilesystem: false - {{- if and .Values.ingressController.livenessProbe .Values.ingressController.livenessProbe.enabled }} - {{- with .Values.ingressController.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - successThreshold: {{ .successThreshold }} - tcpSocket: - port: metrics - {{- end }} - {{- end }} - {{- if and 
.Values.ingressController.readinessProbe .Values.ingressController.readinessProbe.enabled }} - {{- with .Values.ingressController.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - successThreshold: {{ .successThreshold }} - httpGet: - path: {{ .path }} - port: metrics - {{- end }} - {{- end }} - - volumeMounts: - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/nginx-init.sh - subPath: nginx-init.sh - {{- if .Values.ingressController.persistentVolume }} - - name: {{ template "pvcName" . }} - mountPath: {{ .Values.ingressController.persistentVolume.mountPath }} - {{- end }} - - {{- if .Values.ingressController.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.ingressController.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- end }} - - weight: {{ .Values.ingressController.selfAntiAffinity.weight }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "nginx-ingress.ingressController.podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - - volumes: - - name: {{ template "mountedConfigMapName" . }} - configMap: - name: {{ template "mountedConfigMapName" . }} - defaultMode: 0755 - {{- if .Values.ingressController.persistentVolume }} - {{- if .Values.ingressController.persistentVolume.nfs }} - - name: {{ template "pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "pvcName" . }} - {{- else }} - - volumeClaimTemplates: - - metadata: - name: {{ template "pvcName" . }} - labels: - {{- include "nginx-ingress.ingressController.enrichedLabels" . | nindent 8 }} - - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: {{ .Values.ingressController.persistentVolume.storage }} - {{- end -}} - {{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/mountedConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/mountedConfigMap.yaml deleted file mode 100644 index 1676d252a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/mountedConfigMap.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "mountedConfigMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - nginx-init.sh: |- - #!/bin/sh - CHART_NAME="{{ template "name" . }}" - LOG_ORIGIN="permission-fix.sh" - {{- include "logFunctions" . | nindent 4}} - - {{- with .Values.ingressController }} - {{- if .persistentVolume }} - {{- if .persistentVolume.cache }} - {{- if .persistentVolume.cache.enabled }} - _log "Fixing permission pvc permission" - chown -R {{ .image.runAsUser }}:{{ .image.runAsUser }} {{ .persistentVolume.mountPath }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - exit 0 diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/persistentVolume.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/persistentVolume.yaml deleted file mode 100644 index 3f58a32a1..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/persistentVolume.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if .Values.ingressController.persistentVolume }} -{{- if .Values.ingressController.persistentVolume.nfs -}} -apiVersion: v1 -kind: PersistentVolume - -metadata: - name: {{ template "pvName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - - "ReadWriteMany" - - capacity: - storage: {{ .Values.ingressController.persistentVolume.storage }} - - nfs: - server: {{ .Values.ingressController.persistentVolume.nfs.server }} - path: {{ .Values.ingressController.persistentVolume.nfs.path }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/persistentVolumeClaim.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/persistentVolumeClaim.yaml deleted file mode 100644 index 98c7435cd..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/persistentVolumeClaim.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.ingressController.persistentVolume -}} -{{- if .Values.ingressController.persistentVolume.nfs -}} -apiVersion: v1 -kind: PersistentVolumeClaim - -metadata: - name: {{ template "pvcName" . }} - namespace: {{ .Values.global.namespace }} - - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - - "ReadWriteMany" - - resources: - requests: - storage: {{ .Values.ingressController.persistentVolume.storage }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/podDisruptionBudget.yaml deleted file mode 100644 index 33955e5e5..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/podDisruptionBudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if and .Values.ingressController.replicas (ge (int .Values.ingressController.replicas) 2) -}} -{{- if .Values.ingressController.podDisruptionBudget -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "nginx-ingress.ingressController.podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{ toYaml .Values.ingressController.podDisruptionBudget }} - selector: - matchLabels: - {{- include "nginx-ingress.ingressController.enrichedLabels" . | nindent 6 }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/secretGeneratorJob.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/secretGeneratorJob.yaml deleted file mode 100644 index 13e35e6de..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/secretGeneratorJob.yaml +++ /dev/null 
@@ -1,123 +0,0 @@ -{{- if .Values.ingressController.authIngress }} -{{- if .Values.ingressController.authIngress.enabled }} -apiVersion: batch/v1 -kind: Job - -metadata: - name: {{ template "name" . }}-secret-generator - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - backoffLimit: 0 - parallelism: 1 - ttlSecondsAfterFinished: 60 - - template: - metadata: - name: {{ template "name" . }}-secret-generator - labels: - {{- include "commonLabels" . | nindent 8 }} - spec: - serviceAccountName: {{ template "serviceAccountName" . }} - restartPolicy: Never - containers: - - name: {{ template "name" . }}-secret-generator-container - image: alpine:3.10.2 - command: - - sh - - -c - - | - #!/bin/sh - CHART_NAME="{{ template "name" . }}" - LOG_ORIGIN="password-generator.sh" - {{- include "logFunctions" . | nindent 12 }} - - _clean_up() { - _info "Cleaning up" - rm -f /root/.secrets.json || true - if [ $n $1 ]; then - exit $1 - fi - - exit 0 - } - - apk add --no-cache --quiet apache2-utils \ - curl \ - jq - - {{- $credentials := .Values.ingressController.authIngress.credentials }} - _info "Generating password for auth ingress" - NGINX_AUTH=$(htpasswd -nb {{ $credentials.user | default "vulas" }} {{ $credentials.password | default "changeme" }} | base64) - KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) - - echo " - { - \"apiVersion\": \"v1\", - \"kind\": \"Secret\", - \"metadata\": { - \"name\": \"auth-secret\", - \"namespace\": \"{{ .Values.global.namespace }}\", - \"labels\": { - \"app.kubernetes.io/name\": \"{{ .Chart.Name }}\", - \"app.kubernetes.io/part-of\": \"{{ .Values.global.projectName }}\", - \"app.kubernetes.io/version\": \"{{ .Chart.AppVersion }}\", - \"app.kubernetes.io/managed-by\": \"{{ .Release.Service }}\", - \"{{ .Values.global.projectName }}/environment\": \"{{ .Values.global.env }}\", - \"{{ .Values.global.projectName }}/release-name\": \"{{ .Release.Name }}\" - } - }, - 
\"type\": \"Opaque\", - \"data\": { - \"auth\": \"$NGINX_AUTH\" - } - } - " >> secrets.json - - RESULT=$(curl -sSk \ - -X POST \ - --data "@secrets.json" \ - -H "Authorization: Bearer $KUBE_TOKEN" \ - -H "Accept: application/json" \ - -H "Content-Type: application/json" \ - https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/{{ .Values.global.namespace }}/secrets - ) - RETURN_CODE=$(echo $RESULT | jq '.code') - if [ $RETURN_CODE -eq "200" ]; then - _info "Secret has been generated" - else - REASON=$(echo $RESULT | jq -r '.reason') - if [ $REASON = "AlreadyExists" ]; then - _info "Secret already exists, updating" - UPDATE_RESULT=$(curl -sSk \ - -X PUT \ - --data "@secrets.json" \ - -H "Authorization: Bearer $KUBE_TOKEN" \ - -H "Accept: application/json" \ - -H "Content-Type: application/json" \ - https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/{{ .Values.global.namespace }}/secrets/auth-secret - ) - UPDATE_RETURN=$(echo $UPDATE_RESULT | jq '.data.auth | length > 0') - if [ $UPDATE_RETURN ]; then - _info "Secret has been updated" - _clean_up 0 - else - _error "encountered error when updating secret" - _clean_up 127 - fi - else - _error "Unknown error encountered" - _clean_up 127 - fi - fi - - _clean_up 0 - - resources: - limits: - memory: "32Mi" - cpu: "40m" -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/service.yaml deleted file mode 100644 index e56d4806d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/service.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ template "nginx-ingress.ingressController.serviceName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - type: "LoadBalancer" - selector: - {{- include "nginx-ingress.ingressController.serviceLabel" . | nindent 4 }} - - ports: - {{- include "listPorts" .Values.global.ingressController.ports | indent 2 -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/serviceAccount.yaml deleted file mode 100644 index db0145a88..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/serviceAccount.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - -metadata: - name: {{ template "serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/tlsSecret.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/tlsSecret.yaml deleted file mode 100644 index 956bf221b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/tlsSecret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.ssl.enabled }} -apiVersion: v1 -kind: Secret - -metadata: - name: {{ template "nginx-ingress.tls.secretName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -type: kubernetes.io/tls -data: -{{- (.Files.Glob "files/tls/*").AsSecrets | nindent 2 -}} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasAdminRole.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasAdminRole.yaml deleted file mode 100644 index 3c14969ea..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasAdminRole.yaml +++ /dev/null @@ -1,102 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role - -metadata: - name: {{ template "roleName" . }}-admin - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create - - update - - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - update - - watch - - - apiGroups: - - extensions - - "networking.k8s.io" # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - - apiGroups: - - extensions - - "networking.k8s.io" # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update - - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - - {{ .Values.ingressController.electionID }} - - {{ .Values.ingressController.electionID }}-{{ .Values.ingressController.ingressClass }} - verbs: - - get - - update - - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - get - - update - - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasAdminRoleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasAdminRoleBinding.yaml deleted file mode 100644 index 35c220c6b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasAdminRoleBinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding - -metadata: - name: {{ template "roleBindingName" . }}-admin - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "roleName" . }}-admin - -subjects: - - kind: ServiceAccount - name: {{ template "serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasCoreRole.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasCoreRole.yaml deleted file mode 100644 index e43e4b584..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasCoreRole.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role - -metadata: - name: {{ template "roleName" . }}-core - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - update - - watch - - - apiGroups: - - extensions - - "networking.k8s.io" # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - - apiGroups: - - extensions - - "networking.k8s.io" # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update - - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - - {{ .Values.ingressController.electionID }}-{{ .Values.ingressController.ingressClass }} - verbs: - - get - - update - - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - get - - update - - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasCoreRoleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasCoreRoleBinding.yaml deleted file mode 100644 index 43f7ca5fa..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/templates/ingress-controller/vulasCoreRoleBinding.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding - -metadata: - name: {{ template "roleBindingName" . }}-core - namespace: {{ .Values.global.coreNamespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "nginx-ingress.roleName" . }}-core - -subjects: - - kind: ServiceAccount - name: {{ template "serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/values.yaml deleted file mode 100644 index 1c4cf2707..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -managedRelease: "alpha" - -ssl: - enabled: false - -metrics: - enabled: true - -rbac: - # This would create clusterrole and roles required for nginx ingress controller - # to perform operations accross three namespaces used by this chart - create: true - -defaultBackend: - enabled: true - # Suggestion : ~= 1 (returns 404 so useless to duplicate) - replicas: 2 - - selfAntiAffinity: {} - # soft: true - # weight: 100 - - podDisruptionBudget: {} - - image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "nginx" - tag: "1.17.4-alpine" - runAsUser: 101 - - resources: {} - # limits: - # memory: "60Mi" - # cpu: "110m" - # requests: - # memory: "50Mi" - # cpu: "100m" - - livenessProbe: - enabled: true - initialDelaySeconds: 2 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - - readinessProbe: - enabled: true - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 5 - failureThreshold: 6 - -ingressController: - authIngress: - # This enables basic auth access to (if present) kibana, frontendbugs, prometheus - enabled: true - credentials: - # These credentials are generated and encrypted with htpasswd with a - # poststart helm hook named "nginx-ingress-secret-generator" which - # communicates with the kubernetes API to modify the corresponding secret - user: vulas - password: changeme - - # Suggestion : ~= Depending on load - # (kubernetes/nginx-ingress controller has internal distribution - # mechanisms such as elections so it can handle it) - replicas: 3 - - updateStrategy: {} - - # Possible values are listed in NGINX's error_log config documentation - # (see http://nginx.org/en/docs/ngx_core_module.html#error_log) - debugLevel: error - - external: true - externalIP: {} - - electionID: ingress-controller-leader - ingressClass: nginx - - # If rbac is set to {} no clusterrole, role and rolebinding - # will be created to link up to the desired service account - rbac: true - - selfAntiAffinity: {} - # You can set 
selfAntiAffinity to {} in order to skip - # all affinity declarations - # soft: true - # weight: 100 - - podDisruptionBudget: {} - persistentVolume: {} - - image: - pullPolicy: "IfNotPresent" - registry: "quay.io" - registryPort: {} - name: "kubernetes-ingress-controller/nginx-ingress-controller" - tag: "0.25.0" - runAsUser: {} - allowPrivilegeEscalation: true - - resources: {} - # limits: - # memory: "500Mi" - # cpu: "500m" - # requests: - # memory: "50Mi" - # cpu: "50m" - - - livenessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 165s ~= 3min - enabled: true - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 10 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 10 - periodSeconds: 60 - timeoutSeconds: 5 - failureThreshold: 10 - successThreshold: 2 - path: /healthz diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/values_production.yaml deleted file mode 100644 index 45dad5455..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/charts/nginx-ingress/values_production.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ - -metrics: - enabled: true - -ssl: - enabled: false - -rbac: - # This would create clusterrole and roles required for nginx ingress controller - # to perform operations accross three namespaces : vulnerability-assessment-tool-core, vulnerability-assessment-tool-admin, - # and vulnerability-assessment-tool-monitoring - create: true - -defaultBackend: - enabled: true - - # Suggestion : ~= 1 (returns 404 so useless to duplicate) - replicas: 2 - - selfAntiAffinity: - soft: true - weight: 100 - - podDisruptionBudget: - minAvailable: 1 - - image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "nginx" - tag: "1.17.4-alpine" - runAsUser: 101 - - resources: - limits: - memory: "60Mi" - cpu: "110m" - requests: - memory: "50Mi" - cpu: "100m" - - livenessProbe: - enabled: true - initialDelaySeconds: 2 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - - readinessProbe: - enabled: true - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 5 - failureThreshold: 6 - -ingressController: - authIngress: - # This enables basic auth access to (if present) kibana, frontendbugs, prometheus - enabled: true - credentials: - # These credentials are generated and encrypted with htpasswd with a - # poststart helm hook named `nginx-ingress-secret-generator` which - # communicates with the kubernetes API to modify the corresponding secret - user: vulas - password: changeme - - # Suggestion : ~= Depending on load - # (kubernetes/nginx-ingress controller has internal distribution - # mechanisms such as elections so it can handle it) - replicas: 3 - - updateStrategy: - rollingUpdate: - maxUnavailable: 1 - - # Possible values are listed in NGINX's error_log config documentation - # (see http://nginx.org/en/docs/ngx_core_module.html#error_log) - debugLevel: error - external: true - externalIP: {} - electionID: ingress-controller-leader - ingressClass: nginx - # If rbac is set to {} no clusterrole, role and rolebinding - # will be 
created to link up to the desired service account - rbac: true - - selfAntiAffinity: - # You can set selfAntiAffinity to {} in order to skip - # all affinity declarations - soft: true - weight: 100 - - podDisruptionBudget: - minAvailable: 1 - - persistentVolume: - storage: "1Gi" - storageG: "1g" - mountPath: /tmp/nginx-cache/ - - cache: - enabled: true - # nfs: - # server: :: - # path: /share - - image: - pullPolicy: "IfNotPresent" - registry: "quay.io" - registryPort: {} - name: "kubernetes-ingress-controller/nginx-ingress-controller" - tag: "0.25.0" - runAsUser: 33 - allowPrivilegeEscalation: true - - resources: - limits: - memory: "500Mi" - cpu: "500m" - requests: - memory: "150Mi" - cpu: "80m" - - livenessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 165s ~= 3min - enabled: true - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 10 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 10 - periodSeconds: 60 - timeoutSeconds: 5 - failureThreshold: 10 - successThreshold: 2 - path: /healthz diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_container.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_container.tpl deleted file mode 100644 index 42f07c35b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_container.tpl +++ /dev/null @@ -1,16 +0,0 @@ -{{/* - containerName : Generates containerName - contexts: [ .global ] - usage: {{ include "containerName" . }} -*/}} -{{- define "containerName" -}} -{{- if .registry -}} -{{- printf "%s" .registry -}} -{{- if .registryPort -}} -{{- printf ":%d/" (int .registryPort) -}} -{{- else -}} -{{- printf "/" -}} -{{- end -}} -{{- end -}} -{{- printf "%s:%s" .name .tag }} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_getters.tpl deleted file mode 100644 index 748fbd475..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_getters.tpl +++ /dev/null 
@@ -1,249 +0,0 @@ -{{/* - name : Gets name of current component - contexts: [ . ] - usage: {{ include "name" . }} -*/}} -{{- define "name" -}} -{{ .Release.Name }}-{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - chart : Gets chart name of current component - contexts: [ . ] - usage: {{ include "chart" . }} -*/}} -{{- define "chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - configMapName : config map name getter - contexts: [ . ] - usage: {{ include "configMapName" . }} -*/}} -{{- define "configMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - -{{/* - cronJobName : cronJobName getter - contexts: [ . ] - usage: {{ include "cronJobName" . }} -*/}} -{{- define "cronJobName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cron-job" $name -}} -{{- end -}} - -{{/* - mountedConfigMapName : mounted config map name getter - contexts: [ . ] - usage: {{ include "mountedConfigMapName" . }} -*/}} -{{- define "mountedConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-mounted-config" $name -}} -{{- end -}} - -{{/* - envConfigMapName : env config map name getter - contexts: [ . ] - usage: {{ include "envConfigMapName" . }} -*/}} -{{- define "envConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-env-config" $name -}} -{{- end -}} - - -{{/* - secretName : secret name getter - contexts: [ . ] - usage: {{ include "secretName" . }} -*/}} -{{- define "secretName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-secret" $name -}} -{{- end -}} - -{{/* - deploymentName : Deployment name getter - contexts: [ . ] - usage: {{ include "deploymentName" . }} -*/}} -{{- define "deploymentName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - -{{/* - daemonSetName : DaemonSet name getter - contexts: [ . ] - usage: {{ include "daemonSetName" . 
}} -*/}} -{{- define "daemonSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-daemon-set" $name -}} -{{- end -}} - -{{/* - statefulSetName : Statefulset name getter - contexts: [ . ] - usage: {{ include "statefulSetName" . }} -*/}} -{{- define "statefulSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} - -{{/* - pvcName : patchlibanalyzer pvc name getter - contexts: [ . ] - usage: {{ include "pvcName" . }} -*/}} -{{- define "pvcName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-volume-claim" $name -}} -{{- end -}} - -{{/* - pvName : patchlibanalyzer pv name getter - contexts: [ . ] - usage: {{ include "pvName" . }} -*/}} -{{- define "pvName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-persistent-nfs-volume" $name -}} -{{- end -}} - - -{{/* - serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "serviceAccountName" . }} -*/}} -{{- define "serviceAccountName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-service-account" $name -}} -{{- end -}} - -{{/* - roleName : role name getter - contexts: [ . ] - usage: {{ include "roleName" . }} -*/}} -{{- define "roleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role" $name -}} -{{- end -}} - -{{/* - roleBindingName : role binding name getter - contexts: [ . ] - usage: {{ include "roleBindingName" . }} -*/}} -{{- define "roleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role-binding" $name -}} -{{- end -}} - -{{/* - clusterRoleName : cluster role name getter - contexts: [ . ] - usage: {{ include "clusterRoleName" . }} -*/}} -{{- define "clusterRoleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cluster-role" $name -}} -{{- end -}} - -{{/* - clusterRoleBindingName : cluster role binding name getter - contexts: [ . ] - usage: {{ include "clusterRoleBindingName" . }} -*/}} -{{- define "clusterRoleBindingName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-cluster-role-binding" $name -}} -{{- end -}} - -{{/* - podName : deployment pod name getter - contexts: [ . ] - usage: {{ include "podName" . }} -*/}} -{{- define "podName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - podDisruptionBudgetName : deployment podDisruptionBudget name getter - contexts: [ . ] - usage: {{ include "podDisruptionBudgetName" . }} -*/}} -{{- define "podDisruptionBudgetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - -{{/* - networkPolicyName : networkPolicyName getter - contexts: [ . ] - usage: {{ include "networkPolicyName" . }} -*/}} -{{- define "networkPolicyName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-network-policy" $name -}} -{{- end -}} - -{{/* - horizontalPodAutoScalerName : horizontalPodAutoScalerName getter - contexts: [ . ] - usage: {{ include "horizontalPodAutoScalerName" . }} -*/}} -{{- define "horizontalPodAutoScalerName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-horizontal-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - verticalPodAutoScaler : verticalPodAutoScaler getter - contexts: [ . ] - usage: {{ include "verticalPodAutoScaler" . }} -*/}} -{{- define "verticalPodAutoScaler" -}} -{{- $name := include "name" . -}} -{{- printf "%s-vertical-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - podSecurityPolicyName : podSecurityPolicyName getter - contexts: [ . ] - usage: {{ include "podSecurityPolicyName" . }} -*/}} -{{- define "podSecurityPolicyName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod-security-policy" $name -}} -{{- end -}} - -{{/* - headlessServiceName : headlessServiceName getter - contexts: [ . ] - usage: {{ include "headlessServiceName" . }} -*/}} -{{- define "headlessServiceName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-%s-headless-service" $name .Release.Name -}} -{{- end -}} - -{{/* - priorityClassName : priorityClassName getter - contexts: [ . ] - usage: {{ include "priorityClassName" . }} -*/}} -{{- define "priorityClassName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-priority-class" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_labels.tpl deleted file mode 100644 index 6bb3cc06b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_labels.tpl +++ /dev/null @@ -1,25 +0,0 @@ -{{/* - commonLabels : generic labels - contexts: [ . ] - usage: {{ include "commonLabels" . }} -*/}} - -{{- define "commonLabels" -}} -{{ if .Chart.AppVersion -}} -app.kubernetes.io/name: {{ .Chart.Name }} -app.kubernetes.io/part-of: {{ .Values.global.projectName }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{ include "projectLabels" . }} -{{- end -}} - - -{{/* - projectLabels : generic labels - contexts: [ . ] - usage: {{ include "projectLabels" . }} -*/}} -{{- define "projectLabels" -}} -{{ .Values.global.projectName }}/environment: {{ .Values.global.env }} -{{ .Values.global.projectName }}/release-name: {{ .Release.Name }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_logs.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_logs.tpl deleted file mode 100644 index 4766d9b17..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_logs.tpl +++ /dev/null @@ -1,21 +0,0 @@ -{{/* - logFunctions : generic logging function - contexts: [ . ] - usage: {{ include "logFunctions" . }} -*/}} - -{{- define "logFunctions" -}} -_log() { - echo `date "+%Y:%m:%d-%H:%M:%S"` "[$CHART_NAME|$LOG_ORIGIN]" "$1": "$2" -} - -_error() { - _log "ERROR" "$1" -} - -_info() { - if [ -z $DEBUG ]; then - _log "INFO" "$1" - fi -} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_ports.tpl b/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_ports.tpl deleted file mode 100644 index e7e76daea..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/templates/_ports.tpl +++ /dev/null @@ -1,11 +0,0 @@ -{{/* - listPorts : lists port - contexts: [ .global ] - usage: {{ include "listPorts" . }} -*/}} -{{- define "listPorts" -}} -{{- range $key, $value := . }} -- name: {{ $key }} - {{- toYaml . | nindent 2 }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-admin/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-admin/values.yaml deleted file mode 100644 index ee5f61dbd..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-admin/values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -global: - coreNamespace: vulnerability-assessment-tool-core - env: TESTING - ingressController: - ports: - http: - port: 80 - protocol: TCP - targetPort: 80 - https: - port: 443 - protocol: TCP - targetPort: 443 - metrics: - port: 10254 - protocol: TCP - targetPort: 10254 - managedRelease: core-release - namespace: vulnerability-assessment-tool-admin - projectName: vulnerability-assessment-tool - subPath: "" diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/.helmignore b/kubernetes/helm/vulnerability-assessment-tool-core/.helmignore deleted file mode 100644 index dd449725e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/.helmignore +++ /dev/null @@ -1 +0,0 @@ -*.md diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/Chart.yaml deleted file mode 100644 index 620999e83..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/Chart.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -appVersion: "3.1.7-SNAPSHOT" -name: vulnerability-assessment-tool-core -version: v0.1.1 - -kubeVersion: ">=v1.15.0" -description: Helm Chart for the vulnerability assessment tool core services -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/README.md deleted file mode 100644 index a73720107..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/README.md +++ /dev/null 
@@ -1,100 +0,0 @@ -# Vulnerability-assessment-tool-core - -The Vulnerability-assessment-tool-core contains everything required to have a functional instance of the vulnerability-assessment-tool up and running. - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -# With helm 2 -# helm install { custom name } . -$ helm install core-release . - -# With helm 3, you need to create the desired namespace before hand -$ kubectl create namespace { namespace } -$ kubectl install core-release . -``` - -The command deploys the vulnerability-assessment-tool-core v0.1.1 chart on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete core-release -``` - -## Configuration -The following table lists the configurable parameters of the vulnerability-assessment-tool-core chart and their default values. 
- -| Parameter | Description | Default | -| ------------------------------------- | --------------------------------------------------------- | ------------------------------------ | -| global.namespace | destination namespace for chart | `vulnerability-assessment-tool-core` | -| global.dbCredentials.pool_password | pgpool password | `changeme` | -| global.dbCredentials.pool_user | pgpool username | `pgpool` | -| global.dbCredentials.postgres_db | postgres dbname | `vulas` | -| global.dbCredentials.postgres_user | postgres username | `postgres` | -| global.dbCredentials.replication_user | replication username (shares password with postgres user) | `changeme` | -| global.env | label for deployment environment | `TESTING` | -| global.existingClaim | existingPVCClaim for master | `{}` | -| global.masterReplicas | amount of masters in cluster | `1` | -| global.podPriorityClass.enabled | enables built in priorityclasses | `true` | -| global.projectName | | `vulnerability-assessment-tool` | -| global.slaveReplicas | amount of slave replicas (can be set to {} for dynamic) | `2` | - - -### Frontendapps subchart values -The subchart values can be configured by modifying the values directly in the subdirectory (for more configuration detail see [here](charts/frontendapps/README.md) or overridden in the vulnerability-assessment-tool-admin chart by nesting values inside `frontendapps`. 
For example, to modify the `replicas` value, you can do; -``` -frontendapps: - replicas: 20 -``` - -### Frontendbugs subchart values -These values should be prepended by nesting them in `frontendbugs` and can be seen in detail [here](charts/frontendbugs/README.md) - -### Patchlibanalyzer subchart values -These values should be prepended by nesting them in `patchlibanalyzer` and can be seen in detail [here](charts/patchlibanalyzer/README.md) - -### Database subchart values -These values should be prepended by nesting them in `database` and can be seen in detail [here](charts/database/README.md) - -### Restbackend subchart values -These values should be prepended by nesting them in `restbackend` and can be seen in detail [here](charts/restbackend/README.md) - -### Restlibutils subchart values -These values should be prepended by nesting them in `restlibutils` and can be seen in detail [here](charts/restlibutils/README.md) - -## Production configuration -Every subchart contains a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. Since helm does not yet support recursive values file name, the switch can be done with this command: - -```sh -# Backup default values.yaml file into values_simplified.yaml -for file in $(find . -mindepth 2 -type f -name "values.yaml"); do - new=$(echo $file | sed -e 's/values.yaml/values_simplified.yaml/') - mv "$file" "$new" -done - -# Rename values_production.yaml to values.yaml -for file in $(find . -mindepth 2 -type f -name "values_production.yaml"); do - new=$(echo $file | sed -e 's/values_production.yaml/values.yaml/') - mv "$file" "$new" -done -``` - -To revert this operation simply do: -```sh -# Rename values.yaml file into values_production.yaml -for file in $(find . 
-mindepth 2 -type f -name "values.yaml"); do - new=$(echo $file | sed -e 's/values.yaml/values_production.yaml/') - mv "$file" "$new" -done - -# Rename values_simplified.yaml to values.yaml -for file in $(find . -mindepth 2 -type f -name "values_simplified.yaml"); do - new=$(echo $file | sed -e 's/values_simplified.yaml/values.yaml/') - mv "$file" "$new" -done -``` diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/Chart.yaml deleted file mode 100644 index 08b494a0b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" - -description: A Chart for a HA postgres database -name: database -version: 0.1.1 -kubeVersion: ">=v1.15.0" - -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/README.md deleted file mode 100644 index ae3936d50..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/README.md +++ /dev/null 
@@ -1,138 +0,0 @@ -# Vulnerability assessment tool database - -> This chart is already included in the vulnerability-assessment-tool-core chart - -The vulnerability assessment tool database is a postgresql database used to store a CVEs, constructs, ... - -## Prerequisites -- Kubernetes 1.9 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Introduction - -This chart bootstraps a HA [Postgresql](https://www.postgresql.org/) cluster deployment on a Kubernetes cluster comprising of a: -- Postgres master statefulset -- Postgres slave statefulset -- Pgpool statefulset - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the database subchart of the vulnerability-assessment-tool-core chart v0.1.1 chart -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration -The following table lists the configurable parameters of the database chart and their default values. 
-As values in this chart are quite highly nested, this table is split into two parts for easy readability - -### .Values.postgres - -| Parameter | Description | Default | -| --- | --- | --- | -| metrics.enabled | Enables prometheus exporter | `true` | -| debug | Postgres logging level (see [postgres docs](https://www.postgresql.org/docs/11/runtime-config-logging.html) | `WARNING` | -| image.initContainer.pullPolicy | To avoid cluster going out of sync `Always` is recommended if the image is subject to constant changes | `IfNotPresent` | -| image.initContainer.name | Postgresql init container image name (used for pg_basebackup) | `postgres` | -| image.initContainer.tag | Image tag for desired initcontainer image version | `11.5-alpine` | -| image.initContainer.securityContext | Postgresql init container securityContext. This container requires root execution because it needs to fix permissions on the PVC (using chown on the set `pgdata` directory) | runAsUser: `0`
privileged: `true` | -| image.mainContainer.pullPolicy | As Postgres images are stable, `IfNotPresent` is the recommended pullPolicy in this case | `IfNotPresent` | -| image.mainContainer.name | Postgres main container (actual database) image name | `postgres` | -| image.mainContainer.tag | The vulnerability database functions with any postgres 11.x version (with version 12.x to be tested soon) | `11.5` | -| image.mainContainer.securityContext | Postgresql's default container UID is 999 and requires reading to the root file system to properly operate | runAsUser: `999`
runAsGroup: `999`
privileged:`False`
readOnlyRootFilesystem:`False` | -| image.exporterContainer.pullPolicy | Since this image is maintained by a small group of individuals, image drift is possible, `Always` is recommended in production | `IfNotPresent` | -| image.exporterContainer.name | See [source code](https://github.com/wrouesnel/postgres_exporter) | `wrouesnel/postgres_exporter` | -| image.exporterContainer.tag | Latest image tag as of this chart release | `v0.5.1` | -| master.updateStrategy | | `RollingUpdate` | -| master.terminationGracePeriodSeconds | Sets the amount of time k8s allows for the database to gracefully shutdown, this window allows for Postgresql to launch `pg_ctl stop fast` | `10` | -| master.livenessProbe.enabled | readinessProbe configuration to be tuned to latency and performance of the cluster at hand | enabled: `true`
initialDelaySeconds: `60`
periodSeconds: `5`
timeoutSeconds: `3`
failureThreshold: `20` | -| master.readinessProbe.enabled | readinessProbe configuration to be tuned to latency and performance of the cluster at hand | enabled: `true`
initialDelaySeconds: `5`
periodSeconds: `5`
timeoutSeconds: `3`
failureThreshold: `3` | -| master.pvcMountPath | Set with $PG_DATA | `/var/lib/postgresql/data` | -| master.accessModes | PVC accessMode, if you want fault tolerance for the master statefulset, it is a possibility to set an nfs with `ReadWriteMany` in addition with failover | `ReadWriteOnce` | -| master.requests.storage | Storage size requests, 10Gi is the minimum requirement | `10Gi` | -| slave.backoffDuration | delay between probe attempts to wait for master node | `10` | -| slave.updateStrategy | | `RollingUpdate` | -| slave.terminationGracePeriodSeconds | Sets the amount of time k8s allows for the database to gracefully shutdown, this window allows for Postgresql to launch `pg_ctl stop fast | `10` | | -| slave.livenessProbe.enabled | readinessProbe configuration to be tuned to latency and performance of the cluster at hand | enabled: `true`
initialDelaySeconds: `60`
periodSeconds: `5`
timeoutSeconds: `3`
failureThreshold: `20` | -| slave.readinessProbe.enabled | readinessProbe configuration to be tuned to latency and performance of the cluster at hand | enabled: `true`
initialDelaySeconds: `50`
periodSeconds: `5`
timeoutSeconds: `3`
failureThreshold: `3` | -| slave.pvcMountPath | Set with $PG_DATA | `/var/lib/postgresql/data` | -| slave.accessModes | `ReadWriteOnce` is recommended here for the low cost and the fact that fault tolerance comes from the replication | `ReadWriteOnce` | -| slave.requests.storage | recommended to be ~= Master storage requests due to streaming replication | `10Gi` | - - -### .Values.pgpool - -| Parameter | Description | Default | -| --- | --- | --- | -| name | Used to determine prefix for pgpool objects in kubernetes | `pgpool` | -| debug | Sets pgpool log level to DEBUG if `true` (see [pgpool docs](https://www.pgpool.net/docs/latest/en/html/runtime-config-logging.html)) | `False` | -| replicas | The optimal number of instances should be around `master replicas + slave replicas` (see [benchmark](../../docs/BenchmarkResults.md)) | `3` | -| updateStrategy | | `RollingUpdate` | -| loadBalanceMode | Used to set distributing select queries per node. See [pgpool lb docs](https://www.pgpool.net/docs/latest/en/html/runtime-config-load-balancing.html) | `true` | -| failOverOnBackendError | | `False` | -| numInitChildren | Number of processes that pgpool preforks. This parameter can only be modified on launch so its recommended to anticipate for high usage | `100` | -| maxPool | Maximum number of cached open connection pgpool has to the PostgreSQL instance | `10` | -| clientIdleLimit | Kills inactif client after `clientIdleLimit` seconds | `920` | -| connectionLifeTime | Sets the lifespan of a cached connection in seconds. This is set to avoid the default `0` which never kills/renews connections | `500` | -| terminationGracePeriodSeconds | Allows for pgpool to gracefully terminate its connections | `15` | -| useWatchDog | Sets the `use_watchdog` configuration ([pgpool watchdog docs](https://www.pgpool.net/docs/latest/en/html/example-cluster.html)) | `true` | -| watchDog.interval | | `15` | -| healthCheck | Postgresql connection health checks. 
The default timeout value makes sure that during initialisation, the pgpool statefulset doesn't go into a CrashLoop | timeout: `0`
period: `30`
maxRetries: `5`
retryDelay: `5` | -| image.pullPolicy | Image maintained by company so drift shouldn't be an issue | `IfNotPresent` | -| image.name | | `crunchydata/crunchy-pgpool` | -| image.tag | | `centos7-11.4-2.4.1` | -| image.securityContext | Shares the postgres UID | runAsUser: `999`
runAsGroup: `999`
privileged: `False`
readOnlyRootFilesystem: `False` | -| image.readinessProbe | | enabled: `true`
initialDelaySeconds: `35`
periodSeconds: `10`
timeoutSeconds: `10`
failureThreshold: `3` | -| image.livenessProbe | | enabled: `true`
initialDelaySeconds: `35`
periodSeconds: `30`
timeoutSeconds: `10`
failureThreshold: `3` | - -Specify each parameter using the --set key=value\[,key=value\] argument to helm install. For example, -```sh -$ helm install { custom release name } \ - --set postgres.image.mainContainer.pullPolicy=Always . -``` -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, -```sh -$ helm install { custom release name } -f values.yaml . -``` - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -| Parameter | Description | Default | -| --- | --- | --- | -| postgres.master.resources | Corner stone of infrastructure so high performance is required | requests:
 memory:`15Gi`
 cpu: `15`
limit:
 memory: `22Gi`
 cpu: `22` | -| postgres.slave.resources | As these are replicas their demands are lower than that of the master db | requests:
 memory:`8Gi`
 cpu: `8`
limit:
 memory: `15Gi`
 cpu: `15` | -| pgpool.image.resources | Pgpool does not consume a whole lot of resources | requests:
 memory:`1Gi`
 cpu: `1000m`
limit:
 memory: `2Gi`
 cpu: `2000m` | -| postgres.masterAntiAffinity | Makes pods (from master statefulset and slave) avoid sharing nodes with master. If set to `{}` disables this option | soft: `true`
weight: `100` | -| postgres.slaveAntiAffinity | Makes pods (from master statefulset and slave) avoid sharing nodes with slave. If set to `{}` disables this option | soft: `true`
weight: `50` | - - -- Disabling metrics: - -```diff -- postgres.metrics.enabled: False -+ postgres.metrics.enabled: true -``` - -- Disabling probres: - -```diff -- postgres.master.livenessProbe.enabled: true -- postgres.master.readinessProbe.enabled: true -+ postgres.master.livenessProbe.enabled: False -+ postgres.master.readinessProbe.enabled: False -``` diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/_getter.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/_getter.tpl deleted file mode 100644 index d67981d82..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/_getter.tpl +++ /dev/null 
@@ -1,71 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - pgpool.name : Gets name of current component - contexts: [ . ] - usage: {{ include "pgpool.name" . }} -*/}} -{{- define "pgpool.name" -}} -{{ .Release.Name }}-pgpool -{{- end -}} - -{{/* - pgpool.configMapName : ConfigMap getter - contexts: [ . ] - usage: {{ include "pgpool.configMapName" . }} -*/}} -{{- define "pgpool.configMapName" -}} -{{- $name := include "pgpool.name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - -{{/* - pgpool.secretName : Secret getter - contexts: [ . ] - usage: {{ include "pgpool.secretName" . }} -*/}} -{{- define "pgpool.secretName" -}} -{{- $name := include "pgpool.name" . -}} -{{- printf "%s-secret" $name -}} -{{- end -}} - -{{/* - pgpool.podName : deployment pod name getter - contexts: [ . ] - usage: {{ include "pgpool.podName" . }} -*/}} -{{- define "pgpool.podName" -}} -{{- $name := include "pgpool.name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - - -{{/* - pgpool.priorityClassName : priorityClassName pod name getter - contexts: [ . ] - usage: {{ include "pgpool.priorityClassName" . }} -*/}} -{{- define "pgpool.priorityClassName" -}} -{{- $name := include "pgpool.name" . -}} -{{- printf "%s-priority-class" $name -}} -{{- end -}} - -{{/* - pgpool.podDisruptionBudgetName : podDisruptionBudgetName pod name getter - contexts: [ . ] - usage: {{ include "pgpool.podDisruptionBudgetName" . }} -*/}} -{{- define "pgpool.podDisruptionBudgetName" -}} -{{- $name := include "pgpool.name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - - -{{/* - pgpool.statefulSetName : statefulset name getter - contexts: [ . ] - usage: {{ include "postgres.statefulSetName" . }} -*/}} -{{- define "pgpool.statefulSetName" -}} -{{- $name := include "pgpool.name" . -}} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/_labels.tpl deleted file mode 100644 index 0d61cab8b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/_labels.tpl +++ /dev/null @@ -1,31 +0,0 @@ -{{/*----------------------------- Local Templates ----------------------------------------*/}} -{{/* - pgpool.commonLabels : generic labels - contexts: [ . ] - usage: {{ include "pgpool.commonLabels" . }} -*/}} -{{- define "pgpool.enrichedLabels" -}} -app.kubernetes.io/instance: {{ template "pgpool.podName" . }} -{{ include "commonLabels" . }} -{{ include "pgpool.serviceLabel" . }} -{{- end -}} - -{{/* - pgpool.serviceLabels : generic service label - contexts: [ .global ] - usage: {{ include "pgpool.serviceLabels" . }} -*/}} -{{- define "pgpool.serviceLabels" -}} -{{ include "commonLabels" . }} -{{ include "pgpool.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - pgpool.serviceLabel : generic service label - contexts: [ .global ] - usage: {{ include "pgpool.serviceLabel" . }} -*/}} -{{- define "pgpool.serviceLabel" -}} -{{ .Values.global.projectName }}.core/service: {{ .Release.Name }}-pgpool-service -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/configMap.yaml deleted file mode 100644 index eb1741820..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/configMap.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "pgpool.configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- $release := .Release.Name }} - PG_PRIMARY_SERVICE_NAME: {{ $release }}-db-master - PG_REPLICA_SERVICE_NAME: {{ $release }}-db-slave - {{- if .Values.pgpool.debug }} - CRUNCHY_DEBUG: "true" - {{- else }} - CRUNCHY_DEBUG: "False" - {{- end }} - - {{- with .Values.global.dbCredentials }} - pool_passwd: - {{ .pool_user }}:TEXT{{ .pool_password }} - - {{ .postgres_user }}:TEXT{{ .postgres_password }} - - pool_hba.conf: | - host all {{ .pool_user }} 0.0.0.0/0 md5 - host all {{ .postgres_user }} 0.0.0.0/0 md5 - {{- end }} - - pgpool.conf: | - listen_addresses = '*' - port = 5432 - socket_dir = '/tmp' - - pcp_port = 9898 - pcp_socket_dir = '/tmp' - - master_slave_mode = 'on' - master_slave_sub_mode = 'stream' - load_balance_mode = '{{ .Values.pgpool.loadBalanceMode }}' - - port = 5432 - use_watchdog = '{{ .Values.pgpool.useWatchDog }}' - - {{- if eq ( .Values.pgpool.useWatchDog | quote ) "on" -}} - wd_hostname = {{ .Values.global.core.pgpool.service }} - wd_port = 9898 - {{- end }} - - backend_hostname0 = '{{ $release }}-db-master' - backend_port0 = 5432 - backend_flag0 = 'ALWAYS_MASTER' - - backend_hostname1 = '{{ $release }}-db-slave' - backend_port1 = 5432 - - failover_on_backend_error = '{{ .Values.pgpool.failOverOnBackendError }}' - - enable_pool_hba = on - pool_passwd = 'pool_passwd' - authentication_timeout = 60 - ssl = off - - num_init_children = {{ .Values.pgpool.numInitChildren }} - max_pool = {{ .Values.pgpool.maxPool }} - - child_life_time = {{ .Values.pgpool.connectionLifeTime }} - child_max_connections = 0 - connection_life_time = 0 - client_idle_limit = 0 - - log_destination = 'stderr' - print_timestamp = on - log_connections = on - log_hostname = on - log_statement = on - log_per_node_statement = off - log_standby_delay = 
'if_over_threshold' - - syslog_facility = 'LOCAL0' - syslog_ident = 'pgpool' - debug_level = 0 - - pid_file_name = '/tmp/pgpool.pid' - logdir = '/tmp' - - connection_cache = on - reset_query_list = 'ABORT; DISCARD ALL' - - replication_mode = off - replicate_select = off - insert_lock = off - lobj_lock_table = '' - - replication_stop_on_mismatch = off - failover_if_affected_tuples_mismatch = off - - load_balance_mode = off - ignore_leading_white_space = on - white_function_list = '' - black_function_list = 'currval,lastval,nextval,setval' - - master_slave_mode = on - master_slave_sub_mode = 'stream' - - {{- with .Values.global.dbCredentials }} - sr_check_period = 10 - sr_check_user = '{{ .pool_user }}' - sr_check_password = '{{ .pool_password }}' - delay_threshold = 10000000 - - follow_master_command = '' - parallel_mode = off - pgpool2_hostname = '' - - health_check_period = 0 - health_check_timeout = 20 - health_check_user = '{{ .pool_user }}' - health_check_password = '{{ .pool_password }}' - health_check_max_retries = 0 - health_check_retry_delay = 1 - - failover_command = '' - failback_command = '' - fail_over_on_backend_error = on - search_primary_node_timeout = 10 - - recovery_user = '{{ .postgres_user }}' - recovery_password = '{{ .postgres_password }}' - {{- end }} - recovery_1st_stage_command = '' - recovery_2nd_stage_command = '' - recovery_timeout = 90 - client_idle_limit_in_recovery = 0 - use_watchdog = off - trusted_servers = '' - ping_path = '/bin' - wd_hostname = '' - wd_port = 9000 - wd_authkey = '' - delegate_IP = '' - ifconfig_path = '/sbin' - if_up_cmd = 'ifconfig eth0:0 inet $_IP_$ netmask 255.255.255.0' - if_down_cmd = 'ifconfig eth0:0 down' - arping_path = '/usr/sbin' - arping_cmd = 'arping -U $_IP_$ -w 1' - clear_memqcache_on_escalation = on - wd_escalation_command = '' - wd_lifecheck_method = 'heartbeat' - wd_interval = 10 - wd_heartbeat_port = 9694 - wd_heartbeat_keepalive = 2 - wd_heartbeat_deadtime = 30 - heartbeat_destination0 = 
'host0_ip1' - heartbeat_destination_port0 = 9694 - heartbeat_device0 = '' - wd_life_point = 3 - wd_lifecheck_query = 'SELECT 1' - wd_lifecheck_dbname = 'template1' - wd_lifecheck_user = 'nobody' - wd_lifecheck_password = '' - relcache_expire = 0 - relcache_size = 256 - check_temp_table = on - memory_cache_enabled = off - memqcache_method = 'shmem' - memqcache_memcached_host = 'localhost' - memqcache_memcached_port = 11211 - memqcache_total_size = 67108864 - memqcache_max_num_cache = 1000000 - memqcache_expire = 0 - memqcache_auto_cache_invalidation = on - memqcache_maxcache = 409600 - memqcache_cache_block_size = 1048576 - memqcache_oiddir = '/var/log/pgpool/oiddir' - white_memqcache_table_list = '' - black_memqcache_table_list = '' diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/podDisruptionBudget.yaml deleted file mode 100644 index fa684a9d2..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/podDisruptionBudget.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{- $pdbRequired := and .Values.pgpool.replicas (ge (int .Values.pgpool.replicas) 2) -}} -{{- $pdbRequired := and $pdbRequired .Values.pgpool.podDisruptionBudget -}} -{{- if $pdbRequired -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "pgpool.podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{- if .Values.pgpool.podDisruptionBudget.dynamic }} - minAvailable: {{ add .Values.postgres.master.replicas ( mul .Values.global.replicationFactor .Values.postgres.master.replicas) }} - {{- else }} - {{- toYaml .Values.pgpool.podDisruptionBudget | nindent 2 }} - {{ end }} - selector: - matchLabels: - {{- include "pgpool.enrichedLabels" . | nindent 6 }} -{{- else -}} -# INFO: Skipped podDisruptionBudget because replicas < 2 -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/priorityClass.yaml deleted file mode 100644 index 6d5da19e9..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/priorityClass.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.global.podPriorityClass.enabled -}} -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass - -metadata: - name: {{ template "pgpool.priorityClassName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.pgpool.podPriorityClass }} -{{- if .Values.pgpool.podPriorityClass.spec }} -{{- toYaml .Values.pgpool.podPriorityClass.spec | nindent 0 }} -{{- else }} -# INFO: default podPriorityClass -globalDefault: false -value: 30000 -preemptionPolicy: PreemptLowerPriority -description: "Specific priority for {{ template "pgpool.podName" . }} with preemption" -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/secret.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/secret.yaml deleted file mode 100644 index df3ebb2fc..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/secret.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Secret - -metadata: - name: {{ template "pgpool.secretName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- with .Values.global.dbCredentials }} - PCP_USER: {{ .pool_user | b64enc }} - PCP_PASSWORD: {{ .pool_password | b64enc }} - CHECK_USER: {{ .postgres_user | b64enc }} - CHECK_PASSWORD: {{ .postgres_password | b64enc }} - PG_USERNAME: {{ .postgres_user | b64enc }} - PG_PASSWORD: {{ .postgres_password | b64enc }} - PGUSER: {{ .postgres_user | b64enc }} - PGPASSWORD: {{ .postgres_password | b64enc }} - {{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/service.yaml deleted file mode 100644 index e1ebe1fdb..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-db-pool - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "pgpool.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 5432 - protocol: TCP - targetPort: 5432 - - - name: transport - port: 9898 - protocol: TCP - targetPort: 9898 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/statefulSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/statefulSet.yaml
deleted file mode 100644
index e86385122..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/pgpool/statefulSet.yaml
+++ /dev/null
@@ -1,242 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ template "pgpool.statefulSetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - serviceName: {{ .Release.Name }}-db-pool -{{- if not .Values.pgpool.replicas }} - {{- $dynamicReplicas := (mul .Values.global.masterReplicas .Values.global.replicationFactor) }} - {{- if ge $dynamicReplicas 1 }} - replicas: {{ $dynamicReplicas }} - {{- else }} - replicas: 1 - {{- end }} -{{- else }} - replicas: {{ .Values.pgpool.replicas }} -{{- end }} - updateStrategy: - type: {{ .Values.pgpool.updateStrategy }} - - selector: - matchLabels: - {{- include "pgpool.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - {{- include "pgpool.enrichedLabels" . | nindent 8}} - annotations: - checksum/pgpool-config: {{ include (print .Template.BasePath "/pgpool/configMap.yaml") . | sha256sum | trunc 63 }} - - spec: - {{- if .Values.global.podPriorityClass.enabled }} - {{- if .Values.pgpool.podPriorityClass }} - priorityClassName: {{ template "pgpool.priorityClassName" . }} - {{- end }} - {{- end }} - automountServiceAccountToken: false - containers: - - name: {{ template "pgpool.name" . }}-container - image: {{ template "containerName" .Values.pgpool.image }} - imagePullPolicy: {{ .Values.pgpool.image.pullPolicy }} - ports: - - name: db - containerPort: 5432 - - name: transport - containerPort: 9898 - - envFrom: - - secretRef: - name: {{ template "pgpool.secretName" . }} - - env: - - name: PG_PRIMARY_SERVICE_NAME - valueFrom: - configMapKeyRef: - name: {{ template "pgpool.configMapName" . }} - key: PG_PRIMARY_SERVICE_NAME - - name: PG_REPLICA_SERVICE_NAME - valueFrom: - configMapKeyRef: - name: {{ template "pgpool.configMapName" . }} - key: PG_REPLICA_SERVICE_NAME - - name: CRUNCHY_DEBUG - valueFrom: - configMapKeyRef: - name: {{ template "pgpool.configMapName" . 
}} - key: CRUNCHY_DEBUG - - {{- with .Values.global.dbCredentials }} - - name: POSTGRES_USER - value: {{ .postgres_user }} - - name: POSTGRES_PASSWORD - value: {{ .postgres_password }} - {{- end }} - - volumeMounts: - - name: {{ template "pgpool.configMapName" . }} - mountPath: /pgconf/pgpoolconfigdir/pgpool.conf - subPath: pgpool.conf - - name: {{ template "pgpool.configMapName" . }} - mountPath: /pgconf/pgpoolconfigdir/pool_hba.conf - subPath: pool_hba.conf - - name: {{ template "pgpool.configMapName" . }} - mountPath: /pgconf/pgpoolconfigdir/pool_passwd - subPath: pool_passwd - - name: {{ template "pgpool.configMapName" . }} - mountPath: /etc/pgpool-II-11/pool_passwd - subPath: pool_passwd - - {{- if and .Values.pgpool.image.livenessProbe .Values.pgpool.image.livenessProbe.enabled }} - {{- with .Values.pgpool.image.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash - if pgrep -x pgpool > /dev/null ; then - exit 0 - else - exit 127 - fi - - {{- end }} - {{- end }} - {{- if and .Values.pgpool.image.readinessProbe .Values.pgpool.image.readinessProbe.enabled }} - {{- with .Values.pgpool.image.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash - PRIMARY_COUNT=$(PGCONNECT_TIMEOUT=$CHECK_PGCONNECT_TIMEOUT PGPASSWORD=$CHECK_PASSWORD psql -U $CHECK_USER -h 127.0.0.1 template1 -c 'show pool_nodes' | grep primary | wc -l) - - if [[ "$PRIMARY_COUNT" == "0" ]]; then - exit 127 - else - exit 0 - fi - {{- end }} - {{- end }} - {{- if .Values.pgpool.image.resources }} - resources: - {{- toYaml .Values.pgpool.image.resources | nindent 12 }} - {{- end }} - {{- if .Values.pgpool.image.securityContext }} - securityContext: - {{- 
toYaml .Values.pgpool.image.securityContext | nindent 12 }} - {{- end }} - volumes: - - name: {{ template "pgpool.configMapName" . }} - configMap: - name: {{ template "pgpool.configMapName" . }} - terminationGracePeriodSeconds: {{ .Values.pgpool.terminationGracePeriodSeconds }} - - {{ if or .Values.pgpool.affinity .Values.pgpool.antiAffinity }} - {{- if .Values.pgpool.antiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.pgpool.antiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- end }} - {{- if .Values.pgpool.antiAffinity.selfAntiAffinity }} - {{- if ge (int .Values.pgpool.antiAffinity.selfAntiAffinity) 1 }} - - weight: {{ .Values.pgpool.antiAffinity.selfAntiAffinity }} - {{- else }} - # ERROR: .Values.pgpool.antiAffinity.selfAntiAffinity < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: Impossible to reach edge case - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "pgpool.podName" . 
}}] - - key: {{ .Values.global.projectName }}/release-name - operator: In - values: [{{ .Release.Name }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - {{- if .Values.pgpool.affinity }} - {{- if or .Values.pgpool.affinity.poolmasterAffinity .Values.pgpool.affinity.poolreplicaAffinity }} - {{- if not .Values.pgpool.antiAffinity }} - affinity: - {{- end }} - podAffinity: - {{- if .Values.pgpool.affinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- end }} - {{- if .Values.pgpool.affinity.poolmasterAffinity }} - {{- if ge (int .Values.pgpool.affinity.poolmasterAffinity) 1 }} - - weight: {{ .Values.pgpool.affinity.poolmasterAffinity }} - {{- else }} - # ERROR: .Values.pgpool.antiAffinity.poolmasterAffinity < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: Impossible to reach edge case - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ include "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "postgres.master.name" . }}] - topologyKey: "kubernetes.io/hostname" - {{- if .Values.pgpool.affinity.poolreplicaAffinity }} - {{- if ge (int .Values.pgpool.affinity.poolreplicaAffinity) 1 }} - - weight: {{ .Values.pgpool.affinity.poolreplicaAffinity }} - {{- else }} - # ERROR: .Values.pgpool.antiAffinity.poolreplicaAffinity < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: Impossible to reach edge case - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ include "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "postgres.slave.name" . 
}}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - {{- end }} - {{- end }}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/_getter.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/_getter.tpl
deleted file mode 100644
index 7d5df6865..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/_getter.tpl
+++ /dev/null
@@ -1,171 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - postgres.master.name : Gets name of current component - contexts: [ . ] - usage: {{ include "postgres.master.name" . }} -*/}} -{{- define "postgres.master.name" -}} -{{ template "name" . }}-master -{{- end -}} - -{{/* - postgres.slave.name : Gets name of current component - contexts: [ . ] - usage: {{ include "postgres.slave.name" . }} -*/}} -{{- define "postgres.slave.name" -}} -{{ template "name" . }}-slave -{{- end -}} - -{{/* - postgres.master.statefulsetName : Gets name of current component - contexts: [ . ] - usage: {{ include "postgres.master.statefulsetName" . }} -*/}} -{{ define "postgres.master.statefulsetName" -}} -{{- $name := include "postgres.master.name" . }} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} - -{{/* - postgres.slave.statefulsetName : Gets name of current component - contexts: [ . ] - usage: {{ include "postgres.slave.statefulsetName" . }} -*/}} -{{ define "postgres.slave.statefulsetName" -}} -{{- $name := include "postgres.slave.name" . }} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} - - -{{/* - postgres.chart : Create chart name and version as used by the chart label. - contexts: [ . ] - usage: {{ include "postgres.chart" . }} -*/}} -{{- define "postgres.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - - -{{/* - postgres.configMapName : ConfigMap getter - contexts: [ . ] - usage: {{ include "postgres.configMapName" . }} -*/}} -{{- define "postgres.configMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - - -{{/* - postgres.script.configMapName : ConfigMap getter - contexts: [ . ] - usage: {{ include "postgres.script.configMapName" . }} -*/}} -{{- define "postgres.script.configMapName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-scripts" $name -}} -{{- end -}} - -{{/* - postgres.secretName : Secret getter - contexts: [ . ] - usage: {{ include "postgres.secretName" . }} -*/}} -{{- define "postgres.secretName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-secret" $name -}} -{{- end -}} - -{{/* - postgres.pvcName : pvc name getter - contexts: [ . ] - usage: {{ include "postgres._pvcName" .context }} -*/}} -{{- define "postgres._pvcName" -}} -{{- printf "-volume-claim" -}} -{{- end -}} - -{{/* - postgres.master.pvcName : master pvc name getter - contexts: [ . ] - usage: {{ include "postgres.master.pvcName" .context }} -*/}} -{{- define "postgres.master.pvcName" -}} -{{- include "postgres.master.name" . -}} -{{- include "postgres._pvcName" . -}} -{{- end -}} - -{{/* - postgres.slave.pvcName : slave pvc name getter - contexts: [ . ] - usage: {{ include "postgres.slave.pvcName" .context }} -*/}} -{{- define "postgres.slave.pvcName" -}} -{{- include "postgres.slave.name" . -}} -{{- include "postgres._pvcName" . -}} -{{- end -}} - - -{{/* - postgres.master.podDisruptionBudgetName : master podDisruptionBudgetName getter - contexts: [ . ] - usage: {{ include "postgres.master.podDisruptionBudgetName" . }} -*/}} -{{- define "postgres.master.podDisruptionBudgetName" -}} -{{- $name := include "postgres.master.name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} -{{/* - postgres.slave.podDisruptionBudgetName : slave podDisruptionBudgetName getter - contexts: [ . ] - usage: {{ include "postgres.slave.podDisruptionBudgetName" . }} -*/}} -{{- define "postgres.slave.podDisruptionBudgetName" -}} -{{- $name := include "postgres.slave.name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - - -{{/* - postgres.master.podName : deployment pod name getter - contexts: [ . ] - usage: {{ include "postgres.master.podName" . }} -*/}} -{{- define "postgres.master.podName" -}} -{{- $name := include "postgres.master.name" . 
-}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - postgres.slave.podName : deployment pod name getter - contexts: [ . ] - usage: {{ include "postgres.slave.podName" . }} -*/}} -{{- define "postgres.slave.podName" -}} -{{- $name := include "postgres.slave.name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - - -{{/* - postgres.master.priorityClassName : priorityClassName getter - contexts: [ . ] - usage: {{ include "postgres.master.priorityClassName" . }} -*/}} -{{- define "postgres.master.priorityClassName" -}} -{{- $name := include "postgres.master.name" . -}} -{{- printf "%s-priority-class" $name -}} -{{- end -}} - -{{/* - postgres.slave.priorityClassName : priorityClassName getter - contexts: [ . ] - usage: {{ include "postgres.slave.priorityClassName" . }} -*/}} -{{- define "postgres.slave.priorityClassName" -}} -{{- $name := include "postgres.slave.name" . -}} -{{- printf "%s-priority-class" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/_labels.tpl deleted file mode 100644 index c4ec15e45..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/_labels.tpl +++ /dev/null 
@@ -1,61 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - postgres.master.enrichedLabels : generic labels - contexts: [ . ] - usage: {{ include "postgres.master.enrichedLabels" . }} -*/}} -{{- define "postgres.master.enrichedLabels" -}} -app.kubernetes.io/instance: {{ template "postgres.master.name" .}} -{{ include "commonLabels" . }} -{{ include "postgres.master.serviceLabel" . }} -{{- end -}} - -{{/* - postgres.master.serviceLabels : generic service labels - contexts: [ . ] - usage: {{ include "postgres.master.serviceLabels" . }} -*/}} -{{- define "postgres.master.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "postgres.master.serviceLabel" . }} -{{- end -}} - -{{/* - postgres.slave.enrichedLabels : generic labels - contexts: [ . ] - usage: {{ include "postgres.slave.enrichedLabels" . }} -*/}} -{{- define "postgres.slave.enrichedLabels" -}} -app.kubernetes.io/instance: {{ template "postgres.slave.name" . }} -{{ include "commonLabels" . }} -{{ include "postgres.slave.serviceLabel" . }} -{{- end -}} - -{{/* - postgres.slave.serviceLabels : generic service labels - contexts: [ . ] - usage: {{ include "postgres.slave.serviceLabels" . }} -*/}} -{{- define "postgres.slave.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "postgres.slave.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - postgres.master.serviceLabel : generic service label - contexts: [ .global ] - usage: {{ include "postgres.master.serviceLabel" . }} -*/}} -{{- define "postgres.master.serviceLabel" -}} -{{ .Values.global.projectName }}.core/service: {{ .Release.Name }}-db-master -{{- end -}} - -{{/* - postgres.slave.serviceLabel : generic service label - contexts: [ .global ] - usage: {{ include "postgres.slave.serviceLabel" . 
}} -*/}} -{{- define "postgres.slave.serviceLabel" -}} -{{ .Values.global.projectName }}.core/service: {{ .Release.Name }}-db-slave -{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/configMap.yaml
deleted file mode 100644
index 6bc06e94b..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/configMap.yaml
+++ /dev/null
@@ -1,84 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "postgres.configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - master.conf: | - wal_level = replica - max_wal_senders = 16 - wal_keep_segments = 1024 - max_wal_size = 30GB - archive_mode = off - # archive_command = 'cp "%p" "{{ .Values.postgres.master.pvcMountPath }}/archive/%f"' - # archive_cleanup_command = 'pg_archivecleanup -d {{ .Values.postgres.master.pvcMountPath }}/archive %r' - - # INFO: extra user config - {{- if .Values.postgres.master.extraConfigs }} - {{- toYaml .Values.postgres.master.extraConfigs | nindent 2 }} - {{- end }} - - pg_hba.conf: | - # Allow any user on the local system to connect to any database with - # any database user name using Unix-domain sockets (the default for local - # connections). - # - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - {{- with .Values.global.dbCredentials }} - # Allow pgpooluser on the local system to connect to any database with - # any database user name using Unix-domain sockets (the default for local - # connections). - # - # TYPE DATABASE USER ADDRESS METHOD - local {{ .pool_user }} all trust - host {{ .pool_user }} all 127.0.0.1/32 trust - host {{ .pool_user }} all ::1/128 trust - host {{ .pool_user }} {{ .pool_user }} all md5 - - # Allow replication user on the local system to connect to any database with - # any database user name using Unix-domain sockets (the default for local - # connections). 
- # - # TYPE DATABASE USER ADDRESS METHOD - local {{ .replication_user }} all trust - host {{ .replication_user }} all 127.0.0.1/32 trust - host {{ .replication_user }} all ::1/128 trust - host {{ .replication_user }} {{ .replication_user }} all md5 - host all all all md5 - {{- end }} - - postgres.conf: | - listen_addresses = '*' - work_mem = 50MB - maintenance_work_mem = 1024MB - max_connections = 1000 - shared_buffers = 2048MB - random_page_cost = 2.0 - autovacuum_max_workers = 8 - log_autovacuum_min_duration = '1s' - autovacuum_vacuum_scale_factor = 0.15 - max_replication_slots = 10 - include_if_exists = 'master.conf' - include_if_exists = 'replica.conf' - {{- if .Values.postgres.debug }} - log_min_messages = {{ .Values.postgres.debug }} - {{- else }} - # INFO: default value from helm chart - log_min_messages = WARNING - {{- end }} - - replica.conf: | - hot_standby = on - - # wal_level = minimal - # INFO: extra user config - {{- if .Values.postgres.slave.extraConfigs }} - {{- toYaml .Values.postgres.slave.extraConfigs | nindent 2 }} - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/headlessService.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/headlessService.yaml deleted file mode 100644 index 10dcb8fc3..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/headlessService.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-db-master-headless - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - clusterIP: None - - selector: - {{- include "postgres.master.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 5432 - protocol: TCP - targetPort: 5432 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/podDisruptionBudget.yaml deleted file mode 100644 index 0d8be20f7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/podDisruptionBudget.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- $pdbRequired := and .Values.global.masterReplicas (ge (int .Values.global.masterReplicas) 2) }} -{{- if $pdbRequired -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "postgres.master.podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{- if .Values.postgres.master.podDisruptionBudget }} - {{- toYaml .Values.postgres.master.podDisruptionBudget | nindent 2 }} - {{- else }} - minAvailable: 1 - {{- end }} - selector: - matchLabels: - {{- include "postgres.master.enrichedLabels" . | nindent 6 }} -{{- else -}} -# INFO: Skipped podDisruptionBudget because replicas < 2 -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/priorityClass.yaml deleted file mode 100644 index 7f07a707e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/priorityClass.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if .Values.global.podPriorityClass.enabled -}} -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass - -metadata: - name: {{ template "postgres.master.priorityClassName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.postgres.slave.podPriorityClass }} -{{- if .Values.postgres.slave.podPriorityClass.spec }} -{{- toYaml .Values.postgres.slave.podPriorityClass.spec | nindent 0 }} -{{- else }} -# INFO: default podPriorityClass -globalDefault: false -value: 100000 -preemptionPolicy: PreemptLowerPriority -description: "Specific priority for {{ template "postgres.master.podName" . }} with preemption" -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/service.yaml deleted file mode 100644 index 68480e252..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-db-master - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "postgres.master.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 5432 - protocol: TCP - targetPort: 5432 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/statefulSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/statefulSet.yaml deleted file mode 100644 index 4461a86ae..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/master/statefulSet.yaml +++ /dev/null 
@@ -1,272 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ template "postgres.master.name" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - serviceName: {{ .Release.Name }}-db-master-headless - - updateStrategy: - type: {{ .Values.postgres.master.updateStrategy }} - - {{- if and .Values.global.masterReplicas (ge (int .Values.global.masterReplicas) 1) }} - replicas: {{ int .Values.global.masterReplicas }} - {{- else }} - replicas: 1 - {{- end }} - - selector: - matchLabels: - {{- include "postgres.master.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - {{- include "postgres.master.enrichedLabels" . | nindent 8 }} - {{- if .Values.postgres.metrics.enabled }} - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" - {{- end }} - spec: - {{- if .Values.global.podPriorityClass.enabled }} - {{- if .Values.postgres.master.podPriorityClass }} - priorityClassName: {{ template "postgres.master.priorityClassName" . }} - {{- end }} - {{- end }} - automountServiceAccountToken: false - containers: - - name: {{ template "postgres.master.name" . }}-container - image: {{ template "containerName" .Values.postgres.image.mainContainer }} - imagePullPolicy: {{ .Values.postgres.image.mainContainer.pullPolicy }} - args: - - -c - - config_file=/etc/postgres.conf - - -c - - hba_file=/etc/pg_hba.conf - - lifecycle: - postStart: - exec: - command: - - sh - - -c - - | - #!/bin/sh - set -e - mkdir -p {{ .Values.postgres.master.pvcMountPath }}/archive - ls {{ .Values.postgres.master.pvcMountPath }} - chown -R postgres:postgres {{ .Values.postgres.master.pvcMountPath }} - - ports: - - name: db - containerPort: 5432 - - envFrom: - - secretRef: - name: {{ template "postgres.secretName" . 
}} - - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: PGDATA - value: {{ .Values.postgres.master.pvcMountPath }}/pgdata - - name: PGPOOL_USER - valueFrom: - secretKeyRef: - name: {{ template "pgpool.secretName" . }} - key: PCP_USER - - name: PGPOOL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "pgpool.secretName" . }} - key: PCP_PASSWORD - - volumeMounts: - - name: {{ template "postgres.master.pvcName" . }} - mountPath: {{ .Values.postgres.master.pvcMountPath }} - - name: {{ template "postgres.configMapName" . }} - mountPath: /etc/postgres.conf - subPath: postgres.conf - - name: {{ template "postgres.configMapName" . }} - mountPath: /etc/pg_hba.conf - subPath: pg_hba.conf - - name: {{ template "postgres.configMapName" . }} - mountPath: /etc/master.conf - subPath: master.conf - - name: {{ template "postgres.script.configMapName" . }} - mountPath: /docker-entrypoint-initdb.d/01-postgres-users-setup.sh - subPath: 01-postgres-users-setup.sh - - name: {{ template "postgres.script.configMapName" . 
}} - mountPath: /docker-entrypoint-initdb.d/02-postgres-storage-setup.sh - subPath: 02-postgres-storage-setup.sh - - name: dshm - mountPath: /dev/shm - - {{- if .Values.postgres.master.readinessProbe }} - {{- if .Values.postgres.master.readinessProbe.enabled }} - {{- with .Values.postgres.master.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - exec: - command: - - 'psql' - - '-c' - - 'SELECT 1' - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.postgres.master.livenessProbe }} - {{- if .Values.postgres.master.livenessProbe.enabled }} - {{- with .Values.postgres.master.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - exec: - command: - - 'sh' - - '-c' - - 'exec pg_isready --host $POD_IP' - {{- end }} - {{- end }} - {{- end }} - {{/*{{- if .Values.postgres.image.mainContainer.securityContext }} - securityContext: - {{- toYaml .Values.postgres.image.mainContainer.securityContext | nindent 12 }} - {{- end }}*/}} - {{ if .Values.postgres.master.resources -}} - resources: - {{- toYaml .Values.postgres.master.resources | nindent 12 }} - {{- end }} - - {{- if .Values.postgres.metrics.enabled }} - - name: {{ template "postgres.master.name" . 
}}-exporter-container - image: {{ template "containerName" .Values.postgres.image.exporterContainer }} - imagePullPolicy: {{ .Values.postgres.image.exporterContainer.pullPolicy }} - ports: - - name: metrics - containerPort: 9187 - env: - {{- with .Values.global.dbCredentials }} - - name: DATA_SOURCE_NAME - value: "postgresql://{{ .postgres_user }}:{{ .postgres_password }}@localhost:5432/?sslmode=disable" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: PG_EXPORTER_CONSTANT_LABELS - value: "origin=${POD_NAME}" - resources: - limits: - cpu: "50m" - memory: "50Mi" - {{- end }} - {{- end }} - - volumes: - - name: {{ template "postgres.configMapName" . }} - configMap: - name: {{ template "postgres.configMapName" . }} - - name: {{ template "postgres.script.configMapName" . }} - configMap: - name: {{ template "postgres.script.configMapName" . }} - defaultMode: 0755 - {{- if .Values.global.existingClaim }} - - name: {{ template "postgres.master.pvcName" . }} - persistentVolumeClaim: - claimName: {{ .Values.global.existingClaim }} - {{- else }} - - name: {{ template "postgres.master.pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "postgres.master.pvcName" . 
}} - {{- end }} - - name: dshm - emptyDir: - medium: Memory - sizeLimit: "3Gi" - - terminationGracePeriodSeconds: {{ int .Values.postgres.master.terminationGracePeriodSeconds }} - - {{- if .Values.postgres.masterAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.postgres.masterAntiAffinity.mastermasterAntiaffinity }} - {{- if .Values.postgres.masterAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{ end }} - {{- if .Values.postgres.masterAntiAffinity.mastermasterAntiaffinity }} - {{- if ge (int .Values.postgres.masterAntiAffinity.mastermasterAntiaffinity) 1 }} - - weight: {{ .Values.postgres.masterAntiAffinity.mastermasterAntiaffinity }} - {{- else }} - # ERROR: .Values.postgres.masterAntiAffinity.mastermasterAntiaffinity < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: .Values.postgres.masterAntiAffinity.mastermasterAntiaffinity undefined - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: [{{ include "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "postgres.master.name" . 
}}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - {{- if .Values.postgres.masterAntiAffinity.masterslaveAntiaffinity }} - {{- if ge (int .Values.postgres.masterAntiAffinity.masterslaveAntiaffinity) 1 }} - - weight: {{ .Values.postgres.masterAntiAffinity.masterslaveAntiaffinity }} - {{- else }} - # ERROR: .Values.postgres.masterAntiAffinity.masterslaveAntiaffinity < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: .Values.postgres.masterAntiAffinity.masterslaveAntiaffinity undefined - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ include "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "postgres.slave.name" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - - {{- if not .Values.global.existingClaim }} - volumeClaimTemplates: - - metadata: - name: {{ template "postgres.master.pvcName" . }} - labels: - {{- include "postgres.master.enrichedLabels" . | nindent 8 }} - - spec: - accessModes: [{{ .Values.postgres.master.accessModes | quote }}] - resources: - requests: - storage: {{ .Values.postgres.master.requests.storage | quote }} - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/mountedConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/mountedConfigMap.yaml deleted file mode 100644 index 86a73f034..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/mountedConfigMap.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "postgres.script.configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - 01-postgres-users-setup.sh: | - #!/bin/bash - CHART_NAME="{{ template "postgres.master.name" . }}" - LOG_ORIGIN="01-postgres-users-setup.sh" - {{- include "logFunctions" . | nindent 4}} - - if [[ -z $POSTGRES_USER ]]; then - _error "POSTGRES_USER cannot be empty" - fi - - if [[ -z $POSTGRES_PASSWORD ]]; then - _error "POSTGRES_PASSWORD cannot be empty" - fi - - _info "INFO: Creating roles for pgpool and replicas" - psql -v ON_ERROR_STOP=1 <<-EOSQL - CREATE ROLE $REPLICATION_USER WITH REPLICATION ENCRYPTED PASSWORD '${POSTGRES_PASSWORD}' LOGIN; - CREATE ROLE $PGPOOL_USER WITH LOGIN ENCRYPTED PASSWORD '${PGPOOL_PASSWORD}'; - ALTER ROLE $PGPOOL_USER WITH SUPERUSER; - ALTER ROLE $POSTGRES_USER WITH LOGIN ENCRYPTED PASSWORD '${POSTGRES_PASSWORD}'; - EOSQL - - 02-postgres-storage-setup.sh: | - #!/bin/bash - CHART_NAME="{{ template "postgres.master.name" . }}" - LOG_ORIGIN="02-postgres-storage-setup.sh" - {{- include "logFunctions" . 
| nindent 4}} - - _info "Creating default schemas for database" - psql -v ON_ERROR_STOP=1 <<-EOSQL - CREATE TABLE schema_version ( - installed_rank INTEGER NOT NULL, - version CHARACTER VARYING(60), - description CHARACTER VARYING(200) NOT NULL, - type CHARACTER VARYING(20) NOT NULL, - script CHARACTER VARYING(1000) NOT NULL, - checksum INTEGER, - installed_by CHARACTER VARYING(100) NOT NULL, - installed_on TIMESTAMP WITHOUT TIME ZONE DEFAULT now() NOT NULL, - execution_time INTEGER NOT NULL, - success BOOLEAN NOT NULL - ); - ALTER TABLE schema_version OWNER TO ${POSTGRES_USER}; - INSERT INTO schema_version VALUES( - 1, - '20161206.1800', - 'Base version', - 'BASELINE', - 'Base version', - NULL, - 'postgres', - '2016-12-06 18:00:00.000000', - 0, - true - ); - EOSQL - - replica-init.sh: |- - #!/bin/sh - CHART_NAME="{{ template "postgres.slave.name" . }}" - LOG_ORIGIN="replica-init.sh" - {{- include "logFunctions" . | nindent 4}} - - {{- $release := .Release.Name }} - until pg_isready -h {{ $release }}-db-master -p 5432; do - _info "Postgres-master not ready, sleeping for {{ .Values.postgres.slave.backoffDuration }}" - sleep {{ .Values.postgres.slave.backoffDuration }} - done - _info "Postgres master is ready" - - _info "Running pg_basebackup to catch up replication server..."; - pg_basebackup -R -h {{ $release }}-db-master -D $PGDATA -U $REPLICATION_USER - _info "Fixing permissions for PGDATA" - chown -R postgres:postgres $PGDATA - - master-poststart-hook.sh: |- - #!/bin/sh - CHART_NAME="{{ template "postgres.slave.name" . }}" - LOG_ORIGIN="replica-init.sh" - {{- include "logFunctions" . 
| nindent 4}} - - _info "Creating archive dir" - mkdir -p {{ .Values.postgres.master.pvcMountPath }}/archive - - _info "Fixing permissions archive dir" - chown -R postgres:postgres {{ .Values.postgres.master.pvcMountPath }} - chown postgres:postgres {{ .Values.postgres.master.pvcMountPath }}/archive - - master-prestop-hook.sh: |- - #!/bin/sh - CHART_NAME="{{ template "postgres.slave.name" . }}" - LOG_ORIGIN="replica-init.sh" - {{- include "logFunctions" . | nindent 4}} - - _log "Gracefully shutting down the postgres replica instance" - pg_ctl stop -m fast diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/secret.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/secret.yaml deleted file mode 100644 index 8eabda625..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/secret.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Secret - -metadata: - name: {{ template "secretName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- with .Values.global.dbCredentials }} - # Postgres docker env variables - POSTGRES_DB: {{ .postgres_db | b64enc }} - POSTGRES_USER: {{ .postgres_user | b64enc }} - POSTGRES_PASSWORD: {{ .postgres_password | b64enc }} - # Postgres actual env variables - PGDATABASE: {{ .postgres_db | b64enc }} - PGUSER: {{ .postgres_user | b64enc }} - PGPASSWORD: {{ .postgres_password | b64enc }} - REPLICATION_USER: {{ .replication_user | b64enc }} - {{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/headlessService.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/headlessService.yaml deleted file mode 100644 index aab746fe9..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/headlessService.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-db-slave-headless - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - clusterIP: None - - selector: - {{- include "postgres.slave.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 5432 - protocol: TCP - targetPort: 5432 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/podDisruptionBudget.yaml deleted file mode 100644 index d26ab34b4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/podDisruptionBudget.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{- $pdbRequired := and .Values.global.replicationFactor (ge (mul .Values.global.replicationFactor .Values.global.masterReplicas ) 2) }} -{{- $pdbRequired := or $pdbRequired (and .Values.global.slaveReplicas (ge (int .Values.global.slaveReplicas) 2)) }} -{{- if $pdbRequired -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "postgres.slave.podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: -{{- if and .Values.postgres.slave.podDisruptionBudget }} - {{- toYaml .Values.postgres.slave.podDisruptionBudget | nindent 2 }} -{{- else if and .Values.global.replicationFactor (ge (mul .Values.global.replicationFactor .Values.global.masterReplicas ) 2) }} - {{- $minAvailable := sub (mul .Values.global.replicationFactor .Values.global.masterReplicas) 1 }} - minAvailable: {{ $minAvailable }} -{{- else }} - minAvailable: 1 -{{- end }} - selector: - matchLabels: - {{- include "postgres.slave.enrichedLabels" . | nindent 6 }} -{{- else -}} -# INFO: Skipped podDisruptionBudget because replicas < 2 -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/priorityClass.yaml deleted file mode 100644 index 6db7eb25f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/priorityClass.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if .Values.global.podPriorityClass.enabled -}} -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass - -metadata: - name: {{ template "postgres.slave.priorityClassName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.postgres.slave.podPriorityClass }} -{{- if .Values.postgres.slave.podPriorityClass.spec }} -{{- toYaml .Values.postgres.slave.podPriorityClass.spec | nindent 0 }} -{{- else }} -# INFO: default podPriorityClass -globalDefault: false -value: 40000 -preemptionPolicy: PreemptLowerPriority -description: "Specific priority for {{ template "postgres.slave.podName" . }} with preemption" -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/service.yaml deleted file mode 100644 index 004f57920..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-db-slave - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "postgres.slave.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 5432 - protocol: TCP - targetPort: 5432 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/statefulSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/statefulSet.yaml deleted file mode 100644 index 5ab0c419b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/templates/postgres/slave/statefulSet.yaml +++ /dev/null 
@@ -1,242 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ template "postgres.slave.name" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - serviceName: {{ .Release.Name }}-db-slave-headless - - updateStrategy: - type: {{ .Values.postgres.slave.updateStrategy }} - - {{- if and .Values.global.slaveReplicas (ge (int .Values.global.slaveReplicas) 1) }} - replicas: {{ .Values.global.slaveReplicas }} - {{- else if and .Values.global.replicationFactor (ge (mul .Values.global.replicationFactor .Values.global.masterReplicas ) 1) }} - replicas: {{ (mul .Values.global.masterReplicas .Values.global.masterReplicas) }} - {{- else }} - replicas: 2 - {{- end }} - selector: - matchLabels: - {{- include "postgres.slave.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - {{- include "postgres.slave.enrichedLabels" . | nindent 8 }} - {{- if .Values.postgres.metrics.enabled }} - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" - {{- end }} - spec: - {{- if .Values.global.podPriorityClass.enabled }} - {{- if .Values.postgres.slave.podPriorityClass }} - priorityClassName: {{ template "postgres.slave.priorityClassName" . }} - {{- end }} - {{- end }} - automountServiceAccountToken: false - initContainers: - - name: {{ template "postgres.slave.name" . }}-init-container - image: {{ template "containerName" .Values.postgres.image.initContainer }} - imagePullPolicy: {{ .Values.postgres.image.initContainer.pullPolicy }} - ports: - - name: db - containerPort: 5432 - command: - - sh - - -c - - . /vulas/replica-init.sh - - envFrom: - - secretRef: - name: {{ template "postgres.secretName" . }} - env: - - name: PGDATA - value: {{ .Values.postgres.slave.pvcMountPath }}/pgdata - - volumeMounts: - - name: {{ template "postgres.script.configMapName" . }} - mountPath: /vulas/replica-init.sh - subPath: replica-init.sh - - - name: {{ template "postgres.slave.pvcName" . 
}} - mountPath: {{ .Values.postgres.slave.pvcMountPath }} - - {{ if .Values.postgres.image.initContainer.securityContext -}} - securityContext: - {{- toYaml .Values.postgres.image.initContainer.securityContext | nindent 12 }} - {{- end }} - {{ if .Values.postgres.image.initContainer.resources -}} - resources: - {{- toYaml .Values.postgres.image.initContainer.resources | nindent 12 }} - {{- end }} - - containers: - - name: {{ template "postgres.slave.name" . }}-container - image: {{ template "containerName" .Values.postgres.image.mainContainer }} - imagePullPolicy: {{ .Values.postgres.image.mainContainer.pullPolicy }} - args: ['-c', 'config_file=/etc/postgres.conf'] - ports: - - name: db - containerPort: 5432 - - envFrom: - - secretRef: - name: {{ template "postgres.secretName" . }} - - env: - - name: PGDATA - value: {{ .Values.postgres.slave.pvcMountPath }}/pgdata - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: PGPOOL_USER - valueFrom: - secretKeyRef: - name: {{ template "pgpool.secretName" . }} - key: PCP_USER - - name: PGPOOL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "pgpool.secretName" . }} - key: PCP_PASSWORD - - volumeMounts: - - name: {{ template "postgres.slave.pvcName" . }} - mountPath: {{ .Values.postgres.slave.pvcMountPath }} - - name: {{ template "postgres.configMapName" . }} - mountPath: /etc/postgres.conf - subPath: postgres.conf - - name: {{ template "postgres.configMapName" . }} - mountPath: /etc/pg_hba.conf - subPath: pg_hba.conf - - name: {{ template "postgres.configMapName" . }} - mountPath: /etc/replica.conf - subPath: replica.conf - - name: {{ template "postgres.script.configMapName" . 
}} - mountPath: /docker-entrypoint-initdb.d/01-postgres-users-setup.sh - subPath: 01-postgres-users-setup.sh - - name: dshm - mountPath: /dev/shm - - {{- if .Values.postgres.slave.readinessProbe }} - {{- if .Values.postgres.slave.readinessProbe.enabled }} - {{- with .Values.postgres.slave.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - exec: - command: - - 'psql' - - '-c' - - 'SELECT 1' - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.postgres.slave.livenessProbe }} - {{- if .Values.postgres.slave.livenessProbe.enabled }} - {{- with .Values.postgres.slave.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - exec: - command: - - 'sh' - - '-c' - - 'exec pg_isready --host $POD_IP' - {{- end }} - {{- end }} - {{- end }} - {{/*- if .Values.postgres.image.mainContainer.securityContext }} - securityContext: - {{- toYaml .Values.postgres.image.mainContainer.securityContext | nindent 12 }} - {{- end */}} - {{- if .Values.postgres.slave.resources }} - resources: - {{- toYaml .Values.postgres.slave.resources | nindent 12 }} - {{- end }} - - {{- if .Values.postgres.metrics.enabled }} - - name: {{ template "postgres.slave.name" . 
}}-exporter-container - image: {{ template "containerName" .Values.postgres.image.exporterContainer }} - imagePullPolicy: {{ .Values.postgres.image.exporterContainer.pullPolicy }} - ports: - - name: metrics - containerPort: 9187 - env: - {{- with .Values.global.dbCredentials }} - - name: DATA_SOURCE_NAME - value: "postgresql://{{ .postgres_user }}:{{ .postgres_password }}@localhost:5432/?sslmode=disable" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: PG_EXPORTER_CONSTANT_LABELS - value: "origin=${POD_NAME}" - {{- end }} - resources: - limits: - cpu: "50m" - memory: "50Mi" - {{- end }} - - volumes: - - name: {{ template "postgres.configMapName" . }} - configMap: - name: {{ template "postgres.configMapName" . }} - - name: {{ template "postgres.script.configMapName" . }} - configMap: - name: {{ template "postgres.script.configMapName" . }} - defaultMode: 0755 - - name: {{ template "postgres.slave.pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "postgres.slave.pvcName" . }} - - name: dshm - emptyDir: - medium: Memory - sizeLimit: "3Gi" - - terminationGracePeriodSeconds: {{ int .Values.postgres.slave.terminationGracePeriodSeconds }} - {{- if .Values.postgres.slaveAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.postgres.slaveAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{ end }} - - weight: {{ .Values.postgres.slaveAntiAffinity.weight }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ include "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "postgres.slave.name" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - - volumeClaimTemplates: - - metadata: - name: {{ template "postgres.slave.pvcName" . }} - labels: - {{- include "postgres.slave.enrichedLabels" . 
| nindent 8 }} - - spec: - accessModes: [{{ .Values.postgres.slave.accessModes | quote }}] - resources: - requests: - storage: {{ .Values.postgres.slave.requests.storage | quote }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/values.yaml deleted file mode 100644 index f03a3b3f7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/values.yaml +++ /dev/null 
@@ -1,297 +0,0 @@ -postgres: - metrics: - enabled: true - - masterAntiAffinity: {} - # soft: true - # mastermasterAntiaffinity: 100 - # masterslaveAntiaffinity: 50 - - slaveAntiAffinity: {} - # soft: true - # weight: 50 - - # Values in { - # - DEBUG1..DEBUG5 - # - INFO - # - NOTICE - # - WARNING - # - ERROR - # - LOG - # - FATAL - # - PANIC - # } - debug: WARNING - - image: - initContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "postgres" - # Alpine images for init container to reduce - # overal resource strain with Image size: 28MBs - tag: "11.5-alpine" - - securityContext: - runAsUser: 0 - privileged: true - - resources: {} - # limits: - # memory: "35Mi" - # cpu: "150m" - # requests: - # memory: "25Mi" - # cpu: "100m" - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "postgres" - # Debian based image - # Image size : 117MB - tag: "11.5" - - securityContext: - runAsUser: 999 - runAsGroup: 999 - privileged: false - readOnlyRootFilesystem: false - - exporterContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "wrouesnel/postgres_exporter" - # Debian based image - # Image size : 5.65MB - tag: "v0.5.1" - - master: - extraConfigs: {} - updateStrategy: "RollingUpdate" - # Desired master statefulset replicas - # Suggestion : ~= 1 - # or multiple but requires strict separation of R/W stream - # due to lack of consistency between masters - replicas: {} - resources: {} - # requests: - # memory: "16Gi" - # cpu: "16" - - podDisruptionBudget: {} - # # Warning : this won't be applied unless the replicas - # # values are >= 2 - # minAvailable: 1 - - podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 100000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - - # Allows pods to live a certain period after termination - terminationGracePeriodSeconds: 10 - - readinessProbe: - enabled: true - # Worst 
case scenario time of failed response before container is considered ready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 29s ~= .5min - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 3 - failureThreshold: 3 - - livenessProbe: - enabled: true - # Worst case scenario time of failed response before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 220s ~= 4min - initialDelaySeconds: 60 - periodSeconds: 5 - timeoutSeconds: 3 - failureThreshold: 20 - - # This value is injected to postgres using the env variable $PG_DATA - # and the default value is the one recommended for postgresql imaes - pvcMountPath: "/var/lib/postgresql/data" - # Injecting this value ignores all other requests and accessModes input - # If set to { }, uses the other values - existingClaim: {} - accessModes: "ReadWriteOnce" - requests: - # After populating the database with go load and performing a global scan with - # patchlibanalyzer, the total database weights around 454M, but for actual uses: - # - 10Gi would be enough for very small test environments - # - 100Gi recommended for small-medium production environments - # - 500Gi recommended for big production environments (which is our case) - storage: "10Gi" - - slave: - backoffDuration: 10 - resources: {} - # requests: - # memory: "8Gi" - # cpu: "8" - # limits: - # memory: "15Gi" - # cpu: "15" - extraConfigs: {} - - - # Warning: this won't be applied unless the replicas - # values are >= 2 - podDisruptionBudget: {} - podPriorityClass: - - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 40000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - - # Replicas will be dynamically calculated if set to {} - # # Desired slave statefulset replicas - # # Suggestion : ~= R * master stateful set replicas - # # with R the desired replication factor - # # Replicas will 
be dynamically calculated if set to {} - # replicas: 3 - updateStrategy: "RollingUpdate" - terminationGracePeriodSeconds: 10 - - readinessProbe: - # Worst case scenario time of failed response before container is considered ready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 94s ~= 1.5min - enabled: true - initialDelaySeconds: 40 - periodSeconds: 15 - timeoutSeconds: 3 - failureThreshold: 3 - - livenessProbe: - enabled: false - # Worst case scenario time of failed response before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 220s ~= 4min - initialDelaySeconds: 40 - periodSeconds: 15 - timeoutSeconds: 3 - failureThreshold: 10 - - # This value is injected to postgres using the env variable $PG_DATA - # and the default value is the one recommended for postgresql images - pvcMountPath: "/var/lib/postgresql/data" - accessModes: "ReadWriteOnce" - requests: - storage: "10Gi" - - -pgpool: - name: pgpool - # If set to false this sets CRUNCHY_DEBUG="False" as an env variable - # else CRUNCHY_DEBUG="true" because this is a crunchy pgpool image - debug: false - # Suggestion : ~= master statefulset replicas + slave statefulset replicas - # dynamically computed if set to {} - replicas: 3 - - podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 30000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - - # Allows for automated rolling updates - updateStrategy: "RollingUpdate" - podDisruptionBudget: {} - # # Warning : this won't be applied unless the replicas - # # values are >= 2 - # # Pod disruption budget can be set dynamically or statically - # # dynamic: sum ( masters + replication factor * master ) - # dynamic: true - # # minAvailable: 1 - - antiAffinity: {} - # soft: true - # # _d_ antiAffinity towards own pods - # selfAntiAffinity: 50 - - affinity: {} - # soft: true - # # 
affinity towards being close to postgres replica nodes - # poolreplicaAffinity: 50 - # # affinity towards being close to postgres master nodes - # # preference higher than replica nodes because write functions - # # are only available on master nodes - # poolmasterAffinity: 70 - - loadBalanceMode: on - failOverOnBackendError: off - numInitChildren: 100 - - maxPool: 10 - clientIdleLimit: 920 - connectionLifeTime: 500 - - # Allows pods to live a certain period after termination - terminationGracePeriodSeconds: 15 - useWatchDog: on - watchDog: - interval: 15 - - healthCheck: - timeout: 0 - period: 30 - maxRetries: 5 - retryDelay: 5 - - image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "crunchydata/crunchy-pgpool" - tag: "centos7-11.4-2.4.1" - - securityContext: - runAsUser: 999 - runAsGroup: 999 - privileged: false - readOnlyRootFilesystem: false - - resources: {} - # limits: - # memory: "2Gi" - # cpu: "2000m" - # requests: - # memory: "1Gi" - # cpu: "1000m" - - readinessProbe: - # Worst case scenario time of failed response before container is considered ready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 95s ~= 1.5min - enabled: true - initialDelaySeconds: 35 - periodSeconds: 10 - timeoutSeconds: 10 - failureThreshold: 3 - - livenessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 155s ~= 2.5min - enabled: true - initialDelaySeconds: 35 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 3 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/values_production.yaml deleted file mode 100644 index f35fb8273..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/database/values_production.yaml +++ /dev/null 
@@ -1,291 +0,0 @@ -postgres: - metrics: - enabled: true - - masterAntiAffinity: - soft: true - mastermasterAntiaffinity: 100 - masterslaveAntiaffinity: 50 - - slaveAntiAffinity: - soft: true - weight: 50 - - # Values in { - # - DEBUG1..DEBUG5 - # - INFO - # - NOTICE - # - WARNING - # - ERROR - # - LOG - # - FATAL - # - PANIC - # } - debug: WARNING - - image: - initContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "postgres" - # Alpine images for init container to reduce - # overal resource strain with Image size: 28MBs - tag: "11.5-alpine" - - securityContext: - runAsUser: 0 - privileged: true - - resources: - limits: - memory: "35Mi" - cpu: "150m" - requests: - memory: "25Mi" - cpu: "100m" - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "postgres" - # Debian based image - # Image size : 117MB - tag: "11.5" - - securityContext: - runAsUser: 999 - runAsGroup: 999 - privileged: false - readOnlyRootFilesystem: false - - exporterContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "wrouesnel/postgres_exporter" - # Image size : 5.65MB - tag: "v0.5.1" - - master: - extraConfigs: {} - updateStrategy: "RollingUpdate" - # Suggestion : ~= 1 - # or multiple but requires strict separation of R/W stream - # due to lack of consistency between masters - replicas: {} - resources: - requests: - memory: "15Gi" - cpu: "15" - limits: - memory: "22Gi" - cpu: "22" - - podDisruptionBudget: - # Warning : this won't be applied unless the replicas - # values are >= 2 - minAvailable: 1 - - podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 100000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - - # Allows pods to live a certain period after termination - terminationGracePeriodSeconds: 10 - - readinessProbe: - enabled: true - # Worst case scenario time of failed response before container is considered 
ready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 29s ~= .5min - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 3 - failureThreshold: 3 - - livenessProbe: - enabled: true - # Worst case scenario time of failed response before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 220s ~= 4min - initialDelaySeconds: 60 - periodSeconds: 20 - timeoutSeconds: 3 - failureThreshold: 20 - - # This value is injected to postgres using the env variable $PG_DATA - # and the default value is the one recommended for postgresql imaes - pvcMountPath: "/var/lib/postgresql/data" - accessModes: "ReadWriteOnce" - requests: - # This value is set for production conditions and is therefore quite high - storage: "10Gi" - - slave: - backoffDuration: 10 - resources: - requests: - memory: "8Gi" - cpu: "8" - limits: - memory: "15Gi" - cpu: "15" - - extraConfigs: {} - # Warning: this won't be applied unless the replicas - # values are >= 2 - podDisruptionBudget: {} - podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 40000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - - # Replicas will be dynamically calculated if set to {} - # # Desired slave statefulset replicas - # # Suggestion : ~= R * master stateful set replicas - # # with R the desired replication factor - # # Replicas will be dynamically calculated if set to {} - # replicas: 3 - - # Allows for automated rolling updates - updateStrategy: "RollingUpdate" - - # Allows pods to live a certain period after termination - terminationGracePeriodSeconds: 10 - readinessProbe: - enabled: true - # Worst case scenario time of failed response before container is considered ready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 94s ~= 1.5min - initialDelaySeconds: 40 - periodSeconds: 15 - 
timeoutSeconds: 3 - failureThreshold: 3 - - livenessProbe: - # Worst case scenario time of failed response before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 220s ~= 4min - enabled: false - initialDelaySeconds: 40 - periodSeconds: 15 - timeoutSeconds: 3 - failureThreshold: 10 - - # This value is injected to postgres using the env variable $PG_DATA - # and the default value is the one recommended for postgresql imaes - pvcMountPath: "/var/lib/postgresql/data" - accessModes: "ReadWriteOnce" - requests: - # This value is set for production conditions and is therefore quite high - storage: "10Gi" - -pgpool: - name: pgpool - # If set to false this sets CRUNCHY_DEBUG="False" as an env variable - # else CRUNCHY_DEBUG="true" because this is a crunchy pgpool image - debug: false - # Suggestion : ~= master statefulset replicas + slave statefulset replicas - # dynamically computed if set to {} - replicas: 3 - - podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 30000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - - # Allows for automated rolling updates - updateStrategy: "RollingUpdate" - podDisruptionBudget: - # Warning : this won't be applied unless the replicas - # values are >= 2 - # Pod disruption budget can be set dynamically or statically - # dynamic: sum ( masters + replication factor * master ) - dynamic: true - # minAvailable: 1 - - antiAffinity: - soft: true - selfAntiAffinity: 50 - - affinity: - soft: true - # affinity towards being close to postgres replica nodes - poolreplicaAffinity: 50 - # affinity towards being close to postgres master nodes - # preference higher than replica nodes because write functions - # are only available on master nodes - poolmasterAffinity: 70 - - loadBalanceMode: on - failOverOnBackendError: off - numInitChildren: 100 - - maxPool: 10 - clientIdleLimit: 920 - 
connectionLifeTime: 500 - - # Allows pods to live a certain period after termination - terminationGracePeriodSeconds: 15 - useWatchDog: on - watchDog: - interval: 15 - - healthCheck: - timeout: 0 - period: 30 - maxRetries: 5 - retryDelay: 5 - - image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "crunchydata/crunchy-pgpool" - tag: "centos7-11.4-2.4.1" - - securityContext: - runAsUser: 999 - runAsGroup: 999 - privileged: false - readOnlyRootFilesystem: false - - resources: - limits: - memory: "2Gi" - cpu: "2000m" - requests: - memory: "1Gi" - cpu: "1000m" - - readinessProbe: - # Worst case scenario time of failed response before container is considered ready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 95s ~= 1.5min - enabled: true - initialDelaySeconds: 35 - periodSeconds: 10 - timeoutSeconds: 10 - failureThreshold: 3 - - livenessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 155s ~= 2.5min - enabled: true - initialDelaySeconds: 35 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 3 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/Chart.yaml deleted file mode 100644 index c63e4bed4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/Chart.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" - -description: A Chart for frontendapps -name: frontendapps -version: 0.1.1 -appVersion: "3.1.7-SNAPSHOT" -kubeVersion: ">=v1.15.0" - -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/README.md deleted file mode 100644 index 4dcca184d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/README.md +++ /dev/null 
@@ -1,59 +0,0 @@ -# Frontend-apps: an UI5 interface for scans and report - -> This chart is already included in the vulnerability-assessment-tool-core chart - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the frontendapps subchart of the vulnerability-assessment-tool-core chart v0.1.1 chart -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the frontendapps chart and their default values. - -| Parameter | Description | Default | -| --- | --- | --- | -| replicas | For HA `2` or `3` replicas are recommended | `2` | -| debug | Sets the debug level for scripts | `true` | -| horizontalPodAutoScaler.enabled | Enables an autoscaling (requires a metrics server up and running) | `False` | -| image.pullPolicy | These images are maintained by the Eclipse Steady team and won't be subject to drift | `IfNotPresent` | -| image.name | | `eclipse/steady-frontend-apps` | -| image.tag | | `-jib` | -| image.livenessProbe | | enabled: `true`
initialDelaySeconds: `12`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `3` | -| image.readinessProbe | | enabled: `true`
initialDelaySeconds: `12`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `3` | - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -| Parameter | Description | Default | -| --- | --- | --- | -| selfAntiAffinity | Makes frontend apps pod avoid each other | soft: `true`
weight: `100` | -| image.resources | The computing is done client-side so the requirements are quite low | requests:
 memory:`100Mi`
 cpu: `100m`
limit:
 memory: `200Mi`
 cpu: `200m` | -| image.securityContext | | runAsUser: `65534`
runAsGroup: `65534`
privileged: `False`
readOnlyRootFilesystem: `False`
capabilities:
 drop: `["ALL"]`
 add: `["SYS_TIME", "NET_ADMIN"]` | - -- Disabling probres: - -```diff -- livenessProbe.enabled: true -- readinessProbe.enabled: true -+ livenessProbe.enabled: False -+ readinessProbe.enabled: False -``` diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/NOTES.txt deleted file mode 100644 index d39c1da4d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/NOTES.txt +++ /dev/null @@ -1,16 +0,0 @@ - -The vulnerability-assessment-tool frontendapps chart has successfully been installed. -Base image: {{ .Values.image.name }}:{{ .Values.image.tag }} -{{- if .Values.image.resources }} -Resources: -- cpu : [{{ .Values.image.resources.requests.cpu | default "NA" }}, {{ .Values.image.resources.limits.cpu | default "NA"}}] -- memory : [{{ .Values.image.resources.requests.memory | default "NA" }}, {{ .Values.image.resources.limits.memory | default "NA"}}] -{{- end }} - -Within the cluster it can be accessed by this endpoints: - - - http://frontend-apps:8080/apps - -This app is not directly exposed to the internet and can only be served by -an ingress controller. You can also add a service with an externalDomain which -could expose this service. diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/_labels.tpl deleted file mode 100644 index faca9ca2a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/_labels.tpl +++ /dev/null 
@@ -1,31 +0,0 @@
-{{/*---------------------------- Local Templates ----------------------------*/}}
-{{/*
- frontendapps.enrichedLabels : generic for admin labels
- contexts: [ . ]
- usage: {{ include "frontendapps.enrichedLabels" . }}
-*/}}
-{{- define "frontendapps.enrichedLabels" -}}
-app.kubernetes.io/instance: {{ template "podName" . }}
-{{ include "commonLabels" . }}
-{{ include "frontendapps.serviceLabel" . }}
-{{- end -}}
-
-{{/*
- frontendapps.serviceLabels : generic service labels
- contexts: [ .global ]
- usage: {{ include "frontendapps.serviceLabels" . }}
-*/}}
-{{- define "frontendapps.serviceLabels" -}}
-{{ include "projectLabels" . }}
-{{ include "frontendapps.serviceLabel" . }}
-{{- end -}}
-
-{{/*---------------------------- Global Templates ---------------------------*/}}
-{{/*
- frontendapps.serviceLabel: generic admin service label
- contexts: [ . ]
- usage: {{ include "frontendapps.serviceLabel" . }}
- */}}
-{{- define "frontendapps.serviceLabel" -}}
-{{ .Values.global.projectName }}.core/service: {{ .Release.Name }}-frontend-apps
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/configMap.yaml
deleted file mode 100644
index fa592133c..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/configMap.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.extraConfigs }}
-apiVersion: v1
-kind: ConfigMap
-
-metadata:
- name: {{ template "configMapName" . }}
- namespace: {{ .Values.global.namespace }}
- labels:
- {{- include "commonLabels" . | nindent 4 }}
-
-data:
- # INFO: User defined environment in extraConfigs
- {{- toYaml .Values.extraConfigs | nindent 2 }}
-{{- else }}
-# INFO: configmap disabled because extraConfigs set to {}
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/deployment.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/deployment.yaml
deleted file mode 100644
index 38252cb23..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/deployment.yaml
+++ /dev/null
@@ -1,112 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment - -metadata: - name: {{ template "deploymentName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.replicas }} - - selector: - matchLabels: - {{- include "frontendapps.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - {{- include "frontendapps.enrichedLabels" . | nindent 8 }} - {{- if .Values.extraConfigs }} - annotations: - checksum/frontendapps-config: {{ include (print $.Template.BasePath "/configMap.yaml") . | sha256sum }} - {{- end }} - - spec: - {{- if .Values.global.podPriorityClass.enabled }} - priorityClassName: {{ template "priorityClassName" . }} - {{- end }} - automountServiceAccountToken: false - containers: - - name: {{ template "name" . }}-container - image: {{ template "containerName" .Values.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 8080 - {{- if .Values.debug }} - env: - - name: DEBUG - value: "true" - {{- end }} - {{- if .Values.extraConfigs }} - envFrom: - - configMapRef: - name: {{ template "configMapName" . 
}} - {{- end }} - {{- if .Values.image.resources }} - resources: - {{- toYaml .Values.image.resources | nindent 12 }} - {{- end }} - - {{- $global := .Values.global }} - {{- if and .Values.image.livenessProbe .Values.image.livenessProbe.enabled }} - {{- with .Values.image.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - tcpSocket: - port: http - {{- end }} - {{- end }} - {{- if and .Values.image.readinessProbe .Values.image.readinessProbe.enabled }} - {{- with .Values.image.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /apps - port: http - {{- end }} - {{- end }} - {{ if .Values.image.securityContext }} - securityContext: - {{- toYaml .Values.image.securityContext | nindent 12 }} - securityContext: - runAsNonRoot: true - {{- end -}} - {{- if .Values.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution - {{- end }} - {{- if .Values.selfAntiAffinity.weight }} - {{- if ge (int .Values.selfAntiAffinity.weight) 1 }} - - weight: {{ .Values.selfAntiAffinity.weight }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight undefined - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ template "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/horizontalPodAutoscaler.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/horizontalPodAutoscaler.yaml
deleted file mode 100644
index d7fa03917..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/horizontalPodAutoscaler.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.horizontalPodAutoScaler.enabled -}}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-
-metadata:
- name: {{ template "horizontalPodAutoScalerName" . }}
- namespace: {{ .Values.global.namespace }}
- labels:
- {{- include "commonLabels" . | nindent 4 }}
-
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ template "deploymentName" . }}
-
- minReplicas: {{ .Values.replicas }}
- maxReplicas: {{ mul .Values.replicas 3 }}
- {{- if .Values.horizontalPodAutoScaler.spec }}
- # INFO: User defined hpa spec in .horizontalPodAutoScaler.spec
- {{- toYaml .Values.horizontalPodAutoScaler.spec | nindent 2 }}
- {{- else }}
- # INFO: Default hpa spec
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: 70
- {{- end }}
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/podDisruptionBudget.yaml
deleted file mode 100644
index 603b9f9ad..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/podDisruptionBudget.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if and .Values.replicas (ge (int .Values.replicas) 2) -}}
-{{- if .Values.podDisruptionBudget -}}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-
-metadata:
- name: {{ template "podDisruptionBudgetName" . }}
- namespace: {{ .Values.global.namespace }}
- labels:
- {{- include "commonLabels" . | nindent 4 }}
-
-spec:
- # INFO: User defined pdb in .podDisruptionBudget
- {{ toYaml .Values.podDisruptionBudget }}
- selector:
- matchLabels:
- {{- include "frontendapps.enrichedLabels" . | nindent 6 }}
-{{- end -}}
-{{- else -}}
-# INFO: Skipped podDisruptionBudget because replicas < 2
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/priorityClass.yaml
deleted file mode 100644
index 5b358fda4..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/priorityClass.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if .Values.global.podPriorityClass.enabled -}}
-apiVersion: scheduling.k8s.io/v1beta1
-kind: PriorityClass
-
-metadata:
- name: {{ template "priorityClassName" . }}
- labels:
- {{- include "commonLabels" . | nindent 4 }}
-
-{{- if .Values.podPriorityClass }}
-{{- if .Values.podPriorityClass.spec }}
-# INFO: user defined ppc in .podPriorityClass.spec
-{{- toYaml .Values.podPriorityClass.spec | nindent 0 }}
-{{- else }}
-# INFO: default podPriorityClass
-globalDefault: false
-value: 200
-preemptionPolicy: Never
-description: "Specific priority for {{ template "podName" . }}"
-{{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/service.yaml
deleted file mode 100644
index 0dda1d288..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-
-metadata:
- name: {{ .Release.Name }}-frontend-apps
- namespace: {{ .Values.global.namespace }}
- labels:
- {{- include "commonLabels" . | nindent 4 }}
-
-spec:
- type: ClusterIP
-
- selector:
- {{- include "frontendapps.serviceLabels" . | nindent 4 }}
-
- ports:
- - name: http
- port: 8080
- protocol: TCP
- targetPort: 8080
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_container.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_container.tpl
deleted file mode 100644
index 24f963b28..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_container.tpl
+++ /dev/null
@@ -1,18 +0,0 @@
-
-{{/*-------------------------- Global Templates ----------------------------*/}}
-{{/*
- containerName : Generates containerName
- contexts: [ .global ]
- usage: {{ include "containerName" . }}
-*/}}
-{{- define "containerName" -}}
-{{- if .registry -}}
-{{- printf "%s" .registry -}}
-{{- if .registryPort -}}
-{{- printf ":%d/" (int .registryPort) -}}
-{{- else -}}
-{{- printf "/" -}}
-{{- end -}}
-{{- end -}}
-{{- printf "%s:%s" .name .tag }}
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_getters.tpl
deleted file mode 100644
index 6ab5fbed4..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_getters.tpl
+++ /dev/null
@@ -1,250 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - name : Gets name of current component - contexts: [ . ] - usage: {{ include "name" . }} -*/}} -{{- define "name" -}} -{{ .Release.Name }}-{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - chart : Gets chart name of current component - contexts: [ . ] - usage: {{ include "chart" . }} -*/}} -{{- define "chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - configMapName : config map name getter - contexts: [ . ] - usage: {{ include "configMapName" . }} -*/}} -{{- define "configMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - -{{/* - cronJobName : cronJobName getter - contexts: [ . ] - usage: {{ include "cronJobName" . }} -*/}} -{{- define "cronJobName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cron-job" $name -}} -{{- end -}} - -{{/* - mountedConfigMapName : mounted config map name getter - contexts: [ . ] - usage: {{ include "mountedConfigMapName" . }} -*/}} -{{- define "mountedConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-mounted-config" $name -}} -{{- end -}} - -{{/* - envConfigMapName : env config map name getter - contexts: [ . ] - usage: {{ include "envConfigMapName" . }} -*/}} -{{- define "envConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-env-config" $name -}} -{{- end -}} - - -{{/* - secretName : secret name getter - contexts: [ . ] - usage: {{ include "secretName" . }} -*/}} -{{- define "secretName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-secret" $name -}} -{{- end -}} - -{{/* - deploymentName : Deployment name getter - contexts: [ . ] - usage: {{ include "deploymentName" . }} -*/}} -{{- define "deploymentName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - -{{/* - daemonSetName : DaemonSet name getter - contexts: [ . ] - usage: {{ include "daemonSetName" . }} -*/}} -{{- define "daemonSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-daemon-set" $name -}} -{{- end -}} - -{{/* - statefulSetName : Statefulset name getter - contexts: [ . ] - usage: {{ include "statefulSetName" . }} -*/}} -{{- define "statefulSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} - -{{/* - pvcName : patchlibanalyzer pvc name getter - contexts: [ . ] - usage: {{ include "pvcName" . }} -*/}} -{{- define "pvcName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-volume-claim" $name -}} -{{- end -}} - -{{/* - pvName : patchlibanalyzer pv name getter - contexts: [ . ] - usage: {{ include "pvName" . }} -*/}} -{{- define "pvName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-persistent-nfs-volume" $name -}} -{{- end -}} - - -{{/* - serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "serviceAccountName" . }} -*/}} -{{- define "serviceAccountName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-service-account" $name -}} -{{- end -}} - -{{/* - roleName : role name getter - contexts: [ . ] - usage: {{ include "roleName" . }} -*/}} -{{- define "roleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role" $name -}} -{{- end -}} - -{{/* - roleBindingName : role binding name getter - contexts: [ . ] - usage: {{ include "roleBindingName" . }} -*/}} -{{- define "roleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role-binding" $name -}} -{{- end -}} - -{{/* - clusterRoleName : cluster role name getter - contexts: [ . ] - usage: {{ include "clusterRoleName" . }} -*/}} -{{- define "clusterRoleName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-cluster-role" $name -}} -{{- end -}} - -{{/* - clusterRoleBindingName : cluster role binding name getter - contexts: [ . ] - usage: {{ include "clusterRoleBindingName" . }} -*/}} -{{- define "clusterRoleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cluster-role-binding" $name -}} -{{- end -}} - -{{/* - podName : deployment pod name getter - contexts: [ . ] - usage: {{ include "podName" . }} -*/}} -{{- define "podName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - podDisruptionBudgetName : deployment podDisruptionBudget name getter - contexts: [ . ] - usage: {{ include "podDisruptionBudgetName" . }} -*/}} -{{- define "podDisruptionBudgetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - -{{/* - networkPolicyName : networkPolicyName getter - contexts: [ . ] - usage: {{ include "networkPolicyName" . }} -*/}} -{{- define "networkPolicyName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-network-policy" $name -}} -{{- end -}} - -{{/* - horizontalPodAutoScalerName : horizontalPodAutoScalerName getter - contexts: [ . ] - usage: {{ include "horizontalPodAutoScalerName" . }} -*/}} -{{- define "horizontalPodAutoScalerName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-horizontal-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - verticalPodAutoScaler : verticalPodAutoScaler getter - contexts: [ . ] - usage: {{ include "verticalPodAutoScaler" . }} -*/}} -{{- define "verticalPodAutoScaler" -}} -{{- $name := include "name" . -}} -{{- printf "%s-vertical-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - podSecurityPolicyName : podSecurityPolicyName getter - contexts: [ . ] - usage: {{ include "podSecurityPolicyName" . }} -*/}} -{{- define "podSecurityPolicyName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-pod-security-policy" $name -}} -{{- end -}} - -{{/* - headlessServiceName : headlessServiceName getter - contexts: [ . ] - usage: {{ include "headlessServiceName" . }} -*/}} -{{- define "headlessServiceName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-headless-service" $name .Release.Name -}} -{{- end -}} - -{{/* - priorityClassName : priorityClassName getter - contexts: [ . ] - usage: {{ include "priorityClassName" . }} -*/}} -{{- define "priorityClassName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-priority-class" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_labels.tpl deleted file mode 100644 index b6823fff7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_labels.tpl +++ /dev/null @@ -1,26 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - commonLabels : generic labels - contexts: [ . ] - usage: {{ include "commonLabels" . }} -*/}} - -{{- define "commonLabels" -}} -{{ if .Chart.AppVersion -}} -app.kubernetes.io/name: {{ .Chart.Name }} -app.kubernetes.io/part-of: {{ .Values.global.projectName }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{ include "projectLabels" . }} -{{- end -}} - - -{{/* - projectLabels : generic labels - contexts: [ . ] - usage: {{ include "projectLabels" . }} -*/}} -{{- define "projectLabels" -}} -{{ .Values.global.projectName }}/environment: {{ .Values.global.env }} -{{ .Values.global.projectName }}/release-name: {{ .Release.Name }} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_logs.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_logs.tpl deleted file mode 100644 index 63f2002a6..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_logs.tpl +++ /dev/null @@ -1,22 +0,0 @@ -{{/*-------------------------- Global Templates ----------------------------*/}} -{{/* - logFunctions : generic logging function - contexts: [ . ] - usage: {{ include "logFunctions" . }} -*/}} - -{{- define "logFunctions" -}} -_log() { - echo `date "+%Y:%m:%d-%H:%M:%S"` "[$CHART_NAME|$LOG_ORIGIN]" "$1": "$2" -} - -_error() { - _log "ERROR" "$1" -} - -_info() { - if [ -z $DEBUG ]; then - _log "INFO" "$1" - fi -} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_ports.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_ports.tpl deleted file mode 100644 index e4be75e08..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/templates/shared/_ports.tpl +++ /dev/null @@ -1,12 +0,0 @@ - -{{/* - listPorts : lists port - contexts: [ .global ] - usage: {{ include "listPorts" . }} -*/}} -{{- define "listPorts" -}} -{{- range $key, $value := . }} -- name: {{ $key }} - {{- toYaml . | nindent 2 }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/values.yaml deleted file mode 100644 index d9b4272a7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Suggestion : number of frontendapps replicas should -# be approximatively the amount of backend replicas -# in order to maximize uptime of the said service -replicas: 2 - -horizontalPodAutoScaler: - enabled: false - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 70 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 200 - # preemptionPolicy: Never - spec: {} - -# Sets logging level for shell scripts -debug: true - -extraConfigs: {} -podNetworkPolicy: - enabled: false - -podDisruptionBudget: {} - # Warning: this won't be applied unless the replicas - # values are >= 2 - # minAvailable: 1 - -selfAntiAffinity: {} - # You can set selfAntiAffinity to {} in order to skip - # all affinity declarations in the statefulset - # soft: true - # weight: 100 - -image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Jetty web server used to submit code for review - name: "eclipse/steady-frontend-apps" - # Footprint: - # - size: 68 MB - tag: "3.2.0-SNAPSHOT-jib" - - livenessProbe: - enabled: true - # Worst case scenario time of failed response before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 82s ~= 1.5min - initialDelaySeconds: 12 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 3 - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 82s ~= 1.5min - enabled: true - # Since this is a rather lightweight jetty server the startup time should - # be around ~ 
12s. - initialDelaySeconds: 12 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - - resources: {} - # limits: - # memory: "200Mi" - # cpu: "200m" - # requests: - # memory: "100Mi" - # cpu: "100m" - - securityContext: {} - # runAsUser: 65534 - # runAsGroup: 65534 - # privileged: false - # readOnlyRootFilesystem: false - # capabilities: {} - # drop: - # - ALL - # add: - # - SYS_TIME - # - NET_ADMIN diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/values_production.yaml deleted file mode 100644 index f6643840c..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendapps/values_production.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -# Suggestion : number of frontendapps replicas should -# be approximatively the amount of backend replicas -# in order to maximize uptime of the said service -replicas: 2 - -horizontalPodAutoScaler: - enabled: true - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 70 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 200 - # preemptionPolicy: Never - spec: {} - -# Sets logging level for shell scripts -debug: true -extraConfigs: {} - -podNetworkPolicy: - enabled: false -podDisruptionBudget: {} - # Warning: this won't be applied unless the replicas - # values are >= 2 - # minAvailable: 1 -selfAntiAffinity: - # You can set selfAntiAffinity to {} in order to skip - # all affinity declarations in the statefulset - soft: true - weight: 100 - -image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Jetty web server used to submit code for review - name: "eclipse/steady-frontend-apps" - # Footprint: - # - size: 68 MB - tag: "3.2.0-SNAPSHOT-jib" - - livenessProbe: - enabled: true - # Worst case scenario time of failed response before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 82s ~= 1.5min - initialDelaySeconds: 12 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 3 - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 82s ~= 1.5min - enabled: true - # Since this is a rather lightweight jetty server the startup time should - # be around ~ 12s. 
- initialDelaySeconds: 12 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - - resources: - limits: - memory: "200Mi" - cpu: "200m" - requests: - memory: "100Mi" - cpu: "100m" - - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - privileged: false - readOnlyRootFilesystem: false - capabilities: - drop: - - ALL - add: - - SYS_TIME - - NET_ADMIN diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/Chart.yaml deleted file mode 100644 index 88f28551f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" - -description: A Chart for frontendbugs -name: frontendbugs -version: 0.1.1 -kubeVersion: ">=v1.15.0" - -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/README.md deleted file mode 100644 index df7eb8091..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/README.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# Frontend-apps: an UI5 interface for managing bugs - -> This chart is already included in the vulnerability-assessment-tool-core chart - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the frontendbugs subchart of the vulnerability-assessment-tool-core chart v0.1.1 chart -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the frontendbugs chart and their default values. - -| Parameter | Description | Default | -| --- | --- | --- | -| replicas | For HA `2` or `3` replicas are recommended | `2` | -| debug | Sets the debug level for scripts | `true` | -| horizontalPodAutoScaler.enabled | Enables an autoscaling (requires a metrics server up and running) | `False` | -| image.pullPolicy | These images are maintained by the team and won't be subject to drift | `IfNotPresent` | -| image.name | | `eclipse/steady-frontend-bugs` | -| image.tag | | `3.2.5-SNAPSHOT-SNAPSHOT-jib` | -| image.livenessProbe | | enabled: `true`
initialDelaySeconds: `8`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `3` | -| image.readinessProbe | | enabled: `true`
initialDelaySeconds: `5`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `3` | - - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -| Parameter | Description | Default | -| --- | --- | --- | -| selfAntiAffinity | Makes frontend apps pod avoid each other | soft: `true`
weight: `100` | -| image.resources | The computing is done client-side so the requirements are quite low | requests:
 memory:`100Mi`
 cpu: `100m`
limit:
 memory: `200Mi`
 cpu: `200m` | -| image.securityContext | | runAsUser: `65534`
runAsGroup: `65534`
privileged: `False`
readOnlyRootFilesystem: `False`
capabilities:
 drop: `["ALL"]`
 add: `["SYS_TIME", "NET_ADMIN"]` | - -- Disabling probres: - -```diff -- livenessProbe.enabled: true -- readinessProbe.enabled: true -+ livenessProbe.enabled: False -+ readinessProbe.enabled: False -``` diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/NOTES.txt deleted file mode 100644 index 3331d6e11..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/NOTES.txt +++ /dev/null @@ -1,16 +0,0 @@ - -The vulnerability-assessment-tool frontendbugs chart has successfully been installed. -Base image: {{ .Values.image.name }}:{{ .Values.image.tag }} -{{- if .Values.image.resources }} -Resources: -- cpu : [{{ .Values.image.resources.requests.cpu | default "NA" }}, {{ .Values.image.resources.limits.cpu | default "NA"}}] -- memory : [{{ .Values.image.resources.requests.memory | default "NA" }}, {{ .Values.image.resources.limits.memory | default "NA"}}] -{{- end }} - -Within the cluster it can be accessed by this endpoints: - - - http://frontend-bugs:8080/bugs - -This app is not directly exposed to the internet and can only be served by -an ingress controller. You can also add a service with an externalDomain which -could expose this service. diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/_labels.tpl deleted file mode 100644 index 79b748292..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/_labels.tpl +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - frontendbugs.enrichedLabels : generic for admin labels - contexts: [ . ] - usage: {{ include "frontendbugs.enrichedLabels" . }} -*/}} -{{- define "frontendbugs.enrichedLabels" -}} -app.kubernetes.io/instance: {{ template "podName" . }} -{{ include "commonLabels" . }} -{{ include "frontendbugs.serviceLabel" . }} -{{- end -}} - -{{/* - frontendbugs.serviceLabels : generic service labels - contexts: [ .global ] - usage: {{ include "frontendbugs.serviceLabels" . }} -*/}} -{{- define "frontendbugs.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "frontendbugs.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - frontendbugs.serviceLabel: generic admin service label - contexts: [ . ] - usage: {{ include "frontendbugs.serviceLabel" . }} - */}} -{{- define "frontendbugs.serviceLabel" -}} -{{ .Values.global.projectName }}.core/service: {{ .Release.Name }}-frontend-bugs -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/configMap.yaml deleted file mode 100644 index 79ccf1f30..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/configMap.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.extraConfigs -}} -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "envConfigMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- if .Values.extraConfigs }} - # INFO: User defined environment in extraConfigs - {{- toYaml .Values.extraConfigs | nindent 2 }} - {{- end }} -{{- else }} -# INFO: configmap disabled because extraConfigs set to {} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/deployment.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/deployment.yaml deleted file mode 100644 index 1c861d04e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/deployment.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment - -metadata: - name: {{ template "deploymentName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.replicas }} - - selector: - matchLabels: - {{- include "frontendbugs.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - {{- include "frontendbugs.enrichedLabels" . | nindent 8 }} - {{- if .Values.extraConfigs }} - annotations: - checksum/frontendbugs-config: {{ include (print $.Template.BasePath "/configMap.yaml") . | sha256sum }} - {{- end }} - - spec: - {{- if .Values.global.podPriorityClass.enabled }} - priorityClassName: {{ template "priorityClassName" . }} - {{- end }} - automountServiceAccountToken: false - containers: - - name: {{ template "name" . }}-container - image: {{ template "containerName" .Values.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 8080 - {{ if .Values.image.resources -}} - resources: - {{- toYaml .Values.image.resources | nindent 12 }} - {{- end }} - {{- if .Values.debug }} - env: - - name: DEBUG - value: "true" - {{- end }} - {{- if .Values.extraConfigs }} - envFrom: - - configMapRef: - name: {{ template "envConfigMapName" . 
}} - {{- end }} - {{- if and .Values.image.livenessProbe .Values.image.livenessProbe.enabled }} - {{- with .Values.image.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - tcpSocket: - port: http - {{- end -}} - {{- end -}} - {{ if and .Values.image.readinessProbe .Values.image.readinessProbe.enabled }} - {{- with .Values.image.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /bugs - port: http - {{- end -}} - {{- end }} - {{ if .Values.image.securityContext }} - securityContext: - {{- toYaml .Values.image.securityContext | nindent 12 }} - - securityContext: - runAsNonRoot: true - {{- end -}} - {{- if .Values.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution - {{- end }} - {{- if .Values.selfAntiAffinity.weight }} - {{- if ge (int .Values.selfAntiAffinity.weight) 1 }} - - weight: {{ .Values.selfAntiAffinity.weight }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight undefined - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ template "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/horizontalPodAutoscaler.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/horizontalPodAutoscaler.yaml deleted file mode 100644 index 6e6dfca95..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/horizontalPodAutoscaler.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if .Values.horizontalPodAutoScaler.enabled -}} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler - -metadata: - name: {{ template "horizontalPodAutoScalerName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ template "deploymentName" . }} - - minReplicas: {{ .Values.replicas }} - maxReplicas: {{ mul .Values.replicas 3 }} - {{- if .Values.horizontalPodAutoScaler.spec }} - # INFO: User defined hpa spec in .horizontalPodAutoScaler.spec - {{- toYaml .Values.horizontalPodAutoScaler.spec | nindent 2 }} - {{- else }} - # INFO: Default hpa spec - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - {{- end }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/podDisruptionBudget.yaml deleted file mode 100644 index d4c49c922..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/podDisruptionBudget.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- if and .Values.replicas (ge (int .Values.replicas) 2) -}} -{{- if .Values.podDisruptionBudget -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - # INFO: User defined pdb in .podDisruptionBudget - {{ toYaml .Values.podDisruptionBudget }} - selector: - matchLabels: - {{- include "frontendbugs.enrichedLabels" . | nindent 6 }} -{{- end -}} -{{- else -}} -# INFO: Skipped podDisruptionBudget because replicas < 2 -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/priorityClass.yaml deleted file mode 100644 index 23407bcad..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/priorityClass.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.global.podPriorityClass.enabled -}} -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass - -metadata: - name: {{ template "priorityClassName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.podPriorityClass }} -{{- if .Values.podPriorityClass.spec }} -# INFO: user defined ppc in .podPriorityClass.spec -{{- toYaml .Values.podPriorityClass.spec | nindent 0 }} -{{- else }} -# INFO: default podPriorityClass -globalDefault: false -value: 300 -preemptionPolicy: Never -description: "Specific priority for {{ template "podName" . }}" -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/service.yaml deleted file mode 100644 index a11622be6..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/templates/service.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-frontend-bugs - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - type: ClusterIP - - selector: - {{- include "frontendbugs.serviceLabels" . | nindent 4 }} - - ports: - - name: http - port: 8080 - protocol: TCP - targetPort: 8080 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/values.yaml deleted file mode 100644 index 95a2f4481..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/values.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Suggestion : number of frontendbugs replicas should -# be approximatively the amount of backend replicas -# in order to maximize uptime of the said service -replicas: 2 - -extraConfigs: {} - -podNetworkPolicy: - enabled: false - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 300 - # preemptionPolicy: Never - spec: {} - -horizontalPodAutoScaler: - enabled: false - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 70 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -# Sets logging level for shell scripts -debug: true - -podDisruptionBudget: {} - # Warning : this won't be applied unless the replicas - # values are >= 2 - -selfAntiAffinity: {} - # soft: true - # weight: 100 - -image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Jetty web server used to push new approved vulnerabilities - name: "eclipse/steady-frontend-bugs" - # Footprint: - # - size: 177.16MB - tag: "3.2.0-SNAPSHOT-jib" - - livenessProbe: - # Overall time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 78s ~= 1.3min - # Average start time for container ~ 7600ms - enabled: true - initialDelaySeconds: 8 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 75s ~= 1.25min - enabled: true - initialDelaySeconds: 5 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - - resources: {} - # limits: - # memory: "200Mi" - # cpu: "200m" - # requests: - # memory: 
"100Mi" - # cpu: "100m" - - securityContext: {} - # runAsUser: 65534 - # runAsGroup: 65534 - # privileged: false - # readOnlyRootFilesystem: false - # capabilities: - # drop: - # - ALL - # add: - # - SYS_TIME - # - NET_ADMIN diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/values_production.yaml deleted file mode 100644 index 1cb848a43..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/frontendbugs/values_production.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Suggestion : number of frontendbugs replicas should -# be approximatively the amount of backend replicas -# in order to maximize uptime of the said service -replicas: 2 - -extraConfigs: {} -podNetworkPolicy: - enabled: false - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 300 - # preemptionPolicy: Never - spec: {} - -horizontalPodAutoScaler: - enabled: true - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 70 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -# Sets logging level for shell scripts -debug: true - -podDisruptionBudget: {} - # Warning : this won't be applied unless the replicas - # values are >= 2 - # minAvailable: 1 - -selfAntiAffinity: - soft: true - weight: 100 - -image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Jetty web server used to push new approved vulnerabilities - name: "eclipse/steady-frontend-bugs" - # Footprint: - # - size: 177.16MB - tag: "3.2.0-SNAPSHOT-jib" - - livenessProbe: - # Overall time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 78s ~= 1.3min - # Average start time for container ~ 7600ms - enabled: true - initialDelaySeconds: 8 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 75s ~= 1.25min - enabled: true - initialDelaySeconds: 5 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - - resources: - limits: - memory: "200Mi" - cpu: "200m" - requests: - memory: "100Mi" 
- cpu: "100m" - - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - privileged: false - readOnlyRootFilesystem: false - capabilities: - drop: - - ALL - add: - - SYS_TIME - - NET_ADMIN diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/Chart.yaml deleted file mode 100644 index 149f66843..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" - -description: A Chart for patch-lib-analyzer -name: patchlibanalyzer -version: 0.1.0 -kubeVersion: ">=v1.15.0" - -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/README.md deleted file mode 100644 index d59bca5c3..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/README.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Patchlibanalyzer - -> This chart is already included in the vulnerability-assessment-tool-core chart - -The patch library analyzer is a Java application that establishes whether a library contains a construct modified to fix a vulnerability (aka changed-construct) in its vulnerable or fixed version. The core idea of the patch lib analyzer is to compare the abstract syntax tree (AST) of the body of the changed-construct contained in a library with the AST of its vulnerable and fixed version. However, the biggest obstacle is that vulnerability fixes are applied on source code whereas library releases imported within applications are binaries. The patch lib analyzer overcomes this issue by retrieving the source code of binaries (if available) from Maven repositories (e.g. Maven Central or organization's specific Nexus repositories). - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the patchlibanalyzer subchart of the vulnerability-assessment-tool-core chart v0.1.1 chart -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the patchlibanalyzer chart and their default values. 
- -| Parameter | Description | Default | -| --- | --- | --- | -| deployment.enabled | If set to `true` creates a deployment, if set to `False` creates a cronJob | `False` | -| cronJob.period | Defaults to `23h` | `{}` | -| replicas | For HA `2` or `3` replicas are recommended (only applied if set to deployment) | `3` | -| startUpDelay | | `5` | -| backoffDuration | delay between probe attempts for init containers | `5` | -| debug | Sets the debug level for scripts | `true` | -| horizontalPodAutoScaler.enabled | Enables an autoscaling (requires a metrics server up and running) | `False` | -| image.initContainer.name | | `postgres` | -| image.initContainer.tag | | `11.5-alpine` | -| image.mainContainer.pullPolicy | These images are maintained by the team and won't be subject to drift | `IfNotPresent` | -| image.mainContainer.name | | `eclipse/steady-patch-lib-analyzer` | -| image.mainContainer.tag | image tag | `3.2.5-SNAPSHOT-SNAPSHOT-jib` | - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -| Parameter | Description | Default | -| --- | --- | --- | -| cronJob.period | Defaults to `23h` | `{}` | -| image.initContainer.securityContext | | runAsUser: `65534`
runAsGroup: `65534`
privileged: `False`
readOnlyRootFilesystem: `False`
capabilities:
 drop: `["ALL"]`
 add: `["SYS_TIME", "NET_ADMIN"]` | -| image.mainContainer.securityContext | | runAsUser: `65534`
runAsGroup: `65534`
privileged: `False`
readOnlyRootFilesystem: `False`
capabilities:
 drop: `["ALL"]`
 add: `["DAC_OVERRIDE","SYS_TIME", "NET_ADMIN"]` | -| image.initContainer.resources | | requests:
 memory:`1Gi`
 cpu: `500m`
limit:
 memory: `4Gi`
 cpu: `1000m` | -| persistentVolume.storage | storage size for PVC | `1Gi` | -| persistentVolume.mountPath | PVC mountpath | `/patcheval-data` | -| persistentVolume.nfs.server | nfs server IP | `{}` | -| persistentVolume.nfs.path | nfs server shared path | `{}` | -| livenessProbe | | enabled: `true`
initialDelaySeconds: `30`
periodSeconds: `20`
timeoutSeconds: `5`
failureThreshold: `5` | - - -### Chosing between deployments and cronjob: - -As set previously this chart can either deploy the patchlibanalyzer as a cronjob or as a deployment. When set to a deployment, the java application automatically configures itself ats a cronjob, the main benefit of this approach being the persistence of the cache between scans. *note*: As the application is not suited for parallel execution, a deployment with n replicas would have the same efficiency as a chart with 1 replicas. On the other hand if you have an nfs, a cronjob is recommended due to its light footprint (only launched when the execution is required). - -To chose a deployment over a cronjob -```diff -- deployment.enabled: False -+ deployment.enabled: true -``` diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/cronJob.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/cronJob.yaml deleted file mode 100644 index c7e2e02ee..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/cronJob.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -{{- if not .Values.deployment.enabled }} -# INFO: cronjob enabled because .Values.deployment.enabled=false -apiVersion: batch/v1beta1 -kind: CronJob - -metadata: - name: {{ template "cronJobName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{- if .Values.cronJob.period }} - # INFO: user defined cronjob period - schedule: "* */{{ .Values.cronJob.period }} * * *" - {{- else }} - # INFO: default cronjob period - schedule: "* */23 * * *" - {{- end }} - concurrencyPolicy: Forbid - startingDeadlineSeconds: 600 - - jobTemplate: - metadata: - annotations: - checksum/patchlibanalyzer-env-config: {{ include (print .Template.BasePath "/envConfigMap.yaml") . | sha256sum | trunc 63 }} - checksum/patchlibanalyzer-mounted-config: {{ include (print .Template.BasePath "/mountedConfigMap.yaml") . | sha256sum | trunc 63 }} - checksum/patchlibanalyzer-secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum | trunc 63 }} - - spec: - ttlSecondsAfterFinished: 60 - backoffLimit: 6 - parallelism: 1 - - template: - spec: - initContainers: - - name: {{ template "name" . }}-postgres-checker-container - image: {{ template "containerName" .Values.image.initContainer }} - imagePullPolicy: {{ .Values.image.initContainer.pullPolicy }} - command: - - sh - - -c - - . /vulas/postgres-checker.sh - - volumeMounts: - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/postgres-checker.sh - subPath: postgres-checker.sh - - envFrom: - - configMapRef: - name: {{ template "envConfigMapName" . }} - - secretRef: - name: {{ template "secretName" . }} - {{- if .Values.image.initContainer.resources }} - resources: - {{- toYaml .Values.image.initContainer.resources | nindent 14 }} - {{- end }} - {{- if .Values.image.initContainer.securityContext }} - securityContext: - {{- toYaml .Values.image.initContainer.securityContext | nindent 14 }} - {{- end }} - - name: {{ template "name" . 
}}-restbackend-checker-container - image: everpeace/curl-jq:latest - imagePullPolicy: "IfNotPresent" - command: - - sh - - -c - - . /vulas/restbackend-checker.sh - - volumeMounts: - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/restbackend-checker.sh - subPath: restbackend-checker.sh - {{- if .Values.image.initContainer.resources }} - resources: - {{- toYaml .Values.image.initContainer.resources | nindent 14 }} - {{- end }} - {{- if .Values.image.initContainer.securityContext }} - securityContext: - {{- toYaml .Values.image.initContainer.securityContext | nindent 14 }} - {{- end }} - {{- if .Values.persistentVolume }} - - name: {{ template "name" . }}-permission-fix-container - image: {{ template "containerName" .Values.image.initContainer }} - imagePullPolicy: {{ .Values.image.initContainer.pullPolicy }} - command: - - sh - - -c - - chown -R {{ .Values.image.mainContainer.securityContext.runAsUser }}:{{ .Values.image.mainContainer.securityContext.runAsGroup }} {{ .Values.persistentVolume.mountPath }} - - volumeMounts: - - name: {{ template "pvcName" . }} - mountPath: {{ .Values.persistentVolume.mountPath }} - securityContext: - runAsUser: 0 - {{- end }} - containers: - - name: {{ template "name" . }}-container - image: {{ template "containerName" .Values.image.mainContainer }} - imagePullPolicy: {{ .Values.image.mainContainer.pullPolicy }} - ports: - - name: cia - containerPort: 8080 - - envFrom: - - configMapRef: - name: {{ template "envConfigMapName" . }} - - secretRef: - name: {{ template "secretName" . }} - - {{- if .Values.persistentVolume }} - volumeMounts: - - name: {{ template "pvcName" . 
}} - mountPath: {{ .Values.persistentVolume.mountPath }} - {{- end }} - {{- if .Values.image.mainContainer.securityContext }} - securityContext: - {{- toYaml .Values.image.mainContainer.securityContext | nindent 14 }} - {{- end }} - {{ if .Values.image.mainContainer.resources -}} - resources: - {{- toYaml .Values.image.mainContainer.resources | nindent 14 }} - {{- end }} - - restartPolicy: OnFailure - volumes: - {{- if .Values.persistentVolume }} - - name: {{ template "pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "pvcName" . }} - {{- end }} - - name: {{ template "mountedConfigMapName" . }} - configMap: - name: {{ template "mountedConfigMapName" . }} - defaultMode: 0744 -{{- else }} -# INFO: cronjob disabled because .Values.deployment.enabled=true -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/deployment.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/deployment.yaml deleted file mode 100644 index e095d0b5d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/deployment.yaml +++ /dev/null 
@@ -1,176 +0,0 @@ -{{- if .Values.deployment.enabled -}} -# INFO: deployment enabled because .Values.deployment.enabled=true -apiVersion: apps/v1 -kind: Deployment - -metadata: - name: {{ template "deploymentName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.replicas }} - - selector: - matchLabels: - app.kubernetes.io/instance: {{ template "podName" . }} - {{- include "commonLabels" . | nindent 6 }} - - template: - metadata: - name: {{ template "podName" . }} - labels: - app.kubernetes.io/instance: {{ template "podName" . }} - {{- include "commonLabels" . | nindent 8 }} - - annotations: - checksum/patchlibanalyzer-env-config: {{ include (print .Template.BasePath "/envConfigMap.yaml") . | sha256sum | trunc 63 }} - checksum/patchlibanalyzer-mounted-config: {{ include (print .Template.BasePath "/mountedConfigMap.yaml") . | sha256sum | trunc 63 }} - checksum/patchlibanalyzer-secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum | trunc 63 }} - - spec: - {{- if .Values.global.podPriorityClass.enabled }} - priorityClassName: {{ template "priorityClassName" . }} - {{- end }} - initContainers: - - name: {{ template "name" . }}-postgres-checker-container - image: {{ template "containerName" .Values.image.initContainer }} - imagePullPolicy: {{ .Values.image.initContainer.pullPolicy }} - command: - - sh - - -c - - . /vulas/postgres-checker.sh - - volumeMounts: - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/postgres-checker.sh - subPath: postgres-checker.sh - - envFrom: - - configMapRef: - name: {{ template "envConfigMapName" . }} - - secretRef: - name: {{ template "secretName" . 
}} - - {{- if .Values.image.initContainer.resources }} - resources: - {{- toYaml .Values.image.initContainer.resources | nindent 12 }} - {{- end }} - {{- if .Values.image.initContainer.securityContext }} - securityContext: - {{- toYaml .Values.image.initContainer.securityContext | nindent 12 }} - {{- end }} - - - name: {{ template "name" . }}-restbackend-checker-container - image: everpeace/curl-jq:latest - imagePullPolicy: "IfNotPresent" - command: - - sh - - -c - - . /vulas/restbackend-checker.sh - - volumeMounts: - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/restbackend-checker.sh - subPath: restbackend-checker.sh - - {{- if .Values.image.initContainer.resources }} - resources: - {{- toYaml .Values.image.initContainer.resources | nindent 12 }} - {{- end }} - {{- if .Values.image.initContainer.securityContext }} - securityContext: - {{- toYaml .Values.image.initContainer.securityContext | nindent 12 }} - {{- end }} - containers: - - name: {{ template "name" . }}-container - image: {{ template "containerName" .Values.image.mainContainer }} - imagePullPolicy: {{ .Values.image.mainContainer.pullPolicy }} - - envFrom: - - configMapRef: - name: {{ template "envConfigMapName" . }} - - secretRef: - name: {{ template "secretName" . }} - ports: - - name: cia - containerPort: 8080 - - volumeMounts: - {{- if .Values.persistentVolume }} - - name: {{ template "pvcName" . }} - mountPath: {{ .Values.persistentVolume.mountPath }} - {{- end }} - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/liveness-probe.sh - subPath: liveness-probe.sh - - {{- if and .Values.livenessProbe .Values.livenessProbe.enabled }} - {{- with .Values.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - exec: - command: - - sh - - -c - - . 
/vulas/liveness-probe.sh - {{- end }} - {{- end }} - {{- if .Values.image.mainContainer.securityContext }} - securityContext: - {{- toYaml .Values.image.mainContainer.securityContext | nindent 12 }} - {{- end }} - {{- if .Values.image.mainContainer.resources }} - resources: - {{- toYaml .Values.image.mainContainer.resources | nindent 12 }} - {{- end }} - volumes: - {{- if .Values.persistentVolume }} - - name: {{ template "pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "pvcName" . }} - {{- end }} - - name: {{ template "mountedConfigMapName" . }} - configMap: - name: {{ template "mountedConfigMapName" . }} - defaultMode: 0744 - - {{- if .Values.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution - {{- end }} - {{- if .Values.selfAntiAffinity.weight }} - {{- if ge (int .Values.selfAntiAffinity.weight) 1 }} - - weight: {{ .Values.selfAntiAffinity.weight }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight undefined - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ template "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} -{{- else }} -# INFO: deployment disabled because .Values.deployment.enabled=false -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/envConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/envConfigMap.yaml deleted file mode 100644 index ae932500b..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/envConfigMap.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "envConfigMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- $release := .Release.Name }} - HOSTNAME: {{ $release }}-db-pool - DELAY_START_UP: {{ .Values.startUpDelay | quote }} - BACKOFF_DURATION: {{ .Values.backoffDuration | quote }} - {{- if .Values.debug }} - DEBUG: "true" - LOGGING_LEVEL_ROOT: "INFO" - {{- end }} - {{- if .Values.deployment.enabled }} - {{- if .Values.persistentVolume }} - PATCHEVAL_OPTS: -bug "{{ .Values.cronJob.bugs | default "" }}" -folder {{ .Values.persistentVolume.mountPath | default "/patcheval-data" }} -j -h {{ .Values.cronJob.delay | default "0" }} -p {{ .Values.cronJob.delay | default "6" }} - {{- else }} - PATCHEVAL_OPTS: -bug "{{ .Values.cronJob.bugs | default "" }}" -folder "/patcheval-data" -j -h {{ .Values.cronJob.delay | default "0" }} -p {{ .Values.cronJob.delay | default "6" }} - {{- end }} - {{- else }} - PATCHEVAL_OPTS: -bug "{{ .Values.cronJob.bugs | default "" }}" -folder {{ if .Values.persistentVolume }}{{ .Values.persistentVolume.mountPath }}{{ else }}"/patcheval-data"{{ end }} - {{- end }} - - vulas.shared.cia.serviceUrl: "http://{{ $release }}-restlibutils:8092/cia" - vulas.patchEval.onlyAddNewResults: "true" - vulas.shared.backend.serviceUrl: "http://{{ $release }}-restbackend:8091/backend" - {{- if .Values.extraConfigs }} - {{- toYaml .Values.extraConfigs | nindent 2 }} - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/mountedConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/mountedConfigMap.yaml deleted file mode 100644 index c3d907a8c..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/mountedConfigMap.yaml +++ /dev/null @@ -1,62 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "mountedConfigMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - postgres-checker.sh: |- - #!/bin/sh - CHART_NAME="{{ template "name" . }}" - LOG_ORIGIN="postgres-checker.sh" - {{- include "logFunctions" . | nindent 4 }} - - {{- $release := .Release.Name }} - until pg_isready -q -h {{ $release }}-db-master -p 5432; do - _info "Postgres-master not ready, sleeping for {{ .Values.backoffDuration }}" - sleep {{ .Values.backoffDuration }} - done - _info "Postgres master is ready" - - until pg_isready -q -h {{ $release }}-db-pool -p 5432; do - _info "Pgpool entrypoint not ready, sleeping for {{ .Values.backoffDuration }}" - sleep {{ .Values.backoffDuration }} - done - _info "Pgpool is ready" - exit 0 - - restbackend-checker.sh: |- - #!/bin/sh - CHART_NAME="{{ template "name" . }}" - LOG_ORIGIN="restbackend-checker.sh" - {{- include "logFunctions" . | nindent 4 }} - - until curl -q -X GET {{ $release }}-restbackend:8091/backend/health | grep -q "UP"; do - _info "Restbackend not ready, sleeping for {{ .Values.backoffDuration }}" - sleep {{ .Values.backoffDuration }} - done - _info "Restbackend is ready" - exit 0 - - liveness-probe.sh: |- - #!/bin/bash - if pgrep "java" > /dev/null; then - exit 0 - else - exit 127 - fi - - entrypoint.sh: |- - #!/bin/sh - - java \ - -Dhttp.nonProxyHosts=$NON_PROXY_HOSTS \ - -Dhttp.proxyHost=$HTTP_PROXY_HOST \ - -Dhttp.proxyPort=$HTTP_PROXY_PORT \ - -Dhttps.proxyHost=$HTTPS_PROXY_HOST \ - -Dhttps.proxyPort=$HTTPS_PROXY_PORT \ - -Dspring.profiles.active=docker \ - -jar /vulas/patch-lib-analyzer.jar $PATCHEVAL_OPTS 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/persistentVolume.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/persistentVolume.yaml deleted file mode 100644 index 6279c9694..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/persistentVolume.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.persistentVolume }} -{{- if .Values.persistentVolume.nfs }} -apiVersion: v1 -kind: PersistentVolume - -metadata: - name: {{ template "pvName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - {{- if .Values.persistentVolume.nfs }} - - ReadWriteMany - {{- else }} - - ReadWriteOnce - {{- end }} - - capacity: - storage: {{ .Values.persistentVolume.storage }} - - nfs: - server: {{ .Values.persistentVolume.nfs.server }} - path: {{ .Values.persistentVolume.nfs.path }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/persistentVolumeClaim.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/persistentVolumeClaim.yaml deleted file mode 100644 index 244619464..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/persistentVolumeClaim.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.persistentVolume }} -apiVersion: v1 -kind: PersistentVolumeClaim - -metadata: - name: {{ template "pvcName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - {{- if .Values.persistentVolume.nfs }} - - ReadWriteMany - {{- else }} - - ReadWriteOnce - {{- end }} - - storageClassName: "" - - resources: - requests: - storage: {{ .Values.persistentVolume.storage }} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/podDisruptionBudget.yaml deleted file mode 100644 index fad20deef..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/podDisruptionBudget.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.deployment.enabled -}} -{{- if and .Values.replicas (ge (int .Values.replicas) 2) -}} -{{- if .Values.podDisruptionBudget -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - # INFO: User defined pdb in .podDisruptionBudget - {{ toYaml .Values.podDisruptionBudget }} - selector: - matchLabels: - {{- include "commonLabels" . | nindent 6 }} -{{- end -}} -{{- else -}} -# INFO: Skipped podDisruptionBudget because replicas < 2 -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/priorityClass.yaml deleted file mode 100644 index 2591db9de..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/priorityClass.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{- if .Values.deployment.enabled -}} -{{- if .Values.global.podPriorityClass.enabled -}} -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass - -metadata: - name: {{ template "priorityClassName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.podPriorityClass }} -{{- if .Values.podPriorityClass.spec }} -# INFO: User defined pdb in .podPriorityClass -{{- toYaml .Values.podPriorityClass.spec | nindent 0 }} -{{- else }} -# INFO: default podPriorityClass -globalDefault: false -value: 400 -preemptionPolicy: Never -description: "Specific priority for {{ template "podName" . }}" -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/secret.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/secret.yaml deleted file mode 100644 index f15a508cc..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/templates/secret.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Secret - -metadata: - name: {{ template "secretName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- with .Values.global.dbCredentials }} - SPRING_DATASOURCE_USERNAME: {{ .postgres_user | default "vulas" | b64enc }} - SPRING_DATASOURCE_PASSWORD: {{ .postgres_password | default "changeme" | b64enc }} - PGDATABASE: {{ .postgres_db | default "vulas" | b64enc }} - FLYWAY_USER: {{ .postgres_user | default "vulas" | b64enc }} - FLYWAY_PASSWORD: {{ .postgres_password | default "changeme" | b64enc }} - {{- end }} - - {{- if .Values.extraSecrets }} - {{- toYaml .Values.extraSecrets | nindent 2 }} - {{- end }} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/values.yaml deleted file mode 100644 index 30e6b9470..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/values.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -replicas: 3 - -deployment: - # if enabled:false this will create a cronjob rather than - # a deployment. - enabled: false - -cronJob: - # If set to {} defaults to 23h - period: {} - # If set to {} defaults to "" (scanning all bugs) - bugs: {} - delay: {} - -startUpDelay: 5 -backoffDuration: 5 - -podNetworkPolicy: - enabled: true - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 400 - # preemptionPolicy: Never - spec: {} - -extraConfigs: {} -extraSecrets: {} - -# Sets logging level for shell scripts as well as jar -debug: false - -podDisruptionBudget: {} - # Warning : this won't be applied unless the replicas - # values are >= 2 - # minAvailable: 1 - -selfAntiAffinity: {} - # You can set selfAntiAffinity to {} in order to skip - # all affinity declarations in the statefulset - # soft: true - # weight: 100 - -image: - initContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "postgres" - # Alpine images for init container to reduce - # overal resource strain with Image size: 28MBs - tag: "11.5-alpine" - - securityContext: {} - # runAsUser: 65534 - # runAsGroup: 65534 - # privileged: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL - # add: - # - SYS_TIME - # - NET_ADMIN - - resources: {} - # limits: - # memory: "35Mi" - # cpu: "100m" - # requests: - # memory: "25Mi" - # cpu: "100m" - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "eclipse/steady-patch-lib-analyzer" - # Footprint: - # - size: 140.48MB - tag: "3.2.0-SNAPSHOT-jib" - - securityContext: {} - # runAsUser: 65534 - # runAsGroup: 65534 - # privileged: false - # readOnlyRootFilesystem: false - # capabilities: - # drop: - # - ALL - # add: - # - DAC_OVERRIDE - # - SYS_TIME - # - NET_ADMIN - - resources: {} - # limits: - # memory: "1Gi" - # cpu: "200m" - # requests: - # memory: "100Mi" - # cpu: "100m" - -# RWO is 
possible but mounting an nfs with RWM -# allows patcheval caches to share the same data -# thus allowing for a gain in performance -persistentVolume: {} - # storage: "1Gi" - # mountPath: /patcheval-data - # nfs: - # # nfs can be set to {} and it will automatically be - # # updated as to the accessMode - # server: :: - # path: /share - -livenessProbe: {} - # # Worst case scenario time before container is considered unready by k8s : - # # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # # = 145s ~= 2.5min - # enabled: true - # initialDelaySeconds: 30 - # periodSeconds: 5 - # timeoutSeconds: 5 - # failureThreshold: 5 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/values_production.yaml deleted file mode 100644 index 03481a6f7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/patchlibanalyzer/values_production.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -replicas: 3 - -deployment: - # if enabled:false this will create a cronjob rather than - # a deployment. - enabled: false - -cronJob: - # If set to {} defaults to 23h - period: {} - # If set to {} defaults to "" (scanning all bugs) - bugs: {} - delay: {} - -startUpDelay: 5 -backoffDuration: 5 - -podNetworkPolicy: - enabled: true - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 400 - # preemptionPolicy: Never - spec: {} - -extraConfigs: {} -extraSecrets: {} - -# Sets logging level for shell scripts as well as jar -debug: false - -podDisruptionBudget: {} - # Warning : this won't be applied unless the replicas - # values are >= 2 - # minAvailable: 1 - -selfAntiAffinity: - # You can set selfAntiAffinity to {} in order to skip - # all affinity declarations in the statefulset - soft: true - weight: 100 - -image: - initContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "postgres" - # Alpine images for init container to reduce - # overal resource strain with Image size: 28MBs - tag: "11.5-alpine" - - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - privileged: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - add: - - SYS_TIME - - NET_ADMIN - - resources: - limits: - memory: "35Mi" - cpu: "100m" - requests: - memory: "25Mi" - cpu: "100m" - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "eclipse/steady-patch-lib-analyzer" - # Footprint: - # - size: 140.48MB - tag: "3.2.0-SNAPSHOT-jib" - - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - privileged: false - readOnlyRootFilesystem: false - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - - SYS_TIME - - NET_ADMIN - - resources: - limits: - memory: "4Gi" - cpu: "1000m" - requests: - memory: "1Gi" - cpu: "500m" - - -# RWO is possible but mounting an nfs with RWM -# allows patcheval caches to share the same 
data -# thus allowing for a gain in performance -persistentVolume: {} - # storage: "1Gi" - # mountPath: /patcheval-data - # nfs: - # # # # nfs can be set to {} and it will automatically be - # # updated as to the accessMode - # server: :: - # path: /share - -livenessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 145s ~= 2.5min - enabled: true - initialDelaySeconds: 30 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/Chart.yaml deleted file mode 100644 index bfddc9a94..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" - -description: A Chart for the vulnerability-assessment-tool restbackend -name: restbackend -version: 0.1.1 -kubeVersion: ">=v1.15.0" - -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/README.md deleted file mode 100755 index 491ba9d02..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/README.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Restbackend - -> This chart is already included in the vulnerability-assessment-tool-core chart - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the restbackend subchart of the vulnerability-assessment-tool-core chart v0.1.1 chart -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the restbackend chart and their default values. - -| Parameter | Description | Default | -| --- | --- | --- | -| replicas | For HA `2` or `3` replicas are recommended (only applied if set to deployment) | `3` | -| licenseConfidenceThreshold | | `0.2` | -| langConfidenceThreshold | | `0.2` | -| backoffDuration | delay between probe attempts | `5` | -| debug | Sets the debug level for scripts | `true` | -| rbac.create | Creates the rbac required for the restbackend to query the kube api (used for checking if all replicas are up) | `true` | -| horizontalPodAutoScaler.enabled | Enables autoscaling (requires a metric server) | `False` | -| podDisruptionBudget.minAvailable | Ensure availability during disruption | `1` | -| livenessProbe | | enabled: `true`
initialDelaySeconds: `30`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `15` | -| readinessProbe | | enabled: `true`
initialDelaySeconds: `30`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `15` | -| selfAntiAffinity.soft | Makes restbackend containers avoid sharing pods | `true` | -| selfAntiAffinity.weight | weight for said antiaffinity | `100` | -| image.initContainer.pullPolicy | | `IfNotPresent` | -| image.initContainer.name | | `postgres` | -| image.initContainer.tag | image tag | `11.3-alpine` | -| image.mainContainer.pullPolicy | These images are maintained by the team and won't be subject to drift | `IfNotPresent` | -| image.mainContainer.name | | `eclipse/steady-rest-backend` | -| image.mainContainer.tag | image tag | `3.2.5-SNAPSHOT-SNAPSHOT-jib` | - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -| Parameter | Description | Default | -| --- | --- | --- | -| image.initContainer.securityContext | | runAsUser: `65534`
runAsGroup: `65534`
privileged: `False`
readOnlyRootFilesystem: `False`
capabilities:
 drop: `["ALL"]`
 add: `["SYS_TIME", "NET_ADMIN"]` | -| image.initContainer.resources | | requests:
 memory:`25Mi`
 cpu: `100m`
limit:
 memory: `35Mi`
 cpu: `200m` | -| image.mainContainer.securityContext | | runAsUser: `0`
privileged: `False`
readOnlyRootFilesystem: `False` | -| image.mainContainer.resources | The restbackend consumes quite a bit of resources. These values are adpated for production values with around 300GB of data in the db | requests:
 memory:`8Gi`
 cpu: `4`
limit:
 memory: `16Gi`
 cpu: `8` | diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/_getters.tpl deleted file mode 100644 index bcd7d3e00..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/_getters.tpl +++ /dev/null @@ -1,30 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - restbackend.roleName : roleName getter - contexts: [ . ] - usage: {{ include "restbackend.roleName" . }} -*/}} -{{- define "restbackend.roleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-api-bridge" $name -}} -{{- end -}} - -{{/* - restbackend.roleBindingName : roleBindingName getter - contexts: [ . ] - usage: {{ include "restbackend.roleBindingName" . }} -*/}} -{{- define "restbackend.roleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-api-bridge" $name -}} -{{- end -}} - -{{/* - restbackend.serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "restbackend.serviceAccountName" . }} -*/}} -{{- define "restbackend.serviceAccountName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-api-interface" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/_labels.tpl deleted file mode 100644 index a17f1dbd6..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/_labels.tpl +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - restbackend.enrichedLabels : generic labels + serviceLabel - contexts: [ . ] - usage: {{ include "restbackend.commonLabels" . }} -*/}} -{{- define "restbackend.enrichedLabels" -}} -app.kubernetes.io/instance: {{ template "podName" . }} -{{ include "commonLabels" . }} -{{ include "restbackend.serviceLabel" . }} -{{- end -}} - -{{/* - restbackend.serviceLabels : generic service labels - contexts: [ .global ] - usage: {{ include "restbackend.serviceLabels" . }} -*/}} -{{- define "restbackend.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "restbackend.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - restbackend.serviceLabel: generic service label - contexts: [ .global ] - usage: {{ include "restbackend.serviceLabel" . }} - */}} -{{- define "restbackend.serviceLabel" -}} -{{ .Values.global.projectName }}.core/service: {{ .Release.Name }}-restbackend -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/envConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/envConfigMap.yaml deleted file mode 100644 index c151987cd..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/envConfigMap.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "envConfigMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{ $release := .Release.Name }} - {{- with .Values.global.dbCredentials }} - spring.datasource.url: jdbc:postgresql://{{ $release }}-db-pool:5432/{{ .postgres_db }} - FLYWAY_URL: jdbc:postgresql://{{ $release }}-db-master:5432/{{ .postgres_db }} - {{- end }} - - {{- if .Values.debug }} - DEBUG: "true" - LOGGING_LEVEL_ROOT: "INFO" - {{- end }} - - vulas.backend.coverageService.licenseConfidenceThreshold: {{ .Values.licenseConfidenceThreshold | quote }} - vulas.backend.coverageService.langConfidenceThreshold: {{ .Values.langConfidenceThreshold | quote }} - vulas.shared.cia.serviceUrl: "http://{{ $release }}-restlibutils:8092/cia" - vulas.backend.cveCache.refetchAllMs: "7200000" - vulas.backend.cveCache.refetchSingleMs: "10000" - vulas.backend.cveCache.serviceUrl: "" - vulas.backend.space.doNotDelete: "" - vulas.backend.space.doNotClean: "" - vulas.backend.space.doNotModify: "" - vulas.shared.cve.serviceUrl: "" - vulas.shared.jira.serviceUrl: "" - vulas.shared.jira.projectId: "" - vulas.shared.jira.componentId: "" - vulas.shared.jira.browseIssueUrl: "" - vulas.shared.jira.createIssueUrl: "" - vulas.backend.allApps.mailSubject: "" - vulas.backend.smtp.sender: "" - vulas.backend.smtp.host: "" - vulas.backend.smtp.port: "" - vulas.backend.smtp.user: "" - vulas.backend.smtp.pwd: "" - vulas.backend.frontend.apps.dl.regex: "" - vulas.backend.frontend.apps.dl.example: "" - vulas.backend.frontend.apps.sw.id.label: "Software ID" - vulas.backend.frontend.apps.sw.id.url: "" - vulas.backend.frontend.apps.sw.id.mandatory: "false" - vulas.backend.frontend.apps.sw.id.link: "" - vulas.backend.frontend.apps.sw.id.db.key: "" - vulas.backend.frontend.apps.sw.id.regex: "" - vulas.backend.frontend.apps.wiki.url: "https://eclipse.github.io/steady/user/" - 
vulas.core.noThreads: "AUTO" diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/headlessService.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/headlessService.yaml deleted file mode 100644 index e1e9ebe38..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/headlessService.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ template "headlessServiceName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - clusterIP: None - - selector: - {{- include "restbackend.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 8091 - protocol: TCP - targetPort: 8091 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/horizontalPodAutoscaler.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/horizontalPodAutoscaler.yaml deleted file mode 100644 index 542389b70..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/horizontalPodAutoscaler.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- if .Values.horizontalPodAutoScaler.enabled -}} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler - -metadata: - name: {{ template "horizontalPodAutoScalerName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: {{ template "statefulSetName" . }} - - minReplicas: {{ .Values.replicas }} - maxReplicas: {{ mul .Values.replicas 3 }} - {{- if .Values.horizontalPodAutoScaler.spec }} - # INFO: User defined hpa spec in .horizontalPodAutoScaler.spec - {{- toYaml .Values.horizontalPodAutoScaler.spec | nindent 2 }} - {{- else }} - # INFO: Default hpa spec - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - {{- end }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/mountedConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/mountedConfigMap.yaml deleted file mode 100644 index b91feaadf..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/mountedConfigMap.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "mountedConfigMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - postgres-checker.sh: |- - #!/bin/sh - CHART_NAME="{{ template "name" . }}" - LOG_ORIGIN="postgres-checker.sh" - {{- include "logFunctions" . | nindent 4 }} - - {{- $release := .Release.Name }} - until pg_isready -q -h {{ $release }}-db-master -p 5432; do - _info "Postgres-master not ready, sleeping for {{ .Values.backoffDuration }}" - sleep {{ .Values.backoffDuration }} - done - _info "Postgres master is ready" - - until pg_isready -q -h {{ $release }}-db-pool -p 5432; do - _info "Pgpool entrypoint not ready, sleeping for {{ .Values.backoffDuration }}" - sleep {{ .Values.backoffDuration }} - done - _info "Pgpool is ready" - exit 0 - - replica-checker.sh: |- - #!/bin/sh - {{- if .Values.rbac.create }} - CHART_NAME="{{ template "name" . }}" - LOG_ORIGIN="restbackend-checker.sh" - {{- include "logFunctions" . | nindent 4 }} - - KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) - RESPONSE=false - {{- with .Values.global }} - {{- $replica := (mul .masterReplicas .replicationFactor) | default .slaveReplicas }} - until $RESPONSE; do - READY_REPLICAS=$(curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/{{ .namespace }}/endpoints/{{ $release }}-db-slave | jq '.subsets[].addresses | length ') - _info "Found ${READY_REPLICAS} postgres replicas ready" - if [ $READY_REPLICAS -ge {{ $replica }} ]; then - _info "All replica nodes are ready" - exit 0 - fi - {{- end }} - _info "Replication nodes are not ready, sleeping for {{ .Values.backoffDuration }}" - sleep {{ .Values.backoffDuration }} - done - {{- else }} - _info "Sleeping 120s to ensure that replication is set up" - sleep 120 - {{- end }} - exit 0 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/persistentVolume.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/persistentVolume.yaml deleted file mode 100644 index 3cb99652d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/persistentVolume.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.persistentVolume -}} -{{- if .Values.persistentVolume.nfs -}} -apiVersion: v1 -kind: PersistentVolume - -metadata: - name: {{ template "pvName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - - "ReadWriteMany" - - capacity: - storage: {{ .Values.persistentVolume.storage | quote }} - - nfs: - server: {{ .Values.persistentVolume.nfs.server }} - path: {{ .Values.persistentVolume.nfs.path }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/persistentVolumeClaim.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/persistentVolumeClaim.yaml deleted file mode 100644 index 3075b664b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/persistentVolumeClaim.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.persistentVolume -}} -{{- if .Values.persistentVolume.nfs -}} -apiVersion: v1 -kind: PersistentVolumeClaim - -metadata: - name: {{ template "pvcName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - - "ReadWriteMany" - - storageClassName: "" - - resources: - requests: - storage: {{ .Values.persistentVolume.storage | quote }} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/podDisruptionBudget.yaml deleted file mode 100644 index 684fedc5a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/podDisruptionBudget.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.replicas (ge (int .Values.replicas) 2) -}} -{{- if .Values.podDisruptionBudget -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{ toYaml .Values.podDisruptionBudget }} - selector: - matchLabels: - {{- include "restbackend.enrichedLabels" . | nindent 6 }} -{{- else -}} -# INFO: Skipped podDisruptionBudget = null -{{- end -}} -{{- else -}} -# INFO: Skipped podDisruptionBudget because replicas < 2 -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/priorityClass.yaml deleted file mode 100644 index df91b2010..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/priorityClass.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- if .Values.global.podPriorityClass.enabled -}} -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass - -metadata: - name: {{ template "priorityClassName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.podPriorityClass }} -{{- if .Values.podPriorityClass.spec }} -{{- toYaml .Values.podPriorityClass.spec | nindent 0 }} -{{- else }} -# INFO: default podPriorityClass -globalDefault: false -value: 10000 -preemptionPolicy: PreemptLowerPriority -description: "Specific priority for {{ template "podName" . }} with preemption" -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/role.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/role.yaml deleted file mode 100644 index 9bb6454f3..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/role.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if and .Values.rbac .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role - -metadata: - name: {{ template "restbackend.roleName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -rules: - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - list - - describe - - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - describe - resourceNames: - - {{ .Values.global.namespace }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/roleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/roleBinding.yaml deleted file mode 100644 index 57b035ed4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/roleBinding.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- if and .Values.rbac .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding - -metadata: - name: {{ template "restbackend.roleBindingName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -roleRef: - kind: Role - name: {{ template "restbackend.roleName" . }} - apiGroup: rbac.authorization.k8s.io - -subjects: -- kind: ServiceAccount - name: {{ template "restbackend.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/secret.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/secret.yaml deleted file mode 100644 index 2ad06589d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Secret - -metadata: - name: {{ template "secretName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- with .Values.global.dbCredentials }} - spring.datasource.username: {{ .postgres_user | b64enc | quote }} - spring.datasource.password: {{ .postgres_password | b64enc | quote }} - PGDATABASE: {{ .postgres_db | b64enc }} - FLYWAY_USER: {{ .postgres_user | b64enc }} - FLYWAY_PASSWORD: {{ .postgres_password | b64enc }} - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/service.yaml deleted file mode 100644 index 1df6b7453..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-restbackend - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "restbackend.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 8091 - protocol: TCP - targetPort: 8091 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/serviceAccount.yaml deleted file mode 100644 index 229d9bb75..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/serviceAccount.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if and .Values.rbac .Values.rbac.create }} -apiVersion: v1 -kind: ServiceAccount - -metadata: - name: {{ template "restbackend.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/statefulSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/statefulSet.yaml deleted file mode 100644 index b9a53f781..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/templates/statefulSet.yaml +++ /dev/null 
@@ -1,180 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ template "statefulSetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - serviceName: {{ template "headlessServiceName" . }} - replicas: {{ .Values.replicas }} - selector: - matchLabels: - {{- include "restbackend.enrichedLabels" . | nindent 6 }} - - podManagementPolicy: OrderedReady - - template: - metadata: - labels: - {{- include "restbackend.enrichedLabels" . | nindent 8 }} - annotations: - checksum/restbackend-env-config: {{ include (print $.Template.BasePath "/envConfigMap.yaml") . | sha256sum }} - checksum/restbackend-mounted-config: {{ include (print $.Template.BasePath "/mountedConfigMap.yaml") . | sha256sum }} - - spec: - {{- if .Values.global.podPriorityClass.enabled }} - priorityClassName: {{ template "priorityClassName" . }} - {{- end }} - serviceAccountName: {{ template "restbackend.serviceAccountName" . }} - initContainers: - - name: {{ template "name" . }}-init-container - image: {{ template "containerName" .Values.image.initContainer }} - imagePullPolicy: {{ .Values.image.initContainer.pullPolicy }} - command: - - sh - - -c - - . /vulas/postgres-checker.sh - - volumeMounts: - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/postgres-checker.sh - subPath: postgres-checker.sh - envFrom: - - secretRef: - name: {{ template "secretName" . }} - - {{ if .Values.image.initContainer.securityContext -}} - securityContext: - {{- toYaml .Values.image.initContainer.securityContext | nindent 12 }} - {{- end }} - {{ if .Values.image.initContainer.resources -}} - resources: - {{- toYaml .Values.image.initContainer.resources | nindent 12 }} - {{- end }} - - - name: {{ template "name" . }}-replica-checker-container - image: everpeace/curl-jq:latest - imagePullPolicy: "IfNotPresent" - command: - - sh - - -c - - . 
/vulas/replica-checker.sh - - volumeMounts: - - name: {{ template "mountedConfigMapName" . }} - mountPath: /vulas/replica-checker.sh - subPath: replica-checker.sh - {{ if .Values.image.initContainer.resources -}} - resources: - {{- toYaml .Values.image.initContainer.resources | nindent 12 }} - {{- end }} - {{ if .Values.image.initContainer.securityContext -}} - securityContext: - {{- toYaml .Values.image.initContainer.securityContext | nindent 12 }} - {{- end }} - - containers: - - name: {{ template "name" . }}-container - image: {{ template "containerName" .Values.image.mainContainer }} - imagePullPolicy: {{ .Values.image.mainContainer.pullPolicy }} - ports: - - name: backend - containerPort: 8091 - - envFrom: - - secretRef: - name: {{ template "secretName" . }} - - configMapRef: - name: {{ template "envConfigMapName" . }} - {{- $global := .Values.global }} - {{ if and .Values.livenessProbe .Values.livenessProbe.enabled }} - {{- with .Values.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /backend/health - port: backend - {{- end }} - {{- end }} - {{ if and .Values.readinessProbe .Values.readinessProbe.enabled }} - {{- with .Values.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /backend/health - port: backend - {{- end }} - {{- end }} - - volumeMounts: - {{- if .Values.persistentVolume }} - {{- if .Values.persistentVolume.nfs }} - - name: {{ template "pvcName" . }} - mountPath: /flyway-callbacks - {{- end }} - {{- end }} - - name: {{ template "mountedConfigMapName" . 
}} - mountPath: /vulas/entrypoint.sh - subPath: entrypoint.sh - {{- if .Values.image.mainContainer.securityContext }} - securityContext: - {{- toYaml .Values.image.mainContainer.securityContext | nindent 12 }} - {{- end }} - {{- if .Values.image.mainContainer.resources }} - resources: - {{- toYaml .Values.image.mainContainer.resources | nindent 12 }} - {{- end }} - - volumes: - {{- if .Values.persistentVolume }} - {{- if .Values.persistentVolume.nfs }} - - name: {{ template "pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "pvcName" . }} - {{- end }} - {{- end }} - - name: {{ template "mountedConfigMapName" . }} - configMap: - name: {{ template "mountedConfigMapName" . }} - defaultMode: 0744 - {{ if .Values.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- end }} - {{- if .Values.selfAntiAffinity.weight }} - {{- if ge (int .Values.selfAntiAffinity.weight) 1 }} - - weight: {{ .Values.selfAntiAffinity.weight }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight undefined - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ template "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/values.yaml deleted file mode 100644 index eb6905023..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/values.yaml +++ /dev/null 
@@ -1,123 +0,0 @@ -replicas: 2 -licenseConfidenceThreshold: 0.2 -langConfidenceThreshold: 0.2 -backoffDuration: 5 - -# Sets logging level for shell scripts, root logging level for springboot -debug: true - -rbac: - # Creates service account required to check if the postgres - # replicas are ready by querying the Kubernetes API - create: true - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 10000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - -horizontalPodAutoScaler: - enabled: false - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 80 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -persistentVolume: {} - # storage: "2Gi" - # nfs: - # server: 10.180.0.10 - # path: /share_1234cb44_31c6_4473_955f_860e3b61fb0e - - -podDisruptionBudget: - # Warning : this won't be applied unless the replicas - # values are >= 2 - minAvailable: 1 - -livenessProbe: - # High initial delay recommended due to startup time for postgres - # statefulsets and replication to come to life - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 330s ~= 5.5min - enabled: true - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 5 - failureThreshold: 15 - -readinessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 130s ~= 2.2min - enabled: true - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 5 - failureThreshold: 5 - -# Avoids provisioning containers on the same node -selfAntiAffinity: - soft: true - weight: 100 - -image: - 
initContainer: - pullPolicy: "Always" - registry: {} - registryPort: {} - name: "postgres" - # Alpine images for init container to reduce footprint: - # - size: 28MB - tag: "11.3-alpine" - - securityContext: {} - # runAsUser: 65534 - # runAsGroup: 65534 - # privileged: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL - # add: - # - SYS_TIME - # - NET_ADMIN - - resources: {} - # requests: - # memory: "25Mi" - # cpu: "100m" - # limits: - # memory: "35Mi" - # cpu: "200m" - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "eclipse/steady-rest-backend" - tag: "3.2.0-SNAPSHOT-jib" - - resources: {} - # limits: - # memory: "16Gi" - # cpu: "8" - # requests: - # memory: "8Gi" - # cpu: "4" - - securityContext: {} - # runAsUser: 65534 - # runAsGroup: 65534 - # privileged: false - # readOnlyRootFilesystem: false diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/values_production.yaml deleted file mode 100644 index 08b7cff64..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restbackend/values_production.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -replicas: 2 -licenseConfidenceThreshold: 0.2 -langConfidenceThreshold: 0.2 -backoffDuration: 5 - -# Sets logging level for shell scripts, root logging level for springboot -debug: true - -rbac: - # Creates service account required to check if the postgres - # replicas are ready by querying the Kubernetes API - create: true - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 10000 - # preemptionPolicy: PreemptLowerPriority - spec: {} - -horizontalPodAutoScaler: - enabled: true - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 80 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -persistentVolume: - storage: "2Gi" - nfs: - # # nfs can be set to {} and it will automatically be - # # updated as to the accessMode - # server: :: - # path: /share - -podDisruptionBudget: - # Warning : this won't be applied unless the replicas - # values are >= 2 - minAvailable: 1 - -livenessProbe: - # High initial delay recommended due to startup time for postgres - # statefulsets and replication to come to life - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 330s ~= 5.5min - enabled: true - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 5 - failureThreshold: 15 - -readinessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 130s ~= 2.2min - enabled: true - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 5 - failureThreshold: 5 - -# Avoids provisioning containers on the same node -selfAntiAffinity: - 
soft: true - weight: 100 - -image: - initContainer: - pullPolicy: "Always" - registry: {} - registryPort: {} - name: "postgres" - # Alpine images for init container to reduce footprint: - # - size: 28MB - tag: "11.3-alpine" - - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - privileged: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - add: - - SYS_TIME - - NET_ADMIN - - resources: - requests: - memory: "25Mi" - cpu: "100m" - limits: - memory: "35Mi" - cpu: "200m" - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "eclipse/steady-rest-backend" - tag: "3.2.0-SNAPSHOT-jib" - - resources: - limits: - memory: "16Gi" - cpu: "8" - requests: - memory: "8Gi" - cpu: "4" - - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - privileged: false - readOnlyRootFilesystem: false diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/Chart.yaml deleted file mode 100644 index e9376ab16..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" - -description: A Chart for rest-lib-utils -name: restlibutils -version: 0.1.1 -kubeVersion: ">=v1.15.0" - -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/README.md deleted file mode 100755 index 70a34a545..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/README.md +++ /dev/null @@ -1,59 +0,0 @@ -# Restlibutils - -> This chart is already included in the vulnerability-assessment-tool-core chart - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the restlibutils subchart of the vulnerability-assessment-tool-core chart v0.1.1 chart -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the restlibutils chart and their default values. - - -| Parameter | Description | Default | -| --- | --- | --- | -| replicas | For HA `2` or `3` replicas are recommended (only applied if set to deployment) | `3` | -| licenseConfidenceThreshold | | `0.2` | -| langConfidenceThreshold | | `0.2` | -| backoffDuration | delay between probe attempts | `5` | -| debug | Sets the debug level for scripts | `true` | -| rbac.create | Creates the rbac required for the restlibutils to query the kube api (used for checking if all replicas are up) | `true` | -| horizontalPodAutoScaler.enabled | Enables autoscaling (requires a metric server) | `False` | -| podDisruptionBudget.minAvailable | Ensure availability ²during disruption | `1` | -| livenessProbe | | enabled: `true`
initialDelaySeconds: `25`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | -| readinessProbe | | enabled: `true`
initialDelaySeconds: `20`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | -| image.pullPolicy | These images are maintained by the team and won't be subject to drift | `IfNotPresent` | -| image.name | | `eclipse/steady-rest-backend` | -| image.tag | | `3.2.5-SNAPSHOT-SNAPSHOT-jib` | - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -| Parameter | Description | Default | -| --- | --- | --- | -| persistentVolume.storage | | `2Gi` | -| persistentVolume.mountPath | PVC mountpath | `/.m2` | -| image.mainContainer.securityContext | | runAsUser: `65534`
runAsGroup: `65534`
privileged: `False`
readOnlyRootFilesystem: `False` | -| image.mainContainer.resources | The restlibutils consumes quite a bit of resources. These values are adapted for production values with around 300GB of data in the db | requests:
 memory:`8Gi`
 cpu: `2`
limit:
 memory: `15Gi`
 cpu: `7` | -| selfAntiAffinity.soft | Makes reslibutils containers avoid sharing pods | `true` | -| selfAntiAffinity.weight | weight for said antiaffinity | `100` | diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/_labels.tpl deleted file mode 100644 index 49b0a07a8..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/_labels.tpl +++ /dev/null @@ -1,31 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - restlibutils.enrichedLabels : generic labels + serviceLabels - contexts: [ . ] - usage: {{ include "restlibutils.commonLabels" . }} -*/}} -{{- define "restlibutils.enrichedLabels" -}} -app.kubernetes.io/instance: {{ template "podName" . }} -{{ include "commonLabels" . }} -{{ include "restlibutils.serviceLabel" . }} -{{- end -}} - -{{/* - restlibutils.serviceLabels : generic service labels - contexts: [ .global ] - usage: {{ include "restlibutils.serviceLabels" . }} -*/}} -{{- define "restlibutils.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "restlibutils.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - restlibutils.serviceLabel : generic servicename - contexts: [ .global ] - usage: {{ include "restlibutils.serviceLabel" . }} -*/}} -{{- define "restlibutils.serviceLabel" -}} -{{ .Values.global.projectName }}.core/service: {{ .Release.Name }}-restlibutils -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/configMap.yaml deleted file mode 100644 index 925b3b3de..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/configMap.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- if .Values.debug }} - DEBUG: "true" - LOGGING_LEVEL_ROOT: "INFO" - {{- end }} - - {{- if .Values.extraConfigs }} - {{- toYaml .Values.extraConfigs | nindent 2 }} - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/headlessService.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/headlessService.yaml deleted file mode 100644 index aeac3eb0c..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/headlessService.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ template "headlessServiceName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "restlibutils.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 8092 - protocol: TCP - targetPort: 8092 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/horizontalPodAutoscaler.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/horizontalPodAutoscaler.yaml deleted file mode 100644 index 6e6dfca95..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/horizontalPodAutoscaler.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- if .Values.horizontalPodAutoScaler.enabled -}} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler - -metadata: - name: {{ template "horizontalPodAutoScalerName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ template "deploymentName" . }} - - minReplicas: {{ .Values.replicas }} - maxReplicas: {{ mul .Values.replicas 3 }} - {{- if .Values.horizontalPodAutoScaler.spec }} - # INFO: User defined hpa spec in .horizontalPodAutoScaler.spec - {{- toYaml .Values.horizontalPodAutoScaler.spec | nindent 2 }} - {{- else }} - # INFO: Default hpa spec - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - {{- end }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/persistentVolume.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/persistentVolume.yaml deleted file mode 100644 index d5a7fbf7e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/persistentVolume.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.persistentVolume -}} -{{- if .Values.persistentVolume.nfs -}} -apiVersion: v1 -kind: PersistentVolume - -metadata: - name: {{ template "pvName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - {{- if .Values.persistentVolume.nfs }} - - ReadWriteMany - {{- else }} - - ReadWriteOnce - {{- end }} - - capacity: - storage: {{ .Values.persistentVolume.storage }} - - nfs: - server: {{ .Values.persistentVolume.nfs.server }} - path: {{ .Values.persistentVolume.nfs.path }} - {{- end -}} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/persistentVolumeClaim.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/persistentVolumeClaim.yaml deleted file mode 100644 index 2b8adfaae..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/persistentVolumeClaim.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.persistentVolume -}} -{{- if .Values.persistentVolume.nfs -}} -apiVersion: v1 -kind: PersistentVolumeClaim - -metadata: - name: {{ template "pvcName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - accessModes: - {{- if .Values.persistentVolume.nfs }} - - ReadWriteMany - {{- else }} - - ReadWriteOnce - {{- end }} - - storageClassName: "" - - resources: - requests: - storage: {{ .Values.persistentVolume.storage }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/podDisruptionBudget.yaml deleted file mode 100644 index 41bae58d9..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/podDisruptionBudget.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if and .Values.replicas (ge (int .Values.replicas) 2) -}} -{{- if .Values.podDisruptionBudget -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ template "podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{- toYaml .Values.podDisruptionBudget | nindent 2 }} - selector: - matchLabels: - {{- include "restlibutils.enrichedLabels" . | nindent 6 }} -{{- else -}} -# INFO: Skipped podDisruptionBudget = null -{{- end -}} -{{- else -}} -# INFO: Skipped podDisruptionBudget because replicas < 2 -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/priorityClass.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/priorityClass.yaml deleted file mode 100644 index 54bacb95f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/priorityClass.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.global.podPriorityClass.enabled -}} -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass - -metadata: - name: {{ template "priorityClassName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.podPriorityClass }} -{{- if .Values.podPriorityClass.spec }} -# INFO: user defined ppc in .podPriorityClass.spec -{{- toYaml .Values.podPriorityClass.spec | nindent 0 }} -{{- else }} -# INFO: default podPriorityClass -globalDefault: false -value: 500 -preemptionPolicy: Never -description: "Specific priority for {{ template "podName" . }}" -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/service.yaml deleted file mode 100644 index 39362469d..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-restlibutils - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "restlibutils.serviceLabels" . | nindent 4 }} - - ports: - - name: container - port: 8092 - protocol: TCP - targetPort: 8092 diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/statefulSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/statefulSet.yaml deleted file mode 100644 index 158e3b91a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/templates/statefulSet.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ template "statefulSetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - serviceName: {{ template "headlessServiceName" . }} - replicas: {{ .Values.replicas }} - - podManagementPolicy: Parallel - - selector: - matchLabels: - {{- include "restlibutils.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - {{- include "restlibutils.enrichedLabels" . | nindent 8 }} - annotations: - checksum/restlibutils-config: {{ include (print $.Template.BasePath "/configMap.yaml") . | sha256sum }} - - spec: - {{- if .Values.global.podPriorityClass.enabled }} - priorityClassName: {{ template "priorityClassName" . }} - {{- end }} - automountServiceAccountToken: false - {{- if .Values.persistentVolume }} - initContainers: - - name: {{ template "name" . }}-permission-init-container - image: alpine:3.10.2 - command: - - sh - - -c - - | - #!/bin/sh - set -e - chown -R {{ .Values.image.securityContext.runAsUser }}:{{ .Values.image.securityContext.runAsGroup }} {{ .Values.persistentVolume.mountPath }} - securityContext: - runAsUser: 0 - volumeMounts: - - name: {{ template "pvcName" . }} - mountPath: {{ .Values.persistentVolume.mountPath }} - resources: - limits: - cpu: "50m" - memory: "100Mi" - {{- end }} - containers: - - name: {{ template "name" . }}-container - image: {{ template "containerName" .Values.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: utils - containerPort: 8092 - - envFrom: - - configMapRef: - name: {{ template "configMapName" . 
}} - {{- $global := .Values.global }} - {{- if and .Values.livenessProbe .Values.livenessProbe.enabled }} - {{- with .Values.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - tcpSocket: - port: utils - {{- end }} - {{- end }} - {{- if and .Values.readinessProbe .Values.readinessProbe.enabled }} - {{- with .Values.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /cia/health - port: utils - {{- end }} - {{- end }} - {{- if .Values.persistentVolume }} - volumeMounts: - - name: {{ template "pvcName" . }} - mountPath: {{ .Values.persistentVolume.mountPath }} - {{- end }} - {{ if .Values.image.resources -}} - resources: - {{- toYaml .Values.image.resources | nindent 12 }} - {{- end }} - {{ if .Values.image.securityContext -}} - securityContext: - {{- toYaml .Values.image.securityContext | nindent 12 }} - {{- end }} - {{- if .Values.persistentVolume }} - volumes: - - name: {{ template "pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "pvcName" . 
}} - {{- end }} - {{- if .Values.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if and .Values.selfAntiAffinity .Values.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- end }} - {{- if .Values.selfAntiAffinity.weight }} - {{- if ge (int .Values.selfAntiAffinity.weight) 1 }} - - weight: {{ .Values.selfAntiAffinity.weight }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight < 1 - # replaced with default value 100 - - weight: 100 - {{- end }} - {{- else }} - # ERROR: .Values.selfAntiAffinity.weight undefined - # replaced with default value 100 - - weight: 100 - {{- end }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ template "name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - {{- if .Values.persistentVolume }} - {{- if not .Values.persistentVolume.nfs }} - volumeClaimTemplates: - - metadata: - name: {{ template "pvcName" . }} - labels: - {{- include "commonLabels" . | nindent 8 }} - - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: {{ .Values.persistentVolume.storage }} - {{- end -}} - {{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/values.yaml deleted file mode 100644 index 3273004d7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -replicas: 2 - -# Sets logging level for shell scripts -# and root logging level for springboot -debug: true - -extraConfigs: {} - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 500 - # preemptionPolicy: Never - spec: {} - -horizontalPodAutoScaler: - enabled: false - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 70 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -podDisruptionBudget: {} - # # Warning : this won't be applied unless the replicas - # # values are >= 2 - # minAvailable: 1 - -# Avoid sharing nodes with similar pods -selfAntiAffinity: {} - # soft: true - # weight: 100 - -livenessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 410s ~= 7min - enabled: true - initialDelaySeconds: 25 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 5 - -readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 150s ~= 2.5min - enabled: true - initialDelaySeconds: 20 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 5 - -# RWO is possible but mounting an nfs with RWM -# allows patcheval caches to share the same data -# thus allowing for a gain in performance -persistentVolume: {} - # storage: "2Gi" - # mountPath: /.m2 - # nfs: - # server: :: - # path: /share - -image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "eclipse/steady-rest-lib-utils" - tag: "3.2.0-SNAPSHOT" - - resources: {} - # limits: - # memory: "16Gi" - # cpu: "8" - # 
requests: - # memory: "8Gi" - # cpu: "2" - - securityContext: {} - # runAsUser: 65534 - # runAsGroup: 65534 - # privileged: false - # readOnlyRootFilesystem: false - # # capabilities: - # # drop: - # # - ALL - # # add: - # # - DAC_OVERRIDE - # # - SYS_TIME - # # - NET_ADMIN diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/values_production.yaml deleted file mode 100644 index 680077489..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/charts/restlibutils/values_production.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -replicas: 2 - -# Sets logging level for shell scripts -# and root logging level for springboot -debug: true -extraConfigs: {} - -podPriorityClass: - # If .Values.global.podPriorityClass.enabled and spec is {} - # defaults to - # globalDefault: false - # value: 500 - # preemptionPolicy: Never - spec: {} - -horizontalPodAutoScaler: - enabled: true - # If set to {} and .Values.horizontalPodAutoScaler.enabled=true - # defaults to - # metrics: - # - type: Resource - # resource: - # name: cpu - # targetAverageUtilization: 70 - # Else set to a map that respects scheme defined in - # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#horizontalpodautoscalerlist-v1-autoscaling - spec: {} - -podDisruptionBudget: - # Warning : this won't be applied unless the replicas - # values are >= 2 - minAvailable: 1 - -# Avoid sharing nodes with similar pods -selfAntiAffinity: - soft: true - weight: 100 - -livenessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 410s ~= 7min - enabled: true - initialDelaySeconds: 25 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 5 - -readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 150s ~= 2.5min - enabled: true - initialDelaySeconds: 20 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 5 - -# RWO is possible but mounting an nfs with RWM -# allows patcheval caches to share the same data -# thus allowing for a gain in performance -persistentVolume: - storage: "2Gi" - mountPath: /.m2 - # nfs: - # server: :: - # path: /share - -image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "eclipse/steady-rest-lib-utils" - tag: "3.2.0-SNAPSHOT" - resources: - limits: - memory: "15Gi" - cpu: "7" - requests: - memory: "8Gi" - cpu: "2" - - 
securityContext: - runAsUser: 65534 - runAsGroup: 65534 - privileged: false - readOnlyRootFilesystem: false - # capabilities: - # drop: - # - ALL - # add: - # - DAC_OVERRIDE - # - SYS_TIME - # - NET_ADMIN diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_container.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/templates/_container.tpl deleted file mode 100644 index 24f963b28..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_container.tpl +++ /dev/null @@ -1,18 +0,0 @@ - -{{/*-------------------------- Global Templates ----------------------------*/}} -{{/* - containerName : Generates containerName - contexts: [ .global ] - usage: {{ include "containerName" . }} -*/}} -{{- define "containerName" -}} -{{- if .registry -}} -{{- printf "%s" .registry -}} -{{- if .registryPort -}} -{{- printf ":%d/" (int .registryPort) -}} -{{- else -}} -{{- printf "/" -}} -{{- end -}} -{{- end -}} -{{- printf "%s:%s" .name .tag }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/templates/_getters.tpl deleted file mode 100644 index a1a5113b1..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_getters.tpl +++ /dev/null 
@@ -1,250 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - name : Gets name of current component - contexts: [ . ] - usage: {{ include "name" . }} -*/}} -{{- define "name" -}} -{{ .Release.Name }}-{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - chart : Gets chart name of current component - contexts: [ . ] - usage: {{ include "chart" . }} -*/}} -{{- define "chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - configMapName : config map name getter - contexts: [ . ] - usage: {{ include "configMapName" . }} -*/}} -{{- define "configMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - -{{/* - cronJobName : cronJobName getter - contexts: [ . ] - usage: {{ include "cronJobName" . }} -*/}} -{{- define "cronJobName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cron-job" $name -}} -{{- end -}} - -{{/* - mountedConfigMapName : mounted config map name getter - contexts: [ . ] - usage: {{ include "mountedConfigMapName" . }} -*/}} -{{- define "mountedConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-mounted-config" $name -}} -{{- end -}} - -{{/* - envConfigMapName : env config map name getter - contexts: [ . ] - usage: {{ include "envConfigMapName" . }} -*/}} -{{- define "envConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-env-config" $name -}} -{{- end -}} - - -{{/* - secretName : secret name getter - contexts: [ . ] - usage: {{ include "secretName" . }} -*/}} -{{- define "secretName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-secret" $name -}} -{{- end -}} - -{{/* - deploymentName : Deployment name getter - contexts: [ . ] - usage: {{ include "deploymentName" . }} -*/}} -{{- define "deploymentName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - -{{/* - daemonSetName : DaemonSet name getter - contexts: [ . ] - usage: {{ include "daemonSetName" . }} -*/}} -{{- define "daemonSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-daemon-set" $name -}} -{{- end -}} - -{{/* - statefulSetName : Statefulset name getter - contexts: [ . ] - usage: {{ include "statefulSetName" . }} -*/}} -{{- define "statefulSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} - -{{/* - pvcName : patchlibanalyzer pvc name getter - contexts: [ . ] - usage: {{ include "pvcName" . }} -*/}} -{{- define "pvcName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-volume-claim" $name -}} -{{- end -}} - -{{/* - pvName : patchlibanalyzer pv name getter - contexts: [ . ] - usage: {{ include "pvName" . }} -*/}} -{{- define "pvName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-persistent-nfs-volume" $name -}} -{{- end -}} - - -{{/* - serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "serviceAccountName" . }} -*/}} -{{- define "serviceAccountName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-service-account" $name -}} -{{- end -}} - -{{/* - roleName : role name getter - contexts: [ . ] - usage: {{ include "roleName" . }} -*/}} -{{- define "roleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role" $name -}} -{{- end -}} - -{{/* - roleBindingName : role binding name getter - contexts: [ . ] - usage: {{ include "roleBindingName" . }} -*/}} -{{- define "roleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role-binding" $name -}} -{{- end -}} - -{{/* - clusterRoleName : cluster role name getter - contexts: [ . ] - usage: {{ include "clusterRoleName" . }} -*/}} -{{- define "clusterRoleName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-cluster-role" $name -}} -{{- end -}} - -{{/* - clusterRoleBindingName : cluster role binding name getter - contexts: [ . ] - usage: {{ include "clusterRoleBindingName" . }} -*/}} -{{- define "clusterRoleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cluster-role-binding" $name -}} -{{- end -}} - -{{/* - podName : deployment pod name getter - contexts: [ . ] - usage: {{ include "podName" . }} -*/}} -{{- define "podName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - podDisruptionBudgetName : deployment podDisruptionBudget name getter - contexts: [ . ] - usage: {{ include "podDisruptionBudgetName" . }} -*/}} -{{- define "podDisruptionBudgetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - -{{/* - networkPolicyName : networkPolicyName getter - contexts: [ . ] - usage: {{ include "networkPolicyName" . }} -*/}} -{{- define "networkPolicyName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-network-policy" $name -}} -{{- end -}} - -{{/* - horizontalPodAutoScalerName : horizontalPodAutoScalerName getter - contexts: [ . ] - usage: {{ include "horizontalPodAutoScalerName" . }} -*/}} -{{- define "horizontalPodAutoScalerName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-horizontal-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - verticalPodAutoScaler : verticalPodAutoScaler getter - contexts: [ . ] - usage: {{ include "verticalPodAutoScaler" . }} -*/}} -{{- define "verticalPodAutoScaler" -}} -{{- $name := include "name" . -}} -{{- printf "%s-vertical-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - podSecurityPolicyName : podSecurityPolicyName getter - contexts: [ . ] - usage: {{ include "podSecurityPolicyName" . }} -*/}} -{{- define "podSecurityPolicyName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-pod-security-policy" $name -}} -{{- end -}} - -{{/* - headlessServiceName : headlessServiceName getter - contexts: [ . ] - usage: {{ include "headlessServiceName" . }} -*/}} -{{- define "headlessServiceName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-headless" $name -}} -{{- end -}} - -{{/* - priorityClassName : priorityClassName getter - contexts: [ . ] - usage: {{ include "priorityClassName" . }} -*/}} -{{- define "priorityClassName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-priority-class" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/templates/_labels.tpl deleted file mode 100644 index b6823fff7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_labels.tpl +++ /dev/null @@ -1,26 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - commonLabels : generic labels - contexts: [ . ] - usage: {{ include "commonLabels" . }} -*/}} - -{{- define "commonLabels" -}} -{{ if .Chart.AppVersion -}} -app.kubernetes.io/name: {{ .Chart.Name }} -app.kubernetes.io/part-of: {{ .Values.global.projectName }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{ include "projectLabels" . }} -{{- end -}} - - -{{/* - projectLabels : generic labels - contexts: [ . ] - usage: {{ include "projectLabels" . }} -*/}} -{{- define "projectLabels" -}} -{{ .Values.global.projectName }}/environment: {{ .Values.global.env }} -{{ .Values.global.projectName }}/release-name: {{ .Release.Name }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_logs.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/templates/_logs.tpl deleted file mode 100644 index 63f2002a6..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_logs.tpl +++ /dev/null 
@@ -1,22 +0,0 @@ -{{/*-------------------------- Global Templates ----------------------------*/}} -{{/* - logFunctions : generic logging function - contexts: [ . ] - usage: {{ include "logFunctions" . }} -*/}} - -{{- define "logFunctions" -}} -_log() { - echo `date "+%Y:%m:%d-%H:%M:%S"` "[$CHART_NAME|$LOG_ORIGIN]" "$1": "$2" -} - -_error() { - _log "ERROR" "$1" -} - -_info() { - if [ -z $DEBUG ]; then - _log "INFO" "$1" - fi -} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_ports.tpl b/kubernetes/helm/vulnerability-assessment-tool-core/templates/_ports.tpl deleted file mode 100644 index e4be75e08..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/_ports.tpl +++ /dev/null @@ -1,12 +0,0 @@ - -{{/* - listPorts : lists port - contexts: [ .global ] - usage: {{ include "listPorts" . }} -*/}} -{{- define "listPorts" -}} -{{- range $key, $value := . }} -- name: {{ $key }} - {{- toYaml . | nindent 2 }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/README.md b/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/README.md deleted file mode 100644 index 0c2ee240b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Running benchmark for the Postgresql cluster - -These benchmark pod allow for benchmarking the performance of the Postgresql Cluster built by the [database chart](../../charts/database/README.md) by using `pgbench` with a readonly sql script. Three tests are possible: - -- benchmarking directly against the master service (`pgbench-direct.yaml`) -- benchmarking directly against the replica service (`pgbench-slave.yaml`) -- benchmarking against the pgpool service (`pgbench-pgpool.yaml`) - -This allows you to compare the performance and decide whether or not the use the pgpool as well as identify problematic queries that consume too much resources. - -## Running a specific script - -This assumes you already have a vulnerability-assessment-tool-core chart deployed on your Kubernetes cluster with the `values.yaml` in said directory. - -For example, from the vulnerability-assessment-tool-core chart directory (where the `Chart.yaml` and the `values.yaml` are located), to run the master benchmark: - -```sh -helm template . -x templates/benchmark/pgbench-direct.yaml \ - -x templates/benchmark/pgbench-sql.yaml \ - --set benchmark=true --name { Release Name } | kubectl apply -f - -``` - -To fetch results from the job execution: - -```sh -kubectl logs -l 'app.kubernetes.io/name=pgbench' -f -``` - -To clean up afterwards: - -```sh -kubectl delete configmap -l 'app.kubernetes.io/name=pgbench' -kubectl delete job -l 'app.kubernetes.io/name=pgbench' -``` diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-direct.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-direct.yaml deleted file mode 100644 index 527b759e5..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-direct.yaml +++ /dev/null 
@@ -1,48 +0,0 @@
-{{- if .Values.benchmark -}}
-apiVersion: batch/v1
-kind: Job
-
-metadata:
- name: bench-pgbench-direct
- namespace: {{ .Values.global.namespace }}
- labels:
- app.kubernetes.io/name: pgbench
- app.kubernetes.io/instance: master
- app.kubernetes.io/part-of: {{ .Values.global.projectName }}
- {{ .Values.global.projectName }}/release-name: {{ .Release.Name }}
-
-spec:
- backoffLimit: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: pgbench
- app.kubernetes.io/instance: master
- app.kubernetes.io/part-of: {{ .Values.global.projectName }}
- {{ .Values.global.projectName }}/release-name: {{ .Release.Name }}
- spec:
- restartPolicy: Never
- containers:
- - name: bench-pgbench-direct
- image: postgres:11.5-alpine
- imagePullPolicy: "IfNotPresent"
- command:
- - sh
- - -c
- - |
- #!/bin/sh
- export PGPASSWORD={{ .Values.global.dbCredentials.postgres_password }}
- pgbench -d -c 80 -j 8 -U {{ .Values.global.dbCredentials.postgres_user }} \
- -f /bench.sql -r -n -T 600 -h {{ .Release.Name }}-db-master \
- -p 5432 {{ .Values.global.dbCredentials.postgres_db }}
-
- volumeMounts:
- - name: bench-pgbench-sql
- mountPath: /bench.sql
- subPath: bench.sql
-
- volumes:
- - name: bench-pgbench-sql
- configMap:
- name: bench-pgbench-sql
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-pgpool.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-pgpool.yaml
deleted file mode 100644
index ee76d9021..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-pgpool.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if .Values.benchmark -}}
-apiVersion: batch/v1
-kind: Job
-
-metadata:
- name: bench-pgbench-pgpool
- namespace: {{ .Values.global.namespace }}
- labels:
- app.kubernetes.io/name: pgbench
- app.kubernetes.io/instance: pgpool
- app.kubernetes.io/part-of: {{ .Values.global.projectName }}
- {{ .Values.global.projectName }}/release-name: {{ .Release.Name }}
-
-spec:
- backoffLimit: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: pgbench
- app.kubernetes.io/instance: pgpool
- app.kubernetes.io/part-of: {{ .Values.global.projectName }}
- {{ .Values.global.projectName }}/release-name: {{ .Release.Name }}
- spec:
- restartPolicy: Never
- containers:
- - name: bench-pgbench-pgpool
- image: postgres:11.5-alpine
- imagePullPolicy: "IfNotPresent"
- command:
- - sh
- - -c
- - |
- #!/bin/sh
- export PGPASSWORD={{ .Values.global.dbCredentials.pool_password }}
- pgbench -d -c 80 -j 8 -U {{ .Values.global.dbCredentials.pool_user }} \
- -f /bench.sql -r -n -T 600 -h {{ .Release.Name }}-db-pool \
- -p 5432 {{ .Values.global.dbCredentials.postgres_db }}
-
- volumeMounts:
- - name: bench-pgbench-sql
- mountPath: /bench.sql
- subPath: bench.sql
-
- volumes:
- - name: bench-pgbench-sql
- configMap:
- name: bench-pgbench-sql
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-slave.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-slave.yaml
deleted file mode 100644
index d7e7a6e01..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-slave.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if .Values.benchmark -}}
-apiVersion: batch/v1
-kind: Job
-
-metadata:
- name: bench-pgbench-slave
- namespace: {{ .Values.global.namespace }}
- labels:
- app.kubernetes.io/name: pgbench
- app.kubernetes.io/instance: slave
- app.kubernetes.io/part-of: {{ .Values.global.projectName }}
- {{ .Values.global.projectName }}/release-name: {{ .Release.Name }}
-
-spec:
- backoffLimit: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: pgbench
- app.kubernetes.io/instance: slave
- app.kubernetes.io/part-of: {{ .Values.global.projectName }}
- {{ .Values.global.projectName }}/release-name: {{ .Release.Name }}
- spec:
- restartPolicy: Never
- containers:
- - name: bench-pgbench-slave
- image: postgres:11.5-alpine
- imagePullPolicy: "IfNotPresent"
- command:
- - sh
- - -c
- - |
- #!/bin/sh
- export PGPASSWORD={{ .Values.global.dbCredentials.postgres_password }}
- pgbench -c 80 -j 8 -U {{ .Values.global.dbCredentials.postgres_user }} \
- -f /bench.sql -r -n -T 600 -h {{ .Release.Name }}-db-slave \
- -p 5432 {{ .Values.global.dbCredentials.postgres_db }}
-
- volumeMounts:
- - name: bench-pgbench-sql
- mountPath: /bench.sql
- subPath: bench.sql
-
- volumes:
- - name: bench-pgbench-sql
- configMap:
- name: bench-pgbench-sql
-{{- end -}}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-sql.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-sql.yaml
deleted file mode 100644
index 80bfabb87..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-core/templates/benchmark/pgbench-sql.yaml
+++ /dev/null
@@ -1,58 +0,0 @@ -{{- if .Values.benchmark -}} -apiVersion: v1 -kind: ConfigMap - -metadata: - name: bench-pgbench-sql - namespace: {{ .Values.global.namespace }} - labels: - app.kubernetes.io/name: pgbench - app.kubernetes.io/part-of: {{ .Values.global.projectName }} - {{ .Values.global.projectName }}/release-name: {{ .Release.Name }} - -data: - bench.sql: | - BEGIN; - SELECT tenant0_.id as id1_27_, tenant0_.created_at as created_2_27_, tenant0_.is_default as is_defau3_27_, tenant0_.last_modified as last_mod4_27_, tenant0_.tenant_name as tenant_n5_27_, tenant0_.tenant_token as tenant_t6_27_ from public.tenant tenant0_ where tenant0_.is_default=true ; - - - SELECT spaces0_.tenant as tenant11_24_0_, spaces0_.id as id1_24_0_, spaces0_.id as id1_24_1_, spaces0_.bug_filter as bug_filt2_24_1_, spaces0_.created_at as created_3_24_1_, spaces0_.export_configuration as export_c4_24_1_, spaces0_.is_default as is_defau5_24_1_, spaces0_.is_public as is_publi6_24_1_, spaces0_.last_modified as last_mod7_24_1_, spaces0_.space_description as space_de8_24_1_, spaces0_.space_name as space_na9_24_1_, spaces0_.space_token as space_t10_24_1_, spaces0_.tenant as tenant11_24_1_ from space spaces0_ where spaces0_.tenant='319624120'; - - - SELECT distinct a.id, a.artifact, a.created_at, a.modified_at, a.last_vuln_change, a.last_scan, a.mvn_group, a.space, a.version from app a inner join space s on a.space=s.id where s.space_token= 'A5344E8A6D26617C92A0CAD02F10C89C' and (extract(epoch from last_vuln_change) > 0 OR extract(epoch from last_scan) > 0) ; - - - SELECT applicatio0_.id as id1_0_0_, space1_.id as id1_24_1_, applicatio0_.artifact as artifact2_0_0_, applicatio0_.created_at as created_3_0_0_, applicatio0_.last_scan as last_sca4_0_0_, applicatio0_.last_vuln_change as last_vul5_0_0_, applicatio0_.modified_at as modified6_0_0_, applicatio0_.mvn_group as mvn_grou7_0_0_, applicatio0_.space as space9_0_0_, applicatio0_.version as version8_0_0_, space1_.bug_filter as bug_filt2_24_1_, 
space1_.created_at as created_3_24_1_, space1_.export_configuration as export_c4_24_1_, space1_.is_default as is_defau5_24_1_, space1_.is_public as is_publi6_24_1_, space1_.last_modified as last_mod7_24_1_, space1_.space_description as space_de8_24_1_, space1_.space_name as space_na9_24_1_, space1_.space_token as space_t10_24_1_, space1_.tenant as tenant11_24_1_ from app applicatio0_ inner join space space1_ on applicatio0_.space=space1_.id where applicatio0_.mvn_group='com.acme' and applicatio0_.artifact='vulas-testapp-webapp' and applicatio0_.version='2.5.2-MVN' and applicatio0_.space='319624121' ; - - - SELECT dependenci0_.app as app10_2_0_, dependenci0_.id as id1_2_0_, dependenci0_.id as id1_2_1_, dependenci0_.app as app10_2_1_, dependenci0_.declared as declared2_2_1_, dependenci0_.filename as filename3_2_1_, dependenci0_.lib as lib11_2_1_, dependenci0_.origin as origin4_2_1_, dependenci0_.parent as parent12_2_1_, dependenci0_.path as path5_2_1_, dependenci0_.relative_path as relative6_2_1_, dependenci0_.scope as scope7_2_1_, dependenci0_.traced as traced8_2_1_, dependenci0_.transitive as transiti9_2_1_, library1_.id as id1_19_2_, library1_.created_at as created_2_19_2_, library1_.digest as digest3_19_2_, library1_.digest_algorithm as digest_a4_19_2_, library1_.digest_verification_url as digest_v5_19_2_, library1_.library_id_id as library_8_19_2_, library1_.modified_at as modified6_19_2_, library1_.wellknown_digest as wellknow7_19_2_, libraryid2_.id as id1_22_3_, libraryid2_.artifact as artifact2_22_3_, libraryid2_.mvn_group as mvn_grou3_22_3_, libraryid2_.version as version4_22_3_ from app_dependency dependenci0_ inner join lib library1_ on dependenci0_.lib=library1_.digest left outer join library_id libraryid2_ on library1_.library_id_id=libraryid2_.id where dependenci0_.app='319633948'; - - SELECT constructs0_.application_id as applicat1_1_0_, constructs0_.constructs_id as construc2_1_0_, constructi1_.id as id1_18_1_, constructi1_.lang as lang2_18_1_, 
constructi1_.qname as qname3_18_1_, constructi1_.type as type4_18_1_ from app_constructs constructs0_ inner join construct_id constructi1_ on constructs0_.constructs_id=constructi1_.id where constructs0_.application_id='319633948'; - - SELECT goalexecut0_.id as id1_5_, goalexecut0_.app as app12_5_, goalexecut0_.client_version as client_v2_5_, goalexecut0_.created_at as created_3_5_, goalexecut0_.exception as exceptio4_5_, goalexecut0_.execution_id as executio5_5_, goalexecut0_.goal as goal6_5_, goalexecut0_.mem_max as mem_max7_5_, goalexecut0_.mem_used_avg as mem_used8_5_, goalexecut0_.mem_used_max as mem_used9_5_, goalexecut0_.runtime_nano as runtime10_5_, goalexecut0_.started_at_client as started11_5_ from app_goal_exe goalexecut0_ where goalexecut0_.app='319633948' order by goalexecut0_.started_at_client DESC ; - - - SELECT applicatio0_.id as id1_0_0_, space1_.id as id1_24_1_, applicatio0_.artifact as artifact2_0_0_, applicatio0_.created_at as created_3_0_0_, applicatio0_.last_scan as last_sca4_0_0_, applicatio0_.last_vuln_change as last_vul5_0_0_, applicatio0_.modified_at as modified6_0_0_, applicatio0_.mvn_group as mvn_grou7_0_0_, applicatio0_.space as space9_0_0_, applicatio0_.version as version8_0_0_, space1_.bug_filter as bug_filt2_24_1_, space1_.created_at as created_3_24_1_, space1_.export_configuration as export_c4_24_1_, space1_.is_default as is_defau5_24_1_, space1_.is_public as is_publi6_24_1_, space1_.last_modified as last_mod7_24_1_, space1_.space_description as space_de8_24_1_, space1_.space_name as space_na9_24_1_, space1_.space_token as space_t10_24_1_, space1_.tenant as tenant11_24_1_ from app applicatio0_ inner join space space1_ on applicatio0_.space=space1_.id where applicatio0_.mvn_group='com.acme' and applicatio0_.artifact='vulas-testapp-webapp' and applicatio0_.version='2.5.2-MVN' and applicatio0_.space='319624121' ; - - - SELECT id FROM app_goal_exe WHERE app = '319633948' AND goal = 'APP' ORDER BY started_at_client DESC LIMIT 1 ; - - - 
SELECT goalexecut0_.id as id1_5_0_, goalexecut0_.app as app12_5_0_, goalexecut0_.client_version as client_v2_5_0_, goalexecut0_.created_at as created_3_5_0_, goalexecut0_.exception as exceptio4_5_0_, goalexecut0_.execution_id as executio5_5_0_, goalexecut0_.goal as goal6_5_0_, goalexecut0_.mem_max as mem_max7_5_0_, goalexecut0_.mem_used_avg as mem_used8_5_0_, goalexecut0_.mem_used_max as mem_used9_5_0_, goalexecut0_.runtime_nano as runtime10_5_0_, goalexecut0_.started_at_client as started11_5_0_, applicatio1_.id as id1_0_1_, applicatio1_.artifact as artifact2_0_1_, applicatio1_.created_at as created_3_0_1_, applicatio1_.last_scan as last_sca4_0_1_, applicatio1_.last_vuln_change as last_vul5_0_1_, applicatio1_.modified_at as modified6_0_1_, applicatio1_.mvn_group as mvn_grou7_0_1_, applicatio1_.space as space9_0_1_, applicatio1_.version as version8_0_1_, space2_.id as id1_24_2_, space2_.bug_filter as bug_filt2_24_2_, space2_.created_at as created_3_24_2_, space2_.export_configuration as export_c4_24_2_, space2_.is_default as is_defau5_24_2_, space2_.is_public as is_publi6_24_2_, space2_.last_modified as last_mod7_24_2_, space2_.space_description as space_de8_24_2_, space2_.space_name as space_na9_24_2_, space2_.space_token as space_t10_24_2_, space2_.tenant as tenant11_24_2_, properties3_.space_id as space_id1_25_3_, property4_.id as properti2_25_3_, property4_.id as id1_23_4_, property4_.name as name2_23_4_, property4_.property_value as property3_23_4_, property4_.source as source4_23_4_, property4_.value_sha1 as value_sh5_23_4_, spaceowner5_.space_id as space_id1_26_5_, spaceowner5_.space_owners as space_ow2_26_5_, tenant6_.id as id1_27_6_, tenant6_.created_at as created_2_27_6_, tenant6_.is_default as is_defau3_27_6_, tenant6_.last_modified as last_mod4_27_6_, tenant6_.tenant_name as tenant_n5_27_6_, tenant6_.tenant_token as tenant_t6_27_6_ from app_goal_exe goalexecut0_ inner join app applicatio1_ on goalexecut0_.app=applicatio1_.id inner join space space2_ on 
applicatio1_.space=space2_.id left outer join space_properties properties3_ on space2_.id=properties3_.space_id left outer join property property4_ on properties3_.properties_id=property4_.id left outer join space_owners spaceowner5_ on space2_.id=spaceowner5_.space_id inner join tenant tenant6_ on space2_.tenant=tenant6_.id where goalexecut0_.id='319767613'; - - - - SELECT configurat0_.goal_execution_id as goal_exe1_6_0_, configurat0_.configuration_id as configur2_6_0_, property1_.id as id1_23_1_, property1_.name as name2_23_1_, property1_.property_value as property3_23_1_, property1_.source as source4_23_1_, property1_.value_sha1 as value_sh5_23_1_ from app_goal_exe_configuration configurat0_ inner join property property1_ on configurat0_.configuration_id=property1_.id where configurat0_.goal_execution_id='319767613'; - - SELECT systeminfo0_.goal_execution_id as goal_exe1_7_0_, systeminfo0_.system_info_id as system_i2_7_0_, property1_.id as id1_23_1_, property1_.name as name2_23_1_, property1_.property_value as property3_23_1_, property1_.source as source4_23_1_, property1_.value_sha1 as value_sh5_23_1_ from app_goal_exe_system_info systeminfo0_ inner join property property1_ on systeminfo0_.system_info_id=property1_.id where systeminfo0_.goal_execution_id='319767613'; - - SELECT statistics0_.goal_execution_id as goal_exe1_8_0_, statistics0_.statistics as statisti2_8_0_, statistics0_.statistics_key as statisti3_0_ from app_goal_exe_statistics statistics0_ where statistics0_.goal_execution_id='319767613' ; - - - SELECT goalexecut0_.id as id1_5_0_, goalexecut0_.app as app12_5_0_, goalexecut0_.client_version as client_v2_5_0_, goalexecut0_.created_at as created_3_5_0_, goalexecut0_.exception as exceptio4_5_0_, goalexecut0_.execution_id as executio5_5_0_, goalexecut0_.goal as goal6_5_0_, goalexecut0_.mem_max as mem_max7_5_0_, goalexecut0_.mem_used_avg as mem_used8_5_0_, goalexecut0_.mem_used_max as mem_used9_5_0_, goalexecut0_.runtime_nano as runtime10_5_0_, 
goalexecut0_.started_at_client as started11_5_0_, applicatio1_.id as id1_0_1_, applicatio1_.artifact as artifact2_0_1_, applicatio1_.created_at as created_3_0_1_, applicatio1_.last_scan as last_sca4_0_1_, applicatio1_.last_vuln_change as last_vul5_0_1_, applicatio1_.modified_at as modified6_0_1_, applicatio1_.mvn_group as mvn_grou7_0_1_, applicatio1_.space as space9_0_1_, applicatio1_.version as version8_0_1_, space2_.id as id1_24_2_, space2_.bug_filter as bug_filt2_24_2_, space2_.created_at as created_3_24_2_, space2_.export_configuration as export_c4_24_2_, space2_.is_default as is_defau5_24_2_, space2_.is_public as is_publi6_24_2_, space2_.last_modified as last_mod7_24_2_, space2_.space_description as space_de8_24_2_, space2_.space_name as space_na9_24_2_, space2_.space_token as space_t10_24_2_, space2_.tenant as tenant11_24_2_, properties3_.space_id as space_id1_25_3_, property4_.id as properti2_25_3_, property4_.id as id1_23_4_, property4_.name as name2_23_4_, property4_.property_value as property3_23_4_, property4_.source as source4_23_4_, property4_.value_sha1 as value_sh5_23_4_, spaceowner5_.space_id as space_id1_26_5_, spaceowner5_.space_owners as space_ow2_26_5_, tenant6_.id as id1_27_6_, tenant6_.created_at as created_2_27_6_, tenant6_.is_default as is_defau3_27_6_, tenant6_.last_modified as last_mod4_27_6_, tenant6_.tenant_name as tenant_n5_27_6_, tenant6_.tenant_token as tenant_t6_27_6_ from app_goal_exe goalexecut0_ inner join app applicatio1_ on goalexecut0_.app=applicatio1_.id inner join space space2_ on applicatio1_.space=space2_.id left outer join space_properties properties3_ on space2_.id=properties3_.space_id left outer join property property4_ on properties3_.properties_id=property4_.id left outer join space_owners spaceowner5_ on space2_.id=spaceowner5_.space_id inner join tenant tenant6_ on space2_.tenant=tenant6_.id where goalexecut0_.id='319767613' ; - - SELECT distinct dependency0_.id as col_0_0_, bug5_.id as col_1_0_ from app_dependency 
dependency0_ inner join app applicatio1_ on dependency0_.app=applicatio1_.id inner join lib library2_ on dependency0_.lib=library2_.digest inner join lib_constructs constructs3_ on library2_.id=constructs3_.library_id inner join construct_id constructi4_ on constructs3_.constructs_id=constructi4_.id cross join bug bug5_ inner join bug_construct_change constructc6_ on bug5_.bug_id=constructc6_.bug where applicatio1_.mvn_group='com.acme' and applicatio1_.artifact='vulas-testapp-webapp' and applicatio1_.version='2.5.2-MVN' and applicatio1_.space='319624121' and constructi4_.id=constructc6_.construct_id and (constructi4_.type<>'PACK' or not (exists (SELECT 1 from bug_construct_change constructc7_ inner join construct_id constructi8_ on constructc7_.construct_id=constructi8_.id where constructc7_.bug=constructc6_.bug and constructi8_.type<>'PACK' and (constructi8_.qname not like '%test%') and (constructi8_.qname not like '%Test%') and constructc7_.construct_change_type<>'ADD'))) and (constructi4_.type<>'MODU' or constructi4_.qname<>'setup') ; - - SELECT a.affected from (SELECT distinct bug_id,library_id,affected from bug_affected_library where source='MANUAL' and lib is null UNION SELECT distinct al1.bug_id,al1.library_id,al1.affected from bug_affected_library as al1 where al1.lib is null and (al1.source='AST_EQUALITY' OR al1.source='MINOR_EQUALITY'OR al1.source='MAJOR_EQUALITY' OR al1.source='GREATER_RELEASE' OR al1.source='INTERSECTION' OR al1.source='PROPAGATE_MANUAL') and not exists (SELECT 1 from bug_affected_library as al2 where al2.source='MANUAL' and al1.bug_id=al2.bug_id and al1.library_id=al2.library_id)) as a where a.bug_id='CVE-2014-3612' and a.library_id='236764304'; - END; -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-core/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-core/values.yaml deleted file mode 100644 index e35178df2..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-core/values.yaml +++ /dev/null 
@@ -1,16 +0,0 @@
-global:
- dbCredentials:
- pool_user: pgpool
- pool_password: changeme
- postgres_db: vulas
- postgres_password: changeme
- postgres_user: postgres
- replication_user: replication
- env: TESTING
- existingClaim: {}
- masterReplicas: 1
- namespace: vulnerability-assessment-tool-core
- podPriorityClass:
- enabled: true
- projectName: vulnerability-assessment-tool
- slaveReplicas: 2
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/.helmignore b/kubernetes/helm/vulnerability-assessment-tool-monitoring/.helmignore
deleted file mode 100644
index 5537b7118..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/.helmignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*.md
-stern.sh
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/Chart.yaml
deleted file mode 100644
index f53ced4f4..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/Chart.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-appVersion: "3.1.7-SNAPSHOT"
-name: vulnerability-assessment-tool-monitoring
-version: v0.1.1
-
-kubeVersion: ">=v1.15.0"
-description: Helm Chart for vulnerability-assessment-tool monitoring services
-keywords:
- - "SAP"
- - "vulnerability-assessment-tool"
- - "open-source"
- - "security-tools"
- - "java"
- - "python"
- - "maven"
- - "gradle"
-
-home: https://eclipse.github.io/steady
-sources:
- - https://github.com/eclipse/steady
-
-maintainers:
- - name: "holla"
- email: "quoc.trung.hoang@sap.com"
- url: ""
-
-engine: gotpl
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/README.md b/kubernetes/helm/vulnerability-assessment-tool-monitoring/README.md
deleted file mode 100644
index a0e47df00..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/README.md
+++ /dev/null
@@ -1,59 +0,0 @@ - -# Vulnerability-assessment-tool-monitoring -Helm Chart for vulnerability-assessment-tool monitoring services - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -# With helm 2 -# helm install { custom name } . -$ helm install monitoring-release . - -# With helm 3, you need to create the desired namespace before hand -$ kubectl create namespace { namespace } -$ kubectl install monitoring-release . -``` - -The command deploys the vulnerability-assessment-tool-monitoring subchart of the vulnerability assessment tool v0.1.1 -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete monitoring-release . -``` - -## Configuration -The following table lists the configurable parameters of the vulnerability-assessment-tool-monitoring chart and their default values. 
- -| Parameter | Description | Default | -| --------------------- | -------------------------------- | ----------------------------------------- | -| global.namespace | destination namespace for chart | `vulnerability-asessment-tool-monitoring` | -| global.projectName | | `vulnerability-assessment-tool` | -| global.env | label for deployment environment | `TESTING` | -| global.ingresClass | ingress controller class | `nginx` | -| global.adminNamespace | admin chart namespace | `vulnerability-asessment-tool-admin` | -| global.subPath | subpath to serve from | `""` | - -### Elastic -The subchart values can be configured by modifying the values directly in the subdirectory (for more configuration detail see [here](charts/elastic/README.md) or overridden in the vulnerability-assessment-tool-monitoring chart by nesting values inside `elastic`. For example, to modify the `kibana.replicas` value, you can do; -``` -elastic: - kibana: - replicas: 2 -``` - - -### Fluentd -These values should be prepended by nesting them in `fluent` and can be seen in detail [here](charts/fluentd/README.md) - -### Grafana -These values should be prepended by nesting them in `grafana` and can be seen in detail [here](charts/grafana/README.md) - -### Prometheus -These values should be prepended by nesting them in `prometheus` and can be seen in detail [here](charts/prometheus/README.md) diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/Chart.yaml deleted file mode 100644 index 423037a54..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/Chart.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -appVersion: 7.3.2 -name: elastic -version: v0.1.1 - -kubeVersion: ">=v1.15.0" -description: Helm Chart for elasticsearch + kibana for the vulnerability-assessment-tool -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/README.md b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/README.md deleted file mode 100644 index 2b8d11067..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/README.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Elastic: Kibana + Elasticsearch - -> This chart is already included in the vulnerability-assessment-tool-monitoring chart - -This chart is a modified version of the stable chart (see [original chart](https://github.com/helm/charts/tree/master/stable/) creates a and an cluster for visualizing and storing logs from the cluster. It also launches some jobs to set up log levels as well as ILM (Index Lifecycle Management) for the ES cluster. - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the elastic subchart of the vulnerability-assessment-tool-core chart v0.1.1 on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the elastic chart and their default values. As values in this chart are quite highly nested, this table is split into two parts for easy readability - -### .Values.kibana -| Parameter | Description | Default | -|---|---|---| -| enabled | Kibana is an optional part of this chart and can be decoupled by setting this to `False` | `True` | -| replicas | | `1` | -| debug | Sets Kibana logging level through environment variables. 
`LOGGING_VERBOSE` to True | `False` | -| serverHost | | `0.0.0.0` | -| plugins.enabled | Installs a series of plugins | `False` | -| persistentVolume.enabled | Used to persist plugins and keep it from reoptimizing every time a pod gets launched | `False` | -| image.pullPolicy | Maintained by the elasticsearch team so quite stable | `IfNotPresent` | -| image.name | | `kibana` | -| image.tag | image tag | `7.3.1` | -| livenessProbe | | enabled: `True`
initialDelaySeconds: `30`
failureThreshold: `3`
periodSeconds: `10`
timeoutSeconds: `5` | -| readinessProbe | | enabled: `True`
initialDelaySeconds: `15`
failureThreshold: `3`
periodSeconds: `10`
timeoutSeconds: `5` | - - -### .Values.elasticsearch -| Parameter | Description | Default | -| --- | --- | --- | -| debug | Creates a job called logSetterJob.yaml that sets the desired logging level of logger.org.elasticsearch.transport: if `True` then "trace" else "error" | `False` | -| clusterName | Name for the cluster (used by the headless service) | ` | -| nodeGroup | | `master` | -| replicas | 3 is the minimum number of nodes in order to garantee fault tolerance | `3` | -| roles | Sets the role for each node | master: `true`
ingest: `true`
storage: `true` | -| esJavaOpts | Used in production to avoid java from exceeding the default heap limit | `-Xmx1g -Xms1g` | -| networkHost | | `0.0.0.0` | -| sysctlVmMaxMapCount | Optimal system mmapfs count limit (see [guide](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)) | `262144` | -| selfAntiAffinity | Weight for antiaffinity towards sharing a node with another elasticsearch node | `100` | -| updateStrategy | | `RollingUpdate` | -| podManagementPolicy | Unordered management because ES is a self managed cluster | `Parallel` | -| terminationGracePeriodSeconds | Allows for elasticsearch cluster to gracefully end which speeds up election in the next deployment | `120` | -| clusterHealthCheckParams | query used for health chekc | `wait_for_status=green&timeout=1s` | -| podDisruptionBudget.maxUnavailable | | `1` | -| image.initContainer.pullPolicy | | `IfNotPresent` | -| image.initContainer.name | | `busybox` | -| image.initContainer.tag | | `1.31.0` | -| image.mainContainer.pullPolicy | | `IfNotPresent` | -| image.mainContainer.name | | `elasticsearch` | -| image.mainContainer.tag | | `7.3.1` | -| image.mainContainer.readinessProbe | | failureThreshold: `3`
initialDelaySeconds: `10`
periodSeconds: `10`
successThreshold: `3`
timeoutSeconds: `5` | -| image.sidecarContainer.pullPolicy | | `IfNotPresent` | -| image.sidecarContainer.name | | `elasticsearch` | -| image.sidecarContainer.tag | image tag | `7.3.1` | -| volumeClaimTemplate | PVC template for storing logs | accessModes:
  -`ReadWriteOnce`
 resources:
  requests:
   storage: `40Gi` | - -## Production configuration -This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. -```sh -$ helm install { custom release name } -f values_production.yaml . -``` -These values can be configured as follows: - -### .Values.kibana -| Parameter | Description | Default | -| --- | --- | --- | -| selfAntiAffinity | Avoids sharing nodes with similar pods | soft: `True`
weight: `100` | -| elasticsearchAffinity | Stays close to ES pods | soft: `True`
weight: `100` | -| podDisruptionBudget.minAvailable | ensure availability during disruption | `1` | -| persistentVolume.storage | storage size for PVC | `1Gi` | -| securityContext | | enabled: `True`
allowPrivilegeEscalation: `False`
runAsUser: `1000` | -| image.resources | | requests:
 memory: `1G`
 cpu: `1000m`limit:
 memory: `2G`
 cpu: `2000m` | - -### .Values.elasticsearch -| Parameter | Description | Default | -| --- | --- | --- | -| retention.max_size | Sets ILM max size | `100GB` | -| retention.max_age | Sets max age for logs | `180d` | -| retention.min_age | Sets min age for unused logs | `90d` | -| image.initContainer.resources | | requests:
 memory: `128Mi`
 cpu: `25m`limit:
 memory: `150Mi`
 cpu: `25m` | -| image.mainContainer.resources | | requests:
 memory: `1500Mi`
 cpu: `160m`limit:
 memory: `2Gi`
 cpu: `1000m` | diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/files/logtrail.json b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/files/logtrail.json deleted file mode 100644 index 7ab00a54e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/files/logtrail.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "version" : 1, - "index_patterns" : [ - { - "es": { - "default_index": "*" - }, - "tail_interval_in_seconds": 10, - "es_index_time_offset_in_seconds": 0, - "display_timezone": "local", - "display_timestamp_format": "MMM DD HH:mm:ss", - "max_buckets": 500, - "default_time_range_in_days" : 0, - "max_hosts": 100, - "max_events_to_keep_in_viewer": 5000, - "fields" : { - "mapping" : { - "timestamp" : "@timestamp", - "hostname" : "kubernetes.host", - "program": "kubernetes.pod_name", - "message": "log" - }, - "message_format": "{{{log}}}" - }, - "color_mapping" : { - } - }] -} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/ILMSetterJob.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/ILMSetterJob.yaml deleted file mode 100644 index ba8622097..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/ILMSetterJob.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -{{- if .Values.elasticsearch.retention -}} -apiVersion: batch/v1 -kind: Job - -metadata: - name: {{ template "elastic.name" . }}-ilm-setter - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - backoffLimit: 0 - parallelism: 1 - ttlSecondsAfterFinished: 60 - - template: - metadata: - name: {{ template "elastic.name" . }}-ilm-setter - labels: - {{- include "commonLabels" . | nindent 8 }} - - spec: - restartPolicy: Never - containers: - - name: {{ template "elastic.name" . }}-ilm-setter-pod - image: appropriate/curl:3.1 - imagePullPolicy: "IfNotPresent" - envFrom: - - configMapRef: - name: {{ include "elastic.configMapName" . }} - resources: - limits: - cpu: "40m" - memory: "32Mi" - command: - - sh - - -c - - |- - #!/bin/sh - CHART_NAME="{{ template "elastic.name" . }}" - LOG_ORIGIN="ilm-level-setter.sh" - {{- include "logFunctions" . | nindent 10 }} - - http () { - local path="${1}" - if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then - BASIC_AUTH="-u ${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}" - else - BASIC_AUTH='' - fi - curl -XGET --write-out %{http_code} -s --output /dev/null -k --fail ${BASIC_AUTH} ${{ .Release.Name | upper }}_ELASTICSEARCH_SERVICE_HOST:9200${path} - } - status_code=$(http "/_cluster/health?{{ .Values.elasticsearch.clusterHealthCheckParams }}") - attempts=0 - - while [ $status_code -ne "200" ]; do - status_code=$(http "/_cluster/health?{{ .Values.elasticsearch.clusterHealthCheckParams }}") - attemps=$((attempts + 1)) - if [ $attempts -ge "15" ]; then - _error "Ran out of attempts. Job cancelled." - exit 127 - fi - _error "Cluster is not ready. 
Sleeping for 10 seconds" - sleep 10 - done - - _info "Cluster is up and ready, attempting to inject configurations" - status_code=$(curl --write-out %{http_code} -s --output /dev/null -X GET "${{ .Release.Name | upper }}_ELASTICSEARCH_SERVICE_HOST:9200/_ilm/status" -H 'Content-Type: application/json') - if [ $status_code -ne "200" ]; then - _info "ILM is not currently running" - exit 0 - fi - - status_code=$(curl --write-out %{http_code} -s --output /dev/null -X PUT "${{ .Release.Name | upper }}_ELASTICSEARCH_SERVICE_HOST:9200/_ilm/policy/datastream_policy?pretty" -H 'Content-Type: application/json' -d' - { - "policy": { - "phases": { - "hot": { - "actions": { - "rollover": { - "max_size": "{{ .Values.elasticsearch.retention.max_size }}", - "max_age": "{{ .Values.elasticsearch.retention.max_age }}" - } - } - }, - "delete": { - "min_age": "{{ .Values.elasticsearch.retention.min_age }}", - "actions": { - "delete": {} - } - } - } - } - } - ') - - if [ $status_code -eq "200" ]; then - _info "ILM level is set" - exit 0 - else - _error "Error setting Index Lifecycle Management level" - exit 127 - fi -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/_getters.tpl deleted file mode 100644 index d80f5b6d2..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/_getters.tpl +++ /dev/null 
@@ -1,113 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - elastic.name : Gets name of current component - contexts: [ . ] - usage: {{ include "elastic.name" . }} -*/}} -{{- define "elastic.name" -}} -{{ .Release.Name }}-elasticsearch -{{- end -}} - -{{/* - elastic.clusterName : Gets name of current component - contexts: [ . ] - usage: {{ include "elastic.clusterName" . }} -*/}} -{{- define "elastic.clusterName" -}} -{{- $name := include "elastic.name" . -}} -{{- printf "%s-cluster" $name -}} -{{- end -}} - -{{/* - elastic.chart : Create chart name and version as used by the chart label. - contexts: [ . ] - usage: {{ include "patch.chart" . }} -*/}} -{{- define "elastic.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - elastic.configMapName : ConfigMap getter - contexts: [ . ] - usage: {{ include "elastic.configMapName" . }} -*/}} -{{- define "elastic.configMapName" -}} -{{- $name := include "elastic.name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - - -{{/* - elastic.statefulSetName : Deployment stateful set name getter - contexts: [ . ] - usage: {{ include "elastic.statefulSetName" . }} -*/}} -{{- define "elastic.statefulSetName" -}} -{{- $name := include "elastic.name" . -}} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} - - -{{/* - elastic.pvcName : elastic pvc name getter - contexts: [ . ] - usage: {{ include "elastic.pvcName" . }} -*/}} -{{- define "elastic.pvcName" -}} -{{- $name := include "elastic.name" . -}} -{{- printf "%s-volume-claim" $name -}} -{{- end -}} - - -{{/* - elastic.pvName : elastic pv name getter - contexts: [ . ] - usage: {{ include "elastic.pvName" . }} -*/}} -{{- define "elastic.pvName" -}} -{{- $name := include "elastic.name" . -}} -{{- printf "%s-persistent-nfs-volume" $name -}} -{{- end -}} - - -{{/* - elastic.podName : elastic pod name getter - contexts: [ . 
] - usage: {{ include "elastic.podName" . }} -*/}} -{{- define "elastic.podName" -}} -{{- $name := include "elastic.name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - - -{{/* - elastic.podDisruptionBudgetName : elastic pod disruption budget name getter - contexts: [ . ] - usage: {{ include "elastic.podDisruptionBudgetName" . }} -*/}} -{{- define "elastic.podDisruptionBudgetName" -}} -{{- $name := include "elastic.name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - - - -{{- define "elastic.endpoints" -}} -{{- $replicas := .Values.elasticsearch.replicas | int }} -{{- $name := include "elastic.statefulSetName" . -}} -{{- range $i, $e := untilStep 0 $replicas 1 -}} -{{ printf "%s-%d," $name $i }} -{{- end -}} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - elastic.headlessServiceName : elastic service name getter - contexts: [ .global ] - usage: {{ include "elastic.headlessServiceName" . }} -*/}} -{{- define "elastic.headlessServiceName" -}} -{{- printf "%s-headless" .Values.global.monitoring.elasticsearch.service -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/_labels.tpl deleted file mode 100644 index fcfd391da..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/_labels.tpl +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - elastic.enrichedLabels : generic labels - contexts: [ . ] - usage: {{ include "elastic.enrichedLabels" . }} -*/}} -{{- define "elastic.enrichedLabels" -}} -app.kubernetes.io/instance: {{ include "elastic.podName" . }} -{{ include "commonLabels" . }} -{{ include "elastic.serviceLabel" . }} -{{- end -}} - -{{/* - elastic.serviceLabels : generic labels - contexts: [ . ] - usage: {{ include "elastic.serviceLabels" . }} -*/}} -{{- define "elastic.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "elastic.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - elastic.serviceLabel : generic service label - contexts: [ .global ] - usage: {{ include "elastic.serviceLabel" . }} -*/}} -{{- define "elastic.serviceLabel" -}} -{{ .Values.global.projectName }}.monitoring/service: {{ .Release.Name }}-elasticsearch -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/configMap.yaml deleted file mode 100644 index 89f3aec87..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/configMap.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ include "elastic.configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- $rootContext := . }} - {{- with .Values.elasticsearch }} - {{- if eq .roles.master "true" }} - cluster.initial_master_nodes: {{ include "elastic.endpoints" $rootContext | quote }} - discovery.seed_hosts: "{{ $rootContext.Release.Name }}-elasticsearch-headless" - {{- end }} - cluster.name: {{ include "elastic.clusterName" $rootContext | quote }} - network.host: {{ .networkHost | quote }} - ES_JAVA_OPTS: {{ .esJavaOpts | quote }} - {{- range $role, $enabled := .roles }} - node.{{ $role }}: {{ $enabled | quote }} - {{- end }} - - {{- if .extraConfigs }} - {{- toYaml .extraConfigs | nindent 2 }} - {{- end }} - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/headlessService.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/headlessService.yaml deleted file mode 100644 index cc3d91f3d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/headlessService.yaml +++ /dev/null @@ -1,27 +0,0 @@ -kind: Service -apiVersion: v1 - -metadata: - name: {{ .Release.Name }}-elasticsearch-headless - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" - -spec: - clusterIP: None - publishNotReadyAddresses: true - - selector: - {{- include "elastic.serviceLabels" . | nindent 4 }} - - ports: - - name: http - port: 9200 - protocol: TCP - - - name: transport - port: 9300 - protocol: TCP 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/logSetterJob.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/logSetterJob.yaml deleted file mode 100644 index 04390e45f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/logSetterJob.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -apiVersion: batch/v1 -kind: Job - -metadata: - name: {{ template "elastic.name" . }}-log-setter - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - backoffLimit: 0 - parallelism: 1 - ttlSecondsAfterFinished: 60 - - template: - metadata: - name: {{ template "elastic.name" . }}-log-setter - labels: - {{- include "commonLabels" . | nindent 8 }} - - spec: - restartPolicy: Never - containers: - - name: {{ template "elastic.name" . }}-log-setter-pod - image: appropriate/curl:3.1 - imagePullPolicy: "IfNotPresent" - envFrom: - - configMapRef: - name: {{ include "elastic.configMapName" . }} - resources: - limits: - cpu: "40m" - memory: "32Mi" - - command: - - sh - - -c - - |- - #!/bin/sh - CHART_NAME="{{ template "elastic.name" . }}" - LOG_ORIGIN="log-level-setter.sh" - {{- include "logFunctions" . | nindent 10 }} - - http () { - local path="${1}" - if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then - BASIC_AUTH="-u ${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}" - else - BASIC_AUTH='' - fi - curl -XGET --write-out %{http_code} -s --output /dev/null -k --fail ${BASIC_AUTH} ${{ .Release.Name | upper }}_ELASTICSEARCH_SERVICE_HOST:9200${path} - } - status_code=$(http "/_cluster/health?{{ .Values.elasticsearch.clusterHealthCheckParams }}") - attempts=0 - - while [ $status_code -ne "200" ]; do - status_code=$(http "/_cluster/health?{{ .Values.elasticsearch.clusterHealthCheckParams }}") - attemps=$((attempts + 1)) - if [ $attempts -ge "15" ]; then - _error "Ran out of attempts. Job cancelled." - exit 127 - fi - _error "Cluster is not ready. 
Sleeping for 10 seconds" - sleep 10 - done - - _info "Cluster is up and ready, attempting to inject configurations" - {{- if .Values.elasticsearch.debug }} - status_code=$(curl --write-out %{http_code} -s --output /dev/null -X PUT "${{ .Release.Name | upper }}_ELASTICSEARCH_SERVICE_HOST:9200/_cluster/settings?pretty" -H 'Content-Type: application/json' -d ' - { - "transient": { - "logger.org.elasticsearch.transport": "trace" - } - } - ') - {{- else }} - status_code=$(curl --write-out %{http_code} -s --output /dev/null -X PUT "${{ .Release.Name | upper }}_ELASTICSEARCH_SERVICE_HOST:9200/_cluster/settings?pretty" -H 'Content-Type: application/json' -d ' - { - "transient": { - "logger.org.elasticsearch.transport": "error" - } - } - ') - {{- end }} - - if [ $status_code -eq "200" ]; then - _info "Log level is set" - exit 0 - else - _error "Error setting log level" - exit 127 - fi diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/podDisruptionBudget.yaml deleted file mode 100644 index 3806de7d5..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/podDisruptionBudget.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if and .Values.elasticsearch.replicas (ge (int .Values.elasticsearch.replicas) 2) -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ include "elastic.podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{- if .Values.elasticsearch.podDisruptionBudget }} - {{- toYaml .Values.elasticsearch.podDisruptionBudget | nindent 2 }} - {{- else }} - maxUnavailable: 1 - {{- end }} - selector: - matchLabels: - {{- include "elastic.enrichedLabels" . | nindent 6 }} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/service.yaml deleted file mode 100644 index 237ef1721..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -kind: Service -apiVersion: v1 - -metadata: - name: {{ .Release.Name }}-elasticsearch - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - type: ClusterIP - - selector: - {{- include "elastic.serviceLabels" . | nindent 4 }} - - ports: - - name: http - port: 9200 - protocol: TCP - - - name: transport - port: 9300 - protocol: TCP diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/statefulSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/statefulSet.yaml deleted file mode 100644 index 091716765..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/elasticsearch/statefulSet.yaml +++ /dev/null 
@@ -1,185 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ include "elastic.statefulSetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - serviceName: {{ .Release.Name }}-elasticsearch-headless - updateStrategy: - type: {{ .Values.elasticsearch.updateStrategy }} - podManagementPolicy: {{ .Values.elasticsearch.podManagementPolicy }} - replicas: {{ default .Values.elasticsearch.replicas }} - - selector: - matchLabels: - {{- include "elastic.enrichedLabels" . | nindent 6 }} - - volumeClaimTemplates: - - metadata: - name: {{ include "elastic.pvcName" . }} - labels: - {{- include "elastic.enrichedLabels" . | nindent 8 }} - - spec: - {{- toYaml .Values.elasticsearch.volumeClaimTemplate | nindent 6 }} - - template: - metadata: - name: {{ include "elastic.podName" . }} - labels: - {{- include "elastic.enrichedLabels" . | nindent 8 }} - - annotations: - checksum/elasticsearch-config: {{ include (print .Template.BasePath "/elasticsearch/configMap.yaml") . | sha256sum | trunc 63 }} - - spec: - automountServiceAccountToken: false - {{- if .Values.elasticsearch.image.mainContainer.securityContext }} - securityContext: - fsGroup: {{ .Values.elasticsearch.image.mainContainer.securityContext.runAsUser }} - {{- end }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: {{ .Values.elasticsearch.selfAntiAffinity }} - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: [{{ include "elastic.podName" . | quote }}] - - terminationGracePeriodSeconds: {{ .Values.elasticsearch.terminationGracePeriodSeconds }} - - volumes: - - name: esconfig - configMap: - name: {{ include "elastic.configMapName" . }} - - initContainers: - - name: {{ include "elastic.name" . 
}}-init-container - image: {{ include "containerName" .Values.elasticsearch.image.initContainer }} - imagePullPolicy: "{{ .Values.elasticsearch.image.initContainer.pullPolicy }}" - command: ["sysctl", "-w", "vm.max_map_count={{ .Values.elasticsearch.sysctlVmMaxMapCount}}"] - resources: - {{- toYaml .Values.elasticsearch.image.initContainer.resources | nindent 10 }} - - securityContext: - {{- toYaml .Values.elasticsearch.image.initContainer.securityContext | nindent 10 }} - - containers: - - name: {{ include "elastic.name" . }}-container - image: {{ include "containerName" .Values.elasticsearch.image.mainContainer }} - imagePullPolicy: "{{ .Values.elasticsearch.image.mainContainer.pullPolicy }}" - securityContext: - {{- toYaml .Values.elasticsearch.image.mainContainer.securityContext | nindent 10 }} - ports: - - name: http - containerPort: 9200 - - name: transport - containerPort: 9300 - - resources: - {{- toYaml .Values.elasticsearch.image.mainContainer.resources | nindent 10 }} - - envFrom: - - configMapRef: - name: {{ include "elastic.configMapName" . 
}} - env: - - name: node.name - valueFrom: - fieldRef: - fieldPath: metadata.name - - readinessProbe: - {{- toYaml .Values.elasticsearch.image.mainContainer.readinessProbe | nindent 10 }} - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - START_FILE=/tmp/.es_start_file - - http () { - local path="${1}" - if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then - BASIC_AUTH="-u ${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}" - else - BASIC_AUTH='' - fi - curl -XGET -s -k --fail ${BASIC_AUTH} http://127.0.0.1:9200${path} - } - - if [ -f "${START_FILE}" ]; then - echo 'Elasticsearch is already running, lets check the node is healthy' - http "/" - else - echo 'Waiting for elasticsearch cluster to become cluster to be ready (request params: "{{ .Values.elasticsearch.clusterHealthCheckParams }}" )' - if http "/_cluster/health?{{ .Values.elasticsearch.clusterHealthCheckParams }}" ; then - touch ${START_FILE} - exit 0 - else - echo 'Cluster is not yet ready (request params: "{{ .Values.elasticsearch.clusterHealthCheckParams }}" )' - exit 1 - fi - fi - - volumeMounts: - - name: {{ include "elastic.pvcName" . | quote }} - mountPath: /usr/share/elasticsearch/data - - {{- if eq .Values.elasticsearch.roles.master "true" }} - # This sidecar will prevent slow master re-election - # https://github.com/elastic/helm-charts/issues/63 - - name: {{ include "elastic.name" . 
}}-master-graceful-termination-handler - image: {{ include "containerName" .Values.elasticsearch.image.sidecarContainer }} - imagePullPolicy: {{ .Values.elasticsearch.image.sidecarContainer.pullPolicy }} - command: - - "sh" - - -c - - | - #!/usr/bin/env bash - set -eo pipefail - http () { - local path="${1}" - if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then - BASIC_AUTH="-u ${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}" - else - BASIC_AUTH='' - fi - curl -XGET -s -k --fail ${BASIC_AUTH} TCP://{{ .Release.Name }}-elasticsearch:9200${path} - } - - cleanup () { - while true ; do - local master="$(http "/_cat/master?h=node" || echo "")" - if [[ $master == "{{ .Release.Name }}-elasticsearch"* && $master != "${NODE_NAME}" ]]; then - echo "This node is not master." - break - fi - echo "This node is still master, waiting gracefully for it to step down" - sleep 1 - done - exit 0 - } - - trap cleanup SIGTERM - - sleep infinity & - wait $! - - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - resources: - {{- toYaml .Values.elasticsearch.image.sidecarContainer.resources | nindent 10 }} - {{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/_getters.tpl deleted file mode 100644 index ceb610130..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/_getters.tpl +++ /dev/null 
@@ -1,100 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - kibana.name : Gets name of current component - contexts: [ . ] - usage: {{ include "kibana.name" . }} -*/}} -{{- define "kibana.name" -}} -{{ .Release.Name }}-kibana -{{- end -}} - -{{/* - kibana.chart : Create chart name and version as used by the chart label. - contexts: [ . ] - usage: {{ include "kibana.chart" . }} -*/}} -{{- define "kibana.chart" -}} -{{- printf "%s-kibana-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - kibana.configMapName : ConfigMap getter - contexts: [ . ] - usage: {{ include "kibana.configMapName" . }} -*/}} -{{- define "kibana.configMapName" -}} -{{- $name := include "kibana.name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - - -{{/* - kibana.ingressName : ingress name getter - contexts: [ . ] - usage: {{ include "kibana.ingressName" . }} -*/}} -{{- define "kibana.ingressName" -}} -{{- $name := include "kibana.name" . -}} -{{- printf "03-%s-kibana-ingress" $name -}} -{{- end -}} - -{{/* - kibana.deploymentName : deploymentName name getter - contexts: [ . ] - usage: {{ include "kibana.deploymentName" . }} -*/}} -{{- define "kibana.deploymentName" -}} -{{- $name := include "kibana.name" . -}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - -{{/* - kibana.podName : kibana pod name getter - contexts: [ . ] - usage: {{ include "kibana.podName" . }} -*/}} -{{- define "kibana.podName" -}} -{{- $name := include "kibana.name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - kibana.serviceAccountName : kibana service account name getter - contexts: [ . ] - usage: {{ include "kibana.serviceAccountName" . }} -*/}} -{{- define "kibana.serviceAccountName" -}} -{{- $name := include "kibana.name" . 
-}} -{{- printf "%s-%s-discovery-agent" .Values.global.projectName $name }} -{{- end -}} - -{{/* - kibana.podDisruptionBudgetName : kibana pod disruption budget name getter - contexts: [ . ] - usage: {{ include "kibana.podDisruptionBudgetName" . }} -*/}} -{{- define "kibana.podDisruptionBudgetName" -}} -{{- $name := include "kibana.name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - - -{{/* - kibana.pvName : kibana persistent volume name getter - contexts: [ . ] - usage: {{ include "kibana.pvName" . }} -*/}} -{{- define "kibana.pvName" -}} -{{- $name := include "kibana.name" . -}} -{{- printf "%s-persistent-volume" $name -}} -{{- end -}} - -{{/* - kibana.pvcName : kibana persistent volume claim name getter - contexts: [ . ] - usage: {{ include "kibana.pvc Name" . }} -*/}} -{{- define "kibana.pvcName" -}} -{{- $name := include "kibana.name" . -}} -{{- printf "%s-volume-claim" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/_labels.tpl deleted file mode 100644 index f0397e11a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/_labels.tpl +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - kibana.enrichedLabels : generic labels - contexts: [ . ] - usage: {{ include "kibana.enrichedLabels" . }} -*/}} -{{- define "kibana.enrichedLabels" -}} -app.kubernetes.io/instance: {{ include "kibana.podName" . }} -{{ include "commonLabels" . }} -{{ include "kibana.serviceLabel" . }} -{{- end -}} - -{{/* - kibana.serviceLabels : generic labels - contexts: [ . ] - usage: {{ include "kibana.serviceLabels" . }} -*/}} -{{- define "kibana.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "kibana.serviceLabel" . }} -{{- end -}} - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - kibana.serviceLabel : generic service label - contexts: [ .global ] - usage: {{ include "kibana.serviceLabel" . }} -*/}} -{{- define "kibana.serviceLabel" -}} -{{ .Values.global.projectName }}.monitoring/service: {{ .Release.Name }}-kibana -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/configMap.yaml deleted file mode 100644 index 41e6596a1..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/configMap.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- if .Values.kibana.enabled -}} -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ include "kibana.configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - ELASTICSEARCH_HOSTS: "http://{{ .Release.Name }}-elasticsearch:9200" - SERVER_HOST: {{ .Values.kibana.serverHost | quote }} - SERVER_REWRITEBASEPATH: "true" - SERVER_BASEPATH: {{ .Values.global.subPath }}{{ .Values.kibana.path }} - SERVER_NAME: "kibana" - - NODE_OPTIONS: "--max-old-space-size=2000" - {{- if .Values.kibana.debug }} - LOGGING_VERBOSE: "true" - {{- else }} - LOGGING_QUIET: "true" - LOGGING_SILENT: "true" - {{- end }} - - {{- if .Values.kibana.extraConfigs }} - {{- toYaml .Values.kibana.extraConfigs | nindent 2 }} - {{- end }} - {{/* logtrail.json: {{ .Files.Get "files/logtrail.json" | quote }} */}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/deployment.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/deployment.yaml deleted file mode 100644 index b53ae11ae..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/deployment.yaml +++ /dev/null 
@@ -1,209 +0,0 @@ -{{- if .Values.kibana.enabled -}} -apiVersion: apps/v1 -kind: Deployment - -metadata: - name: {{ include "kibana.deploymentName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.kibana.replicas }} - revisionHistoryLimit: 5 - - strategy: - rollingUpdate: - maxUnavailable: 1 - - selector: - matchLabels: - {{- include "kibana.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - {{- include "kibana.enrichedLabels" . | nindent 8 }} - annotations: - checksum/kibana-config: {{ include (print .Template.BasePath "/kibana/configMap.yaml") . | sha256sum | trunc 63 }} - - spec: - {{- if .Values.kibana.securityContext }} - {{- if .Values.kibana.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.kibana.securityContext.runAsUser }} - {{- end }} - {{- end }} - serviceAccount: {{ include "kibana.serviceAccountName" . | quote }} - automountServiceAccountToken: false - {{- if or .Values.kibana.selfAntiAffinity .Values.kibana.elasticsearchAffinity }} - affinity: - {{- if .Values.kibana.selfAntiAffinity }} - podAntiAffinity: - {{- if .Values.kibana.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{ end }} - - weight: {{ .Values.kibana.selfAntiAffinity.weight }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "kibana.name" . 
}}] - - key: {{ .Values.global.projectName }}/release-name - operator: In - values: [{{ .Release.Name }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - {{- if .Values.kibana.elasticsearchAffinity }} - podAffinity: - {{- if .Values.kibana.elasticsearchAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution: - {{ end }} - - weight: {{ .Values.kibana.elasticsearchAffinity.weight }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "elastic.name" . }}] - - key: {{ .Values.global.projectName }}/release-name - operator: In - values: [{{ .Release.Name }}] - topologyKey: "kubernetes.io/hostname" - {{- end }} - {{- end }} - - {{- if .Values.kibana.plugins.enabled }} - initContainers: - - name: {{ template "kibana.name" . }}-plugin-container - image: {{ template "containerName" .Values.kibana.image }} - imagePullPolicy: {{ .Values.kibana.image.pullPolicy }} - command: - - /bin/bash - - "-c" - - | - set -e - rm -rf plugins/lost+found - plugins=( - {{- range .Values.kibana.plugins.values }} - {{ . }} - {{- end }} - ) - if {{ .Values.kibana.plugins.reset }} - then - for p in $(./bin/kibana-plugin list | cut -d "@" -f1) - do - ./bin/kibana-plugin remove ${p} - done - fi - for i in "${plugins[@]}" - do - IFS=',' read -ra PLUGIN <<< "$i" - pluginInstalledCheck=$(./bin/kibana-plugin list | grep "${PLUGIN[0]}" | cut -d '@' -f1 || true) - pluginVersionCheck=$(./bin/kibana-plugin list | grep "${PLUGIN[0]}" | cut -d '@' -f2 || true) - if [ "${pluginInstalledCheck}" = "${PLUGIN[0]}" ] - then - if [ "${pluginVersionCheck}" != "${PLUGIN[1]}" ] - then - ./bin/kibana-plugin remove "${PLUGIN[0]}" - ./bin/kibana-plugin install "${PLUGIN[2]}" - fi - else - ./bin/kibana-plugin install "${PLUGIN[2]}" - fi - done - ports: - - name: kibana - containerPort: 5601 - - envFrom: - - configMapRef: - name: {{ include "kibana.configMapName" . 
}} - - volumeMounts: - - name: {{ include "kibana.pvcName" . }} - mountPath: /usr/share/kibana/plugins - {{- if .Values.kibana.securityContext }} - {{- if .Values.kibana.securityContext.enabled }} - securityContext: - allowPrivilegeEscalation: {{ .Values.kibana.securityContext.allowPrivilegeEscalation }} - {{- end }} - {{- end }} - {{- end }} - containers: - - name: {{ include "kibana.name" . }}-container - image: {{ include "containerName" .Values.kibana.image }} - imagePullPolicy: {{ .Values.kibana.image.pullPolicy }} - ports: - - name: kibana - containerPort: 5601 - - envFrom: - - configMapRef: - name: {{ include "kibana.configMapName" . }} - {{- $rootContext := .Values.global }} - {{- if and .Values.kibana.readinessProbe .Values.kibana.readinessProbe.enabled }} - {{- with .Values.kibana.readinessProbe }} - readinessProbe: - failureThreshold: {{ .failureThreshold }} - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - http () { - local path="${1}" - set -- -XGET -s --fail - if [ -n "${ELASTICSEARCH_USERNAME}" ] && [ -n "${ELASTICSEARCH_PASSWORD}" ]; then - set -- "$@" -u "${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" - fi - STATUS=$(curl -L --output /dev/null --write-out "%{http_code}" -k "$@" "http://localhost:5601${path}") - if [[ "${STATUS}" -eq 200 ]]; then - exit 0 - fi - echo "Error: Got HTTP code ${STATUS} but expected a 200" - exit 1 - } - http "{{ $rootContext.subPath }}/monitoring/kibana" - {{- end }} - {{- end }} - resources: - {{- toYaml .Values.kibana.image.resources | nindent 10 }} - - volumeMounts: - {{- if .Values.kibana.plugins.enabled }} - - name: {{ include "kibana.pvcName" . }} - mountPath: /usr/share/kibana/plugins - {{- end }} - # - name: {{ include "kibana.configMapName" . 
}} - # mountPath: /usr/share/kibana/plugins/logtrail/logtrail.json - # subPath: logtrail.json - - volumes: - - name: {{ template "kibana.configMapName" . }} - configMap: - name: {{ template "kibana.configMapName" . }} - - name: {{ template "kibana.pvcName" . }} - emptyDir: {} - - {{- if and .Values.kibana.plugins.enabled .Values.kibana.persistentVolume.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ template "kibana.pvcName" . }} - - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: {{ .Values.kibana.persistentVolume.storage }} - {{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/ingress.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/ingress.yaml deleted file mode 100644 index ac306cb6f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/ingress.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.kibana.enabled -}} -apiVersion: extensions/v1beta1 -kind: Ingress - -metadata: - name: {{ template "kibana.ingressName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - - annotations: - kubernetes.io/ingress.class: {{ .Values.global.ingressClass }} - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: {{ .Values.global.adminNamespace }}/auth-secret - nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' - -spec: - rules: - - http: - paths: - - path: {{ .Values.global.subPath }}{{ .Values.kibana.path }} - backend: - serviceName: {{ .Release.Name }}-kibana - servicePort: 5601 -{{- end }} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/podDisruptionBudget.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/podDisruptionBudget.yaml deleted file mode 100644 index 002bcb985..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/podDisruptionBudget.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.kibana.enabled -}} -{{- if and .Values.kibana.replicas (ge (int .Values.kibana.replicas) 2) -}} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget - -metadata: - name: {{ include "kibana.podDisruptionBudgetName" . }} - namespace: {{ .Values.global.namespace }} - - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - {{- if .Values.kibana.podDisruptionBudget }} - {{- toYaml .Values.kibana.podDisruptionBudget | nindent 2 }} - {{- else }} - minAvailable: 1 - {{- end }} - selector: - matchLabels: - {{- include "kibana.enrichedLabels" . | nindent 6 }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/service.yaml deleted file mode 100644 index d70827bed..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.kibana.enabled -}} -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-kibana - namespace: {{ .Values.global.namespace }} - - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "kibana.serviceLabels" . | nindent 4 }} - - ports: - - name: http - port: 5601 - protocol: TCP - targetPort: kibana -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/serviceAccount.yaml deleted file mode 100644 index 7b84a5e59..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/templates/kibana/serviceAccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if .Values.kibana.enabled -}} -apiVersion: v1 -kind: ServiceAccount - -metadata: - name: {{ template "kibana.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - - labels: - {{- include "commonLabels" . | nindent 4 }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/values.yaml deleted file mode 100644 index 546b2761f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/values.yaml +++ /dev/null 
@@ -1,209 +0,0 @@ -# Kibana deployment meant to link up with elasticsearch to provide a -# graphical option to analyze log data - -kibana: - enabled: true - # Suggestion : ~= elasticsearch cluster members / 2 - replicas: 1 - - path: /monitoring/kibana - extraConfigs: {} - debug: false - # soft anti affinity towards sharing nodes with kibana pods - # recommended to garantee uptime for services - selfAntiAffinity: {} - # soft: true - # weight: 100 - - # soft affinity towards sharing nodes with elasticsearch pods - # recommended to garantee uptime for services - elasticsearchAffinity: {} - # soft: true - # weight: 100 - - # Pod disruption budget for kibana deployment makes sure during - # changes at least {.Values.kibana.minAvailable} kibana pod is available - podDisruptionBudget: {} - # minAvailable: 1 - - serverHost: "0.0.0.0" - - plugins: - enabled: false - # reset: true - # values: - # - logtrail,0.1.31,https://github.com/sivasamyk/logtrail/releases/download/v0.1.31/logtrail-7.3.1-0.1.31.zip - - persistentVolume: - enabled: false - storage: {} - - securityContext: {} - # default security context - # enabled: true - # allowPrivilegeEscalation: false - # runAsUser: 1000 - - image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Image size : 359MB - name: "kibana" - tag: "7.3.1" - - resources: {} - # limits: - # memory: "2G" - # cpu: "2000m" - # requests: - # memory: "1G" - # cpu: "1000m" - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 80s ~= 1.4min - enabled: true - initialDelaySeconds: 15 - failureThreshold: 3 - periodSeconds: 10 - timeoutSeconds: 5 - - livenessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 95s ~= 1.5min - enabled: true - initialDelaySeconds: 30 - failureThreshold: 3 - 
periodSeconds: 10 - timeoutSeconds: 5 - - -elasticsearch: - debug: false - retention: {} - # max_size: "100GB" - # max_age: "180d" - # min_age: "90d" - - clusterName: "elasticsearch" - nodeGroup: "master" - extraConfigs: {} - # Suggestion : >= 3 - replicas: 3 - - roles: - master: "true" - ingest: "true" - data: "true" - - # Java heap size for elasticsearch - # Xmx : maximum heap size - # Xms : minimum heap size - # Elasticsearch's recommendation: - # Xmx, Xms <= 50% RAM available on server - # Xmx, Xms <= threshold JVM uses for compressed objects - # pointers (compressed oops) ~= 32 GB - # can be verified looking at elastic logs - # Xmx, Xms <= threshold JVM uses for zero-based compressed - # oops ~= 26Gb on most system - esJavaOpts: "-Xmx1g -Xms1g" - networkHost: "0.0.0.0" - - # Since elasticsearch uses mmapfs directory to store its indices - # increases it to avoid out of memory exceptions - sysctlVmMaxMapCount: 262144 - - # soft Anti affinity towards sharing pods with other - # elasticsearch cluster members - selfAntiAffinity: 100 - - # Allows for automated rolling updates - updateStrategy: RollingUpdate - # Allows independent termination and creation of pods - podManagementPolicy: "Parallel" - # Allows pods to live a certain period after termination - terminationGracePeriodSeconds: 120 - clusterHealthCheckParams: "wait_for_status=green&timeout=1s" - podDisruptionBudget: - maxUnavailable: 1 - - image: - initContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # busybox images for init container to reduce - # overal resource strain with Image size: 763KB - name: "busybox" - tag: "1.31.0" - - resources: {} - # limits: - # cpu: "25m" - # memory: "150Mi" - # requests: - # cpu: "25m" - # memory: "128Mi" - - securityContext: - privileged: true - runAsUser: 0 - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Image size : 405MB - name: "elasticsearch" - tag: "7.3.1" - - resources: {} - # limits: - # cpu: "1000m" 
- # memory: "2Gi" - # requests: - # cpu: "100m" - # memory: "1Gi" - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 64s ~= 1min - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 3 - timeoutSeconds: 5 - - securityContext: - capabilities: - drop: - - ALL - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - - sidecarContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Image size : 405MB - name: "elasticsearch" - tag: "7.3.1" - - resources: {} - # limits: - # cpu: "50m" - # memory: "150Mi" - # requests: - # cpu: "25m" - # memory: "128Mi" - - volumeClaimTemplate: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: "10Gi" diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/values_production.yaml deleted file mode 100644 index 36832d725..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/elastic/values_production.yaml +++ /dev/null 
@@ -1,221 +0,0 @@ -# Kibana deployment meant to link up with elasticsearch to provide a -# graphical option to analyze log data - -kibana: - # Desired kibana deployment replicas - # Suggestion : ~= elasticsearch cluster members / 2 - replicas: 1 - extraConfigs: {} - debug: false - - path: /monitoring/kibana - - enabled: true - # soft anti affinity towards sharing nodes with kibana pods - # recommended to garantee uptime for services - selfAntiAffinity: - soft: true - weight: 100 - - # soft affinity towards sharing nodes with elasticsearch pods - # recommended to garantee uptime for services - elasticsearchAffinity: - soft: true - weight: 100 - - # Pod disruption budget for kibana deployment makes sure during - # changes at least {.Values.kibana.minAvailable} kibana pod is available - - podDisruptionBudget: - minAvailable: 1 - - serverHost: "0.0.0.0" - - plugins: - enabled: false - # reset: true - # values: - # - logtrail,0.1.31,https://github.com/sivasamyk/logtrail/releases/download/v0.1.31/logtrail-7.3.1-0.1.31.zip - - persistentVolume: - enabled: false - storage: "1Gi" - # default security context - securityContext: - enabled: true - allowPrivilegeEscalation: false - runAsUser: 1000 - - image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - - # Image size : 359MB - name: "kibana" - tag: "7.3.1" - - resources: - limits: - memory: "2G" - cpu: "2000m" - requests: - memory: "1G" - cpu: "1000m" - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 80s ~= 1.4min - enabled: true - initialDelaySeconds: 15 - failureThreshold: 3 - periodSeconds: 10 - timeoutSeconds: 5 - - livenessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 95s ~= 1.5min - enabled: true - initialDelaySeconds: 30 - failureThreshold: 3 - 
periodSeconds: 10 - timeoutSeconds: 5 - -elasticsearch: - debug: false - - retention: - max_size: "100GB" - max_age: "180d" - min_age: "90d" - - # Name for the elasticsearch cluster - clusterName: "elasticsearch" - nodeGroup: "master" - extraConfigs: {} - - # Desired elasticsearch deployment replicas - # Suggestion : >= 3 - replicas: 3 - - # Roles set for each member of the stateful set - # master : controls the cluster - # ingest : accessible endpoints for 'external' resources - # data : storage node - roles: - master: "true" - ingest: "true" - data: "true" - - # Java heap size for elasticsearch - # Xmx : maximum heap size - # Xms : minimum heap size - # Elasticsearch's recommendation: - # Xmx, Xms <= 50% RAM available on server - # Xmx, Xms <= threshold JVM uses for compressed objects - # pointers (compressed oops) ~= 32 GB - # can be verified looking at elastic logs - # Xmx, Xms <= threshold JVM uses for zero-based compressed - # oops ~= 26Gb on most system - esJavaOpts: "-Xmx1g -Xms1g" - networkHost: "0.0.0.0" - - # Since elasticsearch uses mmapfs directory to store its indices - # increases it to avoid out of memory exceptions - sysctlVmMaxMapCount: 262144 - - - # soft Anti affinity towards sharing pods with other - # elasticsearch cluster members - selfAntiAffinity: 100 - - # Allows for automated rolling updates - updateStrategy: RollingUpdate - # Allows independent termination and creation of pods - podManagementPolicy: "Parallel" - - # Allows pods to live a certain period after termination - terminationGracePeriodSeconds: 120 - - clusterHealthCheckParams: "wait_for_status=green&timeout=1s" - podDisruptionBudget: - maxUnavailable: 1 - - - image: - initContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # busybox images for init container to reduce - # overal resource strain with Image size: 763KB - tag: "1.31.0" - name: "busybox" - resources: - limits: - cpu: "25m" - memory: "150Mi" - requests: - cpu: "25m" - memory: "128Mi" - - 
securityContext: - privileged: true - runAsUser: 0 - - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - # Image size : 405MB - name: "elasticsearch" - tag: "7.3.1" - - resources: - limits: - cpu: "1000m" - memory: "2Gi" - requests: - cpu: "160m" - memory: "1500Mi" - - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 64s ~= 1min - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 3 - timeoutSeconds: 5 - - securityContext: - capabilities: - drop: - - ALL - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - - sidecarContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: "elasticsearch" - tag: "7.3.1" - - resources: - limits: - cpu: "50m" - memory: "150Mi" - requests: - cpu: "25m" - memory: "128Mi" - - volumeClaimTemplate: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: "10Gi" diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/Chart.yaml deleted file mode 100644 index 1c31e064a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: v1 -appVersion: "3.1.7-SNAPSHOT" - -description: A Chart for fluentd logging -name: fluentd -version: 0.1.1 - -kubeVersion: ">=v1.15.0" -description: Helm Chart for elasticsearch + kibana for the vulnerability-assessment-tool -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/README.md b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/README.md deleted file mode 100644 index 419e2ce79..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/README.md +++ /dev/null 
@@ -1,46 +0,0 @@
-# Fluentd: Unified Logging aggregator
-
-> This chart is already included in the vulnerability-assessment-tool-monitoring chart
-
-*Warning*: This chart is bound to be replaced with fluentbit (see [docs](https://fluentbit.io/)) once that project matures for a lighter footprint during log collection.
-
-## Prerequisites
-- Kubernetes >=v1.15.0 with Beta APIs enabled
-- Persistent volume provisioner support in underlying infrastructure
-
-## Installing the chart
-To install the chart with the release name `release`:
-```console
-$ helm install release .
-```
-
-The command deploys the fluentd subchart of the vulnerability-assessment-tool-monitoring v0.1.1 on the Kubernetes cluster in the default configuration. The configuration section lists
-the parameters that can be configured during installation.
-
-## Uninstalling the chart
-To uninstall/delete the `release` deployment:
-```console
-$ helm delete release
-```
-
-## Configuration
-The following table lists the configurable parameters of the fluentd chart and their default values.
-
-| Parameter | Description | Default |
-|----------|-------------|--------|
-| debug | self logging level for fluentd | `False` |
-| image.pullPolicy | As this image is quite prone to change, `Always` is recommended for production values | `IfNotPresent` |
-| image.name | | `fluent/fluentd-kubernetes-daemonset` |
-| image.tag | image tag | `v1.7-debian-elasticsearch6-1` |
-
-## Production configuration
-This chart includes a `values_production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`.
-```sh
-$ helm install { custom release name } -f values_production.yaml .
-```
-
-These values can be configured as follows:
-
-| Parameter | Description | Default |
-|----------|-------------|--------|
-| image.resources | These containers are not meant to be on high loads (serving only for redirects and static json for alerts) | requests:
 memory:`150Mi`
 cpu: `150m`
limit:
 memory: `200Mi`
 cpu: `200m` | diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/_getters.tpl deleted file mode 100644 index eea33459d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/_getters.tpl +++ /dev/null @@ -1,30 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - fluentd.serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "fluentd.serviceAccountName" . }} -*/}} -{{- define "fluentd.serviceAccountName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-log-collector" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - fluentd.clusterRoleBindingName : cluster role name getter - contexts: [ . ] - usage: {{ include "fluentd.clusterRoleBindingName" . }} -*/}} -{{- define "fluentd.clusterRoleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-metrics-collector" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - fluentd.clusterRoleName : cluster role name getter - contexts: [ . ] - usage: {{ include "fluentd.clusterRoleName" . }} -*/}} -{{- define "fluentd.clusterRoleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-metrics-collector" .Values.global.projectName $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/clusterRole.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/clusterRole.yaml deleted file mode 100644 index 646102668..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/clusterRole.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole - -metadata: - name: {{ template "fluentd.clusterRoleName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -rules: -- apiGroups: [""] - resources: - - namespaces - - pods - verbs: ["get", "list", "watch"] diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/clusterRoleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/clusterRoleBinding.yaml deleted file mode 100644 index 28d17f1e2..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/clusterRoleBinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding - -metadata: - name: {{ template "fluentd.clusterRoleBindingName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "fluentd.clusterRoleName" . }} - -subjects: -- kind: ServiceAccount - name: {{ template "fluentd.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/daemonSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/daemonSet.yaml deleted file mode 100644 index 2dfb4c3ab..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/daemonSet.yaml +++ /dev/null 
@@ -1,95 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-
-metadata:
- name: {{ include "daemonSetName" . }}
- namespace: {{ .Values.global.namespace }}
- labels:
- {{- include "commonLabels" . | nindent 4 }}
-
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/instance: {{ template "podName" . }}
- {{- include "commonLabels" . | nindent 6 }}
-
- template:
- metadata:
- labels:
- app.kubernetes.io/instance: {{ template "podName" . }}
- {{- include "commonLabels" . | nindent 8 }}
-
- spec:
- serviceAccountName: {{ template "fluentd.serviceAccountName" . }}
- volumes:
- - name: varlog
- hostPath:
- path: /var/log
- - name: varlibdockercontainers
- hostPath:
- path: /var/lib/docker/containers
- - name: minikube
- hostPath:
- path: /mnt/sda1/var/lib/docker/containers
-
- containers:
- - name: {{ template "name" . }}-kubernetes-container
- image: {{ template "containerName" .Values.image }}
- imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
- ports:
- - name: metrics
- containerPort: 2020
-
- env:
- - name: PROJECT_NAME
- value: {{ .Values.global.projectName }}
-
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
-
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
-
- - name: POD_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
-
- {{- if not .Values.debug }}
- - name: FLUENT_OPTS
- value: "-q"
- {{- end }}
- - name: FLUENT_UID
- value: "0"
- - name: FLUENT_ELASTICSEARCH_HOST
- value: {{ .Release.Name }}-elasticsearch
- - name: FLUENT_ELASTICSEARCH_PORT
- value: "9200"
- - name: FLUENT_ELASTICSEARCH_SCHEME
- value: "http"
- - name: FLUENT_ELASTICSEARCH_SSL_VERIFY
- value: "true"
- - name: ELASTICSEARCH_METRICS_INDEX
- value: {{ .Values.metricsIndex | default "fluentd" | quote }}
-
- volumeMounts:
- - name: varlog
- mountPath: /var/log
- - name: varlibdockercontainers
- mountPath: /var/lib/docker/containers
- readOnly: true
- - name: minikube
- mountPath: /mnt/sda1/var/lib/docker/containers
- readOnly: true
-
- {{- if .Values.resources }}
- resources:
- {{- toYaml .Values.resources | nindent 10 }}
- {{- end }}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/serviceAccount.yaml
deleted file mode 100644
index a187d7a42..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/templates/serviceAccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-
-metadata:
- name: {{ template "fluentd.serviceAccountName" . }}
- namespace: {{ .Values.global.namespace }}
- labels:
- {{- include "commonLabels" . | nindent 4 }}
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/values.yaml
deleted file mode 100644
index 01156ffae..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/values.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-debug: false
-image:
- pullPolicy: "IfNotPresent"
- registry: {}
- registryPort: {}
- name: "fluent/fluentd-kubernetes-daemonset"
- # overal resource strain with Image size: 113.02MB
- tag: "v1.7-debian-elasticsearch6-1"
-
-resources: {}
- # limits:
- # memory: "100Mi"
- # cpu: "100m"
- # requests:
- # memory: "50Mi"
- # cpu: "100m"
-
-metricsIndex: "fluentd"
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/values_production.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/values_production.yaml
deleted file mode 100644
index 0a7f352e8..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/fluentd/values_production.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-debug: false
-image:
- pullPolicy: "IfNotPresent"
- registry: {}
- registryPort: {}
- name: "fluent/fluentd-kubernetes-daemonset"
- # overal resource strain with Image size: 113.02MB
- tag: "v1.7-debian-elasticsearch6-1"
-
-resources:
- limits:
- memory: "200Mi"
- cpu: "200m"
- requests:
- memory: "150Mi"
- cpu: "150m"
-
-metricsIndex: "fluentd"
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/Chart.yaml
deleted file mode 100644
index 4062ecd13..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/Chart.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-appVersion: 6.4.3
-name: grafana
-version: v0.1.1
-
-kubeVersion: ">=v1.15.0"
-description: Helm Chart for grafana for the vulnerability-assessment-tool
-keywords:
- - "SAP"
- - "vulnerability-assessment-tool"
- - "open-source"
- - "security-tools"
- - "java"
- - "python"
- - "maven"
- - "gradle"
-
-home: https://eclipse.github.io/steady
-sources:
- - https://github.com/eclipse/steady
-
-maintainers:
- - name: "Quoc Trung HOANG"
- email: "quoc.trung.hoang@sap.com"
- url: ""
-
-engine: gotpl
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/README.md b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/README.md
deleted file mode 100644
index b31ac908d..000000000
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/README.md
+++ /dev/null
@@ -1,52 +0,0 @@ -# Grafana: Graphical analysis for metrics - -> This chart is already included in the vulnerability-assessment-tool-monitoring chart - -This chart provides an out of the box ready grafana for the vulnerability-assessment-tool with built-in dashboards for monitoring the vulnerability assessment tool database as well as the overall cluster health. - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the grafana subchart of the vulnerability-assessment-tool-monitoring v0.1.1 -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the grafana chart and their default values. 
- - -| Parameter | Description | Default | -|----------|-------------|--------| -| replicas | desired number of instances | `1` | -| path | Path from which to serve from (set by using $GF_SERVER_ROOT_URL) | `/monitoring/grafana` | -| credentials.user | User credentials to access Grafana | `vulas` | -| metricsIndex | append metrics with string | `fluentd` | -| credentials.password | | `changeme` | -| rbac.create | Creates rbac for grafana | `True` | -| rbac.namespaced | | `False` | -| persistentVolume.enabled | Increases startup speed | `True` | -| persistentVolume.storage | Storage size for PVC | `1Gi` | -| image.initContainer.name | Init container to fix permission for PVC | `busybox` | -| image.initContainer.tag | image tag | `1.31.0` | -| image.initContainer.pullpolicy | | `IfNotPresent` | -| image.initContainer.resources | This container does not require a lot of resources however a limit is set to avoid DDOS attacks | limit:
 memory: `100Mi`
 cpu: `50m` | -| image.securityContext.runAsUser | UID | `12000` | -| image.mainContainer.name | | `grafana/grafana` | -| image.mainContainer.tag | | `6.4.3` | -| image.mainContainer.pullpolicy | | `IfNotPresent` | -| image.mainContainer.resources | | requests:
 memory: `128Mi`
 cpu: `100m`limit:
 memory: `128Mi`
 cpu: `100m` | -| image.mainContainer.livenessProbe | | enabled: `False`
initialDelaySeconds: `5`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | -| image.mainContainer.readinessProbe | | enabled: `False`
initialDelaySeconds: `5`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/dashboards/kubernetes.json b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/dashboards/kubernetes.json deleted file mode 100644 index 8015279f3..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/dashboards/kubernetes.json +++ /dev/null 
@@ -1,1094 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "Cluster level overview of workloads deployed, based on prometheus metrics exposed by kubelet, node-exporter, nginx ingress controller", - "editable": true, - "gnetId": 7249, - "graphTooltip": 0, - "id": 5, - "links": [], - "panels": [ - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": true, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(248, 112, 0, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "format": "none", - "gauge": { - "maxValue": 3000, - "minValue": 0, - "show": true, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 7, - "w": 4, - "x": 0, - "y": 0 - }, - "id": 13, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(0, 192, 255)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(nginx_ingress_controller_nginx_process_connections)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "", - "metric": "node_memory_MemTotal", - "refId": "A", - "step": 40 - } - ], - "thresholds": "2000,2500", - "title": "Current Connections", - "type": "singlestat", - "valueFontSize": "120%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": 
null, - "colorBackground": false, - "colorValue": true, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "decimals": 2, - "format": "percentunit", - "gauge": { - "maxValue": 1, - "minValue": 0, - "show": true, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 7, - "w": 2, - "x": 4, - "y": 0 - }, - "id": 4, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sort_desc(min(avg(rate(node_cpu_seconds_total{mode=\"idle\"}[2m])) by (instance)))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "", - "refId": "A", - "step": 40 - } - ], - "thresholds": "0.1,0.2", - "title": "Least CPU Idle", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "min" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": true, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "description": "", - "format": "percentunit", - "gauge": { - "maxValue": 1, - "minValue": 0, - "show": true, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 7, - "w": 2, - "x": 6, - "y": 0 - }, - "id": 2, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": 
"value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "min(node_filesystem_avail_bytes{mountpoint!~\".*(serviceaccount|proc|sys).*\"}/node_filesystem_size_bytes{mountpoint!~\".*(serviceaccount|proc|sys).*\"})", - "format": "time_series", - "intervalFactor": 2, - "refId": "A", - "step": 40 - } - ], - "thresholds": "0.075,0.2", - "title": "Min Space", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": true, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(248, 112, 0, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "format": "s", - "gauge": { - "maxValue": 10, - "minValue": 0, - "show": true, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 7, - "w": 2, - "x": 8, - "y": 0 - }, - "id": 15, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(0, 192, 255)", - "show": true - }, - "tableColumn": "", 
- "targets": [ - { - "expr": "avg(irate(coredns_dns_request_duration_seconds_bucket[10m]))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "", - "metric": "node_memory_MemTotal", - "refId": "A", - "step": 40 - } - ], - "thresholds": "2,5", - "title": "DNS Request duration", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": true, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(248, 112, 0, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "format": "s", - "gauge": { - "maxValue": 10, - "minValue": 0, - "show": true, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 7, - "w": 3, - "x": 10, - "y": 0 - }, - "id": 18, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(0, 192, 255)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "avg(irate(apiserver_request_latencies_count[10m]))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "", - "metric": "node_memory_MemTotal", - "refId": "A", - "step": 40 - } - ], - "thresholds": "2,5", - "title": "Api Server latency", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "datasource": "Prometheus", - "gridPos": { - "h": 7, - "w": 11, 
- "x": 13, - "y": 0 - }, - "id": 9, - "links": [], - "options": { - "displayMode": "gradient", - "fieldOptions": { - "calcs": [ - "lastNotNull" - ], - "defaults": { - "mappings": [], - "max": 100, - "min": 0, - "thresholds": [ - { - "color": "green", - "value": null - }, - { - "color": "#EAB839", - "value": 60 - }, - { - "color": "red", - "value": 80 - } - ], - "unit": "percent" - }, - "override": {}, - "values": false - }, - "orientation": "horizontal" - }, - "pluginVersion": "6.5.0-pre", - "targets": [ - { - "expr": "(kubelet_volume_stats_available_bytes/kubelet_volume_stats_capacity_bytes)", - "format": "time_series", - "instant": false, - "intervalFactor": 1, - "legendFormat": "{{persistentvolumeclaim}}", - "metric": "node_memory_MemTotal", - "refId": "A", - "step": 40 - } - ], - "title": "PVC Volume usage", - "type": "bargauge" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 6, - "w": 6, - "x": 0, - "y": 7 - }, - "id": 8, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "node_load1", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{instance}}", - "metric": "node_load1", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Load 1m", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ 
- { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 6, - "w": 6, - "x": 6, - "y": 7 - }, - "id": 7, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "node_memory_MemFree_bytes + node_memory_Buffers_bytes + node_memory_Cached_bytes", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{instance}}", - "metric": "node_memory_MemAvailable", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "fillGradient": 0, - "gridPos": { - "h": 6, - "w": 12, - 
"x": 12, - "y": 7 - }, - "height": "230px", - "id": 3, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "avg(rate(node_cpu_seconds_total{mode=\"idle\"}[2m])) by (instance)", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{ instance }}", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CPU Idle Avg", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": "", - "logBase": 1, - "max": "1", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 6, - "x": 0, - "y": 13 - }, - "id": 17, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": 
"rate(node_disk_io_time_seconds_total[2m])", - "format": "time_series", - "hide": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{instance}} {{device}}", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk IO s", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 6, - "x": 6, - "y": 13 - }, - "height": "300px", - "id": 10, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "topk(5,sum(container_memory_usage_bytes{image!=\"\"}) by (pod_name))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{pod_name}}", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Top 5 Memory Intense Pods", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - 
"name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 13 - }, - "height": "230px", - "id": 6, - "legend": { - "alignAsTable": true, - "avg": false, - "current": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "topk(5, sum(rate(container_cpu_usage_seconds_total{image!=\"\"}[2m])) by (pod_name, container_name))", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{ container_name }} in {{ pod_name }}", - "metric": "container_cpu_usage_seconds_total", - "refId": "A", - "step": 4 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "TOP CPU Containers", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": 
null - } - } - ], - "refresh": "30s", - "schemaVersion": 20, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-30m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Kubernetes Cluster", - "uid": "os6Bh8Omk", - "version": 1 -} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/dashboards/postgresql.json b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/dashboards/postgresql.json deleted file mode 100644 index 185ad859b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/dashboards/postgresql.json +++ /dev/null 
@@ -1,3159 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "This dashboard works with postgres_exporter for prometheus", - "editable": true, - "gnetId": 9628, - "graphTooltip": 0, - "id": 12, - "iteration": 1569482931674, - "links": [], - "panels": [ - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 34, - "panels": [], - "title": "General Counters, CPU, Memory and File Descriptor Stats", - "type": "row" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": true, - "colors": [ - "#299c46", - "#7eb26d", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "none", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 4, - "x": 0, - "y": 1 - }, - "id": 36, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_static{release=\"$release\", instance=\"$instance\"}", - "format": "time_series", - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{short_version}}", - "refId": "A" - } - ], - "thresholds": "", - "title": "Version", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", 
- "value": "null" - } - ], - "valueName": "name" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "description": "start time of the process", - "format": "dateTimeFromNow", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 4, - "x": 4, - "y": 1 - }, - "id": 28, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "110%", - "prefix": "", - "prefixFontSize": "110%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "process_start_time_seconds{release=\"$release\", instance=\"$instance\"} * 1000", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "Start Time", - "type": "singlestat", - "valueFontSize": "110%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "decbytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 4, - "x": 8, - "y": 1 - }, - "height": "200px", - "id": 10, - "interval": null, - 
"links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "SUM(pg_stat_database_tup_fetched{datname=~\"$datname\", instance=~\"$instance\"})", - "format": "time_series", - "intervalFactor": 2, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Current fetch data", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "decbytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 4, - "x": 12, - "y": 1 - }, - "height": "200px", - "id": 11, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - 
"show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "SUM(pg_stat_database_tup_inserted{release=\"$release\", datname=~\"$datname\", instance=~\"$instance\"})", - "format": "time_series", - "intervalFactor": 2, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Current insert data", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "decbytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 4, - "x": 16, - "y": 1 - }, - "height": "200px", - "id": 12, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "SUM(pg_stat_database_tup_updated{datname=~\"$datname\", instance=~\"$instance\"})", - "format": "time_series", - "intervalFactor": 2, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Current update data", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - 
"colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "none", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 4, - "x": 20, - "y": 1 - }, - "id": 38, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_max_connections{release=\"$release\", instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Max Connections", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "Average user and system CPU time spent in seconds.", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 4 - }, - "id": 22, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": true, - "min": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - 
"spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "avg(rate(process_cpu_seconds_total{release=\"$release\", instance=\"$instance\"}[5m]) * 1000)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "CPU Time", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Average CPU Usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "Virtual and Resident memory size in bytes, averages over 5 min interval", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 8, - "y": 4 - }, - "id": 24, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": true, - "min": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "avg(rate(process_resident_memory_bytes{release=\"$release\", instance=\"$instance\"}[5m]))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Mem", - "refId": "A" - }, - { - "expr": "avg(rate(process_virtual_memory_bytes{release=\"$release\", instance=\"$instance\"}[5m]))", - "format": 
"time_series", - "intervalFactor": 2, - "legendFormat": "Virtual Mem", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Average Memory Usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "Number of open file descriptors", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 16, - "y": 4 - }, - "id": 26, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": true, - "min": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{release=\"$release\", instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Open FD", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Open File Descriptors", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - 
"format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 11 - }, - "id": 32, - "panels": [], - "title": "Settings", - "type": "row" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "bytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 0, - "y": 12 - }, - "id": 40, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_shared_buffers_bytes{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Shared Buffers", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": 
"bytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 3, - "y": 12 - }, - "id": 42, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_effective_cache_size_bytes{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Effective Cache", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "bytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 6, - "y": 12 - }, - "id": 44, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - 
"to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_maintenance_work_mem_bytes{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Maintenance Work Mem", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "bytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 9, - "y": 12 - }, - "id": 46, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_work_mem_bytes{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "Work Mem", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - 
"colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "decimals": 1, - "format": "bytes", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 12, - "y": 12 - }, - "id": 48, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_max_wal_size_bytes{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Max WAL Size", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "none", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 15, - "y": 12 - }, - "id": 50, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - 
"postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_random_page_cost{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Random Page Cost", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "none", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 2, - "x": 18, - "y": 12 - }, - "id": 52, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_max_wal_senders{instance=\"$instance\"}", - "format": "time_series", - "instant": false, - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Seq Page Cost", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - 
"text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "none", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 2, - "x": 20, - "y": 12 - }, - "id": 54, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_max_worker_processes{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Max Worker Processes", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "none", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 2, - "x": 22, - "y": 12 - }, - "id": 56, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - 
"value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "options": {}, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": false, - "lineColor": "rgb(31, 120, 193)", - "show": false - }, - "tableColumn": "", - "targets": [ - { - "expr": "pg_settings_max_parallel_workers{instance=\"$instance\"}", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": "", - "title": "Max Parallel Workers", - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 15 - }, - "id": 30, - "panels": [], - "title": "Database Stats", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 16 - }, - "id": 1, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": true, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": false, - "linewidth": 1, - "links": [], - "nullPointMode": "connected", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 3, - "points": true, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_activity_count{datname=~\"$datname\", instance=~\"$instance\", state=\"active\"} !=0", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{datname}}, s: {{state}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": 
[], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active sessions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "none", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 8, - "y": 16 - }, - "id": 60, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "irate(pg_stat_database_xact_commit{instance=\"$instance\", datname=~\"$datname\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{datname}} commits", - "refId": "A" - }, - { - "expr": "irate(pg_stat_database_xact_rollback{instance=\"$instance\", datname=~\"$datname\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{datname}} rollbacks", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Transactions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": 
"time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 16, - "y": 16 - }, - "id": 8, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sideWidth": null, - "sort": "current", - "sortDesc": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_database_tup_updated{datname=~\"$datname\", instance=~\"$instance\"} != 0", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{datname}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Update data", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, 
- "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 23 - }, - "id": 5, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_database_tup_fetched{datname=~\"$datname\", instance=~\"$instance\"} != 0", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{datname}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Fetch data (SELECT)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 8, - "y": 23 - }, - "id": 6, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - 
"nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_database_tup_inserted{datname=~\"$datname\", instance=~\"$instance\"} != 0", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{datname}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Insert data", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "decimals": 0, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 16, - "y": 23 - }, - "id": 3, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "hideEmpty": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_locks_count{datname=~\"$datname\", instance=~\"$instance\", mode=~\"$mode\"} != 0", - "format": "time_series", - 
"intervalFactor": 2, - "legendFormat": "{{datname}},{{mode}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Lock tables", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 30 - }, - "id": 14, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "total", - "sortDesc": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_database_tup_returned{datname=~\"$datname\", instance=~\"$instance\"} != 0", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{datname}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Return data", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ 
- { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 8, - "y": 30 - }, - "id": 4, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": false, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_activity_count{datname=~\"$datname\", instance=~\"$instance\", state=~\"idle|idle in transaction|idle in transaction (aborted)\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{datname}}, s: {{state}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Idle sessions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - 
"datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 16, - "y": 30 - }, - "id": 7, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_database_tup_deleted{datname=~\"$datname\", instance=~\"$instance\"} != 0", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{datname}}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Delete data", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "decimals": 2, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 37 - }, - "id": 62, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - 
"dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pg_stat_database_blks_hit{instance=\"$instance\", datname=~\"$datname\"} / (pg_stat_database_blks_read{instance=\"$instance\", datname=~\"$datname\"} + pg_stat_database_blks_hit{instance=\"$instance\", datname=~\"$datname\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ datname }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Cache Hit Rate", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 4, - "format": "percentunit", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 8, - "y": 37 - }, - "id": 64, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": true, - "min": true, - "rightSide": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "irate(pg_stat_bgwriter_buffers_backend{instance=\"$instance\"}[5m])", - "format": "time_series", - 
"intervalFactor": 1, - "legendFormat": "buffers_backend", - "refId": "A" - }, - { - "expr": "irate(pg_stat_bgwriter_buffers_alloc{instance=\"$instance\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "buffers_alloc", - "refId": "B" - }, - { - "expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{instance=\"$instance\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "backend_fsync", - "refId": "C" - }, - { - "expr": "irate(pg_stat_bgwriter_buffers_checkpoint{instance=\"$instance\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "buffers_checkpoint", - "refId": "D" - }, - { - "expr": "irate(pg_stat_bgwriter_buffers_clean{instance=\"$instance\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "buffers_clean", - "refId": "E" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Buffers (bgwriter)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "decimals": 0, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 16, - "y": 37 - }, - "id": 66, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - 
"percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "irate(pg_stat_database_conflicts{instance=\"$instance\", datname=~\"$datname\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{datname}} conflicts", - "refId": "B" - }, - { - "expr": "irate(pg_stat_database_deadlocks{instance=\"$instance\", datname=~\"$datname\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{datname}} deadlocks", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Conflicts/Deadlocks", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "Total amount of data written to temporary files by queries in this database. 
All temporary files are counted, regardless of why the temporary file was created, and regardless of the log_temp_files setting.", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 44 - }, - "id": 68, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": true, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "irate(pg_stat_database_temp_bytes{instance=\"$instance\", datname=~\"$datname\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{datname}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Temp File (Bytes)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 16, - "x": 8, - "y": 44 - }, - "id": 70, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": true, - "min": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - 
"options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "irate(pg_stat_bgwriter_checkpoint_write_time{instance=\"$instance\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.", - "refId": "B" - }, - { - "expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{instance=\"$instance\"}[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Checkpoint Stats", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ms", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": false, - "schemaVersion": 20, - "style": "dark", - "tags": [ - "postgres", - "db", - "stats" - ], - "templating": { - "list": [ - { - "auto": true, - "auto_count": 200, - "auto_min": "1s", - "current": { - "tags": [], - "text": "1m", - "value": "1m" - }, - "hide": 0, - "label": "Interval", - "name": "interval", - "options": [ - { - "selected": false, - "text": "auto", - "value": "$__auto_interval_interval" - }, - { - "selected": false, - "text": "1s", - "value": "1s" - }, - { - "selected": false, - "text": "5s", - "value": 
"5s" - }, - { - "selected": true, - "text": "1m", - "value": "1m" - }, - { - "selected": false, - "text": "5m", - "value": "5m" - }, - { - "selected": false, - "text": "1h", - "value": "1h" - }, - { - "selected": false, - "text": "6h", - "value": "6h" - }, - { - "selected": false, - "text": "1d", - "value": "1d" - } - ], - "query": "1s,5s,1m,5m,1h,6h,1d", - "refresh": 2, - "skipUrlSync": false, - "type": "interval" - }, - { - "allValue": null, - "current": { - "text": "vulnerability-assessment-tool-core", - "value": "vulnerability-assessment-tool-core" - }, - "datasource": "Prometheus", - "definition": "", - "hide": 0, - "includeAll": false, - "label": "Namespace", - "multi": false, - "name": "namespace", - "options": [], - "query": "query_result(pg_exporter_last_scrape_duration_seconds)", - "refresh": 2, - "regex": "/.*kubernetes_namespace=\"([^\"]+).*/", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "isNone": true, - "text": "None", - "value": "" - }, - "datasource": "Prometheus", - "definition": "", - "hide": 0, - "includeAll": false, - "label": "Release", - "multi": false, - "name": "release", - "options": [], - "query": "query_result(pg_exporter_last_scrape_duration_seconds{kubernetes_namespace=\"$namespace\"})", - "refresh": 2, - "regex": "/.*release=\"([^\"]+)/", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "100.100.0.221:9187", - "value": "100.100.0.221:9187" - }, - "datasource": "Prometheus", - "definition": "query_result(up{release=\"$release\"})", - "hide": 0, - "includeAll": false, - "label": "Instance", - "multi": false, - "name": "instance", - "options": [], - "query": "query_result(up{release=\"$release\"})", - "refresh": 1, - "regex": "/.*instance=\"([^\"]+:9187).*/", - 
"skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "postgres", - "value": "postgres" - }, - "datasource": "Prometheus", - "definition": "", - "hide": 0, - "includeAll": false, - "label": "Database", - "multi": true, - "name": "datname", - "options": [], - "query": "label_values(datname)", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "definition": "", - "hide": 0, - "includeAll": true, - "label": "Lock table", - "multi": true, - "name": "mode", - "options": [], - "query": "label_values({mode=~\"accessexclusivelock|accesssharelock|exclusivelock|rowexclusivelock|rowsharelock|sharelock|sharerowexclusivelock|shareupdateexclusivelock\"}, mode)", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-6h", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "PostgreSQL Database", - "uid": "000000039", - "version": 2 -} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/_getters.tpl deleted file mode 100644 index 529d50e3a..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/_getters.tpl +++ /dev/null 
@@ -1,61 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - grafana.serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "grafana.serviceAccountName" . }} -*/}} -{{- define "grafana.serviceAccountName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-discovery-agent" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - grafana.clusterRoleBindingName : cluster role name getter - contexts: [ . ] - usage: {{ include "grafana.clusterRoleBindingName" . }} -*/}} -{{- define "grafana.clusterRoleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-discovery-agent" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - grafana.clusterRoleName : cluster role name getter - contexts: [ . ] - usage: {{ include "grafana.clusterRoleName" . }} -*/}} -{{- define "grafana.clusterRoleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-discovery-agent" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - grafana.ingressName : ingress name getter - contexts: [ . ] - usage: {{ include "grafana.ingressName" . }} -*/}} -{{- define "grafana.ingressName" -}} -{{- $name := include "name" . -}} -{{- printf "04-%s-ingress" $name -}} -{{- end -}} - - -{{/* - grafana.roleBindingName : cluster role name getter - contexts: [ . ] - usage: {{ include "grafana.clusterRoleBindingName" . }} -*/}} -{{- define "grafana.roleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-discovery-agent" .Values.global.namespace $name -}} -{{- end -}} - -{{/* - grafana.roleName : cluster role name getter - contexts: [ . ] - usage: {{ include "grafana.roleName" . }} -*/}} -{{- define "grafana.roleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-discovery-agent" .Values.global.namespace $name -}} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/_labels.tpl deleted file mode 100644 index 7a4a31163..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/_labels.tpl +++ /dev/null @@ -1,32 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - grafana.enrichedLabels : generic labels + serviceLabel - contexts: [ . ] - usage: {{ include "grafana.commonLabels" . }} -*/}} -{{- define "grafana.enrichedLabels" -}} -app.kubernetes.io/instance: {{ template "podName" . }} -{{ include "commonLabels" . }} -{{ include "grafana.serviceLabel" . }} -{{- end -}} - -{{/* - grafana.serviceLabels : generic servicename - contexts: [ .global ] - usage: {{ include "grafana.serviceLabels" . }} -*/}} -{{- define "grafana.serviceLabels" -}} -{{ include "projectLabels" . }} -{{ include "grafana.serviceLabel" . }} -{{- end -}} - - -{{/*---------------------------- Global Templates ---------------------------*/}} -{{/* - grafana.serviceLabel : generic servicename - contexts: [ .global ] - usage: {{ include "grafana.serviceLabel" . }} -*/}} -{{- define "grafana.serviceLabel" -}} -{{ .Values.global.projectName }}.monitoring/service: {{ .Release.Name }}-grafana -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/clusterRole.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/clusterRole.yaml deleted file mode 100644 index dda2a7dbd..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/clusterRole.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 - -metadata: - name: {{ template "clusterRoleName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -rules: [] -{{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/clusterRoleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/clusterRoleBinding.yaml deleted file mode 100644 index 1199c8110..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/clusterRoleBinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding - -metadata: - name: {{ template "grafana.clusterRoleBindingName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -subjects: - - kind: ServiceAccount - name: {{ template "grafana.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - -roleRef: - kind: ClusterRole - name: {{ template "grafana.clusterRoleName" . }} - apiGroup: rbac.authorization.k8s.io -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/configMap.yaml deleted file mode 100644 index 57477cfbe..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/configMap.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- $subPath := .Values.global.subPath }} - GF_SERVER_ROOT_URL: "%(protocol)s://%(domain)s:%(http_port)s{{ $subPath }}/monitoring/grafana" - GF_SESSION_COOKIE_SECURE: "false" - GF_ANALYTICS_REPORTING_ENABLED: "false" - GF_LOG_LEVEL: "error" - - datasource.yaml: | - apiVersion: 1 - - datasources: - - name: Prometheus - type: prometheus - url: http://{{ .Release.Name }}-prometheus:9090{{ $subPath }}/monitoring/prometheus - access: proxy - basicAuth: false diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/dashboardConfigMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/dashboardConfigMap.yaml deleted file mode 100644 index 6ff6f960b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/dashboardConfigMap.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "configMapName" . }}-dashboard - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - kubernetes.yaml: |- - apiVersion: 1 - providers: - - name: 'File Provider' - orgId: 1 - folder: '' - folderUid: "" - type: file - disableDeletion: false - editable: true - updateIntervalSeconds: 60 - options: - path: /var/lib/grafana/dashboards - - {{- (.Files.Glob "dashboards/*").AsConfig | nindent 2 }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/headlessService.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/headlessService.yaml deleted file mode 100644 index b9f364b52..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/headlessService.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-grafana-headless - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - clusterIP: None - - selector: - {{- include "grafana.serviceLabels" . | nindent 4 }} - - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 3000 - - - name: transport - port: 3000 - protocol: TCP - targetPort: 3000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/ingress.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/ingress.yaml deleted file mode 100644 index 7ff0df284..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/ingress.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress - -metadata: - name: {{ template "grafana.ingressName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - - annotations: - kubernetes.io/ingress.class: {{ .Values.global.ingressClass }} - nginx.ingress.kubernetes.io/proxy-buffering: "on" - {{- $subPath := .Values.global.subPath }} - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite ^{{ $subPath }}{{ .Values.path }}/(.*)$ /$1 break; -spec: - rules: - - http: - paths: - - path: {{ $subPath }}{{ .Values.path }} - backend: - serviceName: {{ .Release.Name }}-grafana - servicePort: 3000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/role.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/role.yaml deleted file mode 100644 index 3c87e27e4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/role.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role - -metadata: - name: {{ template "grafana.roleName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -{{- if .Values.rbac.namespaced }} -- apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] -{{- end }} -{{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/roleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/roleBinding.yaml deleted file mode 100644 index 82132290f..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/roleBinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding - -metadata: - name: {{ template "grafana.roleBindingName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -subjects: -- kind: ServiceAccount - name: {{ template "grafana.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - -roleRef: - kind: Role - name: {{ template "grafana.roleName" . }} - apiGroup: rbac.authorization.k8s.io -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/secret.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/secret.yaml deleted file mode 100644 index 044b173a0..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/secret.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Secret - -metadata: - name: {{ template "secretName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - {{- with .Values.credentials }} - GF_SECURITY_ADMIN_USER: {{ .user | b64enc }} - GF_SECURITY_ADMIN_PASSWORD: {{ .password | b64enc }} - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/service.yaml deleted file mode 100644 index 1adb6b026..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-grafana - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "grafana.serviceLabels" . | nindent 4 }} - - ports: - - name: transport - port: 3000 - protocol: TCP - targetPort: 3000 - - - name: http - port: 80 - protocol: TCP - targetPort: 3000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/serviceAccount.yaml deleted file mode 100644 index 259e45a88..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/serviceAccount.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - -metadata: - name: {{ template "grafana.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/statefulset.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/statefulset.yaml deleted file mode 100644 index ea5c0bb79..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/templates/statefulset.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ template "statefulSetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - serviceName: {{ .Release.Name }}-grafana-headless - replicas: {{ .Values.replicas }} - selector: - matchLabels: - {{- include "grafana.enrichedLabels" . | nindent 6 }} - - updateStrategy: - type: RollingUpdate - - template: - metadata: - labels: - {{- include "grafana.enrichedLabels" . | nindent 8 }} - annotations: - checksum/grafana-config: {{ include (print $.Template.BasePath "/configMap.yaml") . | sha256sum }} - checksum/grafana-secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - - spec: - serviceAccountName: {{ template "grafana.serviceAccountName" . }} - - {{- if .Values.persistentVolume.enabled }} - initContainers: - - name: {{ template "name" . }}-init-container - image: {{ template "containerName" .Values.image.initContainer }} - imagePullPolicy: {{ .Values.image.initContainer.pullpolicy }} - command: - - sh - - -c - - | - #!/bin/sh - {{- if .Values.image.securityContext.runAsUser }} - chown -R {{ .Values.image.securityContext.runAsUser }}:{{ .Values.image.securityContext.runAsUser }} /var/lib/grafana - {{- end }} - if [ ! -w /var/lib/grafana ]; then - exit 127 - fi - - exit 0 - - {{- if .Values.image.initContainer.resources }} - resources: - {{- toYaml .Values.image.initContainer.resources | nindent 12 }} - {{- end }} - - securityContext: - runAsUser: 0 - - volumeMounts: - - name: {{ template "pvcName" . }} - mountPath: /var/lib/grafana - {{- end }} - - containers: - - name: {{ template "name" . }}-container - image: {{ template "containerName" .Values.image.mainContainer }} - imagePullPolicy: {{ .Values.image.mainContainer.pullpolicy }} - - volumeMounts: - - name: {{ template "configMapName" . 
}} - mountPath: /etc/grafana/provisioning/datasources/datasource.yaml - subPath: datasource.yaml - - name: {{ template "configMapName" . }}-dashboard - mountPath: /etc/grafana/provisioning/dashboards/kubernetes.yaml - subPath: kubernetes.yaml - - name: {{ template "configMapName" . }}-dashboard - mountPath: /var/lib/grafana/dashboards/kubernetes.json - subPath: kubernetes.json - - name: {{ template "configMapName" . }}-dashboard - mountPath: /var/lib/grafana/dashboards/postgresql.json - subPath: postgresql.json - {{- if .Values.persistentVolume.enabled }} - - name: {{ template "pvcName" . }} - mountPath: /var/lib/grafana - {{- end }} - - {{- if .Values.image.securityContext }} - securityContext: - {{- toYaml .Values.image.securityContext | nindent 12 }} - {{- end }} - - ports: - - name: http - containerPort: 3000 - protocol: TCP - - envFrom: - - configMapRef: - name: {{ template "configMapName" . }} - - secretRef: - name: {{ template "secretName" . }} - - {{- if .Values.image.mainContainer.livenessProbe.enabled }} - {{- with .Values.image.mainContainer.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - successThreshold: {{ .successThreshold }} - httpGet: - path: /api/health - port: 3000 - {{- end }} - {{- end }} - {{- if .Values.image.mainContainer.readinessProbe.enabled }} - {{- with .Values.image.mainContainer.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - successThreshold: {{ .successThreshold }} - httpGet: - path: /api/health - port: 3000 - {{- end }} - {{- end }} - - {{- if .Values.image.mainContainer.resources }} - resources: - {{- toYaml .Values.image.mainContainer.resources | nindent 12 }} - {{- end }} - - volumes: - - name: {{ template 
"configMapName" . }} - configMap: - name: {{ template "configMapName" . }} - - name: {{ template "configMapName" . }}-dashboard - configMap: - name: {{ template "configMapName" . }}-dashboard - - name: {{ template "pvcName" . }} - {{- if .Values.persistentVolume.enabled }} - persistentVolumeClaim: - claimName: {{ template "pvcName" . }} - - volumeClaimTemplates: - - metadata: - name: {{ template "pvcName" . }} - namespace: {{ .Values.global.namespace }} - - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: "{{ .Values.persistentVolume.storage }}" - {{- else }} - emptyDir: {} - {{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/values.yaml deleted file mode 100644 index d6c8a3fc4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/grafana/values.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -replicas: 1 - -credentials: - user: "vulas" - password: "changeme" - -path: /monitoring/grafana - -rbac: - create: true - namespaced: false - -persistentVolume: - enabled: true - storage: "1Gi" - -image: - initContainer: - registry: {} - registryPort: {} - name: "busybox" - tag: "1.31.0" - pullpolicy: "IfNotPresent" - resources: - limits: - cpu: "50m" - memory: "100Mi" - - securityContext: - runAsUser: 12000 - - mainContainer: - registry: {} - registryPort: {} - name: "grafana/grafana" - tag: "6.4.3" - pullpolicy: "IfNotPresent" - resources: - limits: - cpu: "100m" - memory: "128Mi" - requests: - cpu: "100m" - memory: "128Mi" - - livenessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 130s ~= 2min - enabled: false - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 130s ~= 2min - enabled: false - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/Chart.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/Chart.yaml deleted file mode 100644 index 18333fb6e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/Chart.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -appVersion: v2.12.0 -name: prometheus -version: v0.1.1 - -kubeVersion: ">=v1.15.0" -description: Helm Chart for prometheus server + kubestatemetrics + nodeExporter for the vulnerability-assessment-tool -keywords: - - "SAP" - - "vulnerability-assessment-tool" - - "open-source" - - "security-tools" - - "java" - - "python" - - "maven" - - "gradle" - -home: https://eclipse.github.io/steady -sources: - - https://github.com/eclipse/steady - -maintainers: - - name: "Quoc Trung HOANG" - email: "quoc.trung.hoang@sap.com" - url: "" - -engine: gotpl diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/README.md b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/README.md deleted file mode 100644 index 0c95c3b69..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/README.md +++ /dev/null 
@@ -1,78 +0,0 @@ -# Prometheus - -> This chart is already included in the vulnerability-assessment-tool-monitoring chart - -This chart is a modified version of the stable chart (see [source](https://github.com/helm/charts/tree/master/stable/prometheus)) with a lot of simplification and some labeling / name schema changes. - -## Prerequisites -- Kubernetes >=v1.15.0 with Beta APIs enabled -- Persistent volume provisioner support in underlying infrastructure - -## Installing the chart -To install the chart with the release name `release`: -```console -$ helm install release . -``` - -The command deploys the prometheus subchart of the vulnerability-assessment-tool-monitoring v0.1.1 -on the Kubernetes cluster in the default configuration. The configuration section lists -the parameters that can be configured during installation. - -## Uninstalling the chart -To uninstall/delete the `release` deployment: -```console -$ helm delete release -``` - -## Configuration -The following table lists the configurable parameters of the prometheus chart and their default values. As values in this chart are quite highly nested, this table is split into four parts for easy readability - -| Parameter | Description | Default | -|----------|-------------|--------| -| rbac.create | bool to decide whether or not to add rbac layer | `True` | - -### .Values.kubeStateMetrics -| Parameter | Description | Default | -| --- |--- | --- | -| enabled | Enables the kubeStateMetrics deployment | `True` | -| replicas | One instance should be plenty for a small cluster if Fault tolerance is not the goal | `1` | -| selfAntiAffinity | antiaffinity towards sharing a node with similar pods | soft: `True`
weight: `100` | -| image.pullPolicy | | `IfNotPresent` | -| image.registry | | `quay.io` | -| image.name | | `coreos/kube-state-metrics` | -| image.tag | | `v1.7.2` | -| image.livenessProbe | | enabled: `False`
initialDelaySeconds: `5`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | -| image.readinessProbe | | enabled: `False`
initialDelaySeconds: `5`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | -| image.resources | | requests:
 memory: `32Mi`
 cpu: `10m`limit:
 memory: `64Mi`
 cpu: `40m` | - -### .Values.nodeExporter -| Parameter | Description | Default | -| --- |--- | --- | -| enabled | Enables the nodeExporter daemonset | `True` | -| selfAntiAffinity | antiaffinity towards sharing a node with similar pods | soft: `True`
weight: `100` | -| image.pullPolicy || `IfNotPresent` | -| image.name | | `prom/node-exporter` | -| image.tag | | `v0.18.1` | -| image.livenessProbe | | enabled: `False`
initialDelaySeconds: `5`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | -| image.readinessProbe | | enabled: `False`
initialDelaySeconds: `5`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5` | -| image.resources | | requests:
 memory: `30Mi`
 cpu: `100m`limit:
 memory: `50Mi`
 cpu: `200m` | -| podSecurityPolicy.enabled | | `True` | -| podSecurityPolicy.hostNetwork | | `True` | -| podSecurityPolicy.hostPID | | `True` | - -### .Values.server (Prometheus Server) -| Parameter | Description | Default | -| --- | --- | --- | -| path | Path to serve the admin api for prometheus set by `--web.external-url` | `/monitoring/prometheus/` | -| replicas | One replica should suffice for an small cluster | `1` | -| podManagementPolicy | | `Parallel` | -| enableAdminApi | Allows the admin API | `True` | -| retention | metrics retention duration | `90d` | -| selfAntiAffinity | antiaffinity towards sharing a node with similar pods | soft: `True`
weight: `100` | -| persistentVolume | pvc for metrics | enabled: `False`
mountPath: `/data`
storage: `2Gi` | -| image.mainContainer.pullPolicy | | `IfNotPresent` | -| image.mainContainer.name | | `prom/prometheus` | -| image.mainContainer.tag | | `v2.12.0` | -| image.mainContainer.livenessProbe | | enabled: `False`
initialDelaySeconds: `30`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5`
path: `/healthy` | -| image.mainContainer.readinessProbe | | enabled: `False`
initialDelaySeconds: `30`
periodSeconds: `30`
timeoutSeconds: `5`
failureThreshold: `5`
successThreshold: `1`
path: `/ready` | -| image.mainContainer0resources | | requests:
 memory: `512Mi`
 cpu: `500m`limit:
 memory: `512Mi`
 cpu: `500m` | diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/NOTES.txt b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/_getters.tpl deleted file mode 100644 index 35ea1e575..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/_getters.tpl +++ /dev/null 
@@ -1,60 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - prom.kube.name : Gets name of current component - contexts: [ . ] - usage: {{ include "prom.kube.name" . }} -*/}} -{{- define "prom.kube.name" -}} -{{ .Release.Name }}-kube-state-metrics -{{- end -}} - -{{/* - prom.kube.clusterRoleBindingName : Gets name of current component - contexts: [ . ] - usage: {{ include "prom.kube.clusterRoleBindingName" . }} -*/}} -{{- define "prom.kube.clusterRoleBindingName" -}} -{{- $name := include "prom.kube.name" . -}} -{{- printf "%s-%s-metrics-collector" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - prom.kube.clusterRoleName : Gets name of current component - contexts: [ . ] - usage: {{ include "prom.kube.clusterRoleName" . }} -*/}} -{{- define "prom.kube.clusterRoleName" -}} -{{- $name := include "prom.kube.name" . -}} -{{- printf "%s-%s-metrics-collector" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - prom.kube.serviceAccountName : Gets name of current component - contexts: [ . ] - usage: {{ include "prom.kube.serviceAccountName" . }} -*/}} -{{- define "prom.kube.serviceAccountName" -}} -{{- $name := include "prom.kube.name" . -}} -{{- printf "%s-%s-metrics-collector" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - prom.kube.deploymentName : Gets name of current component - contexts: [ . ] - usage: {{ include "prom.kube.deploymentName" . }} -*/}} -{{- define "prom.kube.deploymentName" -}} -{{- $name := include "prom.kube.name" . -}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - - -{{/* - prom.kube.podName : Gets name of current component - contexts: [ . ] - usage: {{ include "prom.kube.podName" . }} -*/}} -{{- define "prom.kube.podName" -}} -{{- $name := include "prom.kube.name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/_labels.tpl deleted file mode 100644 index b7509718c..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/_labels.tpl +++ /dev/null @@ -1,34 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - prom.kube.commonLabels : generic for labels - contexts: [ . ] - usage: {{ include "prom.kube.commonLabels" . }} -*/}} -{{- define "prom.kube.commonLabels" -}} -{{ if .Chart.AppVersion -}} -app.kubernetes.io/part-of: {{ include "prom.kube.name" . }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{ include "projectLabels" . }} -{{- end -}} - -{{/* - prom.kube.enrichedLabels : generic for labels - contexts: [ . ] - usage: {{ include "prom.kube.enrichedLabels" . }} -*/}} -{{- define "prom.kube.enrichedLabels" -}} -{{ include "prom.kube.commonLabels" . }} -{{ .Values.global.projectName }}.monitoring/service : {{ .Release.Name }}-kube-state-metrics -{{- end -}} - -{{/* - prom.kube.serviceLabel: generic admin service label - contexts: [ . ] - usage: {{ include "prom.kube.serviceLabel" . }} - */}} -{{- define "prom.kube.serviceLabel" -}} -{{ include "projectLabels" . }} -{{ .Values.global.projectName }}.monitoring/service : {{ .Release.Name }}-kube-state-metrics -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/clusterRole.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/clusterRole.yaml deleted file mode 100644 index 67fc48bad..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/clusterRole.yaml +++ /dev/null @@ -1,94 +0,0 @@ -{{- if and .Values.kubeStateMetrics.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole - -metadata: - name: {{ template "prom.kube.serviceAccountName" . }} - labels: - {{- include "prom.kube.commonLabels" . | nindent 4 }} - -rules: - - apiGroups: - - "" - resources: - - namespaces - - nodes - - persistentvolumeclaims - - pods - - services - - resourcequotas - - replicationcontrollers - - limitranges - - persistentvolumeclaims - - persistentvolumes - - endpoints - - secrets - - configmaps - verbs: - - list - - watch - - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - ingresses - - replicasets - verbs: - - list - - watch - - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - statefulsets - - replicasets - verbs: - - get - - list - - watch - - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - list - - watch - - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - list - - watch - - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - list - - watch - - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - list - - watch - - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - list - - watch -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/clusterRoleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/clusterRoleBinding.yaml deleted file mode 100644 index d1a015322..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/clusterRoleBinding.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if and .Values.kubeStateMetrics.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding - -metadata: - name: {{ template "prom.kube.serviceAccountName" . }} - labels: - {{- include "prom.kube.commonLabels" . | nindent 4 }} - -subjects: - - kind: ServiceAccount - name: {{ template "prom.kube.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "prom.kube.serviceAccountName" . }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/deployment.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/deployment.yaml deleted file mode 100644 index 98eb78624..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/deployment.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.kubeStateMetrics.enabled -}} -apiVersion: apps/v1 -kind: Deployment - -metadata: - name: {{ template "prom.kube.deploymentName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "prom.kube.enrichedLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.kubeStateMetrics.replicas }} - - selector: - matchLabels: - app.kubernetes.io/instance: {{ template "prom.kube.podName" . }} - {{- include "prom.kube.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - app.kubernetes.io/instance: {{ template "prom.kube.podName" . }} - {{- include "prom.kube.enrichedLabels" . | nindent 8 }} - annotations: - prometheus.io/scrape: "true" - - spec: - serviceAccountName: {{ template "prom.kube.serviceAccountName" . }} - - containers: - - name: {{ template "prom.kube.name" . }}-container - image: {{ template "containerName" .Values.kubeStateMetrics.image }} - imagePullPolicy: "{{ .Values.kubeStateMetrics.image.pullPolicy }}" - ports: - - name: http - containerPort: 8080 - - {{- if .Values.kubeStateMetrics.image.livenessProbe.enabled }} - {{- with .Values.kubeStateMetrics.image.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /healthz - port: http - {{- end }} - {{- end }} - {{ if .Values.kubeStateMetrics.image.readinessProbe.enabled }} - {{- with .Values.kubeStateMetrics.image.readinessProbe }} - readinessProbe: - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - successThreshold: {{ .successThreshold }} - httpGet: - path: /healthz - port: http - {{- end }} - {{- end }} - {{- if .Values.kubeStateMetrics.image.resources }} - resources: - {{- toYaml .Values.kubeStateMetrics.image.resources | nindent 12 }} - {{- end }} - {{- if .Values.kubeStateMetrics.image.securityContext 
}} - securityContext: - {{- toYaml .Values.kubeStateMetrics.image.securityContext | nindent 12 }} - {{- end }} - - {{- if .Values.kubeStateMetrics.selfAntiAffinity }} - affinity: - podAntiAffinity: - {{- if .Values.kubeStateMetrics.selfAntiAffinity.soft }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- else }} - requiredDuringSchedulingIgnoredDuringExecution - {{- end }} - - weight: {{ .Values.kubeStateMetrics.selfAntiAffinity.weight }} - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: [{{ template "prom.kube.name" . }}] - - key: app.kubernetes.io/instance - operator: In - values: [{{ template "prom.kube.podName" . }}] - topologyKey: "kubernetes.io/hostname" - {{ end }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/service.yaml deleted file mode 100644 index 5cdceaa8d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.kubeStateMetrics.enabled -}} -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-kube-state-metrics - namespace: {{ .Values.global.namespace }} - labels: - {{- include "prom.kube.commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "prom.kube.enrichedLabels" . | nindent 4 }} - - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 - -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/serviceAccount.yaml deleted file mode 100644 index 89d7868d1..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/kube-state-metrics/serviceAccount.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if and .Values.kubeStateMetrics.enabled -}} -apiVersion: v1 -kind: ServiceAccount - -metadata: - name: {{ template "prom.kube.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "prom.kube.commonLabels" . | nindent 4 }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/_getters.tpl deleted file mode 100644 index 3908a9f0e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/_getters.tpl +++ /dev/null 
@@ -1,90 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* -prom.node.name: alertmanager name -contexts: [ . ] -usage: {{ include "prom.node.name" . }} -*/}} -{{- define "prom.node.name" -}} -{{ .Release.Name }}-node-exporter -{{- end -}} - -{{/* -prom.node.configMapName: nodeexporter configMapName -contexts: [ . ] -usage: {{ include "prom.node.configMapName" . }} -*/}} -{{- define "prom.node.configMapName" -}} -{{- $name := include "prom.node.name" . -}} -{{- printf "%s-config" $name }} -{{- end -}} - -{{/* -prom.node.deploymentName: nodeexporter deploymentName -contexts: [ . ] -usage: {{ include "prom.node.deploymentName" . }} -*/}} -{{- define "prom.node.deploymentName" -}} -{{- $name := include "prom.node.name" . -}} -{{- printf "%s-deployment" $name }} -{{- end -}} - -{{/* -prom.node.podName: nodeexporter pod name -contexts: [ . ] -usage: {{ include "prom.node.podName" . }} -*/}} -{{- define "prom.node.podName" -}} -{{- $name := include "prom.node.name" . -}} -{{- printf "%s-pods" $name }} -{{- end -}} - -{{/* - prom.node.serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "prom.node.serviceAccountName" . }} -*/}} -{{- define "prom.node.serviceAccountName" -}} -{{- $name := include "prom.node.name" . -}} -{{- printf "%s-%s-metrics-collector" .Values.global.projectName $name -}} -{{- end -}} - -{{/* - prom.node.roleName : cluster role name getter - contexts: [ . ] - usage: {{ include "prom.node.roleName" . }} -*/}} -{{- define "prom.node.roleName" -}} -{{- $name := include "prom.node.name" . -}} -{{- printf "%s-%s-metrics-collector" .Values.global.namespace $name -}} -{{- end -}} - -{{/* - prom.node.roleBindingName : cluster binding name getter - contexts: [ . ] - usage: {{ include "prom.node.roleBindingName" . }} -*/}} -{{- define "prom.node.roleBindingName" -}} -{{- $name := include "prom.node.name" . 
-}} -{{- printf "%s-cluster-role-binding" $name -}} -{{- end -}} - -{{/* - prom.node.daemonSetName : daemonset name getter - contexts: [ . ] - usage: {{ include "prom.node.daemonSetName" . }} -*/}} -{{- define "prom.node.daemonSetName" -}} -{{- $name := include "prom.node.name" . -}} -{{- printf "%s-daemon-set" $name -}} -{{- end -}} - - -{{/* - prom.node.podSecurityPolicyName : podSecurityPolicyName name getter - contexts: [ . ] - usage: {{ include "prom.node.podSecurityPolicyName" . }} -*/}} -{{- define "prom.node.podSecurityPolicyName" -}} -{{- $name := include "prom.node.name" . -}} -{{- printf "%s-%s-metrics-collection" .Values.global.projectName $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/_labels.tpl deleted file mode 100644 index 94636d7e5..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/_labels.tpl +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - prom.node.commonLabels : generic for labels - contexts: [ . ] - usage: {{ include "prom.node.commonLabels" . }} -*/}} -{{- define "prom.node.commonLabels" -}} -{{ if .Chart.AppVersion -}} -app.kubernetes.io/part-of: {{ include "prom.node.name" . }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{ include "projectLabels" . }} -{{- end -}} - -{{/* - prom.node.enrichedLabels : generic for labels - contexts: [ . ] - usage: {{ include "prom.node.enrichedLabels" . }} -*/}} -{{- define "prom.node.enrichedLabels" -}} -{{ include "prom.node.commonLabels" . }} -{{ .Values.global.projectName }}.monitoring/service : {{ .Release.Name }}-node-exporter -{{- end -}} - -{{/* - prom.node.serviceLabel: generic admin service label - contexts: [ . ] - usage: {{ include "prom.node.serviceLabel" . }} - */}} -{{- define "prom.node.serviceLabel" -}} -{{ include "projectLabels" . }} -{{ .Values.global.projectName }}.monitoring/service : {{ .Release.Name }}-node-exporter -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/daemonSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/daemonSet.yaml deleted file mode 100644 index 0f287997b..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/daemonSet.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- if .Values.nodeExporter.enabled -}} -apiVersion: apps/v1 -kind: DaemonSet - -metadata: - name: {{ template "prom.node.daemonSetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "prom.node.enrichedLabels" . | nindent 4 }} - -spec: - selector: - matchLabels: - app.kubernetes.io/instance: {{ template "prom.node.podName" . }} - {{- include "prom.node.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - app.kubernetes.io/instance: {{ template "prom.node.podName" . }} - {{- include "prom.node.enrichedLabels" . | nindent 8 }} - annotations: - prometheus.io/scrape: "true" - - spec: - serviceAccountName: {{ template "prom.node.serviceAccountName" . }} - automountServiceAccountToken: false - containers: - - name: {{ template "prom.node.name" . }}-container - image: {{ template "containerName" .Values.nodeExporter.image }} - imagePullPolicy: "{{ .Values.nodeExporter.image.pullPolicy }}" - args: - - --path.procfs=/host/proc - - --path.sysfs=/host/sys - ports: - - name: node - containerPort: 9100 - - volumeMounts: - - name: proc - mountPath: /host/proc - readOnly: true - - name: sys - mountPath: /host/sys - readOnly: true - - {{- if .Values.nodeExporter.image.resources }} - resources: - {{- toYaml .Values.nodeExporter.image.resources | nindent 12 }} - {{- end }} - {{- if .Values.nodeExporter.podSecurityPolicy.enabled }} - hostNetwork: {{ .Values.nodeExporter.podSecurityPolicy.hostNetwork }} - hostPID: {{ .Values.nodeExporter.podSecurityPolicy.hostPID }} - {{- end }} - {{- if .Values.nodeExporter.image.securityContext }} - securityContext: - {{- toYaml .Values.nodeExporter.image.securityContext | nindent 8 }} - {{- end }} - volumes: - - name: proc - hostPath: - path: /proc - - name: sys - hostPath: - path: /sys -{{- end -}} 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/podSecurityPolicy.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/podSecurityPolicy.yaml deleted file mode 100644 index 08e64abc0..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/podSecurityPolicy.yaml +++ /dev/null @@ -1,54 +0,0 @@ -{{- if and .Values.nodeExporter.enabled .Values.rbac.create -}} -{{- if .Values.nodeExporter.podSecurityPolicy.enabled -}} -apiVersion: extensions/v1beta1 -kind: PodSecurityPolicy - -metadata: - name: {{ template "prom.node.podSecurityPolicyName" . }} - labels: - {{- include "prom.node.commonLabels" . | nindent 4 }} - -spec: - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - - requiredDropCapabilities: - - ALL - - volumes: - - 'configMap' - - 'hostPath' - - 'secret' - - allowedHostPaths: - - pathPrefix: /proc - readOnly: true - - pathPrefix: /sys - readOnly: true - - hostNetwork: {{ .Values.nodeExporter.podSecurityPolicy.hostNetwork }} - hostPID: {{ .Values.nodeExporter.podSecurityPolicy.hostPID }} - hostIPC: false - - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - - hostPorts: - - min: 1 - max: 65535 -{{- end }} -{{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/role.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/role.yaml deleted file mode 100644 index 8d2d3f6c0..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/role.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} -{{- if .Values.nodeExporter.podSecurityPolicy.enabled }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role - -metadata: - name: {{ template "prom.node.serviceAccountName" . }} - labels: - {{- include "prom.node.commonLabels" . | nindent 4 }} - -rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ template "prom.node.podSecurityPolicyName" . }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/roleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/roleBinding.yaml deleted file mode 100644 index 17f04de21..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/roleBinding.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} -{{- if .Values.nodeExporter.podSecurityPolicy.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding - -metadata: - name: {{ template "prom.node.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "prom.node.commonLabels" . | nindent 4 }} - -roleRef: - kind: Role - name: {{ template "prom.node.serviceAccountName" . }} - apiGroup: rbac.authorization.k8s.io - -subjects: -- kind: ServiceAccount - name: {{ template "prom.node.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/service.yaml deleted file mode 100644 index 8130f7c03..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/service.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.nodeExporter.enabled -}} -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-node-exporter - namespace: {{ .Values.global.namespace }} - labels: - {{- include "prom.node.commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "prom.node.enrichedLabels" . | nindent 4 }} - - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: node -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/serviceAccount.yaml deleted file mode 100644 index 77f35bdbe..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/node-exporter/serviceAccount.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if and .Values.nodeExporter.enabled -}} -apiVersion: v1 -kind: ServiceAccount - -metadata: - name: {{ template "prom.node.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "prom.node.commonLabels" . | nindent 4 }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/_getters.tpl deleted file mode 100644 index bf070cbfb..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/_getters.tpl +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - prom.server.serviceAccountName : generic for admin labels - contexts: [ . ] - usage: {{ include "prom.server.serviceAccountName" . }} -*/}} -{{- define "prom.server.serviceAccountName" -}} -{{ .Values.global.projectName }}-{{ template "name" . }}-discovery-agent -{{- end -}} - - -{{/* - prom.server.ingressName : ingress name getter - contexts: [ . ] - usage: {{ include "prom.server.ingressName" . }} -*/}} -{{- define "prom.server.ingressName" -}} -{{- $name := include "name" . -}} -{{- printf "05-%s-ingress" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/_labels.tpl deleted file mode 100644 index 04785684d..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/_labels.tpl +++ /dev/null @@ -1,10 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - prom.server.enrichedLabels : generic for admin labels - contexts: [ . ] - usage: {{ include "prom.enrichedLabels" . }} -*/}} -{{- define "prom.server.enrichedLabels" -}} -{{ include "commonLabels" . }} -{{ .Values.global.projectName }}.monitoring/service: {{ .Release.Name }}-prometheus -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/clusterRole.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/clusterRole.yaml deleted file mode 100644 index b1b2a22c4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/clusterRole.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole - -metadata: - name: {{ template "prom.server.serviceAccountName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - services - - endpoints - - pods - - ingresses - - configmaps - verbs: - - get - - list - - watch - - - apiGroups: - - "extensions" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - - nonResourceURLs: - - "/metrics" - verbs: - - get -{{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/clusterRoleBinding.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/clusterRoleBinding.yaml deleted file mode 100644 index aa21dc9ec..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/clusterRoleBinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding - -metadata: - name: {{ template "prom.server.serviceAccountName" . }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -subjects: - - kind: ServiceAccount - name: {{ template "prom.server.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "prom.server.serviceAccountName" . }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/configMap.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/configMap.yaml deleted file mode 100644 index 1a75b9e39..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/configMap.yaml +++ /dev/null 
@@ -1,277 +0,0 @@ -apiVersion: v1 -kind: ConfigMap - -metadata: - name: {{ template "configMapName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -data: - prometheus.yml: | - rule_files: - - /etc/config/rules - - /etc/config/alerts - - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - {{- $subPath := .Values.global.subPath }} - metrics_path: {{ $subPath }}{{ .Values.server.path }}metrics - # A scrape configuration for running Prometheus on a Kubernetes cluster. - # This uses separate scrape configs for cluster components (i.e. API server, node) - # and services to allow each to use different authentication configs. - # - # Kubernetes labels will be added as Prometheus labels on metrics via the - # `labelmap` relabeling action. - - # Scrape config for API servers. - # - # Kubernetes exposes API servers as endpoints to the default/kubernetes - # service so this uses `endpoints` role and uses relabelling to only keep - # the endpoints associated with the default/kubernetes service using the - # default named port `https`. This works for single API server deployments as - # well as HA API server deployments. - - job_name: 'kubernetes-apiservers' - - kubernetes_sd_configs: - - role: endpoints - - # Default to scraping over https. If required, just disable this or change to - # `http`. - scheme: https - - # This TLS & bearer token file config is used to connect to the actual scrape - # endpoints for cluster components. This is separate to discovery auth - # configuration because discovery & scraping are two separate concerns in - # Prometheus. The discovery auth config is automatic if Prometheus runs inside - # the cluster. Otherwise, more config options have to be provided within the - # . 
- tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # If your node certificates are self-signed or use a different CA to the - # master CA, then disable certificate verification below. Note that - # certificate verification is an integral part of a secure infrastructure - # so this should only be disabled in a controlled environment. You can - # disable certificate verification by uncommenting the line below. - # - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - - # Keep only the default/kubernetes service endpoints for the https port. This - # will add targets for each API server which Kubernetes adds an endpoint to - # the default/kubernetes service. - relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: default;kubernetes;https - - - job_name: 'kubernetes-nodes' - - # Default to scraping over https. If required, just disable this or change to - # `http`. - scheme: https - - # This TLS & bearer token file config is used to connect to the actual scrape - # endpoints for cluster components. This is separate to discovery auth - # configuration because discovery & scraping are two separate concerns in - # Prometheus. The discovery auth config is automatic if Prometheus runs inside - # the cluster. Otherwise, more config options have to be provided within the - # . - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # If your node certificates are self-signed or use a different CA to the - # master CA, then disable certificate verification below. Note that - # certificate verification is an integral part of a secure infrastructure - # so this should only be disabled in a controlled environment. You can - # disable certificate verification by uncommenting the line below. 
- # - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - - kubernetes_sd_configs: - - role: node - - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics - - - - job_name: 'kube-state-metrics' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - - - job_name: 'kubernetes-nodes-cadvisor' - - # Default to scraping over https. If required, just disable this or change to - # `http`. - scheme: https - - # This TLS & bearer token file config is used to connect to the actual scrape - # endpoints for cluster components. This is separate to discovery auth - # configuration because discovery & scraping are two separate concerns in - # Prometheus. The discovery auth config is automatic if Prometheus runs inside - # the cluster. Otherwise, more config options have to be provided within the - # . - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # If your node certificates are self-signed or use a different CA to the - # master CA, then disable certificate verification below. Note that - # certificate verification is an integral part of a secure infrastructure - # so this should only be disabled in a controlled environment. You can - # disable certificate verification by uncommenting the line below. 
- # - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - - kubernetes_sd_configs: - - role: node - - # This configuration will work only on kubelet 1.7.3+ - # As the scrape endpoints for cAdvisor have changed - # if you are using older version you need to change the replacement to - # replacement: /api/v1/nodes/$1:4194/proxy/metrics - # more info here https://github.com/coreos/prometheus-operator/issues/633 - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - - # Scrape config for service endpoints. - # - # The relabeling allows the actual service scrape endpoint to be configured - # via the following annotations: - # - # * `prometheus.io/scrape`: Only scrape services that have a value of `true` - # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need - # to set this to `https` & most likely set the `tls_config` of the scrape config. - # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. - # * `prometheus.io/port`: If the metrics are exposed on a different port to the - # service then set this appropriately. - - job_name: 'kubernetes-service-endpoints' - - kubernetes_sd_configs: - - role: endpoints - - relabel_configs: - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] - action: replace - target_label: __scheme__ - regex: (https?) 
- - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] - action: replace - target_label: __address__ - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: kubernetes_namespace - - source_labels: [__meta_kubernetes_service_name] - action: replace - target_label: kubernetes_name - - source_labels: [__meta_kubernetes_pod_node_name] - action: replace - target_label: kubernetes_node - - - job_name: 'prometheus-pushgateway' - honor_labels: true - - kubernetes_sd_configs: - - role: service - - relabel_configs: - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] - action: keep - regex: pushgateway - - # Example scrape config for probing services via the Blackbox Exporter. 
- # - # The relabeling allows the actual service scrape endpoint to be configured - # via the following annotations: - # - # * `prometheus.io/probe`: Only probe services that have a value of `true` - - job_name: 'kubernetes-services' - - metrics_path: /probe - params: - module: [http_2xx] - - kubernetes_sd_configs: - - role: service - - relabel_configs: - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] - action: keep - regex: true - - source_labels: [__address__] - target_label: __param_target - - target_label: __address__ - replacement: blackbox - - source_labels: [__param_target] - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - target_label: kubernetes_namespace - - source_labels: [__meta_kubernetes_service_name] - target_label: kubernetes_name - - # Example scrape config for pods - # - # The relabeling allows the actual pod scrape endpoint to be configured via the - # following annotations: - # - # * `prometheus.io/scrape`: Only scrape pods that have a value of `true` - # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. - # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. 
- - job_name: 'kubernetes-pods' - - kubernetes_sd_configs: - - role: pod - - relabel_configs: - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: kubernetes_namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: kubernetes_pod_name diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/ingress.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/ingress.yaml deleted file mode 100644 index 0b1052cc4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/ingress.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress - -metadata: - name: {{ template "prom.server.ingressName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - - annotations: - kubernetes.io/ingress.class: {{ .Values.global.ingressClass }} - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: {{ .Values.global.adminNamespace }}/auth-secret - nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' -spec: - rules: - - http: - paths: - - path: {{ .Values.global.subPath }}{{ .Values.server.path }} - backend: - serviceName: {{ .Release.Name }}-prometheus - servicePort: 9090 
diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/service.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/service.yaml deleted file mode 100644 index a346469ac..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-prometheus - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - selector: - {{- include "prom.server.enrichedLabels" . | nindent 4 }} - - ports: - - name: http - protocol: TCP - port: 9090 - targetPort: 9090 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/serviceAccount.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/serviceAccount.yaml deleted file mode 100644 index de3e12525..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/serviceAccount.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - -metadata: - name: {{ template "prom.server.serviceAccountName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/serviceHeadless.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/serviceHeadless.yaml deleted file mode 100644 index 3a1061776..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/serviceHeadless.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service - -metadata: - name: {{ .Release.Name }}-prometheus-headless - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - clusterIP: None - selector: - {{- include "prom.server.enrichedLabels" . | nindent 4 }} - - ports: - - name: http - protocol: TCP - port: 9090 - targetPort: 9090 diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/statefulSet.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/statefulSet.yaml deleted file mode 100644 index 407180696..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/templates/prom-server/statefulSet.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet - -metadata: - name: {{ template "statefulSetName" . }} - namespace: {{ .Values.global.namespace }} - labels: - {{- include "commonLabels" . | nindent 4 }} - -spec: - replicas: {{ .Values.server.replicas }} - serviceName: {{ .Release.Name }}-prometheus-headless - podManagementPolicy: {{ .Values.server.podManagementPolicy }} - - selector: - matchLabels: - app.kubernetes.io/instance: {{ template "podName" . }} - {{- include "prom.server.enrichedLabels" . | nindent 6 }} - - template: - metadata: - labels: - app.kubernetes.io/instance: {{ template "podName" . }} - {{- include "prom.server.enrichedLabels" . | nindent 8 }} - annotations: - checksum/prometheus-config: {{ include (print .Template.BasePath "/prom-server/configMap.yaml") . | sha256sum | trunc 63 }} - - spec: - serviceAccountName: {{ template "prom.server.serviceAccountName" . }} - - containers: - - name: {{ template "name" . }}-server-container - image: {{ template "containerName" .Values.server.image.mainContainer }} - imagePullPolicy: {{ .Values.server.image.mainContainer.pullPolicy }} - args: - - --config.file=/etc/config/prometheus.yml - - --web.external-url=http://localhost:9090{{ .Values.global.subPath }}/monitoring/prometheus - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - {{- if .Values.server.enableAdminApi }} - - --web.enable-admin-api - {{- end }} - {{- if .Values.server.retention }} - - --storage.tsdb.retention.time={{ .Values.server.retention }} - {{- end }} - # {{- if .Values.server.persistentVolume.enabled }} - # - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} - # {{- end }} - ports: - - name: prom - containerPort: 9090 - {{- if .Values.server.image.mainContainer.livenessProbe.enabled }} - {{- with .Values.server.image.mainContainer.livenessProbe }} - livenessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - 
periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /healthz - port: prom - {{- end }} - {{- end }} - {{ if .Values.kubeStateMetrics.image.readinessProbe.enabled }} - {{- with .Values.kubeStateMetrics.image.readinessProbe }} - readinessProbe: - initialDelaySeconds: {{ .initialDelaySeconds }} - periodSeconds: {{ .periodSeconds }} - timeoutSeconds: {{ .timeoutSeconds }} - failureThreshold: {{ .failureThreshold }} - httpGet: - path: /healthz - port: prom - {{- end }} - {{- end }} - {{- if .Values.server.image.mainContainer.resources -}} - resources: - {{- toYaml .Values.server.image.mainContainer.resources | nindent 12 }} - {{- end }} - {{- if .Values.server.image.mainContainer.securityContext }} - securityContext: - {{- toYaml .Values.server.image.mainContainer.securityContext | nindent 12 }} - {{- end }} - - volumeMounts: - - name: config-volume - mountPath: /etc/config - {{- if .Values.server.persistentVolume.enabled }} - - name: {{ template "pvcName" . }} - mountPath: {{ .Values.server.persistentVolume.mountPath }} - {{- end }} - - volumes: - - name: config-volume - configMap: - name: {{ template "configMapName" . }} - {{- if .Values.server.persistentVolume.enabled }} - - name: {{ template "pvcName" . }} - persistentVolumeClaim: - claimName: {{ template "pvcName" . }} - {{- end }} - - {{- if .Values.server.persistentVolume.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ template "pvcName" . }} - - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: "{{ .Values.server.persistentVolume.storage }}" - {{- end }} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/values.yaml deleted file mode 100644 index 34c0555f4..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/charts/prometheus/values.yaml +++ /dev/null 
@@ -1,156 +0,0 @@ -rbac: - create: true - -kubeStateMetrics: - enabled: true - replicas: 1 - - selfAntiAffinity: - soft: true - weight: 100 - - image: - pullPolicy: "IfNotPresent" - registry: quay.io - registryPort: {} - name: coreos/kube-state-metrics - tag: "v1.7.2" - - livenessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 130s ~= 2min - enabled: false - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 130s ~= 2min - enabled: false - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - - resources: - limits: - cpu: 40m - memory: 64Mi - requests: - cpu: 10m - memory: 32Mi - - securityContext: - runAsUser: 65534 - -nodeExporter: - enabled: true - - selfAntiAffinity: - soft: true - weight: 100 - - image: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: prom/node-exporter - tag: "v0.18.1" - - livenessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 130s ~= 2min - enabled: false - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 130s ~= 2min - enabled: false - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - - resources: - limits: - cpu: 200m - memory: 50Mi - requests: - cpu: 100m - memory: 30Mi - - securityContext: {} - - podSecurityPolicy: - enabled: true - ## If true, node-exporter pods share the host network namespace - 
hostNetwork: true - ## If true, node-exporter pods share the host PID namespace - hostPID: true - -server: - path: "/monitoring/prometheus/" - replicas: 1 - podManagementPolicy: "Parallel" - enableAdminApi: true - retention: "90d" - - selfAntiAffinity: - soft: true - weight: 100 - - persistentVolume: - enabled: false - mountPath: /data - storage: "2Gi" - - image: - mainContainer: - pullPolicy: "IfNotPresent" - registry: {} - registryPort: {} - name: prom/prometheus - tag: "v2.12.0" - - livenessProbe: - # Worst case scenario time before container is killed by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * failureThreshold) - # = 145s ~= 2min - enabled: false - initialDelaySeconds: 20 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - path: /healthy - - readinessProbe: - # Worst case scenario time before container is considered unready by k8s : - # initialDelaySeconds + ((periodSeconds + timeoutSeconds) * successThreshold) - # = 145s ~= 3.5min - enabled: false - initialDelaySeconds: 20 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - path: /ready - - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 500m - memory: 512Mi - securityContext: {} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/stern.sh b/kubernetes/helm/vulnerability-assessment-tool-monitoring/stern.sh deleted file mode 100755 index fa549702e..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/stern.sh +++ /dev/null 
@@ -1,147 +0,0 @@ -#!/bin/bash -if [ -z $VULNERABILITY_ASSESSMENT_TOOL_CORE_NAMESPACE ]; then - VULNERABILITY_ASSESSMENT_TOOL_CORE_NAMESPACE="vulnerability-assessment-tool-core" -fi - -if [ -z $VULNERABILITY_ASSESSMENT_TOOL_ADMIN_NAMESPACE ]; then - VULNERABILITY_ASSESSMENT_TOOL_ADMIN_NAMESPACE="vulnerability-assessment-tool-admin" -fi - -if [ -z $VULNERABILITY_ASSESSMENT_TOOL_MONITORING_NAMESPACE ]; then - VULNERABILITY_ASSESSMENT_TOOL_MONITORING_NAMESPACE="vulnerability-assessment-tool-monitoring" -fi - -if [ -z $TAIL_LENGTH ]; then - TAIL_LENGTH=15 -fi - -_stern_log() { - echo `date "+%Y:%m:%d-%H:%M:%S"` "$1" "\033[0m: $2" -} - -_stern_info() { - if [[ -z $STERN_DEBUG ]]; then - _stern_log "[info]" "$1" - fi -} -_stern_warn() { - _stern_log "\e[1;33m[warning]" "$1" -} -_stern_error() { - _stern_log "\e[1;31m[error]" "$1" -} -_stern_success() { - _stern_log "\e[1;32m[success]" "$1" -} - -check_prerequisites() { - STERN_PATH=`command -v stern` - if [ -n "$STERN_PATH" ]; then - _stern_success "stern installation has been found in $STERN_PATH" - export STERN_PATH=$STERN_PATH - else - _stern_error "stern has not been found" - fi -} - -query_constructor() { - QUERY_STRING="stern $1 \ - --namespace $2 " - if [[ -n "$CONTAINER" ]]; then - QUERY_STRING+="--container $CONTAINER " - fi - if [[ $SINGLE -eq "0" ]]; then - QUERY_STRING+="--template '{{ color .PodColor .PodName }} {{ .Message }}' " - else - QUERY_STRING+="--template '{{ .Message }}' " - fi - - if [[ -n "$TAIL_LENGTH" ]]; then - QUERY_STRING+="--tail $TAIL_LENGTH " - fi - if [[ -n "$TAIL_SINCE" ]]; then - QUERY_STRING+=" --since $TAIL_SINCE " - fi - echo $QUERY_STRING -} - -query_constructor_core() { - query_constructor $1 $VULNERABILITY_ASSESSMENT_TOOL_CORE_NAMESPACE -} -query_constructor_admin() { - query_constructor $1 $VULNERABILITY_ASSESSMENT_TOOL_ADMIN_NAMESPACE -} -query_constructor_monitoring(){ - query_constructor $1 $VULNERABILITY_ASSESSMENT_TOOL_MONITORING_NAMESPACE -} - - -restbackend() { - 
SINGLE="1" - POD_QUERY="restbackend-stateful-set-$1" - CONTAINER="" - if [[ -z "$1" ]]; then - SINGLE="0" - POD_QUERY="restbackend-stateful-set" - fi - eval `query_constructor_core $POD_QUERY` -} - -restlibutils() { - SINGLE="0" - POD_QUERY="restlibutils-deployment" - CONTAINER="" - eval `query_constructor_core $POD_QUERY` -} - -frontendapps() { - SINGLE="0" - POD_QUERY="frontendapps-deployment" - CONTAINER="" - eval `query_constructor_core $POD_QUERY` -} - -frontendbugs() { - SINGLE="0" - POD_QUERY="frontendbugs-deployment" - CONTAINER="" - eval `query_constructor_core $POD_QUERY` -} - -postgres_master() { - SINGLE="1" - POD_QUERY="postgres-master-$1" - CONTAINER="postgres-master-container" - if [[ -z "$1" ]]; then - POD_QUERY="postgres-master-0" - fi - eval `query_constructor_core $POD_QUERY` -} - -postgres_slave() { - SINGLE="1" - POD_QUERY="postgres-slave-$1" - CONTAINER="postgres-slave-container" - if [[ -z "$1" ]]; then - SINGLE="0" - POD_QUERY="postgres-slave" - fi - eval `query_constructor_core $POD_QUERY` -} - -patchlibanalyzer() { - SINGLE="1" - POD_QUERY="patchlibanalyzer-deployment" - CONTAINER="" - eval `query_constructor_core $POD_QUERY` -} - -nginx() { - SINGLE="0" - POD_QUERY="nginx-ingress-controller" - CONTAINER="" - eval `query_constructor_admin $POD_QUERY` -} - - -eval "$1" diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_container.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_container.tpl deleted file mode 100644 index 24f963b28..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_container.tpl +++ /dev/null 
@@ -1,18 +0,0 @@ - -{{/*-------------------------- Global Templates ----------------------------*/}} -{{/* - containerName : Generates containerName - contexts: [ .global ] - usage: {{ include "containerName" . }} -*/}} -{{- define "containerName" -}} -{{- if .registry -}} -{{- printf "%s" .registry -}} -{{- if .registryPort -}} -{{- printf ":%d/" (int .registryPort) -}} -{{- else -}} -{{- printf "/" -}} -{{- end -}} -{{- end -}} -{{- printf "%s:%s" .name .tag }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_getters.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_getters.tpl deleted file mode 100644 index 6ab5fbed4..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_getters.tpl +++ /dev/null 
@@ -1,250 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - name : Gets name of current component - contexts: [ . ] - usage: {{ include "name" . }} -*/}} -{{- define "name" -}} -{{ .Release.Name }}-{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - chart : Gets chart name of current component - contexts: [ . ] - usage: {{ include "chart" . }} -*/}} -{{- define "chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - configMapName : config map name getter - contexts: [ . ] - usage: {{ include "configMapName" . }} -*/}} -{{- define "configMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-config" $name -}} -{{- end -}} - -{{/* - cronJobName : cronJobName getter - contexts: [ . ] - usage: {{ include "cronJobName" . }} -*/}} -{{- define "cronJobName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cron-job" $name -}} -{{- end -}} - -{{/* - mountedConfigMapName : mounted config map name getter - contexts: [ . ] - usage: {{ include "mountedConfigMapName" . }} -*/}} -{{- define "mountedConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-mounted-config" $name -}} -{{- end -}} - -{{/* - envConfigMapName : env config map name getter - contexts: [ . ] - usage: {{ include "envConfigMapName" . }} -*/}} -{{- define "envConfigMapName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-env-config" $name -}} -{{- end -}} - - -{{/* - secretName : secret name getter - contexts: [ . ] - usage: {{ include "secretName" . }} -*/}} -{{- define "secretName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-secret" $name -}} -{{- end -}} - -{{/* - deploymentName : Deployment name getter - contexts: [ . ] - usage: {{ include "deploymentName" . }} -*/}} -{{- define "deploymentName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-deployment" $name -}} -{{- end -}} - -{{/* - daemonSetName : DaemonSet name getter - contexts: [ . ] - usage: {{ include "daemonSetName" . }} -*/}} -{{- define "daemonSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-daemon-set" $name -}} -{{- end -}} - -{{/* - statefulSetName : Statefulset name getter - contexts: [ . ] - usage: {{ include "statefulSetName" . }} -*/}} -{{- define "statefulSetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-stateful-set" $name -}} -{{- end -}} - -{{/* - pvcName : patchlibanalyzer pvc name getter - contexts: [ . ] - usage: {{ include "pvcName" . }} -*/}} -{{- define "pvcName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-volume-claim" $name -}} -{{- end -}} - -{{/* - pvName : patchlibanalyzer pv name getter - contexts: [ . ] - usage: {{ include "pvName" . }} -*/}} -{{- define "pvName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-persistent-nfs-volume" $name -}} -{{- end -}} - - -{{/* - serviceAccountName : serviceAccountName getter - contexts: [ . ] - usage: {{ include "serviceAccountName" . }} -*/}} -{{- define "serviceAccountName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-service-account" $name -}} -{{- end -}} - -{{/* - roleName : role name getter - contexts: [ . ] - usage: {{ include "roleName" . }} -*/}} -{{- define "roleName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role" $name -}} -{{- end -}} - -{{/* - roleBindingName : role binding name getter - contexts: [ . ] - usage: {{ include "roleBindingName" . }} -*/}} -{{- define "roleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-role-binding" $name -}} -{{- end -}} - -{{/* - clusterRoleName : cluster role name getter - contexts: [ . ] - usage: {{ include "clusterRoleName" . }} -*/}} -{{- define "clusterRoleName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-cluster-role" $name -}} -{{- end -}} - -{{/* - clusterRoleBindingName : cluster role binding name getter - contexts: [ . ] - usage: {{ include "clusterRoleBindingName" . }} -*/}} -{{- define "clusterRoleBindingName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-cluster-role-binding" $name -}} -{{- end -}} - -{{/* - podName : deployment pod name getter - contexts: [ . ] - usage: {{ include "podName" . }} -*/}} -{{- define "podName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod" $name -}} -{{- end -}} - -{{/* - podDisruptionBudgetName : deployment podDisruptionBudget name getter - contexts: [ . ] - usage: {{ include "podDisruptionBudgetName" . }} -*/}} -{{- define "podDisruptionBudgetName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-pod-disruption-budget" $name -}} -{{- end -}} - -{{/* - networkPolicyName : networkPolicyName getter - contexts: [ . ] - usage: {{ include "networkPolicyName" . }} -*/}} -{{- define "networkPolicyName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-network-policy" $name -}} -{{- end -}} - -{{/* - horizontalPodAutoScalerName : horizontalPodAutoScalerName getter - contexts: [ . ] - usage: {{ include "horizontalPodAutoScalerName" . }} -*/}} -{{- define "horizontalPodAutoScalerName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-horizontal-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - verticalPodAutoScaler : verticalPodAutoScaler getter - contexts: [ . ] - usage: {{ include "verticalPodAutoScaler" . }} -*/}} -{{- define "verticalPodAutoScaler" -}} -{{- $name := include "name" . -}} -{{- printf "%s-vertical-pod-auto-scaler" $name -}} -{{- end -}} - -{{/* - podSecurityPolicyName : podSecurityPolicyName getter - contexts: [ . ] - usage: {{ include "podSecurityPolicyName" . }} -*/}} -{{- define "podSecurityPolicyName" -}} -{{- $name := include "name" . 
-}} -{{- printf "%s-pod-security-policy" $name -}} -{{- end -}} - -{{/* - headlessServiceName : headlessServiceName getter - contexts: [ . ] - usage: {{ include "headlessServiceName" . }} -*/}} -{{- define "headlessServiceName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-%s-headless-service" $name .Release.Name -}} -{{- end -}} - -{{/* - priorityClassName : priorityClassName getter - contexts: [ . ] - usage: {{ include "priorityClassName" . }} -*/}} -{{- define "priorityClassName" -}} -{{- $name := include "name" . -}} -{{- printf "%s-priority-class" $name -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_labels.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_labels.tpl deleted file mode 100644 index b6823fff7..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_labels.tpl +++ /dev/null @@ -1,26 +0,0 @@ -{{/*---------------------------- Local Templates ----------------------------*/}} -{{/* - commonLabels : generic labels - contexts: [ . ] - usage: {{ include "commonLabels" . }} -*/}} - -{{- define "commonLabels" -}} -{{ if .Chart.AppVersion -}} -app.kubernetes.io/name: {{ .Chart.Name }} -app.kubernetes.io/part-of: {{ .Values.global.projectName }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{ include "projectLabels" . }} -{{- end -}} - - -{{/* - projectLabels : generic labels - contexts: [ . ] - usage: {{ include "projectLabels" . }} -*/}} -{{- define "projectLabels" -}} -{{ .Values.global.projectName }}/environment: {{ .Values.global.env }} -{{ .Values.global.projectName }}/release-name: {{ .Release.Name }} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_logs.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_logs.tpl deleted file mode 100644 index 63f2002a6..000000000 
--- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_logs.tpl +++ /dev/null @@ -1,22 +0,0 @@ -{{/*-------------------------- Global Templates ----------------------------*/}} -{{/* - logFunctions : generic logging function - contexts: [ . ] - usage: {{ include "logFunctions" . }} -*/}} - -{{- define "logFunctions" -}} -_log() { - echo `date "+%Y:%m:%d-%H:%M:%S"` "[$CHART_NAME|$LOG_ORIGIN]" "$1": "$2" -} - -_error() { - _log "ERROR" "$1" -} - -_info() { - if [ -z $DEBUG ]; then - _log "INFO" "$1" - fi -} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_ports.tpl b/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_ports.tpl deleted file mode 100644 index e4be75e08..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/templates/_ports.tpl +++ /dev/null @@ -1,12 +0,0 @@ - -{{/* - listPorts : lists port - contexts: [ .global ] - usage: {{ include "listPorts" . }} -*/}} -{{- define "listPorts" -}} -{{- range $key, $value := . }} -- name: {{ $key }} - {{- toYaml . | nindent 2 }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm/vulnerability-assessment-tool-monitoring/values.yaml b/kubernetes/helm/vulnerability-assessment-tool-monitoring/values.yaml deleted file mode 100644 index d7bcaff96..000000000 --- a/kubernetes/helm/vulnerability-assessment-tool-monitoring/values.yaml +++ /dev/null @@ -1,9 +0,0 @@ - -global: - env: "TESTING" - projectName: "vulnerability-assessment-tool" - namespace: "vulnerability-assessment-tool-monitoring" - - adminNamespace: "vulnerability-assessment-tool-admin" - ingressClass: "nginx" - subPath: "" diff --git a/kubernetes/kustomize/config/haproxy-ingress-configmap.yaml b/kubernetes/kustomize/config/haproxy-ingress-configmap.yaml deleted file mode 100644 index ddfdd96a4..000000000 --- a/kubernetes/kustomize/config/haproxy-ingress-configmap.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: haproxy-ingress-cm -data: - dynamic-scaling: "true" - ssl-redirect: "false" - app-root: "/" - stats-auth: vulas:vulas diff --git a/kubernetes/kustomize/config/postgres-setup-script b/kubernetes/kustomize/config/postgres-setup-script deleted file mode 100644 index 9da16174a..000000000 --- a/kubernetes/kustomize/config/postgres-setup-script +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/sh -set -e - -if [ -z ${POSTGRES_PASSWORD} ] || [ -z ${POSTGRES_USER} ] -then - echo 'POSTGRES_USER or POSTGRES_PASSWORD cannot be empty' - exit 1 -fi - -psql --dbname=vulas -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL_B -CREATE TABLE schema_version ( -installed_rank integer NOT NULL, -version character varying(50), -description character varying(200) NOT NULL, -type character varying(20) NOT NULL, -script character varying(1000) NOT NULL, -checksum integer, -installed_by character varying(100) NOT NULL, -installed_on timestamp without time zone DEFAULT now() NOT NULL, -execution_time integer NOT NULL, -success boolean NOT NULL -); -ALTER TABLE schema_version OWNER TO ${POSTGRES_USER}; -INSERT INTO schema_version VALUES (1, '20161206.1800', 'Base version', 'BASELINE', 'Base version', NULL, 'postgres', '2016-12-06 18:00:00.000000', 0, true); -EOSQL_B diff --git a/kubernetes/kustomize/config/restbackend-config b/kubernetes/kustomize/config/restbackend-config deleted file mode 100644 index 4b270bb8b..000000000 --- a/kubernetes/kustomize/config/restbackend-config +++ /dev/null @@ -1,7 +0,0 @@ -vulas.backend.cveCache.refetchAllMs=7200000 -vulas.backend.cveCache.refetchSingleMs=10000 -vulas.backend.frontend.apps.dl.regex= -vulas.backend.frontend.apps.sw.id.label=Software ID -vulas.backend.frontend.apps.sw.id.mandatory=false -vulas.backend.frontend.apps.wiki.url=https://eclipse.github.io/steady -vulas.core.noThreads=AUTO \ No newline at end of file 
diff --git a/kubernetes/kustomize/deployments/default-deployment.yaml b/kubernetes/kustomize/deployments/default-deployment.yaml deleted file mode 100644 index b673b13eb..000000000 --- a/kubernetes/kustomize/deployments/default-deployment.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: default-backend - labels: - component: default-backend -spec: - replicas: 1 - selector: - matchLabels: - component: default-backend - template: - metadata: - labels: - component: default-backend - spec: - containers: - - name: default-backend - image: gcr.io/google_containers/defaultbackend:1.4 - ports: - - containerPort: 8080 - resources: - limits: - memory: "64Mi" - cpu: "50m" \ No newline at end of file diff --git a/kubernetes/kustomize/deployments/frontend-apps-deployment.yaml b/kubernetes/kustomize/deployments/frontend-apps-deployment.yaml deleted file mode 100644 index 3abf56107..000000000 --- a/kubernetes/kustomize/deployments/frontend-apps-deployment.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: frontend-apps - labels: - component: frontend-apps -spec: - replicas: 1 - template: - metadata: - labels: - component: frontend-apps - spec: - containers: - - name: frontend-apps - image: eclipse/steady-frontend-apps:3.2.0-SNAPSHOT - ports: - - containerPort: 8080 - resources: - limits: - memory: "128Mi" - cpu: "200m" diff --git a/kubernetes/kustomize/deployments/frontend-bugs-deployment.yaml b/kubernetes/kustomize/deployments/frontend-bugs-deployment.yaml deleted file mode 100644 index d06b8f87c..000000000 --- a/kubernetes/kustomize/deployments/frontend-bugs-deployment.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: frontend-bugs - labels: - component: frontend-bugs -spec: - replicas: 1 - template: - metadata: - labels: - component: frontend-bugs - spec: - containers: - - name: frontend-bugs - image: eclipse/steady-frontend-bugs:3.2.0-SNAPSHOT - ports: - - containerPort: 8080 - resources: - limits: - memory: "128Mi" - cpu: "200m" - diff --git a/kubernetes/kustomize/deployments/haproxy-ingress-controller.yaml b/kubernetes/kustomize/deployments/haproxy-ingress-controller.yaml deleted file mode 100644 index cde5083e9..000000000 --- a/kubernetes/kustomize/deployments/haproxy-ingress-controller.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: apps/v1beta2 -kind: Deployment -metadata: - name: haproxy-ingress-controller - labels: - component: haproxy-ingress -spec: - replicas: 1 - selector: - matchLabels: - component: haproxy-ingress - template: - metadata: - labels: - component: haproxy-ingress - spec: - serviceAccountName: ingress-controller - containers: - - name: haproxy-ingress-controller - image: quay.io/jcmoraisjr/haproxy-ingress:v0.7.3 - resources: - limits: - memory: "256Mi" - cpu: "500m" - args: - - --default-backend-service=$(POD_NAMESPACE)/default-backend - - --default-ssl-certificate=$(POD_NAMESPACE)/tls-secret - - --configmap=$(POD_NAMESPACE)/haproxy-ingress-cm - - --reload-strategy=native - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - - name: stat - containerPort: 1936 - livenessProbe: - httpGet: - path: /healthz - port: 10253 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace diff --git a/kubernetes/kustomize/deployments/patch-lib-analyzer-deployment.yaml b/kubernetes/kustomize/deployments/patch-lib-analyzer-deployment.yaml deleted file mode 100644 index 968aaa4f9..000000000 
--- a/kubernetes/kustomize/deployments/patch-lib-analyzer-deployment.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: patch-lib-analyzer - labels: - component: patch-lib-analyzer -spec: - replicas: 1 - template: - metadata: - labels: - component: patch-lib-analyzer - spec: - containers: - - name: patch-lib-analyzer - image: eclipse/steady-patch-lib-analyzer:3.2.0-SNAPSHOT - ports: - - containerPort: 8080 - env: - - name: vulas.patchEval.onlyAddNewResults - value: "true" - - name: vulas.shared.backend.serviceUrl - value: http://rest-backend:8091/backend - - name: vulas.shared.cia.serviceUrl - value: http://rest-lib-utils:8092/cia - - name: PATCHEVAL_OPTS - value: -bug "" -folder /patcheval-data -j -h 0 -p 6 - resources: {} - volumeMounts: - - mountPath: /patcheval-data - name: patch-lib-analyzer-claim0 - volumes: - - name: patch-lib-analyzer-claim0 - persistentVolumeClaim: - claimName: patch-lib-analyzer-claim0 diff --git a/kubernetes/kustomize/deployments/postgres-deployment.yaml b/kubernetes/kustomize/deployments/postgres-deployment.yaml deleted file mode 100644 index 59ef1dd00..000000000 --- a/kubernetes/kustomize/deployments/postgres-deployment.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: postgresql - labels: - component: postgresql -spec: - replicas: 1 - template: - metadata: - labels: - component: postgresql - spec: - containers: - - name: postgresql - image: postgres:11.3 - ports: - - containerPort: 5432 - env: - - name: POSTGRES_USER - value: postgres - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: env-secret - key: POSTGRES_PASSWORD - - name: PGDATA - value: /var/lib/postgresql/data/pgdata - - name: POSTGRES_DB - value: vulas - resources: {} - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: postgres-claim0 - - mountPath: /docker-entrypoint-initdb.d - name: startup - volumes: - - name: postgres-claim0 - persistentVolumeClaim: - claimName: postgres-claim0 - - name: startup - configMap: - name: postgres-setup-script-cm - items: - - key: postgres-setup-script - path: 10-vulas-setup.sh diff --git a/kubernetes/kustomize/deployments/rest-backend-deployment.yaml b/kubernetes/kustomize/deployments/rest-backend-deployment.yaml deleted file mode 100644 index 339e32e64..000000000 --- a/kubernetes/kustomize/deployments/rest-backend-deployment.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: rest-backend - labels: - component: rest-backend -spec: - replicas: 2 - template: - metadata: - labels: - component: rest-backend - spec: - initContainers: - - name: database-checker - image: postgres:11.3 - command: ['sh', '-c', - 'until pg_isready -h postgresql -p 5432; - do echo waiting for database; sleep 2; done;'] - containers: - - name: rest-backend - image: eclipse/steady-rest-backend:3.2.0-SNAPSHOT - ports: - - containerPort: 8091 - env: - - name: DELAY_STARTUP - value: "1" - - name: spring.datasource.username - value: postgres - - name: spring.datasource.password - valueFrom: - secretKeyRef: - name: env-secret - key: POSTGRES_PASSWORD - - name: vulas.backend.coverageService.langConfidenceThreshold - value: "0.2" - - name: vulas.backend.coverageService.licenseConfidenceThreshold - value: "0.2" - - name: vulas.shared.cia.serviceUrl - value: http://rest-lib-utils:8092/cia - envFrom: - - configMapRef: - name: restbackend-config-cm - readinessProbe: - periodSeconds: 5 - initialDelaySeconds: 20 - httpGet: - path: /backend/health - port: 8091 - livenessProbe: - periodSeconds: 10 - initialDelaySeconds: 60 - httpGet: - path: /backend/health - port: 8091 - resources: - limits: - memory: "4Gi" - cpu: "800m" diff --git a/kubernetes/kustomize/deployments/rest-lib-utils-deployment.yaml b/kubernetes/kustomize/deployments/rest-lib-utils-deployment.yaml deleted file mode 100644 index 44e31839e..000000000 --- a/kubernetes/kustomize/deployments/rest-lib-utils-deployment.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: rest-lib-utils - labels: - component: rest-lib-utils -spec: - replicas: 2 - template: - metadata: - labels: - component: rest-lib-utils - spec: - containers: - - name: rest-lib-utils - image: eclipse/steady-rest-lib-utils:3.2.0-SNAPSHOT - ports: - - containerPort: 8092 - resources: - limits: - memory: "8Gi" - cpu: "800m" 
diff --git a/kubernetes/kustomize/kustomization.yaml b/kubernetes/kustomize/kustomization.yaml deleted file mode 100644 index 5f9528711..000000000 --- a/kubernetes/kustomize/kustomization.yaml +++ /dev/null @@ -1,39 +0,0 @@ -namespace: vulnerability-assessment-tool - -configMapGenerator: - - name: postgres-setup-script-cm - files: - - config/postgres-setup-script - - name: restbackend-config-cm - env: config/restbackend-config # HACK: Not documented in Kustomize for configMapGenerators - -secretGenerator: - - name: env-secret - env: secrets/.env # TODO: change in envs as kustomize release 2.0.4 - type: Opaque - - name: bugs-frontend-secret - files: - - auth=secrets/bugs-frontend-credentials - -resources: - - other/namespace.yaml - - other/ingress-controller-rbac.yaml - - config/haproxy-ingress-configmap.yaml - - services/default-service.yaml - - services/frontend-apps-service.yaml - - services/frontend-bugs-service.yaml - - services/postgres-service.yaml - - services/rest-backend-service.yaml - - services/rest-lib-utils-service.yaml - - services/cloud.yaml - - volumes/postgres-persistentvolumeclaim.yaml - - volumes/patch-lib-analyzer-persistentvolumeclaim.yaml - - deployments/default-deployment.yaml - - deployments/frontend-apps-deployment.yaml - - deployments/frontend-bugs-deployment.yaml - - deployments/postgres-deployment.yaml - - deployments/rest-backend-deployment.yaml - - deployments/rest-lib-utils-deployment.yaml - - deployments/patch-lib-analyzer-deployment.yaml - - deployments/haproxy-ingress-controller.yaml - - other/ingress.yaml diff --git a/kubernetes/kustomize/other/ingress-controller-rbac.yaml b/kubernetes/kustomize/other/ingress-controller-rbac.yaml deleted file mode 100644 index acf7f6dfe..000000000 --- a/kubernetes/kustomize/other/ingress-controller-rbac.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-controller ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: ingress-controller -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - resources: - - ingresses/status - verbs: - - update ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: ingress-controller -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - create - - update ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: ingress-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-controller -subjects: - - kind: ServiceAccount - name: ingress-controller - - - apiGroup: rbac.authorization.k8s.io - kind: User - name: ingress-controller ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: ingress-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-controller -subjects: - - kind: ServiceAccount - name: ingress-controller - - - apiGroup: rbac.authorization.k8s.io - kind: User - name: ingress-controller 
diff --git a/kubernetes/kustomize/other/ingress.yaml b/kubernetes/kustomize/other/ingress.yaml deleted file mode 100644 index 55d68950d..000000000 --- a/kubernetes/kustomize/other/ingress.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: default-ingress -spec: - rules: - - http: - paths: - - path: /apps - backend: - serviceName: frontend-apps - servicePort: 8080 - - path: /backend - backend: - serviceName: rest-backend - servicePort: 8091 - - path: /cia - backend: - serviceName: rest-lib-utils - servicePort: 8092 - - path: / - backend: - serviceName: default-backend - servicePort: 8080 ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: auth-ingress - annotations: - ingress.kubernetes.io/auth-type: basic - ingress.kubernetes.io/auth-realm: Default realm - ingress.kubernetes.io/auth-secret: bugs-frontend-secret -spec: - rules: - - http: - paths: - - path: /bugs - backend: - serviceName: frontend-bugs - servicePort: 8080 diff --git a/kubernetes/kustomize/other/namespace.yaml b/kubernetes/kustomize/other/namespace.yaml deleted file mode 100644 index c6578f735..000000000 --- a/kubernetes/kustomize/other/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -kind: Namespace -apiVersion: v1 -metadata: - name: vulnerability-assessment-tool - labels: - name: vulnerability-assessment-tool diff --git a/kubernetes/kustomize/secrets/.env.sample b/kubernetes/kustomize/secrets/.env.sample deleted file mode 100644 index 5e12b4745..000000000 --- a/kubernetes/kustomize/secrets/.env.sample +++ /dev/null @@ -1 +0,0 @@ -POSTGRES_PASSWORD=vulas \ No newline at end of file diff --git a/kubernetes/kustomize/secrets/bugs-frontend-credentials.sample b/kubernetes/kustomize/secrets/bugs-frontend-credentials.sample deleted file mode 100644 index 17171d624..000000000 --- a/kubernetes/kustomize/secrets/bugs-frontend-credentials.sample +++ /dev/null @@ -1 +0,0 @@ -vulas::vulas \ No newline at end of file 
diff --git a/kubernetes/kustomize/services/cloud.yaml b/kubernetes/kustomize/services/cloud.yaml deleted file mode 100644 index 42cfa6a0e..000000000 --- a/kubernetes/kustomize/services/cloud.yaml +++ /dev/null @@ -1,23 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: haproxy-ingress - labels: - component: haproxy-ingress -spec: - type: LoadBalancer - externalTrafficPolicy: Local - ports: - - name: public-http - port: 8080 - targetPort: http - - name: public-https - port: 443 - targetPort: http - - name: public-stat - port: 1936 - targetPort: stat - selector: - component: haproxy-ingress ---- - diff --git a/kubernetes/kustomize/services/default-service.yaml b/kubernetes/kustomize/services/default-service.yaml deleted file mode 100644 index dc308ba41..000000000 --- a/kubernetes/kustomize/services/default-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: default-backend - labels: - component: default-backend -spec: - selector: - component: default-backend - ports: - - port: 8080 - targetPort: 8080 \ No newline at end of file diff --git a/kubernetes/kustomize/services/frontend-apps-service.yaml b/kubernetes/kustomize/services/frontend-apps-service.yaml deleted file mode 100644 index a84b07083..000000000 --- a/kubernetes/kustomize/services/frontend-apps-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - component: frontend-apps - name: frontend-apps -spec: - selector: - component: frontend-apps - ports: - - port: 8080 - targetPort: 8080 diff --git a/kubernetes/kustomize/services/frontend-bugs-service.yaml b/kubernetes/kustomize/services/frontend-bugs-service.yaml deleted file mode 100644 index 0bca53bcf..000000000 --- a/kubernetes/kustomize/services/frontend-bugs-service.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: frontend-bugs - labels: - component: frontend-bugs -spec: - selector: - component: frontend-bugs - ports: - - port: 8080 - targetPort: 8080 diff --git a/kubernetes/kustomize/services/postgres-service.yaml b/kubernetes/kustomize/services/postgres-service.yaml deleted file mode 100644 index bb404d29f..000000000 --- a/kubernetes/kustomize/services/postgres-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: postgresql - labels: - component: postgresql -spec: - selector: - component: postgresql - ports: - - port: 5432 - targetPort: 5432 diff --git a/kubernetes/kustomize/services/rest-backend-service.yaml b/kubernetes/kustomize/services/rest-backend-service.yaml deleted file mode 100644 index 5af79c0ca..000000000 --- a/kubernetes/kustomize/services/rest-backend-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: rest-backend - labels: - component: rest-backend -spec: - selector: - component: rest-backend - ports: - - port: 8091 - targetPort: 8091 diff --git a/kubernetes/kustomize/services/rest-lib-utils-service.yaml b/kubernetes/kustomize/services/rest-lib-utils-service.yaml deleted file mode 100644 index 7ef3ce513..000000000 --- a/kubernetes/kustomize/services/rest-lib-utils-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: rest-lib-utils - labels: - component: rest-lib-utils -spec: - selector: - component: rest-lib-utils - ports: - - port: 8092 - targetPort: 8092 diff --git a/kubernetes/kustomize/volumes/patch-lib-analyzer-persistentvolumeclaim.yaml b/kubernetes/kustomize/volumes/patch-lib-analyzer-persistentvolumeclaim.yaml deleted file mode 100644 index 164473959..000000000 --- a/kubernetes/kustomize/volumes/patch-lib-analyzer-persistentvolumeclaim.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: patch-lib-analyzer-volume0 - labels: - type: local - component: patch-lib-analyzer -spec: - capacity: - storage: 10Gi - accessModes: - - ReadWriteOnce - hostPath: - path: "/mnt/data" ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: patch-lib-analyzer-claim0 - labels: - component: patch-lib-analyzer -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi diff --git a/kubernetes/kustomize/volumes/postgres-persistentvolumeclaim.yaml b/kubernetes/kustomize/volumes/postgres-persistentvolumeclaim.yaml deleted file mode 100644 index 40f09ca60..000000000 --- a/kubernetes/kustomize/volumes/postgres-persistentvolumeclaim.yaml +++ /dev/null @@ -1,27 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: postgres-volume0 - labels: - type: local - component: postgresql -spec: - capacity: - storage: 10Gi - accessModes: - - ReadWriteOnce - hostPath: - path: "/mnt/data" ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: postgres-claim0 - labels: - component: postgresql -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi diff --git a/pom.xml b/pom.xml index 38303b0ae..10991a5b9 100755 --- a/pom.xml +++ b/pom.xml @@ -589,7 +589,6 @@ **/*.tokens **/*.log **/.travis/** - **/kubernetes/** **/docker/** **/docs/** **/.github/** diff --git a/rest-backend/pom.xml b/rest-backend/pom.xml index 9088994a7..a4dbe5846 100644 --- a/rest-backend/pom.xml +++ b/rest-backend/pom.xml @@ -558,7 +558,6 @@ **/*.tokens **/*.log **/.travis/** - **/kubernetes/** **/docker/** **/docs/** **/.github/** diff --git a/rest-lib-utils/pom.xml b/rest-lib-utils/pom.xml index ecc64c96e..51e8cbb90 100644 --- a/rest-lib-utils/pom.xml +++ b/rest-lib-utils/pom.xml @@ -507,7 +507,6 @@ **/*.tokens **/*.log **/.travis/** - **/kubernetes/** **/docker/** **/docs/** **/.github/**