
fix: security issues #464

Merged
merged 4 commits into from
Mar 6, 2023

Conversation

odubajDT
Contributor

@odubajDT odubajDT commented Mar 3, 2023

This PR

  • fixes security findings

Related Issues

Fixes #321

@codecov

codecov bot commented Mar 3, 2023

Codecov Report

Merging #464 (a4ea3b5) into main (10d5f2c) will decrease coverage by 0.03%.
The diff coverage is 100.00%.

❗ Current head a4ea3b5 differs from pull request most recent head bb3ad84. Consider uploading reports for the commit bb3ad84 to get more accurate results

@@            Coverage Diff             @@
##             main     #464      +/-   ##
==========================================
- Coverage   62.26%   62.24%   -0.03%     
==========================================
  Files          13       13              
  Lines        1659     1658       -1     
==========================================
- Hits         1033     1032       -1     
  Misses        563      563              
  Partials       63       63              
Impacted Files Coverage Δ
pkg/sync/http/http_sync.go 46.00% <100.00%> (-0.54%) ⬇️


Contributor

@Kavindu-Dodan Kavindu-Dodan left a comment


Approving and waiting for conversation to be resolved

odubajDT added 3 commits March 6, 2023 07:50
Signed-off-by: odubajDT <[email protected]>
Signed-off-by: odubajDT <[email protected]>
Signed-off-by: odubajDT <[email protected]>
@toddbaert toddbaert self-requested a review March 6, 2023 13:46
Member

@toddbaert toddbaert left a comment


TBH this is definitely a false positive security issue. The hash isn't being used here for anything security related, just to reduce unneeded cycles if the HTTP contents haven't changed.

That said, if switching to sha256 saves us some false positive warnings in tools, I think it's a good change.
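The point made above (the hash is a cheap change detector for polled HTTP content, not a security control), as an added Go example that is not flagd's own code: a poller keeps the SHA-256 digest of the last fetched body and re-parses only when the digest differs. The ChangeDetector type, its method names and the sample flag JSON are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ChangeDetector remembers the SHA-256 digest of the last document a poller
// fetched so it can skip re-parsing identical bodies. The digest is not a
// security control (nothing is authenticated); it only answers "did it change?".
type ChangeDetector struct {
	lastDigest string
}

// Digest returns the lowercase hex SHA-256 of body.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// Changed reports whether body differs from the previous one and records its
// digest. The first call always reports a change (the stored digest is empty
// and a real digest never is), so the initial document gets processed.
func (d *ChangeDetector) Changed(body []byte) bool {
	digest := Digest(body)
	if digest == d.lastDigest {
		return false
	}
	d.lastDigest = digest
	return true
}

// SimulatePolls runs constructed response bodies through one detector and
// returns, per poll, whether the consumer would have re-parsed the document.
func SimulatePolls(bodies []string) []bool {
	var d ChangeDetector
	out := make([]bool, 0, len(bodies))
	for _, b := range bodies {
		out = append(out, d.Changed([]byte(b)))
	}
	return out
}

func main() {
	// Constructed sample: the flag file is fetched four times and changes once.
	off := `{"flags":{"beta":{"state":"DISABLED"}}}`
	on := `{"flags":{"beta":{"state":"ENABLED"}}}`
	fmt.Println(SimulatePolls([]string{off, off, on, on})) // [true false true false]
}
```

Storing only the digest rather than the whole previous body keeps memory use constant regardless of document size, which is the only reason to hash at all here; the choice of SHA-256 over a legacy digest costs nothing measurable next to the HTTP round trip.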

Co-authored-by: Todd Baert <[email protected]>
Signed-off-by: odubajDT <[email protected]>
@beeme1mr beeme1mr merged commit 7f1e759 into open-feature:main Mar 6, 2023
beeme1mr pushed a commit that referenced this pull request Mar 7, 2023
🤖 I have created a release *beep* *boop*
---


## [0.4.1](v0.4.0...v0.4.1) (2023-03-07)


### 🔄 Refactoring

* remove unused struct field
([#458](#458))
([a04c0b8](a04c0b8))


### 🧹 Chore

* **deps:** update sigstore/cosign-installer digest to bd2d118
([#471](#471))
([ee90f48](ee90f48))


### 🐛 Bug Fixes

* **deps:** update module
github.com/open-feature/go-sdk-contrib/providers/flagd to v0.1.10
([#459](#459))
([cbdf9b0](cbdf9b0))
* **deps:** update module golang.org/x/net to v0.8.0
([#468](#468))
([10d5f2c](10d5f2c))
* fix broken image signing
([#461](#461))
([05bb51c](05bb51c))
* fixing image delimiter
([#463](#463))
([b4ee495](b4ee495))
* security issues
([#464](#464))
([7f1e759](7f1e759))
* set readiness once only
([#465](#465))
([41a888d](41a888d))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@github-actions github-actions bot mentioned this pull request Dec 2, 2023

Successfully merging this pull request may close these issues.

Investigate security findings
4 participants