PCP-6891 : updated go version & packages to fix vulnerabilities #277
Conversation
Summary
| Severity | Count |
|---|---|
| High | 12 |
| Total | 12 |
Details
Grouped by audit rule and file. Line/column refer to the workflow or action YAML on the scanned branch.
dangerous-triggers — High
use of fundamentally insecure workflow trigger
File: .github/workflows/pr-gh-workflow-approve.yaml
Fix guidance: https://docs.zizmor.sh/audits/#dangerous-triggers
Locations:
- Line 2–8 (cols 0–19) — pull_request_target is almost always used insecurely
dangerous-triggers — High
use of fundamentally insecure workflow trigger
File: .github/workflows/pr-verify.yaml
Fix guidance: https://docs.zizmor.sh/audits/#dangerous-triggers
Locations:
- Line 2–4 (cols 0–50) — pull_request_target is almost always used insecurely
excessive-permissions — High
overly broad permissions
File: .github/workflows/release.yaml
Fix guidance: https://docs.zizmor.sh/audits/#excessive-permissions
Locations:
- Line 10 (cols 2–17) — contents: write is overly broad at the workflow level
known-vulnerable-actions — High
action has a known vulnerability
File: .github/workflows/release.yaml
Fix guidance: https://docs.zizmor.sh/audits/#known-vulnerable-actions
Locations:
- Line 24 (cols 8–79) — GHSA-mrrh-fwg8-r2c3
cache-poisoning — High
runtime artifacts potentially vulnerable to a cache poisoning attack
File: .github/workflows/release.yaml
Fix guidance: https://docs.zizmor.sh/audits/#cache-poisoning
Locations:
- Line 107 (cols 8–82) — runtime artifacts usually published here
- Line 96 (cols 8–71) — enables caching by default
- Line 95–98 (cols 8–43) — this step
template-injection — High
code injection via template expansion
File: .github/workflows/spectro-release.yaml
Fix guidance: https://docs.zizmor.sh/audits/#template-injection
Locations:
- Line 32–35 (cols 8–16) — this step
- Line 34 (cols 44–79) — expression github.event.inputs.release_version — may expand into attacker-controllable code
- Line 33 (cols 8–11) — this run block
unpinned-uses — High (6 similar finding(s))
unpinned action reference
File: .github/workflows/spectro-release.yaml
Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses
Locations:
- Line 27 (cols 14–46) — expression mukunku/tag-exists-action@v1.2.0 — action is not pinned to a hash (required by blanket policy)
- Line 42 (cols 14–33) — expression actions/checkout@v3 — action is not pinned to a hash (required by blanket policy)
- Line 50 (cols 14–43) — expression docker/setup-buildx-action@v1 — action is not pinned to a hash (required by blanket policy)
- Line 53 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
- Line 60 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
- Line 89 (cols 14–39) — expression actions/create-release@v1 — action is not pinned to a hash (required by blanket policy)
Please review these findings before merging.
- G115: integer overflow conversion int64 -> int32, Severity: HIGH
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:107:63
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:104:70
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/contract/types.go:129:22
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/test/envtest/environment.go:89:47
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:189:26
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:123:26
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller.go:1204:28
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:690:26
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:678:27
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:253:33
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:238:35
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/mdutil/util.go:726:14
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/mdutil/util.go:655:58
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/machinedeployment_sync.go:623:15
  - File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/machinedeployment_rollout_ondelete.go:122:29
  - ... (truncated), run gosec locally to capture all failures for the rule G115
- G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
  - File: /home/runner/_work/bulwark/bulwark/target-repo/util/util.go:61:8
  - File: /home/runner/_work/bulwark/bulwark/target-repo/util/conversion/conversion.go:160:18
- G402: TLS InsecureSkipVerify set to true., Severity: HIGH
  - File: /home/runner/_work/bulwark/bulwark/target-repo/controlplane/kubeadm/internal/workload_cluster.go:469:62
Please review these findings and fix the issues before merging.
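As an added example, not code from this PR or from the bulwark repository, the three gosec rules reported above in their fixed form in Go: a bounds-checked int64 to int32 conversion in place of a bare cast (G115), a random string drawn from crypto/rand instead of math/rand (G404), and a TLS client config that trusts a supplied CA bundle and checks the server name rather than setting InsecureSkipVerify (G402). The function names, the character alphabet and the self-signed test CA are assumptions made for the illustration; the right fix at the flagged workload_cluster.go site depends on why verification was disabled there, which the scanner output does not say.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math"
	"math/big"
	"time"
)

// ErrOverflow is returned when an int64 does not fit in an int32.
var ErrOverflow = errors.New("value out of int32 range")

// SafeInt32 is the G115 fix: a bare int32(v) silently wraps, so the range
// is checked first and out-of-range values are rejected with an error.
func SafeInt32(v int64) (int32, error) {
	if v < math.MinInt32 || v > math.MaxInt32 {
		return 0, ErrOverflow
	}
	return int32(v), nil
}

// alphabet is an assumed character set for RandomString.
const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

// RandomString is the G404 fix: every index comes from crypto/rand via
// rand.Int, which is uniform over [0, len(alphabet)) with no modulo bias.
func RandomString(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// TLSClientConfig is the G402 fix: the server chain is verified against the
// supplied CA bundle and the expected ServerName instead of skipping
// verification altogether.
func TLSClientConfig(caPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}, nil
}

// selfSignedCAPEM builds a throwaway CA so the example runs offline; it is
// constructed here and stands in for a real cluster CA.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	if _, err := SafeInt32(1 << 40); err != nil {
		fmt.Println("G115:", err)
	}
	s, _ := RandomString(16)
	fmt.Println("G404:", s)
	ca, _ := selfSignedCAPEM()
	cfg, err := TLSClientConfig(ca, "etcd.example.internal")
	if err != nil {
		fmt.Println("G402:", err)
		return
	}
	fmt.Println("G402: InsecureSkipVerify =", cfg.InsecureSkipVerify)
}
```

When applying the G115 pattern to the replica-count conversions gosec lists, the caller has to decide what to do with the error; returning it up to the reconcile loop is usually preferable to clamping, since a silently clamped count would change scaling behaviour without any signal.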