Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TRB-43095] PRISMA-2022-0227 issue in go-restful/v3 #895

Merged
merged 2 commits into from
Jul 5, 2023
Merged

[TRB-43095] PRISMA-2022-0227 issue in go-restful/v3 #895

merged 2 commits into from
Jul 5, 2023

Conversation

tian-ma
Copy link
Member

@tian-ma tian-ma commented Jul 5, 2023
edited
Loading

Intent

Issue PRISMA-2022-0227 reported by TwistLock scan

Background

github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. \ \ Fix: fixed in v3.10.0 \ \ Image: icr.io/cpopen/turbonomic/kubeturbo:8.9.4-SNAPSHOT \ \ Details: emicklei/go-restful#497

Testing

Check updated whitesource scanner report.
TwistLock scan report twistlock-scan-results-20230705-162317-565579000-UTC-06160807.results.csv

Manual testing

  • build image using the changes
docker buildx build --platform=linux/amd64 --tag docker-na.artifactory.swg-devops.com/hyc-turbo-internal-team-docker-local/turbonomic/tamer/badkubeturbo:8.9.5-TM -f build/Dockerfile.multi-archs --build-arg VERSION=8.9.5-TM --push .
  • deploy it to ROSA cluster using helm, test and check pod log for errors.
image:
  #repository: icr.io/cpopen/turbonomic/kubeturbo
  repository:  docker-na.artifactory.swg-devops.com/hyc-turbo-internal-team-docker-local/turbonomic/tamer/badkubeturbo
  tag: 8.9.5-TM
  pullPolicy: Always

Checklist

These are the items that must be done by the developer and by reviewers before the change is ready to merge. Please strikeout any items that are not applicable, but don't delete them

  • Developer Checks
    • Full build with unit tests and fmt and vet checks
    • Unit tests added / updated
    • No unlicensed images, no third-party code (such as from StackOverflow)
    • Integration tests added / updated
    • Manual testing done (and described)
    • Product sweep run and passed
    • Developer wiki updated (and linked to this description)
  • Reviewer Checks
    • Merge request description clear and understandable
    • Developer checklist items complete
    • Functional code review (how is the code written)
    • Architectural review (does the code try to do the right thing, in the right way)
    • Defensive coding (incoming data checked / sanitized, exceptions logged, clear error messages)
    • No unlicensed images, no third-party code (such as from StackOverflow)
    • Security review checklist complete.

Audience

@ading1977 @irfanurrehman

@tian-ma tian-ma self-assigned this Jul 5, 2023
@tian-ma tian-ma merged commit 81e1ffa into master Jul 5, 2023
@tian-ma tian-ma deleted the bug/TRB-43095 branch July 5, 2023 23:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pankajbatra1 pankajbatra1 pankajbatra1 approved these changes

@ading1977 ading1977 ading1977 approved these changes

@irfanurrehman irfanurrehman Awaiting requested review from irfanurrehman

Assignees

@tian-ma tian-ma

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tian-ma @ading1977 @pankajbatra1