6 changes: 0 additions & 6 deletions ci/do_ci.sh
Expand Up @@ -462,7 +462,6 @@ elif [[ "$CI_TARGET" == "deps" ]]; then
exit 0
elif [[ "$CI_TARGET" == "cve_scan" ]]; then
echo "scanning for CVEs in dependencies..."
bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:cve_scan_test
bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:cve_scan
exit 0
elif [[ "$CI_TARGET" == "tooling" ]]; then
Expand All @@ -482,11 +481,6 @@ elif [[ "$CI_TARGET" == "tooling" ]]; then
echo "dependency validate_test..."
"${ENVOY_SRCDIR}"/tools/dependency/validate_test.py

# Validate the CVE scanner works. We do it here as well as in cve_scan, since this blocks
# presubmits, but cve_scan only runs async.
echo "cve_scan_test..."
bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:cve_scan_test

exit 0
elif [[ "$CI_TARGET" == "verify_examples" ]]; then
run_ci_verify "*" "wasm-cc|win32-front-proxy"
1 change: 1 addition & 0 deletions tools/base/requirements.in
Expand Up @@ -8,6 +8,7 @@ envoy.base.checker
envoy.base.runner
envoy.base.utils>=0.0.10
envoy.code_format.python_check>=0.0.4
envoy.dependency.cve_scan
envoy.dependency.pip_check>=0.0.4
envoy.distribution.release
envoy.distribution.verify
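Review bot: The new `envoy.dependency.cve_scan` line in requirements.in carries no version constraint, while the neighbouring `envoy.*` entries declare a floor (`envoy.base.utils>=0.0.10`, `envoy.code_format.python_check>=0.0.4`, `envoy.dependency.pip_check>=0.0.4`). The compiled lockfile pins it to `==0.0.1` with sha256 hashes, so resolution is reproducible today, but the input file should state the minimum the wrapper was written against so a future `pip-compile` cannot silently resolve to an older API: `envoy.dependency.cve_scan>=0.0.1`.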
13 changes: 13 additions & 0 deletions tools/base/requirements.txt
Expand Up @@ -11,6 +11,7 @@ abstracts==0.0.12 \
# envoy.abstract.command
# envoy.base.utils
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.dependency.pip-check
# envoy.github.abstract
# envoy.github.release
Expand All @@ -19,6 +20,7 @@ aio.functional==0.0.9 \
# via
# -r requirements.in
# aio.tasks
# envoy.dependency.cve-scan
# envoy.github.abstract
# envoy.github.release
aio.stream==0.0.2 \
Expand All @@ -34,6 +36,7 @@ aio.tasks==0.0.4 \
# via
# -r requirements.in
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.github.abstract
# envoy.github.release
aiodocker==0.21.0 \
Expand Down Expand Up @@ -87,6 +90,7 @@ aiohttp==3.7.4.post0 \
# via
# aio.stream
# aiodocker
# envoy.dependency.cve-scan
# envoy.github.abstract
# envoy.github.release
# slackclient
Expand Down Expand Up @@ -261,6 +265,7 @@ envoy.base.checker==0.0.2 \
# via
# -r requirements.in
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.dependency.pip-check
# envoy.distribution.distrotest
# envoy.distribution.verify
Expand All @@ -279,6 +284,7 @@ envoy.base.utils==0.0.10 \
# via
# -r requirements.in
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.dependency.pip-check
# envoy.distribution.distrotest
# envoy.docs.sphinx-runner
Expand All @@ -287,6 +293,10 @@ envoy.base.utils==0.0.10 \
envoy.code-format.python-check==0.0.4 \
--hash=sha256:5e166102d1f873f0c14640bcef87b46147cbad1cb68888c977acfde7fce96e04
# via -r requirements.in
envoy.dependency.cve-scan==0.0.1 \
--hash=sha256:438973e6258deb271d60a9ad688c13ebf9c5360ccb9b6b0d4af3b3228235b153 \
--hash=sha256:733fa5c6bdbe91da4afe1d46bca75279f717e410693866825d92208fa0d3418f
# via -r requirements.in
envoy.dependency.pip-check==0.0.4 \
--hash=sha256:3213d77959f65c3c97e9b5d74cb14c02bc02dae64bac2e7c3cb829a2f4e5e40e
# via -r requirements.in
Expand Down Expand Up @@ -375,6 +385,7 @@ jinja2==3.0.2 \
--hash=sha256:8569982d3f0889eed11dd620c706d39b60c36d6d25843961f33f77fb6bc6b20c
# via
# -r requirements.in
# envoy.dependency.cve-scan
# sphinx
markupsafe==2.0.1 \
--hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \
Expand Down Expand Up @@ -481,6 +492,7 @@ packaging==21.0 \
--hash=sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7 \
--hash=sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14
# via
# envoy.dependency.cve-scan
# envoy.github.release
# pytest
# sphinx
Expand Down Expand Up @@ -732,6 +744,7 @@ typing-extensions==3.10.0.2 \
# via
# aiodocker
# aiohttp
# gitpython
uritemplate==3.0.1 \
--hash=sha256:07620c3f3f8eed1f12600845892b0e036a2420acf513c53f7de0abd911a5894f \
--hash=sha256:5af8ad10cec94f215e3f48112de2022e1d5a37ed427fbd88652fa908f2ab7cae
21 changes: 5 additions & 16 deletions tools/dependency/BUILD
Expand Up @@ -24,23 +24,12 @@ py_library(

py_binary(
name = "cve_scan",
srcs = [
"cve_scan.py",
"utils.py",
],
srcs = ["cve_scan.py"],
args = ["$(location :cve.yaml)"],
data = [
":cve.yaml",
":exports",
requirement("envoy.base.utils"),
],
)

py_binary(
name = "cve_scan_test",
srcs = ["cve_scan_test.py"],
data = [
":cve_scan",
data = [":cve.yaml"],
deps = [
":utils",
requirement("envoy.dependency.cve_scan"),
],
)

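Review bot: Dropping the `cve_scan_test` py_binary leaves no in-tree test for the scanner, and the `tooling` step in ci/do_ci.sh that ran it as a presubmit gate is removed in the same PR, so nothing visible here says where the scanner is now validated before a cve.yaml edit or a package bump lands. The tests presumably moved with the implementation into the `envoy.dependency.cve_scan` package that the new `deps = [requirement("envoy.dependency.cve_scan")]` pulls in, but cve_scan.py is not in this view, so that is inferred. A comment above `py_binary(name = "cve_scan")` would save the next reader the search: `# Scanner implementation and its tests live in the envoy.dependency.cve_scan package (hash-pinned in tools/base/requirements.txt); cve_scan.py is only the entry point.` Keep that hash pin when the package is bumped, since this target now executes third-party code against the dependency list.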
34 changes: 1 addition & 33 deletions tools/dependency/cve.yaml
Expand Up @@ -2,11 +2,9 @@
# We only look back a few years, since we shouldn't have any ancient deps.
start_year: 2018

ndist_url: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{year}.json.gz

# These CVEs are false positives for the match heuristics. An explanation is
# required when adding a new entry to this list as a comment.
ignore:
ignored_cves:
# Node.js issue unrelated to http-parser (napi_ API implementation).
- CVE-2020-8174
# Node.js HTTP desync attack. Request smuggling due to CR and hyphen
Expand All @@ -22,24 +20,12 @@ ignore:
- CVE-2020-8251
# Node.js issue unrelated to http-parser (libuv).
- CVE-2020-8252
# Fixed via the nghttp2 1.41.0 bump in Envoy 8b6ea4.
- CVE-2020-11080
# Node.js issue rooted in a c-ares bug. Does not appear to affect
# http-parser or our use of c-ares, c-ares has been bumped regardless.
- CVE-2020-8277
# gRPC issue that only affects Javascript bindings.
- CVE-2020-7768
# Node.js issue unrelated to http-parser, see
# https://github.com/mhart/StringStream/issues/7.
- CVE-2018-21270
# These should not affect Curl 7.74.0, but we see false positives due to the
# relative release date and CPE wildcard.
- CVE-2020-8169
- CVE-2020-8177
- CVE-2020-8284
# Low severity Curl issue with incorrect re-use of connections due to case
# in/sensitivity
- CVE-2021-22924
# Node.js issue unrelated to http-parser (Node TLS).
- CVE-2020-8265
# Node.js request smuggling.
Expand All @@ -51,9 +37,6 @@ ignore:
# Node.js issue unrelated to http-parser (*).
- CVE-2021-22883
- CVE-2021-22884
# False positive on the match heuristic, fixed in Curl 7.76.0.
- CVE-2021-22876
- CVE-2021-22890
# Node.js issues unrelated to http-parser.
# See https://nvd.nist.gov/vuln/detail/CVE-2021-22918
# See https://nvd.nist.gov/vuln/detail/CVE-2021-22921
Expand All @@ -66,18 +49,3 @@ ignore:
- CVE-2021-22931
- CVE-2021-22939
- CVE-2021-22940
#
# Currently, cvescan does not respect/understand versions (see #18354).
#
# The following CVEs target versions that are not currently used in the Envoy repo.
#
# libcurl
- CVE-2021-22945
#
# kafka
- CVE-2021-38153
#
# wasmtime
- CVE-2021-39216
- CVE-2021-39218
- CVE-2021-39219
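Review bot: The suppressions under `# Currently, cvescan does not respect/understand versions (see #18354)` (CVE-2021-22945, CVE-2021-38153, CVE-2021-39216, CVE-2021-39218, CVE-2021-39219) are removed along with the other "fixed via bump" entries, but nothing in the hunk records why they are no longer needed. They were version-scoped false positives, so unless the new scanner matches against dependency versions they will reappear as findings on the next `cve_scan` run; if it does, a one-line comment where the block stood would explain the absence to the next maintainer: `# Version-scoped false positives are no longer listed; the scanner matches dependency versions (see #18354).` — only if that is what the package actually does. Removing `ndist_url` also moves the NVD feed location out of this file, so a note next to `start_year` that the feed URL is now owned by the scanner package would help anyone looking to override it.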