Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 0 additions & 6 deletions ci/do_ci.sh
Original file line number Diff line number Diff line change
Expand Up @@ -462,7 +462,6 @@ elif [[ "$CI_TARGET" == "deps" ]]; then
exit 0
elif [[ "$CI_TARGET" == "cve_scan" ]]; then
echo "scanning for CVEs in dependencies..."
bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:cve_scan_test
bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:cve_scan
exit 0
elif [[ "$CI_TARGET" == "tooling" ]]; then
Expand All @@ -482,11 +481,6 @@ elif [[ "$CI_TARGET" == "tooling" ]]; then
echo "dependency validate_test..."
"${ENVOY_SRCDIR}"/tools/dependency/validate_test.py

# Validate the CVE scanner works. We do it here as well as in cve_scan, since this blocks
# presubmits, but cve_scan only runs async.
echo "cve_scan_test..."
bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:cve_scan_test

exit 0
elif [[ "$CI_TARGET" == "verify_examples" ]]; then
run_ci_verify "*" "wasm-cc|win32-front-proxy"
Expand Down
1 change: 1 addition & 0 deletions tools/base/requirements.in
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ envoy.base.checker
envoy.base.runner
envoy.base.utils>=0.0.10
envoy.code_format.python_check>=0.0.4
envoy.dependency.cve_scan
envoy.dependency.pip_check>=0.0.4
envoy.distribution.release
envoy.distribution.verify
Expand Down
13 changes: 13 additions & 0 deletions tools/base/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ abstracts==0.0.12 \
# envoy.abstract.command
# envoy.base.utils
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.dependency.pip-check
# envoy.github.abstract
# envoy.github.release
Expand All @@ -19,6 +20,7 @@ aio.functional==0.0.9 \
# via
# -r requirements.in
# aio.tasks
# envoy.dependency.cve-scan
# envoy.github.abstract
# envoy.github.release
aio.stream==0.0.2 \
Expand All @@ -34,6 +36,7 @@ aio.tasks==0.0.4 \
# via
# -r requirements.in
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.github.abstract
# envoy.github.release
aiodocker==0.21.0 \
Expand Down Expand Up @@ -87,6 +90,7 @@ aiohttp==3.7.4.post0 \
# via
# aio.stream
# aiodocker
# envoy.dependency.cve-scan
# envoy.github.abstract
# envoy.github.release
# slackclient
Expand Down Expand Up @@ -261,6 +265,7 @@ envoy.base.checker==0.0.2 \
# via
# -r requirements.in
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.dependency.pip-check
# envoy.distribution.distrotest
# envoy.distribution.verify
Expand All @@ -279,6 +284,7 @@ envoy.base.utils==0.0.10 \
# via
# -r requirements.in
# envoy.code-format.python-check
# envoy.dependency.cve-scan
# envoy.dependency.pip-check
# envoy.distribution.distrotest
# envoy.docs.sphinx-runner
Expand All @@ -287,6 +293,10 @@ envoy.base.utils==0.0.10 \
envoy.code-format.python-check==0.0.4 \
--hash=sha256:5e166102d1f873f0c14640bcef87b46147cbad1cb68888c977acfde7fce96e04
# via -r requirements.in
envoy.dependency.cve-scan==0.0.1 \
--hash=sha256:438973e6258deb271d60a9ad688c13ebf9c5360ccb9b6b0d4af3b3228235b153 \
--hash=sha256:733fa5c6bdbe91da4afe1d46bca75279f717e410693866825d92208fa0d3418f
# via -r requirements.in
envoy.dependency.pip-check==0.0.4 \
--hash=sha256:3213d77959f65c3c97e9b5d74cb14c02bc02dae64bac2e7c3cb829a2f4e5e40e
# via -r requirements.in
Expand Down Expand Up @@ -375,6 +385,7 @@ jinja2==3.0.2 \
--hash=sha256:8569982d3f0889eed11dd620c706d39b60c36d6d25843961f33f77fb6bc6b20c
# via
# -r requirements.in
# envoy.dependency.cve-scan
# sphinx
markupsafe==2.0.1 \
--hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \
Expand Down Expand Up @@ -481,6 +492,7 @@ packaging==21.0 \
--hash=sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7 \
--hash=sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14
# via
# envoy.dependency.cve-scan
# envoy.github.release
# pytest
# sphinx
Expand Down Expand Up @@ -732,6 +744,7 @@ typing-extensions==3.10.0.2 \
# via
# aiodocker
# aiohttp
# gitpython
uritemplate==3.0.1 \
--hash=sha256:07620c3f3f8eed1f12600845892b0e036a2420acf513c53f7de0abd911a5894f \
--hash=sha256:5af8ad10cec94f215e3f48112de2022e1d5a37ed427fbd88652fa908f2ab7cae
Expand Down
21 changes: 5 additions & 16 deletions tools/dependency/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -24,23 +24,12 @@ py_library(

py_binary(
name = "cve_scan",
srcs = [
"cve_scan.py",
"utils.py",
],
srcs = ["cve_scan.py"],
args = ["$(location :cve.yaml)"],
data = [
":cve.yaml",
":exports",
requirement("envoy.base.utils"),
],
)

py_binary(
name = "cve_scan_test",
srcs = ["cve_scan_test.py"],
data = [
":cve_scan",
data = [":cve.yaml"],
deps = [
":utils",
requirement("envoy.dependency.cve_scan"),
],
)

Expand Down
2 changes: 1 addition & 1 deletion tools/dependency/cve.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ ndist_url: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{year}.json.gz

# These CVEs are false positives for the match heuristics. An explanation is
# required when adding a new entry to this list as a comment.
ignore:
ignored_cves:
Comment thread
phlax marked this conversation as resolved.
# Node.js issue unrelated to http-parser (napi_ API implementation).
- CVE-2020-8174
# Node.js HTTP desync attack. Request smuggling due to CR and hyphen
Expand Down
Loading