merge main into release #96

nam20485 · 2023-10-28T14:10:27Z

No description provided.

Signed-off-by: StepSecurity Bot <[email protected]>

@nam20485

## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @nam20485. Please merge the Pull Request to incorporate the requested changes. Please tag @nam20485 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Keeping your actions up to date with Dependabot With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF). - [GitHub Security Guide](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) ### Add Dependency Review Workflow The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. - [Github Guide about Dependency Review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) - [Github Guide for Configuring Dependency Review Action](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#using-inline-configuration-to-set-up-the-dependency-review-action) ## Feedback For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <[email protected]>

Bumps [django](https://github.com/django/django) from 4.2.3 to 4.2.6. - [Commits](django/django@4.2.3...4.2.6) --- updated-dependencies: - dependency-name: django dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3.1.0...b4ffde6) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

… them from github

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.1.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@0efb1d1...6c5ccda) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.4 to 2.22.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2.2.4...49abf0b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

@v2

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.3.1 to 3.1.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v2.3.1...a8a3f3a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.3.1 to 3.1.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v3.1.3</h2> <h2>What's Changed</h2> <ul> <li>chore(github): remove trailing whitespaces by <a href="https://github.com/ljmf00"><code>@ljmf00</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/313">actions/upload-artifact#313</a></li> <li>Bump <code>@actions/artifact</code> version to v1.1.2 by <a href="https://github.com/bethanyj28"><code>@bethanyj28</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/436">actions/upload-artifact#436</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v3...v3.1.3">https://github.com/actions/upload-artifact/compare/v3...v3.1.3</a></p> <h2>v3.1.2</h2> <ul> <li>Update all <code>@actions/*</code> NPM packages to their latest versions- <a href="https://redirect.github.com/actions/upload-artifact/issues/374">#374</a></li> <li>Update all dev dependencies to their most recent versions - <a href="https://redirect.github.com/actions/upload-artifact/issues/375">#375</a></li> </ul> <h2>v3.1.1</h2> <ul> <li>Update actions/core package to latest version to remove <code>set-output</code> deprecation warning <a href="https://redirect.github.com/actions/upload-artifact/issues/351">#351</a></li> </ul> <h2>v3.1.0</h2> <h2>What's Changed</h2> <ul> <li>Bump <code>@actions/artifact</code> to v1.1.0 (<a href="https://redirect.github.com/actions/upload-artifact/pull/327">actions/upload-artifact#327</a>) <ul> <li>Adds checksum headers on artifact upload (<a href="https://redirect.github.com/actions/toolkit/pull/1095">actions/toolkit#1095</a>) (<a href="https://redirect.github.com/actions/toolkit/pull/1063">actions/toolkit#1063</a>)</li> </ul> </li> </ul> <h2>v3.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update default runtime to node16 (<a href="https://redirect.github.com/actions/upload-artifact/issues/293">#293</a>)</li> <li>Update package-lock.json file version to 2 (<a href="https://redirect.github.com/actions/upload-artifact/issues/302">#302</a>)</li> </ul> <h3>Breaking Changes</h3> <p>With the update to Node 16, all scripts will now be run with Node 16 rather than Node 12.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/a8a3f3ad30e3422c9c7b888a15615d19a852ae32"><code>a8a3f3a</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/436">#436</a> from bethanyj28/main</li> <li><a href="https://github.com/actions/upload-artifact/commit/7b48769c030f7121ecb01c3558dd3cd8b9660a20"><code>7b48769</code></a> update dependency cache</li> <li><a href="https://github.com/actions/upload-artifact/commit/66630398dfe3d04deb4c489ac54b9b468f071706"><code>6663039</code></a> update dist/index.js</li> <li><a href="https://github.com/actions/upload-artifact/commit/55e76b779da56f582e27a6f7aff54c1e610551e5"><code>55e76b7</code></a> bump <code>@actions/artifact</code> version</li> <li><a href="https://github.com/actions/upload-artifact/commit/65d862660abb392b8c4a3d1195a2108db131dd05"><code>65d8626</code></a> chore(github): remove trailing whitespaces (<a href="https://redirect.github.com/actions/upload-artifact/issues/313">#313</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/0b7f8abb1508181956e8e162db84b466c27e18ce"><code>0b7f8ab</code></a> ci(github): update action/download-artifact from v1 to v3 (<a href="https://redirect.github.com/actions/upload-artifact/issues/312">#312</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/013d2b89baa2f354c5ffec54c68bec4ab39a2534"><code>013d2b8</code></a> Create devcontainer for codespaces + update all dev dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/375">#375</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/055b8b3f04a4a7ed853f2c6ab04256f83e4874dc"><code>055b8b3</code></a> Bump Actions NPM dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/374">#374</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/7a5d4831f75130126bffffb8443b412485f7b836"><code>7a5d483</code></a> ci(github): update action/checkout from v2 to v3 (<a href="https://redirect.github.com/actions/upload-artifact/issues/315">#315</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/e0057a5b76f2fdad976135e8dd7b691e632b9056"><code>e0057a5</code></a> README: Bump actions/checkout to v3 (<a href="https://redirect.github.com/actions/upload-artifact/issues/352">#352</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/upload-artifact/compare/v2.3.1...a8a3f3ad30e3422c9c7b888a15615d19a852ae32">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=2.3.1&new-version=3.1.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 3.3.0 to 5.0.0. - [Release notes](https://github.com/docker/metadata-action/releases) - [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md) - [Commits](docker/metadata-action@98669ae...96383f4) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2.1.1 to 3.0.2. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@cbed621...9bc31d5) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/login-action](https://github.com/docker/login-action) from 1.9.0 to 3.0.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@28218f9...343f7c4) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 5.0.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@ac9327e...0565240) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2.1.1 to 3.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v3.0.2</h2> <ul> <li>Bump <code>@actions/artifact</code> to v1.1.1 - <a href="https://redirect.github.com/actions/download-artifact/pull/195">actions/download-artifact#195</a></li> <li>Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet <a href="hhttps://redirect.github.com/actions/toolkit/pull/1278">actions/toolkit#1278</a></li> </ul> <h2>v3.0.1</h2> <ul> <li><a href="https://redirect.github.com/actions/download-artifact/pull/178">Bump <code>@actions/core</code> to 1.10.0</a></li> </ul> <h2>v3.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update default runtime to node16 (<a href="https://redirect.github.com/actions/download-artifact/pull/134">actions/download-artifact#134</a>)</li> <li>Update package-lock.json file version to 2 (<a href="https://redirect.github.com/actions/download-artifact/pull/136">actions/download-artifact#136</a>)</li> </ul> <h3>Breaking Changes</h3> <p>With the update to Node 16, all scripts will now be run with Node 16 rather than Node 12.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/9bc31d5ccc31df68ecc42ccf4149144866c47d8a"><code>9bc31d5</code></a> Update to latest actions/artifact NPM package (<a href="https://redirect.github.com/actions/download-artifact/issues/195">#195</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/d2278a10efbd646909370fd49fb454cb04e368e3"><code>d2278a1</code></a> Update release-new-action-version.yml (<a href="https://redirect.github.com/actions/download-artifact/issues/196">#196</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/c1a6d8f06a2e68a3b8f869512742db4750e492bd"><code>c1a6d8f</code></a> Update codeql-analysis.yml (<a href="https://redirect.github.com/actions/download-artifact/issues/197">#197</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/9782bd6a9848b53b110e712e20e42d89988822b7"><code>9782bd6</code></a> Update <code>@actions/core</code> to 1.10.0 (<a href="https://redirect.github.com/actions/download-artifact/issues/178">#178</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/076f0f7dd036d87e8e04f5f00d614e790308961b"><code>076f0f7</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/156">#156</a> from actions/dependabot/npm_and_yarn/ansi-regex-4.1.1</li> <li><a href="https://github.com/actions/download-artifact/commit/7151be32215ef355cb7fe2aea5a54c10fd02172d"><code>7151be3</code></a> Bump ansi-regex from 4.1.0 to 4.1.1</li> <li><a href="https://github.com/actions/download-artifact/commit/51cbdc41c19b18c53d3d78c72b50536e5abb89ce"><code>51cbdc4</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/152">#152</a> from actions/dependabot/npm_and_yarn/minimist-1.2.6</li> <li><a href="https://github.com/actions/download-artifact/commit/e89a529079d575da1409e3cd6ff98eb88d707721"><code>e89a529</code></a> Bump minimist from 1.2.5 to 1.2.6</li> <li><a href="https://github.com/actions/download-artifact/commit/fb598a63ae348fa914e94cd0ff38f362e927b741"><code>fb598a6</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/136">#136</a> from actions/jtamsut/update-lockfile-version</li> <li><a href="https://github.com/actions/download-artifact/commit/a4a09c5d7eb5932e0e6c4e77a434738189a24f1b"><code>a4a09c5</code></a> regenerate index.js</li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/cbed621e49e4c01b044d60f6c80ea4ed6328b281...9bc31d5ccc31df68ecc42ccf4149144866c47d8a">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=2.1.1&new-version=3.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

[//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 5.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/build-push-action/releases">docker/build-push-action's releases</a>.</em></p> <blockquote> <h2>v5.0.0</h2> <ul> <li>Node 20 as default runtime (requires <a href="https://github.com/actions/runner/releases/tag/v2.308.0">Actions Runner v2.308.0</a> or later) by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/954">docker/build-push-action#954</a></li> <li>Bump <code>@actions/core</code> from 1.10.0 to 1.10.1 in <a href="https://redirect.github.com/docker/build-push-action/pull/959">docker/build-push-action#959</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v4.2.1...v5.0.0">https://github.com/docker/build-push-action/compare/v4.2.1...v5.0.0</a></p> <h2>v4.2.1</h2> <blockquote> <p><strong>Note</strong></p> <p>Buildx v0.10 enables support for a minimal <a href="https://slsa.dev/provenance/">SLSA Provenance</a> attestation, which requires support for <a href="https://github.com/opencontainers/image-spec">OCI-compliant</a> multi-platform images. This may introduce issues with registry and runtime support (e.g. <a href="https://redirect.github.com/docker/buildx/issues/1533">Google Cloud Run and AWS Lambda</a>). You can optionally disable the default provenance attestation functionality using <code>provenance: false</code>.</p> </blockquote> <ul> <li>warn if docker config can't be parsed by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/957">docker/build-push-action#957</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v4.2.0...v4.2.1">https://github.com/docker/build-push-action/compare/v4.2.0...v4.2.1</a></p> <h2>v4.2.0</h2> <blockquote> <p><strong>Note</strong></p> <p>Buildx v0.10 enables support for a minimal <a href="https://slsa.dev/provenance/">SLSA Provenance</a> attestation, which requires support for <a href="https://github.com/opencontainers/image-spec">OCI-compliant</a> multi-platform images. This may introduce issues with registry and runtime support (e.g. <a href="https://redirect.github.com/docker/buildx/issues/1533">Google Cloud Run and AWS Lambda</a>). You can optionally disable the default provenance attestation functionality using <code>provenance: false</code>.</p> </blockquote> <ul> <li>display proxy configuration by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/872">docker/build-push-action#872</a></li> <li>chore(deps): Bump <code>@docker/actions-toolkit</code> from 0.6.0 to 0.8.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/930">docker/build-push-action#930</a></li> <li>chore(deps): Bump word-wrap from 1.2.3 to 1.2.5 in <a href="https://redirect.github.com/docker/build-push-action/pull/925">docker/build-push-action#925</a></li> <li>chore(deps): Bump semver from 6.3.0 to 6.3.1 in <a href="https://redirect.github.com/docker/build-push-action/pull/902">docker/build-push-action#902</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v4.1.1...v4.2.0">https://github.com/docker/build-push-action/compare/v4.1.1...v4.2.0</a></p> <h2>v4.1.1</h2> <blockquote> <p><strong>Note</strong></p> <p>Buildx v0.10 enables support for a minimal <a href="https://slsa.dev/provenance/">SLSA Provenance</a> attestation, which requires support for <a href="https://github.com/opencontainers/image-spec">OCI-compliant</a> multi-platform images. This may introduce issues with registry and runtime support (e.g. <a href="https://redirect.github.com/docker/buildx/issues/1533">Google Cloud Run and AWS Lambda</a>). You can optionally disable the default provenance attestation functionality using <code>provenance: false</code>.</p> </blockquote> <ul> <li>Bump <code>@docker/actions-toolkit</code> from 0.3.0 to 0.5.0 by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/880">docker/build-push-action#880</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v4.1.0...v4.1.1">https://github.com/docker/build-push-action/compare/v4.1.0...v4.1.1</a></p> <h2>v4.1.0</h2> <blockquote> <p><strong>Note</strong></p> <p>Buildx v0.10 enables support for a minimal <a href="https://slsa.dev/provenance/">SLSA Provenance</a> attestation, which requires support for <a href="https://github.com/opencontainers/image-spec">OCI-compliant</a> multi-platform images. This may introduce issues with registry and runtime support (e.g. <a href="https://redirect.github.com/docker/buildx/issues/1533">Google Cloud Run and AWS Lambda</a>). You can optionally disable the default provenance attestation functionality using <code>provenance: false</code>.</p> </blockquote> <ul> <li>Switch to actions-toolkit implementation by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/811">docker/build-push-action#811</a> <a href="https://redirect.github.com/docker/build-push-action/pull/838">docker/build-push-action#838</a> <a href="https://redirect.github.com/docker/build-push-action/pull/855">docker/build-push-action#855</a> <a href="https://redirect.github.com/docker/build-push-action/pull/860">docker/build-push-action#860</a> <a href="https://redirect.github.com/docker/build-push-action/pull/875">docker/build-push-action#875</a></li> <li>e2e: quay.io by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/799">docker/build-push-action#799</a> <a href="https://redirect.github.com/docker/build-push-action/pull/805">docker/build-push-action#805</a></li> <li>e2e: local harbor and nexus by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/800">docker/build-push-action#800</a></li> <li>e2e: add artifactory container registry to test against by <a href="https://github.com/jedevc"><code>@jedevc</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/804">docker/build-push-action#804</a></li> <li>e2e: add distribution tests by <a href="https://github.com/jedevc"><code>@jedevc</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/814">docker/build-push-action#814</a> <a href="https://redirect.github.com/docker/build-push-action/pull/815">docker/build-push-action#815</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v4.0.0...v4.1.0">https://github.com/docker/build-push-action/compare/v4.0.0...v4.1.0</a></p> <h2>v4.0.0</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/build-push-action/commit/0565240e2d4ab88bba5387d719585280857ece09"><code>0565240</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/959">#959</a> from docker/dependabot/npm_and_yarn/actions/core-1.10.1</li> <li><a href="https://github.com/docker/build-push-action/commit/3ab07f880128dd3b47d7764b661d608b1e37712a"><code>3ab07f8</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/b9e7e4daec1dd1fed28b226354d2eef8aa92ca38"><code>b9e7e4d</code></a> chore(deps): Bump <code>@actions/core</code> from 1.10.0 to 1.10.1</li> <li><a href="https://github.com/docker/build-push-action/commit/04d1a3b0491bb1fbd0843d1fea3390e385bf2252"><code>04d1a3b</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/954">#954</a> from crazy-max/update-node20</li> <li><a href="https://github.com/docker/build-push-action/commit/1a4d1a13fb219ebf616f93930a8c4c6a9ff24155"><code>1a4d1a1</code></a> chore: node 20 as default runtime</li> <li><a href="https://github.com/docker/build-push-action/commit/675965c0e16f1a0f94ecafff969d8c966f92c17b"><code>675965c</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/58ee34cb6bad9fc3b471453afb4ed741cb0e6ff3"><code>58ee34c</code></a> chore: fix author in package.json</li> <li><a href="https://github.com/docker/build-push-action/commit/c97c4060bdc51e97b1b2a972eab2f77d6ae8e57a"><code>c97c406</code></a> fix ProxyConfig type when checking length</li> <li><a href="https://github.com/docker/build-push-action/commit/47d5369e0b15ff3b951d5787a265fbecf0fc2bac"><code>47d5369</code></a> vendor: bump <code>@docker/actions-toolkit</code> from 0.8.0 to 0.12.0</li> <li><a href="https://github.com/docker/build-push-action/commit/8895c7468fbe88881dcc4c5b416553e604722cf2"><code>8895c74</code></a> chore: update dev dependencies</li> <li>Additional commits viewable in <a href="https://github.com/docker/build-push-action/compare/ac9327eae2b366085ac7f6a2d02df8aa8ead720a...0565240e2d4ab88bba5387d719585280857ece09">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=docker/build-push-action&package-manager=github_actions&previous-version=2.10.0&new-version=5.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps [ilammy/msvc-dev-cmd](https://github.com/ilammy/msvc-dev-cmd) from 1.12.0 to 1.12.1. - [Release notes](https://github.com/ilammy/msvc-dev-cmd/releases) - [Commits](ilammy/msvc-dev-cmd@7315a94...cec98b9) --- updated-dependencies: - dependency-name: ilammy/msvc-dev-cmd dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

[//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [ilammy/msvc-dev-cmd](https://github.com/ilammy/msvc-dev-cmd) from 1.12.0 to 1.12.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ilammy/msvc-dev-cmd/releases">ilammy/msvc-dev-cmd's releases</a>.</em></p> <blockquote> <h2>msvc-dev-cmd v1.12.1</h2> <ul> <li>Bump <code>@actions/core</code> to 1.10.0 (<a href="https://redirect.github.com/ilammy/msvc-dev-cmd/pull/62">#62</a>)</li> </ul> <p>Thanks to <a href="https://github.com/Simran-B"><code>@Simran-B</code></a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ilammy/msvc-dev-cmd/commit/cec98b9d092141f74527d0afa6feb2af698cfe89"><code>cec98b9</code></a> msvc-dev-cmd v1.12.1</li> <li><a href="https://github.com/ilammy/msvc-dev-cmd/commit/bba535b3febaff0dc5acaa23eca66da3024e6e24"><code>bba535b</code></a> Bump <code>@actions/core</code> to 1.10.0 (<a href="https://redirect.github.com/ilammy/msvc-dev-cmd/issues/62">#62</a>)</li> <li><a href="https://github.com/ilammy/msvc-dev-cmd/commit/674ff850cbd739c402260838fa45b7114f750570"><code>674ff85</code></a> Have "Release" job test <code>release/v1</code> branch (<a href="https://redirect.github.com/ilammy/msvc-dev-cmd/issues/61">#61</a>)</li> <li><a href="https://github.com/ilammy/msvc-dev-cmd/commit/f57be51deefa14a6df9e6b949b71bed9e5d9abff"><code>f57be51</code></a> Bump to 1.13.0-dev</li> <li>See full diff in <a href="https://github.com/ilammy/msvc-dev-cmd/compare/7315a94840631165970262a99c72cfb48a65d25d...cec98b9d092141f74527d0afa6feb2af698cfe89">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ilammy/msvc-dev-cmd&package-manager=github_actions&previous-version=1.12.0&new-version=1.12.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

…lopment

… if it fixes scorecard flagging it as non-pinned dependencies

…ments.txt

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.4 to 2.22.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@49abf0b...74483a3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: StepSecurity Bot <[email protected]>

@nam20485

## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @nam20485. Please merge the Pull Request to incorporate the requested changes. Please tag @nam20485 on your message if you have any questions related to the PR. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Keeping your actions up to date with Dependabot With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF). - [GitHub Security Guide](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) ## Feedback For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.4 to 2.22.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>2.22.5 - 27 Oct 2023</h2> <p>No user facing changes.</p> <h2>2.22.4 - 20 Oct 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.15.1. <a href="https://redirect.github.com/github/codeql-action/pull/1953">#1953</a></li> <li>Users will begin to see warnings on Node.js 16 deprecation in their Actions logs on code scanning runs starting October 23, 2023. <ul> <li>All code scanning workflows should continue to succeed regardless of the warning.</li> <li>The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20.</li> <li>For more information, and to communicate with the maintaining team, please use <a href="https://redirect.github.com/github/codeql-action/issues/1959">this issue</a>.</li> </ul> </li> </ul> <h2>2.22.3 - 13 Oct 2023</h2> <ul> <li>Provide an authentication token when downloading the CodeQL Bundle from the API of a GitHub Enterprise Server instance. <a href="https://redirect.github.com/github/codeql-action/pull/1945">#1945</a></li> </ul> <h2>2.22.2 - 12 Oct 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.15.0. <a href="https://redirect.github.com/github/codeql-action/pull/1938">#1938</a></li> <li>Improve the log output when an error occurs in an invocation of the CodeQL CLI. <a href="https://redirect.github.com/github/codeql-action/pull/1927">#1927</a></li> </ul> <h2>2.22.1 - 09 Oct 2023</h2> <ul> <li>Add a workaround for Python 3.12, which is not supported in CodeQL CLI version 2.14.6 or earlier. If you are running an analysis on Windows and using Python 3.12 or later, the CodeQL Action will switch to running Python 3.11. In this case, if Python 3.11 is not found, then the workflow will fail. <a href="https://redirect.github.com/github/codeql-action/pull/1928">#1928</a></li> </ul> <h2>2.22.0 - 06 Oct 2023</h2> <ul> <li>The CodeQL Action now requires CodeQL version 2.10.5 or later. For more information, see the corresponding changelog entry for CodeQL Action version 2.21.8. <a href="https://redirect.github.com/github/codeql-action/pull/1907">#1907</a></li> <li>The CodeQL Action no longer runs ML-powered queries. For more information, including details on our investment in AI-powered security technology, see <a href="https://github.blog/changelog/2023-09-29-codeql-code-scanning-deprecates-ml-powered-alerts/">"CodeQL code scanning deprecates ML-powered alerts."</a> <a href="https://redirect.github.com/github/codeql-action/pull/1910">#1910</a></li> <li>Fix a bug which prevented tracing of projects using Go 1.21 and above on Linux. <a href="https://redirect.github.com/github/codeql-action/pull/1909">#1909</a></li> </ul> <h2>2.21.9 - 27 Sep 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.14.6. <a href="https://redirect.github.com/github/codeql-action/pull/1897">#1897</a></li> <li>We are rolling out a feature in October 2023 that will improve the success rate of C/C++ autobuild. <a href="https://redirect.github.com/github/codeql-action/pull/1889">#1889</a></li> <li>We are rolling out a feature in October 2023 that will provide specific file coverage information for C and C++, Java and Kotlin, and JavaScript and TypeScript. Currently file coverage information for each of these pairs of languages is grouped together. <a href="https://redirect.github.com/github/codeql-action/pull/1903">#1903</a></li> <li>Add a warning to help customers avoid inadvertently analyzing the same CodeQL language in multiple matrix jobs. <a href="https://redirect.github.com/github/codeql-action/pull/1901">#1901</a></li> </ul> <h2>2.21.8 - 19 Sep 2023</h2> <ul> <li>Add a deprecation warning for customers using CodeQL version 2.10.4 and earlier. These versions of CodeQL were discontinued on 12 September 2023 alongside GitHub Enterprise Server 3.6, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/1884">#1884</a> <ul> <li>If you are using one of these versions, please update to CodeQL CLI version 2.10.5 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.</li> </ul> </li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/74483a38d39275f33fcff5f35b679b5ca4a26a99"><code>74483a3</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1972">#1972</a> from github/update-v2.22.5-2d5ffa777</li> <li><a href="https://github.com/github/codeql-action/commit/2ba6829f2be5b94619d62b0fa920cbceb03b4c25"><code>2ba6829</code></a> Update changelog for v2.22.5</li> <li><a href="https://github.com/github/codeql-action/commit/2d5ffa7773a66e73dade704e35d2d50378caddac"><code>2d5ffa7</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1970">#1970</a> from github/henrymercer/clean-up-init-logs</li> <li><a href="https://github.com/github/codeql-action/commit/14d0fa93b407a5901c543d04d95cb7f47b64da50"><code>14d0fa9</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1967">#1967</a> from github/henrymercer/enable-features-on-ghes</li> <li><a href="https://github.com/github/codeql-action/commit/5744b13b669bded0635b39ab6bcfea7bd8aa81b2"><code>5744b13</code></a> Rebuild Action</li> <li><a href="https://github.com/github/codeql-action/commit/f3b55862ea536f287e422fe679ff5a2d31ae22ee"><code>f3b5586</code></a> Check out the right branch in <code>rebuild.yml</code></li> <li><a href="https://github.com/github/codeql-action/commit/95c219819daf2d5528ce5e88bd18d58ed97d1550"><code>95c2198</code></a> Add a log in the OK case</li> <li><a href="https://github.com/github/codeql-action/commit/e8e83c3a56bd831d3e9bf6353a799842468c8299"><code>e8e83c3</code></a> Merge branch 'main' into henrymercer/enable-features-on-ghes</li> <li><a href="https://github.com/github/codeql-action/commit/c7abe9ca5f33e2f7fa03694eef40bb97815c7250"><code>c7abe9c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/1971">#1971</a> from github/henrymercer/bot-rebuild</li> <li><a href="https://github.com/github/codeql-action/commit/3fc281e07926297f6a1415e70999053c90c5e329"><code>3fc281e</code></a> Add workflow to rebuild the Action on a label</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/49abf0ba24d0b7953cb586944e918a0b92074c80...74483a38d39275f33fcff5f35b679b5ca4a26a99">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=2.22.4&new-version=2.22.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.4.0 to 6.0.0. - [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases) - [Commits](crazy-max/ghaction-import-gpg@e00cb83...82a020f) --- updated-dependencies: - dependency-name: crazy-max/ghaction-import-gpg dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

…haction-import-gpg-6.0.0

… interpreted languages (i.e. not C++)

…lopment

github-actions · 2023-10-28T14:17:09Z

🔍 Vulnerabilities of `nam20485/odbdesign:pr-96`

📦 Image Reference nam20485/odbdesign:pr-96

digest	`sha256:bcb25368562ef6c756354af458ffdcae7473e13367767f03948cd72e426eb07c`
vulnerabilities
platform	linux/amd64
size	39 MB
packages	126

📦 Base Image debian:12-slim

also known as	`12.2-slim` `bookworm-20231009-slim` `bookworm-slim`
digest	`sha256:ceffa8e71bafc0190f915774b9696a0b6cb6262d1df5f64028b570ca4055ba83`
vulnerabilities

zlib 1:1.2.13.dfsg-1 (deb)

pkg:deb/debian/zlib@1:1.2.13.dfsg-1?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=1:1.2.13.dfsg-1`
Fixed version	Not Fixed

Description

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.

glibc 2.36-9+deb12u3 (deb)

pkg:deb/debian/[email protected]+deb12u3?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.36-9+deb12u2`
Fixed version	Not Fixed

Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Affected range	`>=2.36-9+deb12u2`
Fixed version	Not Fixed

Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

tar 1.34+dfsg-1.2 (deb)

pkg:deb/debian/[email protected]+dfsg-1.2?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=1.34+dfsg-1.2`
Fixed version	Not Fixed

Description

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

Affected range	`>=1.34+dfsg-1.2`
Fixed version	Not Fixed

Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

perl 5.36.0-7 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=5.36.0-7`
Fixed version	Not Fixed

Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Affected range	`>=5.36.0-7`
Fixed version	Not Fixed

Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

shadow 1:4.13+dfsg1-1 (deb)

pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=1:4.13+dfsg1-1`
Fixed version	Not Fixed

Description

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).

Affected range	`>=1:4.13+dfsg1-1`
Fixed version	Not Fixed

Description

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

gnutls28 3.7.9-2 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=3.7.9-2`
Fixed version	Not Fixed

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

systemd 252.17-1~deb12u1 (deb)

pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=252.17-1~deb12u1`
Fixed version	Not Fixed

Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

libgcrypt20 1.10.1-3 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=1.10.1-3`
Fixed version	Not Fixed

Description

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

gcc-12 12.2.0-14 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=12.2.0-14`
Fixed version	Not Fixed

Description

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

util-linux 2.38.1-5 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.38.1-5`
Fixed version	Not Fixed

Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

gnupg2 2.2.40-1.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.2.40-1.1`
Fixed version	Not Fixed

Description

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

coreutils 9.1-1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=9.1-1`
Fixed version	Not Fixed

Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

util-linux 2.38.1-5+b1 (deb)

pkg:deb/debian/[email protected]+b1?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.38.1-5`
Fixed version	Not Fixed

Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

apt 2.6.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

Affected range	`>=2.6.1`
Fixed version	Not Fixed

Description

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

github-actions · 2023-10-28T14:17:12Z

Recommended fixes for image `nam20485/odbdesign:pr-96`

Base image is debian:12-slim

Name	bookworm-20231009-slim
Digest	sha256:ceffa8e71bafc0190f915774b9696a0b6cb6262d1df5f64028b570ca4055ba83
Vulnerabilities
Pushed	2 weeks ago
Size	29 MB
Packages	126
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): 12.2-slim, bookworm-20231009-slim, bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
`stable-slim` Tag is preferred tag Also known as: stable-20231009-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 29 MB Flavor: debian OS: 11 Slim: ✅	2 weeks ago
`12` Tag is latest Also known as: 12.2 bookworm bookworm-20231009 latest	Benefits: Same OS detected Tag is latest Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 50 MB Flavor: debian OS: 12	2 weeks ago

github-actions · 2023-10-28T14:17:29Z

Overview

Image reference	`ghcr.io/nam20485/odbdesign:release-latest`	`nam20485/odbdesign:pr-96`
- digest	`51d979efdac6`	`bcb25368562e`
- provenance	`f1bde5b`	`aa174e1`
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	35 MB	39 MB (+4.3 MB)
- packages	126	126
Base Image	`debian:12-slim` also known as: • `12.2-slim` • `bookworm-20231009-slim` • `bookworm-slim`	`debian:12-slim` also known as: • `12.2-slim` • `bookworm-20231009-slim` • `bookworm-slim`
- vulnerabilities

Labels (3 changes)

± 3 changed

6 unchanged

 org.opencontainers.image.authors=https://github.com/nam20485
-org.opencontainers.image.created=2023-10-25T03:04:01.733Z
+org.opencontainers.image.created=2023-10-28T14:11:18.587Z
 org.opencontainers.image.description=A free open source cross-platform C++ library for parsing ODB++ Design archives, accessing their data, and building net list product models. Exposed via a REST API and packaged inside of a Docker image.
 org.opencontainers.image.licenses=MIT
-org.opencontainers.image.revision=f1bde5bd844fd98507726b1e5baf3ab249bcb1ad
+org.opencontainers.image.revision=aa174e18cd820b465ad705534f5fe6d0568b1f22
 org.opencontainers.image.source=https://github.com/nam20485/OdbDesign
 org.opencontainers.image.title=OdbDesign
 org.opencontainers.image.url=https://github.com/nam20485/OdbDesign
-org.opencontainers.image.version=release-292
+org.opencontainers.image.version=pr-96

nam20485 and others added 30 commits October 24, 2023 17:41

move protoc-generated files into new directory to match namespace

ab97f39

change doxygen cmake configuring message

3533ce9

move files into folders matching their namespace

b062ef9

include win.h to fix undefined _WIN32_WINNT macro warnings

6c373db

fix windows header includes

d040720

move lib app files into the correct namespace

dca0caa

use windows include header

2394634

log exception when designs dir doesn't exist in designs/list endpoint

abbd1d6

move DesignCache into Odb::Lib::App namespace & folder

c967e54

guard against including windows header stuff if not using msc

abd6161

disable showing source download buttons in docs site

8983f9e

make branch names bigger in README's CI/CD section

cd6c579

Create scorecard.yml

27abbc9

Create scorecard.yml (#75)

4217b36

add empty proto definition files

5efd3bf

[StepSecurity] Apply security best practices

1b355bc

Signed-off-by: StepSecurity Bot <[email protected]>

move codeql-config.yml config into top-level .github directory

7d3053b

move disabled workflow config files into a disabled directory to hide…

5a05ff1

… them from github

fix action urls to move version comment out of the value

4d2e6f0

dependabot bot and others added 26 commits October 27, 2023 02:26

pin base image tags to shas in dockerfiles

fb5f074

Merge branch 'development' of github.com:nam20485/OdbDesign into deve…

2abad09

…lopment

descend into directory before pip install'ing requirements.txt to see…

6cea070

… if it fixes scorecard flagging it as non-pinned dependencies

comment out pip install command in python Dockerfile

443b056

use pip-compile to generate hashes for python dependencies in require…

324ba0d

…ments.txt

uncomment final image build in python Dockerfile

7fdd894

create sha256sum's for binaries and upload them as release assets

f2272f9

import GPG key and create signature binary release assets

0014526

[StepSecurity] Apply security best practices

6d0d808

Signed-off-by: StepSecurity Bot <[email protected]>

Merge branch 'development' into dependabot/github_actions/crazy-max/g…

56f1dcb

…haction-import-gpg-6.0.0

comment out paths field in CodeQL config, its only used when scanning…

ae1334a

… interpreted languages (i.e. not C++)

Merge branch 'development' of github.com:nam20485/OdbDesign into deve…

86fb51a

…lopment

merge development into main (#94)

f7e878f

nam20485 merged commit 85a4565 into release Oct 29, 2023
18 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

merge main into release #96

merge main into release #96

nam20485 commented Oct 28, 2023

github-actions bot commented Oct 28, 2023

github-actions bot commented Oct 28, 2023

github-actions bot commented Oct 28, 2023

merge main into release #96

merge main into release #96

Conversation

nam20485 commented Oct 28, 2023

github-actions bot commented Oct 28, 2023

🔍 Vulnerabilities of nam20485/odbdesign:pr-96

github-actions bot commented Oct 28, 2023

Recommended fixes for image nam20485/odbdesign:pr-96

Refresh base image

Change base image

github-actions bot commented Oct 28, 2023

Overview

🔍 Vulnerabilities of `nam20485/odbdesign:pr-96`

Recommended fixes for image `nam20485/odbdesign:pr-96`