
melange/0.13.3 package update #30356

Merged: 1 commit merged on Oct 8, 2024

Conversation

octo-sts[bot] (Contributor) commented Oct 8, 2024

octo-sts bot added the labels request-version-update (request for a newer version of a package) and automated pr on Oct 8, 2024

github-actions bot (Contributor) commented Oct 8, 2024

Package melange-microvm-init:
Unchanged

Package melange:
Modified: /usr/bin/melange

malcontent found differences:

Deleted: melange/var/lib/db/sbom/melange-0.13.1-r0.spdx.json [⚠️ MEDIUM]

RISK     KEY           DESCRIPTION                   EVIDENCE
-MEDIUM  net/download  download files                downloadLocation
-LOW     ref/site/url  contains embedded HTTPS URLs  https://spdx.org/spdxdocs/chainguard/melange/f7272cc16492a845a6bc1973e232

Added: melange/var/lib/db/sbom/melange-0.13.3-r0.spdx.json [⚠️ MEDIUM]

RISK     KEY           DESCRIPTION                   EVIDENCE
+MEDIUM  net/download  download files                downloadLocation
+LOW     ref/site/url  contains embedded HTTPS URLs  https://spdx.org/spdxdocs/chainguard/melange/5b1f9ea48198f45ce704fca21203

Changed: /tmp/wolfictl-apk-3885527745/melange-microvm-init/init

Changed: /tmp/wolfictl-apk-3885527745/melange/usr/bin/melange

Moved: melange-microvm-init/var/lib/db/sbom/melange-microvm-init-0.13.1-r0.spdx.json -> /tmp/wolfictl-apk-3885527745/melange-microvm-init/var/lib/db/sbom/melange-microvm-init-0.13.3-r0.spdx.json (similarity: 0.99)

octo-sts bot added the label bincapz/blocking (Bincapz (aka malcontent) scan results detected CRITICALs on the packages) on Oct 8, 2024

octo-sts bot (Contributor, Author) commented Oct 8, 2024

malcontent detected files with a risk score equal or higher than 'CRITICAL':

/tmp/malcontent1206317828/packages/x86_64/melange-0.13.3-r0.apk/usr/bin/melange [🚨 CRITICAL]

RISK      KEY                  DESCRIPTION                                                     EVIDENCE
HIGH      admin/pip_install    Installs software using pip from python                         pip install, b3312fa7e23ee7e4988e056be3f82d19
CRITICAL  combo/dropper/shell  change dir, fetch file via tor, make it executable, and run it  ./b, ./configure --prefix, ./configure command., ./configure.ac, ./dist/, ./m, ./package.json, ./pipe/docker, ./pombump-deps.yaml, ./pombump-properties.yaml, .onion, cd $, cd /home/build, chmod, curl -L
HIGH      ref/path/hidden      hidden path in a system directory                               scallhtml3125Atoilib/bin/.so.

egibs added the label malcontent/reviewed (The malcontent findings in this PR have been manually reviewed by security) on Oct 8, 2024
mamccorm merged commit 9db10e0 into main on Oct 8, 2024
15 checks passed
mamccorm deleted the wolfictl-2652b260-c668-4de0-8db4-c381cf435e11 branch on October 8, 2024 at 21:58