Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: automated PR to main 2024-06-30 #179

Open
wants to merge 324 commits into
base: main
Choose a base branch
from
Open

chore: automated PR to main 2024-06-30 #179

wants to merge 324 commits into from

Conversation

github-actions[bot]
Copy link

Automated Pull Request to main branch

@github-actions github-actions bot requested a review from akashsinghal as a code owner June 30, 2024 08:35
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 10, 2024
View reviewed changes
pkg/referrerstore/oras/oras.go
@@ -183,7 +183,7 @@
insecureTransport.MaxIdleConnsPerHost = HTTPMaxIdleConnsPerHost
// #nosec G402
insecureTransport.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
InsecureSkipVerify: true, //nolint:gosec

Check failure

Code scanning / CodeQL

Disabled TLS certificate check High

InsecureSkipVerify should not be used in production code.

Copilot Autofix AI 21 days ago

To fix the problem, we should avoid setting InsecureSkipVerify to true in production code. Instead, we should ensure that the application uses valid certificates and performs proper certificate verification. If there is a need to handle both secure and insecure connections, we should provide a configuration option that allows the user to specify whether to skip certificate verification, but default to secure connections.

In this specific case, we will remove the insecureTransport configuration and ensure that the application only uses the secureTransport configuration. This will enforce TLS certificate verification.

Suggested changeset 1
pkg/referrerstore/oras/oras.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/pkg/referrerstore/oras/oras.go b/pkg/referrerstore/oras/oras.go
--- a/pkg/referrerstore/oras/oras.go
+++ b/pkg/referrerstore/oras/oras.go
@@ -179,14 +179,2 @@
 
-	// define the http client for TLS disabled
-	insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
-	insecureTransport.MaxIdleConns = HTTPMaxIdleConns
-	insecureTransport.MaxConnsPerHost = HTTPMaxConnsPerHost
-	insecureTransport.MaxIdleConnsPerHost = HTTPMaxIdleConnsPerHost
-	// #nosec G402
-	insecureTransport.TLSClientConfig = &tls.Config{
-		InsecureSkipVerify: true, //nolint:gosec
-	}
-	insecureRetryTransport := retry.NewTransport(insecureTransport)
-	insecureRetryTransport.Policy = customRetryPolicy
-
 	return &orasStore{config: &conf,
@@ -196,3 +184,2 @@
 		httpClient:         &http.Client{Transport: secureRetryTransport},
-		httpClientInsecure: &http.Client{Transport: insecureRetryTransport},
 		createRepository:   createDefaultRepository}, nil
EOF
@@ -179,14 +179,2 @@

// define the http client for TLS disabled
insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
insecureTransport.MaxIdleConns = HTTPMaxIdleConns
insecureTransport.MaxConnsPerHost = HTTPMaxConnsPerHost
insecureTransport.MaxIdleConnsPerHost = HTTPMaxIdleConnsPerHost
// #nosec G402
insecureTransport.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true, //nolint:gosec
}
insecureRetryTransport := retry.NewTransport(insecureTransport)
insecureRetryTransport.Policy = customRetryPolicy

return &orasStore{config: &conf,
@@ -196,3 +184,2 @@
httpClient: &http.Client{Transport: secureRetryTransport},
httpClientInsecure: &http.Client{Transport: insecureRetryTransport},
createRepository: createDefaultRepository}, nil
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
dependabot bot and others added 2 commits December 5, 2024 14:55
@dependabot
chore: Bump github/codeql-action from 3.27.5 to 3.27.6 (ratify-projec…
fa9be71 
…t#1963)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@akashsinghal
build: add image signing for all release images (ratify-project#1947)
a2efeb7 
Signed-off-by: Akash Singhal <[email protected]>
@akashsinghal akashsinghal deployed to azure-publish December 8, 2024 08:39 — with GitHub Actions Active
@dependabot
chore: Bump golang from 73f06be to 574185e in /httpserver (ratify…
78b2eba 
…-project#1973)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
akashsinghal and others added 12 commits December 10, 2024 12:58
@akashsinghal
docs: update dev image release guidance (ratify-project#1974)
d176ea0 
Signed-off-by: Akash Singhal <[email protected]>
@junczhu @binbin-li @susanshi
feat: Implementation of KMP CRL revocation factory with cache (ratify…
59240ad 
…-project#1900)

Signed-off-by: Juncheng Zhu <[email protected]>
Co-authored-by: Binbin Li <[email protected]>
Co-authored-by: Susan Shi <[email protected]>
@dependabot
chore: Bump alpine from 1e42bbe to 21dc606 (ratify-project#1972)
bb71ae7 
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump google.golang.org/grpc from 1.68.0 to 1.68.1 (ratify-proj…
dd3a6b0 
…ect#1971)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump actions/cache from 4.1.2 to 4.2.0 (ratify-project#1967)
0c39265 
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump codecov/codecov-action from 5.0.7 to 5.1.1 (ratify-projec…
9db18d3 
…t#1966)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github.com/notaryproject/notation-core-go from 1.2.0-rc.1…
77419d5 
… to 1.2.0-rc.2 (ratify-project#1970)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump actions/setup-go from 5.1.0 to 5.2.0 (ratify-project#1979)
303c52e 
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github/codeql-action from 3.27.6 to 3.27.7 (ratify-projec…
ffddcda 
…t#1978)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@akashsinghal
chore: bump K8s versions (ratify-project#1975)
dea367e 
Signed-off-by: Akash Singhal <[email protected]>
@akashsinghal
chore: bump makefile tool dependency version (ratify-project#1976)
9233abb 
Signed-off-by: Akash Singhal <[email protected]>
@junczhu
chore: bump up golang.org/x/crypto pkg to fix vuln (ratify-project#1981)
252afd8 
Signed-off-by: Juncheng Zhu <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akashsinghal akashsinghal Awaiting requested review from akashsinghal akashsinghal is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.