
Transition Xsc to Xray #1046

Merged
merged 18 commits into from
Nov 24, 2024

Conversation


@attiasas attiasas commented Nov 14, 2024

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.

  • Remove the "404" error when XSC is not available
  • Remove old unused API
  • Add the new API URLs to the XSC service in its new location as an inner service in Xray

@attiasas attiasas added the ignore for release Automatically generated release notes label Nov 14, 2024
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Nov 17, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 17, 2024
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Nov 18, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 18, 2024
@attiasas attiasas marked this pull request as ready for review November 21, 2024 13:14
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Nov 21, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 21, 2024

🚨 Frogbot scanned this pull request and found the below:



{
		User: "admin",
		Auth: []ssh.AuthMethod{
			sshAuth,
		},
		//#nosec G106 -- Used to get ssh headers only.
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

at auth/sshlogin.go (line 67)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: SSH key not verified properly, expired certificates may be accepted
Full description

Overview

SSH Keys Past Expiration is a vulnerability that occurs when SSH keys
used for authentication have expired. Expired keys can lead to
unauthorized access to systems and sensitive data, posing a security
risk to the organization.

Vulnerable example

package main

import (
    "golang.org/x/crypto/ssh"
)

func main() {}

func insecureIgnoreHostKey() {
    _ = &ssh.ClientConfig{
        User: "username",
        Auth: []ssh.AuthMethod{nil},
        // InsecureIgnoreHostKey accepts whatever key the server presents,
        // so the client cannot tell the real server from an impostor.
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }
}

In this example, the InsecureIgnoreHostKey function is used to ignore
host key verification, which can lead to accepting expired or invalid
keys.

Remediation

package main

import (
    "log"
    "os"

    "golang.org/x/crypto/ssh"
)

func main() {}

func secureHostKeyCallback() {
    // allowed_hostkey.pub is in OpenSSH public-key (authorized_keys) text
    // format, so it is parsed with ParseAuthorizedKey; ParsePublicKey
    // expects the binary wire format and would fail on this file.
    publicKeyBytes, err := os.ReadFile("allowed_hostkey.pub")
    if err != nil {
        log.Fatal(err)
    }
    publicKey, _, _, _, err := ssh.ParseAuthorizedKey(publicKeyBytes)
    if err != nil {
        log.Fatal(err)
    }

    _ = &ssh.ClientConfig{
        User: "username",
        Auth: []ssh.AuthMethod{nil},
        // FixedHostKey lets the handshake continue only if the server
        // presents exactly this key.
        HostKeyCallback: ssh.FixedHostKey(publicKey),
    }
}

By using allowed host keys and proper host key verification, we can
mitigate the risk of accepting expired or invalid SSH keys.
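The contrast above between InsecureIgnoreHostKey and FixedHostKey, as an added example that is not Frogbot's text or the jfrog-client-go code: a pinning callback in the HostKeyCallback shape that compares the presented key's wire bytes and reports OpenSSH-style SHA256 fingerprints on mismatch. It uses only the standard library (the ssh-ed25519 wire encoding and fingerprint format are the ones OpenSSH and x/crypto/ssh use), and the keys are derived from fixed seeds as constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net"
)

// sshString encodes b as an SSH wire "string": big-endian uint32 length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// MarshalEd25519 is the wire form of an ssh-ed25519 key: string "ssh-ed25519", string <32 raw bytes>.
func MarshalEd25519(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// Fingerprint is the OpenSSH "SHA256:<unpadded base64>" digest an operator records and pins.
func Fingerprint(wire []byte) string {
	sum := sha256.Sum256(wire)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// PinnedHostKey mirrors ssh.FixedHostKey in the HostKeyCallback shape, taking the presented
// key as wire bytes so this runs on the standard library alone: the connection proceeds only
// if the key is byte-for-byte the pinned one. Returning nil unconditionally instead is what
// InsecureIgnoreHostKey does, and is why Frogbot flags it.
func PinnedHostKey(pinned []byte) func(host string, remote net.Addr, presented []byte) error {
	return func(host string, _ net.Addr, presented []byte) error {
		if bytes.Equal(pinned, presented) {
			return nil
		}
		return fmt.Errorf("host key mismatch for %s: got %s, want %s",
			host, Fingerprint(presented), Fingerprint(pinned))
	}
}

// constructedKey derives a deterministic sample key from one seed byte (sample input only).
func constructedKey(seed byte) []byte {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return MarshalEd25519(priv.Public().(ed25519.PublicKey))
}
```

Calling PinnedHostKey(constructedKey(1)) with constructedKey(1) returns nil, while constructedKey(2) yields a mismatch error carrying both fingerprints, which is the log line a defender wants when a host key changes unexpectedly.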


@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Nov 21, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 21, 2024
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Nov 21, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 21, 2024
Review comments (outdated, resolved) on xsc/services/utils/utils.go and xray/services/scan.go
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Nov 24, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 24, 2024
@eyalbe4 eyalbe4 merged commit 50bd3e5 into jfrog:dev Nov 24, 2024
23 of 24 checks passed
@attiasas attiasas added improvement Automatically generated release notes and removed ignore for release Automatically generated release notes labels Nov 25, 2024