Resolved vulnerabilities - java tool installer #16184
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/azp run |
|
Azure Pipelines successfully started running 4 pipeline(s). |
…er-vulnerabilities
|
|
KonstantinTyukalov
approved these changes
Apr 29, 2022
|
/azp run |
|
Azure Pipelines successfully started running 4 pipeline(s). |
kirill-ivlev
approved these changes
Apr 29, 2022
…er-vulnerabilities
|
/azp run |
|
Azure Pipelines successfully started running 4 pipeline(s). |
…er-vulnerabilities
|
/azp run |
|
Azure Pipelines successfully started running 4 pipeline(s). |
mmrazik
approved these changes
May 3, 2022
mpodriezov
approved these changes
May 4, 2022
2 tasks
Kozlov-Igor
pushed a commit
to Kozlov-Igor/azure-pipelines-tasks
that referenced
this pull request
May 25, 2022
Co-authored-by: Konstantin Tyukalov <[email protected]>
alexander-smolyakov
pushed a commit
that referenced
this pull request
May 30, 2022
* Fix code coverage Maven jacoco issue #12597 * remove unused debug * fix 1 * fix PR commets * second iteration fix * hotfix * delete '.' from file type * fix iteration 3 * hotfix * fix whitespaces * hotfix * Fix code coverage Maven jacoco issue #12597 * remove unused debug * fix 1 * fix PR commets * second iteration fix * hotfix * delete '.' from file type * Update yml to include pool for single task (#16179) * fix permissions for specified files in DotNetCoreInstallerV0, DotNetCoreInstallerV1, UseDotNetV2 tasks (#16100) Co-authored-by: Tomáš Hübelbauer <[email protected]> Co-authored-by: Martin Mrazik <[email protected]> Co-authored-by: Tom Hubelbauer <[email protected]> * Updated PTRV2 task to version 2.203.0 (#16213) * Updated make.json * Updated task.json * Updated task.loc.json * Updated VsTestV2 task to version 2.203.0 (#16212) * Updated make.json * Updated task.json * Updated task.loc.json * Move assignment of transitioned tasks (#16211) * Add a note about too recent versions of Node (#16229) Running the build and test scripts won't work because of changes to the sync request APIs in recent Node versions. I have added a recommendation to stick with ~ Node 10 or so. I don't know the exact major from which this is broken, but we should focus on fixing the tooling over finding the exact version of old Node the contributors must use anyway, so this will do for now. * Create the basic workflow for the Node migration tracking The workflow pulls all issues related to the Node migration (which at the time of push will be zero) and prints them. In the next steps, it will ensure a migration issue exists for each task and reflect the migration status in the issue's state. * Mark the .github/workflows directory to be able to use ESM This will not spill over to the outside directories as it is constrained to this one. * Disable the Tasks directory trigger It seems Dependabot is pushing dep changes in droves (not sure why yet) which keeps triggering this workflow. * Fix a typo in the issue count print statement Two typos actually, issue->issues and label->length. * Print Node versions used by each task Later this will be used to find corresponding update issue or create one if it doesn't exist yet. * Skip the Common directory and limit to tasks that do use Node Some tasks do not use Node and use only PowerShell for example, we can skip those and they are not going to be a part of the update. The Common directory are some helpers, not a real task. * Print tasks with manifest with no execution field I think all should have it but possibly not? * Skip tasks with missing execution manifest field They happen to be Node tasks, but seem to lack this field. I will get to them separately and see if I can extend the handling for them or fix them. * Check to see if any tasks have both Node 6 and Node 10 keys and throw if so This should not be the case, but the check will ensure it remains not the case. * Limit the trackNodeMigration to the main branch This will prevent it from running for PR branches. * Add the logic to create the tracking issue For now one, I will manually verify it looks good and then remove the early exit so all get created. * Use startsWith for matching existing issues The template always has it at the start of the title so this check matches better. * Remove the short-circuit so that all remaining issues get created I have also added a link to the label which now serves at the full list of tasks that still need to be upgraded with the ratio of open/closed indicating how far along we are. * Resolved vulnerabilities - java tool installer (#16184) Co-authored-by: Konstantin Tyukalov <[email protected]> * Bump lodash from 4.17.10 to 4.17.21 in /Tasks/AzureMysqlDeploymentV1 (#16041) * Bump lodash from 4.17.10 to 4.17.21 in /Tasks/AzureMysqlDeploymentV1 Bumps [lodash](https://github.com/lodash/lodash) from 4.17.10 to 4.17.21. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.10...4.17.21) --- updated-dependencies: - dependency-name: lodash dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> * bumping the task version * Bump the task version to 1.205.0 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: v-nagarajku <[email protected]> Co-authored-by: v-nagarajku <[email protected]> Co-authored-by: Konstantin Tyukalov <[email protected]> Co-authored-by: Konstantin Tyukalov <[email protected]> * Added notes for task version bump - cut off date (#16292) Co-authored-by: Konstantin Tyukalov <[email protected]> * updated lodash and lodash.merge dependencies to newer version. (#16214) Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects. CVE-2019-10744 Co-authored-by: Andrii Kozin <[email protected]> * This affects the package set-value before 2.0.1, and starting with 3.0.0 but prior to 4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays. (#16228) Co-authored-by: Andrii Kozin <[email protected]> * Fix CVE-2019-10746 for AppCenterTestV1 (#16289) * Update lodash * Bump task version * Revert "Update lodash" This reverts commit 113396a. * Npm audit fix * Audit fix for AzureMonitorAlertsV0 * Audit fix for MysqlDeploymentOnMachineGroupV1 * Revert "Audit fix for MysqlDeploymentOnMachineGroupV1" This reverts commit 0c1f4f1. * Revert "Audit fix for AzureMonitorAlertsV0" This reverts commit d7dd19f. * Revert "Npm audit fix" This reverts commit 312d713. * npm audit fix for AppCenterTestV1 * Bump task version * Reset packege-lock.json to master * Run npm audit fix * Bump task version * Added warning about 'chmod' method (#16189) * Added warning to Gradle task * Update Tasks/GradleV3/Modules/project-configuration.ts Co-authored-by: Alexander Smolyakov <[email protected]> * Upgraded task version Co-authored-by: Alexander Smolyakov <[email protected]> * Fixed vulnerabilities (npm audit fix) - for az-blobstorage-provider-v2 (#16185) * npm audit fix * Bumped package version Co-authored-by: Konstantin Tyukalov <[email protected]> * Fixed vulnerabilities (npm audit fix) - VsTestV2 (#16224) * Run npm audit fix * Bump the task version to 2.204.0 * Bump the task version to 2.205.0 * Replaced request with typed-rest-client package (#16188) * replace request with typed-rest-client * bump version * bump version * hotfix * fix iteration 3 * fix whitespaces * hotfix * Update pypy3 default version to 3.9 (#16321) * Bump pypy3 default version to 3.9 * Update task messages * Bump task version to 0.205.0 * Text changes completed (#16277) * Text changes completed * Text changes completed Co-authored-by: Philipson Joseph V <[email protected]> * Remove appcenter-cli from dependencies to solve security issues (#16288) * Remove appcenter-cli dependency * Bump version * 1933760-set the parameter value customMessage:true in updateDeploymen… (#16141) * 1933760-set the parameter value customMessage:true in updateDeploymentHistory and finally block, * PR review feedback changes * Update AppCenter owners (#16223) * Bump vm2 from 3.9.5 to 3.9.9 in /Tasks/AppCenterDistributeV3 (#15978) Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.5 to 3.9.9. - [Release notes](https://github.com/patriksimek/vm2/releases) - [Changelog](https://github.com/patriksimek/vm2/blob/master/CHANGELOG.md) - [Commits](patriksimek/vm2@3.9.5...3.9.9) --- updated-dependencies: - dependency-name: vm2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ondřej Merkun <[email protected]> * fix for upgrading SF application in pipeline repo (#16328) * Bump minimist from 1.2.5 to 1.2.6 (#16061) Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6. - [Release notes](https://github.com/substack/minimist/releases) - [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6) --- updated-dependencies: - dependency-name: minimist dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alexander Smolyakov <[email protected]> * Add option to remove hidden files in CopyFilesOverSSHV0 task (#16029) * Add option to remove hidden files * Fix help markdown message * Rework generator logic * Add descritpion for the file pattern used on linux * Resolve comments * Bump task version Co-authored-by: Alexander Smolyakov <[email protected]> * Fix visibility rule in MavenV2 and MavenV3 tasks (#16081) Co-authored-by: Konstantin Tyukalov <[email protected]> Co-authored-by: Alexander Smolyakov <[email protected]> * CopyFilesOverSSHV0, MavenV2/V3 - bumped tasks versions to 205 sprint (#16314) * Bumped version - DownloadGitHubNugetPackage * Bump version - PipAuthenticate * Bump version - OpenPolicyAgentInstaller * Bump version - JenkinsQueueJob * Bump version - CopyFilesOverSSHV0 * Bump version - Maven tasks * Revert "Bumped version - DownloadGitHubNugetPackage" This reverts commit 04b68ef. * Revert "Bump version - PipAuthenticate" This reverts commit 7957d9d. * Revert "Bump version - OpenPolicyAgentInstaller" This reverts commit c8d9767. * Revert "Bump version - JenkinsQueueJob" This reverts commit 69a86c9. * hotfix package.lock.json * Bump task version Co-authored-by: Kozlov Igor <[email protected]> Co-authored-by: Igor Kozlov <[email protected]> Co-authored-by: Konstantin Tyukalov <[email protected]> Co-authored-by: Alexander Smolyakov <[email protected]> Co-authored-by: Rohit Batra <[email protected]> Co-authored-by: Pavlo Andriiesh <[email protected]> Co-authored-by: Tomáš Hübelbauer <[email protected]> Co-authored-by: Martin Mrazik <[email protected]> Co-authored-by: Tom Hubelbauer <[email protected]> Co-authored-by: triptijain2112 <[email protected]> Co-authored-by: Bishal Prasad <[email protected]> Co-authored-by: Anatoly Bolshakov <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: v-nagarajku <[email protected]> Co-authored-by: v-nagarajku <[email protected]> Co-authored-by: Konstantin Tyukalov <[email protected]> Co-authored-by: Stanislav Balia <[email protected]> Co-authored-by: Andrii Kozin <[email protected]> Co-authored-by: Sergei Fedorov <[email protected]> Co-authored-by: Svetlana Maliugina <[email protected]> Co-authored-by: AndreyIvanov42 <[email protected]> Co-authored-by: Philipson Joseph V <[email protected]> Co-authored-by: Philipson Joseph V <[email protected]> Co-authored-by: Alexey Chernikov <[email protected]> Co-authored-by: Lukas Cenovsky <[email protected]> Co-authored-by: Ondřej Merkun <[email protected]> Co-authored-by: Nikita Ezzhev <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Task name: JavaToolInstallerV0
Description: fixed vulnerabilities - CVE-2019-10744 (lodash 4.17.10), CVE-2019-10746 (mixin-deep 1.3.1) and other minor
Documentation changes required: N
Added unit tests: N
Attached related issue: N
Checklist: