[Security] (CWE-88): Potential HTTP request made with variable url
leecalcote opened this issue · 3 comments
leecalcote commented
Current Behavior
This golang security check is failing - https://github.com/meshery/meshery-traefik-mesh/runs/4581108903?check_suite_focus=true with the following details:
```
[/github/workspace/internal/config/releases.go:70] - G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
69: // #nosec`
> 70: resp, err := http.Get(releaseAPIURL)
71: if err != nil {
```
Contributor Guides and Resources
- Meshery Build & Release Strategy
- Instructions for contributing to documentation
- Wireframes and designs for Meshery UI in Figma
- Questions: Layer5 Discussion Forum and Layer5 Community Slack
alphaX86 commented
@leecalcote for this adapter, I see that the function fetches a "list" of latest releases... I also referred to Meshkit's code, which has a similar function but fetches only the one latest version. So, shall I use it? Or is fetching a list intended for this mesh adapter?
leecalcote commented
@Revolyssup, do you have a perspective here?
saurabh100ni commented
This issue has been open for some time with no recent activity; unassigning to open it up for new contributors to give it a go.
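
An added example, not code from the meshery-traefik-mesh repository: one way to constrain the destination before the `http.Get(releaseAPIURL)` call that G107 flags, rather than relying on `#nosec` alone. The allowlisted host `api.example.com` and the helper names `validateReleaseURL`, `newReleaseClient` and `fetchReleases` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

var allowedHosts = map[string]bool{"api.example.com": true} // hypothetical allowlist (assumption)

// validateReleaseURL accepts only https URLs without userinfo whose host is allowlisted.
func validateReleaseURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse release URL: %w", err)
	}
	if u.Scheme != "https" || u.User != nil {
		return nil, errors.New("release URL must be https without credentials")
	}
	// Hostname() strips the port, so "api.example.com:8443" is checked separately.
	if !allowedHosts[u.Hostname()] || (u.Port() != "" && u.Port() != "443") {
		return nil, fmt.Errorf("host %q is not allowed", u.Host)
	}
	return u, nil
}

// newReleaseClient bounds the whole exchange with a timeout and re-validates
// every redirect target, so an allowed host cannot bounce the request elsewhere.
func newReleaseClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, _ []*http.Request) error {
			_, err := validateReleaseURL(req.URL.String())
			return err
		},
	}
}

// fetchReleases validates first, then requests; the caller closes resp.Body.
func fetchReleases(releaseAPIURL string) (*http.Response, error) {
	u, err := validateReleaseURL(releaseAPIURL)
	if err != nil {
		return nil, err
	}
	return newReleaseClient().Get(u.String())
}

func main() {
	// Constructed input: the real host here is evil.example, not api.example.com.
	fmt.Println(validateReleaseURL("https://api.example.com@evil.example/releases"))
}
```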