meshery/meshery-traefik-mesh

[Security] (CWE-88): Potential HTTP request made with variable url

leecalcote opened this issue · 3 comments

Current Behavior

This golang security check is failing - https://github.com/meshery/meshery-traefik-mesh/runs/4581108903?check_suite_focus=true with the following details:

[/github/workspace/internal/config/releases.go:70] - G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
    69: 	// #nosec`
  > 70: 	resp, err := http.Get(releaseAPIURL)
    71: 	if err != nil {

Contributor Guides and Resources

@leecalcote for this adapter, I see that the function fetches a "list" of latest releases... I also referred to Meshkit's code, which has a similar function but for only one latest version fetch. So, shall I use it? Or is fetching a list intended for this mesh adapter?

@Revolyssup, do you have a perspective here?

This issue has been open for some time with no recent activity, unassigning to open it up for new contributors to give it a go.