vmware-tanzu/sources-for-knative

[BUG] What to do regarding Security Warnings

gabo1208 opened this issue · 5 comments

Describe the bug
Right now we are having security warnings with one of our libs.

To Reproduce
Steps to reproduce the behavior:
Any PR has this right now

Expected behavior
All jobs to pass

Additional context
Should we make any change, or ignore it for now?

Thanks for flagging this @gabo1208
Does sources-for-knative allow an arbitrary user to define URLs used with go-retryablehttp? That would raise the exposure according to https://cwe.mitre.org/data/definitions/117.html

From a quick glance, I don't see an upstream issue/patch in https://github.com/hashicorp/go-retryablehttp so it might be worth raising this upstream.

It's a transitive dependency in vendor/knative.dev/eventing/pkg/kncloudevents/message_sender.go. Looks like we are not seeing this in other kn repos then?

Do we still have this issue @gabo1208 ?

Looks like we're good here. Closing this, let me know if you have concerns @gabo1208