Security/upgrade #12
Merged
Security/upgrade #12
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Breaking changed introduced in actions/github-script@v6. https://github.com/actions/github-script#breaking-changes-in-v5
…#12530) The GHA action used for adding comments or labels to issues untrusted by TSCCR have been replaced with an approved set of actions. The updated workflows use actions/github-script for adding comments or labels to an issue. Related to: hashicorp/security-tsccr#608
The action currently fails when trying to remove the stale or waiting-reply labels from issues that do not actually contain the labels in question. This update adds a guard clause to only run the action on issues containing at least one of the labels.
This commit fixes a bug with the first script, as the object passed to the REST API is not closed properly.
HCP supports two types of service principals: Organization-level and project-level. When a user tries to publish to an active HCP Packer registry using a plsp the client fails when configuring the client due to a API permission error; namely plsp do not have the permissions to query an org for a list of projects. Setting the HCP_PROJECT_ID does not resolve the issue because the call to ListProjects is still executed. This changes updates the client configuration params to obtain both the HCP Organization and Project IDs that will be used for connecting to the HCP Packer registry. With this change if a user provides a project Id via the HCP_PROJECT_ID environment variable no call to ListProjects will be made. Instead the value will be take as is and used to create the connection. A user connecting with a project level service principals must provide a valid HCP_PROJECT_ID in order to connect.
When setting a project id via the HCP_PROJECT_ID env the client will try to validate the project by checking that it has an associated registry. If the project is invalid or not a valid UUID an error will be displayed to the user * Add comment to clarify usage of SDK loaded env. variables
`packer init' is meant to be invoked on a template file or a directory. This was described in the command-line help message as `[template.pkr.hcl|folder]'. Because this is encapsulated between square brackets, this could be taken as an option instead of a positional, mandatory argument. This commit changes the wording to adopt a similar convention as `packer build', so the two are consistent in how they are invoked, and to avoid mistaking this argument as optional.
The `packer init' command's wording was not clear, so it was changed in a preceding commit, and this commit aims to add more details on how the command is meant to be used, along with a simple example.
Starting with Go 1.19 the loading of binaries from the current working directory was deemed as a possible security problem. Thus the use of exec.Command or exec.LookPath no longer resolves an executable within the current working directory. This change updates the discover logic to return absolute paths for any discovered plugin, which is called directly when passed to exec.Command or exec.LookPath. By doing this Packer is able to load a custom plugin sitting in the current working directory as it did in version prior to v1.9.2.
When copying a plugin's checksum file (packer-plugin-*_SHA256SUM) installed by `packer plugins install` or `packer init` into a separate directory the file may be copied with the executable bit turned out. If unchanged after the copy, Packer would discover the checksum file as a possible plugin match and error when trying to execute describe on the plugin look a like. This change adds a checksum file test to the plugin matching logic. If the discovered plugin name is a checksum it is excluded from the discovered plugin list.
* Add test case for loading plugin in CWD * Add test case to validate checksume files are ignored * Update Discover to include CWD "." in PluginFolders if KnowPluginFolders is unset
Since the main branch is not called master anymore, and the anchor was renamed, we fix both these changes in the link to that page from the README.
In addition to the `release-light' target, we add a `release_full' target to the Dockerfile, so that we can ship an image of Packer with the official plugins pre-bundled in their latest version.
The Docker images release-light and release-full are not to be built locally from a dev build, but from a release, and the commands to build those images are only referenced in CI, so we don't need to ship them as part of the makefile. In addition, those images are not straightforward to build from the Makefile, as they require quite a few things from the environment, as well as the binary installed in a specific location, which is never setup by the rest of the Makefile. Therefore, we opted to simplify the Makefile so that it only builds docker-dev for local use.
* Remove repetitive log statement The log being removed is duplicated each time evalContext is called, which seems like an unneeded debug log.
The version of the golang.org/x/net we used (v0.8.0), is vulnerable to a rendering issue, potentially escaping text that should not be, which can enable other attacks then. Packer itself is not vulnerable to the CVE as we don't render web pages, but security checks do point it as an issue, so we fix it by updating the dependencies. CVE refrerence: GO-2023-1988
* Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at https://hashi.co/license-faq, and details of the license at www.hashicorp.com/bsl. * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Since we added support for PLSPs recently, and it will be released as part of 1.9.3, we add some documentation regarding the environment variables we added, and a note regarding their relation to PLSP support.
The SDK's Ui interface has had some additions recently for supporting format-strings and their arguments as paramereters to Say, Ask and Error. These changes to the interface means that all the implementations of that interface need to match the definition, so in this case the implementations we had in packer/ui.go need to be updated to support those functions.
Since the SDK was updated and now accepts raw version strings in addition to also supporting metadata officially, we can start using those functions in our version package as well.
….0 (hashicorp#12935) Bumps [github.com/hashicorp/hcp-sdk-go](https://github.com/hashicorp/hcp-sdk-go) from 0.90.0 to 0.92.0. - [Release notes](https://github.com/hashicorp/hcp-sdk-go/releases) - [Changelog](https://github.com/hashicorp/hcp-sdk-go/blob/main/CHANGELOG.md) - [Commits](hashicorp/hcp-sdk-go@v0.90.0...v0.92.0) --- updated-dependencies: - dependency-name: github.com/hashicorp/hcp-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
A bug in the SDK prevents us from calling SemVer on the PluginVersion derived from the rawVersion, as when doing so, we reset the semVer attribute to only use the core part of the version, thereby dropping any information on pre-release/metadata. This is not ideal, and arguably not wanted. So in order to not lose this information, we re-compute the SemVer from rawVersion, this way we don't overwrite it for both structures.
The invalid_inexplicit_source_2 subtest for parse used to fail in previous versions of Packer, but with the latest changes to plugin source management, it won't, at least at parsing time, instead it fails later when the Github getter (the only available for now) cannot get the plugin binary from the source, as the source is not a valid Github URI.
The source parsing logic was heavily directed towards Github compatible source URIs, however if we want to support more cases, we need to make sure we are able to specify those URIs, and to load plugins installed from those sources. Right now, since the getters available are only github.com, we will not support remotely instlling plugins from sources other than github.com, with the same set of constraints as before. However, we do support now installing from a local plugin binary to any kind of source, and we support loading them, including if a template wants this plugin installed locally with version constraints.
….0 (hashicorp#12942) Bumps [github.com/hashicorp/hcp-sdk-go](https://github.com/hashicorp/hcp-sdk-go) from 0.92.0 to 0.93.0. - [Release notes](https://github.com/hashicorp/hcp-sdk-go/releases) - [Changelog](https://github.com/hashicorp/hcp-sdk-go/blob/main/CHANGELOG.md) - [Commits](hashicorp/hcp-sdk-go@v0.92.0...v0.93.0) --- updated-dependencies: - dependency-name: github.com/hashicorp/hcp-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add general code improvements
Bumps [ejs](https://github.com/mde/ejs) to 3.1.10 and updates ancestor dependency [@hashicorp/platform-cli](https://github.com/hashicorp/web-platform-packages/tree/HEAD/packages/cli). These dependencies need to be updated together. Updates `ejs` from 3.1.5 to 3.1.10 - [Release notes](https://github.com/mde/ejs/releases) - [Commits](mde/ejs@v3.1.5...v3.1.10) Updates `@hashicorp/platform-cli` from 2.1.0 to 2.8.0 - [Release notes](https://github.com/hashicorp/web-platform-packages/releases) - [Changelog](https://github.com/hashicorp/web-platform-packages/blob/main/packages/cli/CHANGELOG.md) - [Commits](https://github.com/hashicorp/web-platform-packages/commits/@hashicorp/platform-cli@2.8.0/packages/cli) --- updated-dependencies: - dependency-name: ejs dependency-type: indirect - dependency-name: "@hashicorp/platform-cli" dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
RodrigoCMoraes
force-pushed
the
security/upgrade
branch
from
a537710
to
93d5356
Compare
RodrigoCMoraes
force-pushed
the
security/upgrade
branch
from
cfceba2
to
d081c4a
Compare
…orp#12958) * Bump required actions to address Node.js 16 deprecation issue * Update all tsccr approved actions ```shell tsccr-helper gha update -latest . ```
…com:inloco/packer into security/upgrade
…thub.com:inloco/packer into security/upgrade
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DELETE THIS TEMPLATE BEFORE SUBMITTING
In order to have a good experience with our community, we recommend that you
read the contributing guidelines for making a PR, and understand the lifecycle
of a Packer PR:
https://github.com/hashicorp/packer/blob/master/.github/CONTRIBUTING.md#opening-an-pull-request
Describe the change you are making here!
Please include tests. Check out these examples:
If your PR resolves any open issue(s), please indicate them like this so they will be closed when your PR is merged:
Closes #xxx
Closes #xxx