Bug #19279 (closed)

For plugins, we need to skip CVE check on provided dependencies

Added by François ARMAND over 1 year ago. Updated over 1 year ago.

Status: Released
Priority: N/A
Category: Security
Priority: 0

Description

For plugins, and for reasons (#12171), we need to specify all Rudder libraries and dependencies as provided (else they are included in plugins).
The exact version of the lib used can be a bit off, because plugins don't use the latest version of Rudder, for ABI compatibility.
All that leads to false positives in the CVE check on dependencies.

So we need to skip dependencies with scope "provided" in plugins (of course, the plugin's own dependencies, which don't have that scope, will be checked).

Note: perhaps system properties should be skipped too, but I will leave them for now, and we will see if it's relevant when the case arises.
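
The selection rule described above, as an added example that is not code from the Rudder project or the linked pull request: it parses a plugin pom, applies Maven's default of `compile` when no scope is given, and separates the coordinates that go to the CVE check from the `provided` ones that are skipped (the set of skipped scopes is a parameter so it can be widened later). The pom content, the group and artifact names and the `select_for_cve_check` function are constructed for this example and are not Rudder's.

```python
"""Decide which Maven dependencies of a plugin pom go through the CVE check.

Added example, not code from the Rudder project or the linked pull request.
Assumption: the Maven <scope> of each <dependency> decides inclusion, as the
issue describes: "provided" (libraries the plugin takes from the host) is
skipped, every other scope is checked.
"""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed plugin pom (not a real Rudder plugin): one host library marked
# "provided", plus dependencies that belong to the plugin itself.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>example-plugin</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>example.host</groupId>
      <artifactId>host-core</artifactId>
      <version>6.1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>example.lib</groupId>
      <artifactId>plugin-lib</artifactId>
      <version>2.3.4</version>
    </dependency>
    <dependency>
      <groupId>example.lib</groupId>
      <artifactId>test-only</artifactId>
      <version>1.0</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>example.local</groupId>
      <artifactId>local-jar</artifactId>
      <version>0.1</version>
      <scope>system</scope>
      <systemPath>${basedir}/lib/local.jar</systemPath>
    </dependency>
  </dependencies>
</project>
"""

# Scopes excluded from the CVE check, per the issue: only "provided".
SKIPPED_SCOPES = frozenset({"provided"})


def _child_text(dep, tag):
    """Text of a namespaced child element, or None when absent or empty."""
    el = dep.find(POM_NS + tag)
    return el.text.strip() if el is not None and el.text else None


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version, scope) tuples.

    Maven treats a missing <scope> as "compile", so that default is applied here.
    """
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(POM_NS + "dependency"):
        deps.append((
            _child_text(dep, "groupId"),
            _child_text(dep, "artifactId"),
            _child_text(dep, "version"),
            _child_text(dep, "scope") or "compile",
        ))
    return deps


def select_for_cve_check(pom_xml, skipped_scopes=SKIPPED_SCOPES):
    """Split dependencies into coordinates to scan and (coordinate, scope) pairs skipped."""
    to_check, skipped = [], []
    for group, artifact, version, scope in parse_dependencies(pom_xml):
        coord = f"{group}:{artifact}:{version}"
        if scope in skipped_scopes:
            skipped.append((coord, scope))
        else:
            to_check.append(coord)
    return to_check, skipped


if __name__ == "__main__":
    checked, skipped = select_for_cve_check(SAMPLE_POM)
    print("checked:", checked)
    print("skipped:", skipped)
```

With the sample pom, only `example.host:host-core:6.1.0` is skipped; the plugin's own `compile`, `test` and `system` dependencies are still checked, which matches the issue's intent that only the host-provided libraries are excluded.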

Actions #1

Updated by François ARMAND over 1 year ago

  • Target version set to 6.1.14

Actions #2

Updated by François ARMAND over 1 year ago

  • Status changed from New to In progress

Actions #3

Updated by François ARMAND over 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-plugins/pull/375

Actions #4

Updated by François ARMAND over 1 year ago

  • Status changed from Pending technical review to Pending release

Actions #6

Updated by Vincent MEMBRÉ over 1 year ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.1.14 and 6.2.8 which were released today.
