greenbone / gvm-tools

Remote control your Greenbone Community Edition or Greenbone Enterprise Appliance
https://greenbone.github.io/gvm-tools/
GNU General Public License v3.0
166 stars 89 forks source link

Add Codecov token to CI workflow #1115

Closed timopollmeier closed 4 months ago

timopollmeier commented 4 months ago

What

Add Codecov token to CI workflow

Why

References

GEA-604

Checklist

github-actions[bot] commented 4 months ago

Conventional Commits Report

:cry: No conventional commits found.

:point_right: Learn more about the conventional commits usage at Greenbone.

github-actions[bot] commented 4 months ago

:mag: Vulnerabilities of harbor-os.greenbone.net/community/gvm-tools:pr-1115

:package: Image Reference harbor-os.greenbone.net/community/gvm-tools:pr-1115
digestsha256:20ca8a5c726dfbff16907db10e4e0368236c73dc4f947f93344c9fc15576d9cd
vulnerabilitiescritical: 2 high: 7 medium: 8 low: 29 unspecified: 6
size73 MB
packages184
:package: Base Image debian:stable-20240612-slim
also known as
  • stable-slim
digestsha256:209d46a45ea90c627bc822331296f99ac62f7e93357aee13acb1856cd7d68ede
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 23
critical: 2 high: 6 medium: 7 low: 0 unspecified: 6stdlib 1.19.8 (golang) pkg:golang/stdlib@1.19.8
critical : CVE--2024--24790
Affected range<1.21.11
Fixed version1.21.11
EPSS Score0.06%
EPSS Percentile27th percentile
Description
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
critical : CVE--2023--24540
Affected range<1.19.9
Fixed version1.19.9
EPSS Score0.26%
EPSS Percentile66th percentile
Description
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
high : CVE--2023--29403
Affected range<1.19.10
Fixed version1.19.10
EPSS Score0.06%
EPSS Percentile24th percentile
Description
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
high : CVE--2023--45287
Affected range<1.20.0
Fixed version1.20.0
EPSS Score0.07%
EPSS Percentile31st percentile
Description
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.
high : CVE--2023--45283
Affected range<1.20.11
Fixed version1.20.11
EPSS Score0.10%
EPSS Percentile41st percentile
Description
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
high : CVE--2023--39325
Affected range<1.20.10
Fixed version1.20.10
EPSS Score0.21%
EPSS Percentile59th percentile
Description
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
high : CVE--2023--29400
Affected range<1.19.9
Fixed version1.19.9
EPSS Score0.14%
EPSS Percentile50th percentile
Description
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
high : CVE--2023--24539
Affected range<1.19.9
Fixed version1.19.9
EPSS Score0.14%
EPSS Percentile50th percentile
Description
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
medium : CVE--2023--29406
Affected range<1.19.11
Fixed version1.19.11
EPSS Score0.09%
EPSS Percentile39th percentile
Description
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
medium : CVE--2023--39319
Affected range<1.20.8
Fixed version1.20.8
EPSS Score0.06%
EPSS Percentile26th percentile
Description
The html/template package does not apply the proper rules for handling occurrences of " contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
medium : CVE--2023--39318
Affected range<1.20.8
Fixed version1.20.8
EPSS Score0.08%
EPSS Percentile36th percentile
Description
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in Githubissues.
  • Githubissues is a development platform for aggregating issues.