exasol / ci-isolation-aws Goto Github PK

View Code? Open in Web Editor NEW

2.0 8.0 2.0 105 KB

AWS account setup for isolating CI builds

License: MIT License

Java 100.00%

exasol-integration aws integration-testing

ci-isolation-aws's People

Contributors

Stargazers

Watchers

Forkers

rohankumardubey muhammetdurmaz54

ci-isolation-aws's Issues

Missing list permissions

Due to missing list permissions the cleanup is not working

Allow persistent s3-buckets

Make it possible to create a s3- bucket that is not deleted or truncated by the cleanup task.

Update architecture diagram

Update the architecture diagram in the README

Cleanup fails if many objects exist in S3 bucket

The cleanup fails if many objects exist in S3 bucket.

Dependency upgrade

See log messages from build job Dependency Check:

io.netty:netty-handler:jar:4.1.86.Final in test
- CVE-2023-34462, severity CWE-770: Allocation of Resources Without Limits or Throttling (6.5)
software.amazon.awscdk:aws-cdk-lib:jar:2.74.0 in compile
- CVE-2023-35165, severity CWE-266: Incorrect Privilege Assignment (6.6)

Fix vulnerabilities in io.netty

io.netty:netty-handler:jar:4.1.94.Final in test
- CVE-2023-4586, severity CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (6.5)

Remove exclude for E-PK-CORE-53 dependencies.md file has outdated content

After setting required maven version to 3.8.7. or higher with PK ticket #444 (project-keeper release 2.9.6) users can remove the suppressed warning from file .project-keeper.yml:

  - regex: "(?s)E-PK-CORE-53: The dependencies.md file has outdated content.*"

Affected repositories:

Depedency check fails

 Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project ci-isolation-aws: Detected 1 vulnerable components:
Error:    org.yaml:snakeyaml:jar:1.30:compile; https://ossindex.sonatype.org/component/pkg:maven/org.yaml/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2022-25857] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-25857?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2022-38749] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38749?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2022-38751] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38751?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2022-38752] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38752?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2022-38750] CWE-787: Out-of-bounds Write (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38750?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

ossindex-maven-plugin finds vulnerabilities in dependencies

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit (default-cli) on project ci-isolation-aws: Detected 6 vulnerable components:
Error:    io.netty:netty-codec-http:jar:4.1.68.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:      * [CVE-2021-43797] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-43797?component-type=maven&component-name=io.netty%2Fnetty-codec-http&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:    io.netty:netty-handler:jar:4.1.68.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:      * 1 vulnerability found (6.5); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0026
Error:    commons-codec:commons-codec:jar:1.11:test; https://ossindex.sonatype.org/component/pkg:maven/commons-codec/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:      * 1 vulnerability found (5.3); https://ossindex.sonatype.org/vulnerability/sonatype-2012-0050
Error:    com.google.code.gson:gson:jar:2.8.8:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.code.gson/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:      * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-1694
Error:    io.netty:netty-common:jar:4.1.68.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:      * [CVE-2022-24823] CWE-378: Creation of Temporary File With Insecure Permissions (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-24823?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:    com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:      * [CVE-2020-36518] CWE-787: Out-of-bounds Write (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:      * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-4682

🔐 CVE-2024-29025: io.netty:netty-codec-http:jar:4.1.100.Final:test

Summary

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

CVE: CVE-2024-29025
CWE: CWE-770

References

AWS Nuke logs error about missing permissions

See log:

time="2023-05-09T06:01:56Z" level=error msg="Failed to get listed policy protected-s3-files-vs-ci-user-policy-1: AccessDenied: User: arn:aws:sts::XXX:assumed-role/protected-aws-account-cleanup-role/AWSCodeBuild-XXX is not authorized to perform: iam:GetPolicy on resource: policy arn:aws:iam::XXX:policy/protected-s3-files-vs-ci-user-policy-1 with an explicit deny in an identity-based policy\n\tstatus code: 403, request id: XXX"

Fix deletion of a role with a protected prefix

The cleanup stack should deletes all resources in the AWS account except resources prefixed with protected- and persistent-
However, when cleanup is triggered, it deletes a role prefixed with protected- which uses sagemaker service.
This leads to following error: exasol/sagemaker-extension#71