exasol / ci-isolation-aws
AWS account setup for isolating CI builds
License: MIT License
Due to missing list permissions the cleanup is not working
Make it possible to create an S3 bucket that is not deleted or truncated by the cleanup task.
Update the architecture diagram in the README
The cleanup fails if many objects exist in an S3 bucket.
See log messages from build job Dependency Check:
After setting the required Maven version to 3.8.7 or higher with PK ticket #444 (project-keeper release 2.9.6), users can remove the suppressed warning from file .project-keeper.yml:
- regex: "(?s)E-PK-CORE-53: The dependencies.md file has outdated content.*"
Affected repositories:
Error: Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project ci-isolation-aws: Detected 1 vulnerable components:
Error: org.yaml:snakeyaml:jar:1.30:compile; https://ossindex.sonatype.org/component/pkg:maven/org.yaml/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2022-25857] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-25857?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2022-38749] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38749?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2022-38751] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38751?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2022-38752] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38752?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: * [CVE-2022-38750] CWE-787: Out-of-bounds Write (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-38750?component-type=maven&component-name=org.yaml%2Fsnakeyaml&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error: Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit (default-cli) on project ci-isolation-aws: Detected 6 vulnerable components:
Error: io.netty:netty-codec-http:jar:4.1.68.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * [CVE-2021-43797] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-43797?component-type=maven&component-name=io.netty%2Fnetty-codec-http&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: io.netty:netty-handler:jar:4.1.68.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * 1 vulnerability found (6.5); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0026
Error: commons-codec:commons-codec:jar:1.11:test; https://ossindex.sonatype.org/component/pkg:maven/commons-codec/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * 1 vulnerability found (5.3); https://ossindex.sonatype.org/vulnerability/sonatype-2012-0050
Error: com.google.code.gson:gson:jar:2.8.8:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.code.gson/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-1694
Error: io.netty:netty-common:jar:4.1.68.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * [CVE-2022-24823] CWE-378: Creation of Temporary File With Insecure Permissions (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-24823?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * [CVE-2020-36518] CWE-787: Out-of-bounds Write (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-4682
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder accumulates bytes in the undecodedChunk buffer until it can decode a field; this field can accumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
CVE: CVE-2024-29025
CWE: CWE-770
See log:
time="2023-05-09T06:01:56Z" level=error msg="Failed to get listed policy protected-s3-files-vs-ci-user-policy-1: AccessDenied: User: arn:aws:sts::XXX:assumed-role/protected-aws-account-cleanup-role/AWSCodeBuild-XXX is not authorized to perform: iam:GetPolicy on resource: policy arn:aws:iam::XXX:policy/protected-s3-files-vs-ci-user-policy-1 with an explicit deny in an identity-based policy\n\tstatus code: 403, request id: XXX"
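The log line above is the interesting case for a cleanup role: the request is rejected "with an explicit deny in an identity-based policy", and in IAM an explicit Deny wins over any Allow, so adding permissions to the cleanup role cannot fix it; the Deny statement that protects the policy has to be narrowed instead. The small parser below is an added example written for this page (not code from ci-isolation-aws or aws-nuke) that pulls the role, action, resource and deny type out of such lines and tells the two cases apart. The sample lines are constructed in the shape of the quoted output, with placeholder account ids, session names and request ids; the second line is the implicit-deny wording AWS uses when no policy allows the action.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the shape of the aws-nuke output quoted above. Account id,
# session name and request id are placeholders, not real identifiers. The second line is an
# implicit-deny variant (AWS phrases those as "because no identity-based policy allows ...").
SAMPLE_LINES = [
    'time="2023-05-09T06:01:56Z" level=error msg="Failed to get listed policy '
    'protected-s3-files-vs-ci-user-policy-1: AccessDenied: User: '
    'arn:aws:sts::123456789012:assumed-role/protected-aws-account-cleanup-role/AWSCodeBuild-0000 '
    'is not authorized to perform: iam:GetPolicy on resource: policy '
    'arn:aws:iam::123456789012:policy/protected-s3-files-vs-ci-user-policy-1 '
    'with an explicit deny in an identity-based policy\\n\\tstatus code: 403, request id: 0000"',
    'time="2023-05-09T06:01:57Z" level=error msg="Failed to list objects: AccessDenied: User: '
    'arn:aws:sts::123456789012:assumed-role/protected-aws-account-cleanup-role/AWSCodeBuild-0000 '
    'is not authorized to perform: s3:ListBucket on resource: '
    'arn:aws:s3:::example-ci-artifacts because no identity-based policy allows the '
    's3:ListBucket action\\n\\tstatus code: 403, request id: 0001"',
]

# Principal, action and resource as AWS formats them; the trailing group is only present
# when the rejection came from an explicit Deny statement.
_DENIED = re.compile(
    r"User: (?P<principal>arn:aws:sts::\d{12}:assumed-role/[^\s\"\\]+) "
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) "
    r"on resource: (?:[a-z-]+ )?(?P<resource>arn:aws:[^\s\"\\]+)"
    r"(?P<explicit> with an explicit deny in an? (?P<policy_type>[a-z-]+) policy)?"
)


@dataclass(frozen=True)
class Denial:
    role: str
    action: str
    resource: str
    explicit_deny: bool
    policy_type: Optional[str]


def parse_denial(line: str) -> Optional[Denial]:
    """Extract the denied call from one log line, or None if the line is not an AccessDenied."""
    m = _DENIED.search(line)
    if not m:
        return None
    # arn:aws:sts::<acct>:assumed-role/<role>/<session>  ->  <role>
    role = m.group("principal").split("/")[1]
    return Denial(role, m.group("action"), m.group("resource"),
                  m.group("explicit") is not None, m.group("policy_type"))


def remediation(d: Denial) -> str:
    if d.explicit_deny:
        # An explicit Deny overrides every Allow, so the fix is on the Deny side.
        return (f"{d.role}: {d.action} on {d.resource} hits an explicit Deny in "
                f"{d.policy_type or 'a'} policy; narrow that Deny instead of adding an Allow")
    return f"{d.role}: add an Allow for {d.action} on {d.resource}"


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group deduplicated remediation hints by role, in first-seen order."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        hint = remediation(d)
        if hint not in out.setdefault(d.role, []):
            out[d.role].append(hint)
    return out


if __name__ == "__main__":
    for role, hints in triage(SAMPLE_LINES).items():
        print(role)
        for hint in hints:
            print("  -", hint)
```

Feed it the whole CodeBuild log rather than a single line: the cleanup job typically fails on the first denied call, so the remediation list is only complete once every denied action for the run has been collected.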
Error details:
Detected 6 vulnerable components:
[ERROR] org.apache.commons:commons-compress:jar:1.25.0:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-25710] CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-25710?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-26308] CWE-770: Allocation of Resources Without Limits or Throttling (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-26308?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] org.springframework:spring-web:jar:6.1.3:compile; https://ossindex.sonatype.org/component/pkg:maven/org.springframework/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-22243] CWE-20: Improper Input Validation (8.1); https://ossindex.sonatype.org/vulnerability/CVE-2024-22243?component-type=maven&component-name=org.springframework%2Fspring-web&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] io.jsonwebtoken:jjwt:jar:0.9.1:compile; https://ossindex.sonatype.org/component/pkg:maven/io.jsonwebtoken/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-31033] CWE-327: Use of a Broken or Risky Cryptographic Algorithm (5.9); https://ossindex.sonatype.org/vulnerability/CVE-2024-31033?component-type=maven&component-name=io.jsonwebtoken%2Fjjwt&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] org.springframework.security:spring-security-core:jar:6.1.0:compile; https://ossindex.sonatype.org/component/pkg:maven/org.springframework.security/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-22234] CWE-306: Missing Authentication for Critical Function (7.4); https://ossindex.sonatype.org/vulnerability/CVE-2024-22234?component-type=maven&component-name=org.springframework.security%2Fspring-security-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-22257] CWE-1390 (8.2); https://ossindex.sonatype.org/vulnerability/CVE-2024-22257?component-type=maven&component-name=org.springframework.security%2Fspring-security-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] io.netty:netty-codec-http:jar:4.1.105.Final:runtime; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-29025] CWE-770: Allocation of Resources Without Limits or Throttling (5.3); https://ossindex.sonatype.org/vulnerability/CVE-2024-29025?component-type=maven&component-name=io.netty%2Fnetty-codec-http&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] com.nimbusds:nimbus-jose-jwt:jar:9.28:test; https://ossindex.sonatype.org/component/pkg:maven/com.nimbusds/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2023-52428] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-52428?component-type=maven&component-name=com.nimbusds%2Fnimbus-jose-jwt&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]
[ERROR] Excluded vulnerabilities:
[ERROR] - [CVE-2021-23339] CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-23339?component-type=maven&component-name=com.typesafe.akka%2Fakka-http-core_2.13&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2022-36944] CWE-502: Deserialization of Untrusted Data (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2022-36944?component-type=maven&component-name=org.scala-lang%2Fscala-library&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2023-33202] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-33202?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk18on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2022-31159] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-31159?component-type=maven&component-name=com.amazonaws%2Faws-java-sdk-s3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2023-33202] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-33202?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties (7.1); https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2023-51074] CWE-Other (5.3); https://ossindex.sonatype.org/vulnerability/CVE-2023-51074?component-type=maven&component-name=com.jayway.jsonpath%2Fjson-path&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2023-33201] CWE-295: Improper Certificate Validation (5.3); https://ossindex.sonatype.org/vulnerability/CVE-2023-33201?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk18on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2024-21634] CWE-770: Allocation of Resources Without Limits or Throttling (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-21634?component-type=maven&component-name=software.amazon.ion%2Fion-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2021-42697] CWE-674: Uncontrolled Recursion (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-42697?component-type=maven&component-name=com.typesafe.akka%2Fakka-http-core_2.13&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2023-33201] CWE-295: Improper Certificate Validation (5.3); https://ossindex.sonatype.org/vulnerability/CVE-2023-33201?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions (3.3); https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] - [CVE-2023-45865] CWE-532: Information Exposure Through Log Files (4.4); https://ossindex.sonatype.org/vulnerability/CVE-2023-45865?component-type=maven&component-name=com.typesafe.akka%2Fakka-actor_2.13&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]
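The three ossindex-maven-plugin audit logs above share one line format: a component line (`group:artifact:type:version:scope; url`), one or more `* [ID] ... (score); url` lines under it (or `* N vulnerabilities found (score); url` when Sonatype has no CVE id), and an "Excluded vulnerabilities:" block for suppressed ids. The parser below is an added example written for this page, not code from ci-isolation-aws or from the ossindex plugin; it turns that output into records and separates what can actually reach the deployed artifact (compile/runtime scope) from test-only dependencies and from already-excluded ids. The sample text is a constructed excerpt in the same format with the query strings trimmed; it mixes the plain Maven `[ERROR]` prefix and the GitHub Actions `Error:` prefix because both occur in the logs above. The 7.0 threshold and the scope list are choices of this example, not project policy.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import parse_qs, urlparse

# Constructed excerpt in the format of the ossindex-maven-plugin logs quoted above.
SAMPLE_AUDIT = """\
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project ci-isolation-aws: Detected 3 vulnerable components:
[ERROR] org.springframework:spring-web:jar:6.1.3:compile; https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-web@6.1.3
[ERROR] * [CVE-2024-22243] CWE-20: Improper Input Validation (8.1); https://ossindex.sonatype.org/vulnerability/CVE-2024-22243?component-type=maven&component-name=org.springframework%2Fspring-web
[ERROR] io.netty:netty-codec-http:jar:4.1.105.Final:runtime; https://ossindex.sonatype.org/component/pkg:maven/io.netty/netty-codec-http@4.1.105.Final
[ERROR] * [CVE-2024-29025] CWE-770: Allocation of Resources Without Limits or Throttling (5.3); https://ossindex.sonatype.org/vulnerability/CVE-2024-29025?component-type=maven&component-name=io.netty%2Fnetty-codec-http
Error: io.netty:netty-handler:jar:4.1.68.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/netty-handler@4.1.68.Final
Error: * 1 vulnerability found (6.5); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0026
[ERROR]
[ERROR] Excluded vulnerabilities:
[ERROR] - [CVE-2022-36944] CWE-502: Deserialization of Untrusted Data (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2022-36944?component-type=maven&component-name=org.scala-lang%2Fscala-library
"""

# Accept both the plain Maven prefix and the GitHub Actions annotation prefix.
_PREFIX = r"^(?:\[ERROR\] |Error: )?"
_COMPONENT = re.compile(
    _PREFIX + r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):\w+:(?P<version>[^:;]+):(?P<scope>\w+); "
)
_VULN = re.compile(
    _PREFIX + r"\* (?:\[(?P<id>[\w\-]+)\] .*?|\d+ vulnerabilit(?:y|ies) found) "
    r"\((?P<score>\d+(?:\.\d+)?)\); (?P<url>\S+)"
)
_EXCLUDED_HEADER = re.compile(_PREFIX + r"Excluded vulnerabilities:")
_EXCLUDED_VULN = re.compile(
    _PREFIX + r"- \[(?P<id>[\w\-]+)\] .*?\((?P<score>\d+(?:\.\d+)?)\); (?P<url>\S+)"
)


@dataclass(frozen=True)
class Finding:
    component: str      # group:artifact
    version: str        # empty for excluded entries, which only carry the component name
    scope: str          # compile, runtime, test, ...; empty for excluded entries
    vuln_id: str        # CVE id, or the Sonatype id taken from the URL when no CVE exists
    score: float        # CVSS score as printed by the plugin
    excluded: bool = False


def parse_audit(text: str) -> List[Finding]:
    findings: List[Finding] = []
    component = version = scope = ""
    in_excluded = False
    for line in text.splitlines():
        line = line.rstrip()
        if _EXCLUDED_HEADER.match(line):
            in_excluded = True
            continue
        if in_excluded:
            m = _EXCLUDED_VULN.match(line)
            if m:
                # Excluded lines name the component only inside the URL query string.
                name = parse_qs(urlparse(m.group("url")).query).get("component-name", [""])[0]
                findings.append(Finding(name.replace("/", ":"), "", "", m.group("id"),
                                        float(m.group("score")), excluded=True))
            continue
        m = _COMPONENT.match(line)
        if m:
            component = f"{m.group('group')}:{m.group('artifact')}"
            version, scope = m.group("version"), m.group("scope")
            continue
        m = _VULN.match(line)
        if m and component:
            vuln_id = m.group("id") or urlparse(m.group("url")).path.rsplit("/", 1)[-1]
            findings.append(Finding(component, version, scope, vuln_id, float(m.group("score"))))
    return findings


def actionable(findings: Iterable[Finding], min_score: float = 7.0,
               shipped_scopes: Iterable[str] = ("compile", "runtime")) -> List[Finding]:
    """Findings in scopes that ship with the artifact, at or above the threshold, not excluded."""
    shipped = set(shipped_scopes)
    hits = [f for f in findings if not f.excluded and f.scope in shipped and f.score >= min_score]
    return sorted(hits, key=lambda f: (-f.score, f.component))


if __name__ == "__main__":
    for f in actionable(parse_audit(SAMPLE_AUDIT), min_score=5.0):
        print(f"{f.score:4.1f}  {f.component}:{f.version} ({f.scope})  {f.vuln_id}")
```

Scope is a triage aid, not a verdict: a test-scoped library is not in the deployed artifact, but it still runs on the build host, so a finding there is a CI-hardening question rather than a shipping blocker. Excluded ids are kept in the output on purpose so that a review can see what has been suppressed and at what score.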
Create an initial implementation
AWS CDK v1 is deprecated; we need to migrate to v2. See https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html for details.
Added checksum validation for aws-nuke binary
Reason:
Hackers could gain access to the GitHub repo of aws-nuke and replace the binary with a malicious one. The validation makes sure we always get the expected binary.
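The check described above only defends against a replaced release asset if the expected digest is recorded somewhere the attacker does not control: a checksum file fetched from the same release as the binary would be replaced together with it. The following is an added example written for this page, not the project's own build step, showing the shape of that check: the digest is pinned in the calling repository, compared in constant time before the bytes are written under the final name, and the file is only renamed into place (executable, owner-only) after the comparison passes. The sample payload is a constructed stand-in for the downloaded binary so the example runs offline, and PINNED_SHA256 is derived from it here only for that reason; the bytes themselves would come from whatever download step the pipeline uses.

```python
import hashlib
import hmac
import os
import stat
import tempfile
from pathlib import Path


class ChecksumMismatch(Exception):
    """Raised when the downloaded bytes do not match the pinned digest."""


# Constructed stand-in for the downloaded aws-nuke release binary (offline example).
# PINNED_SHA256 is computed from it here only so the example runs; for a real release the
# digest is taken from the project's published checksum file at review time and committed
# next to the build script, so a later change to the release assets cannot change what runs.
SAMPLE_BINARY = b"#!/bin/sh\necho 'stand-in for the aws-nuke binary'\n"
PINNED_SHA256 = hashlib.sha256(SAMPLE_BINARY).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_verified(payload: bytes, expected_sha256: str, dest: Path) -> Path:
    """Verify payload against the pinned digest, then install it executable at dest.

    The digest is checked before anything is written under the final name, and the file is
    renamed into place only after the bytes are on disk, so an unverified or partially
    written binary is never executable at dest.
    """
    dest = Path(dest)
    actual = sha256_hex(payload)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise ChecksumMismatch(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    dest.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=".aws-nuke.")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        os.chmod(tmp, stat.S_IRWXU)   # owner read/write/execute only
        os.replace(tmp, dest)         # atomic rename on the same filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest


def self_check() -> dict:
    """Run the good and the tampered case in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        good = install_verified(SAMPLE_BINARY, PINNED_SHA256, Path(scratch) / "aws-nuke")
        tampered_rejected = False
        try:
            install_verified(SAMPLE_BINARY + b"# one extra line\n", PINNED_SHA256,
                             Path(scratch) / "aws-nuke-2")
        except ChecksumMismatch:
            tampered_rejected = True
        return {
            "installed": good.read_bytes() == SAMPLE_BINARY,
            "executable": os.access(good, os.X_OK),
            "tampered_rejected": tampered_rejected,
            "tampered_not_installed": not (Path(scratch) / "aws-nuke-2").exists(),
        }


if __name__ == "__main__":
    print(self_check())
```

Pinning the digest means every aws-nuke upgrade is a reviewed change to the pipeline definition, which is the point: the binary that deletes everything in the account should not change without someone looking at it.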