Commit Graph

25 Commits

Author SHA1 Message Date
sarahalsmiller 17d43c6316
Fix suppression (#21744)
fix suppression
2024-09-16 18:43:51 +00:00
sarahalsmiller 5a84cd1abf
Update security-scan.hcl (#21739) 2024-09-16 17:42:36 +00:00
sarahalsmiller 667eac2ac5
Suppress CVE-2024-8096 (#21737) 2024-09-16 16:08:29 +00:00
Michael Zalimeni c40eecf8f9
security: update alpine base image to 3.20 (#21729)
* security: update alpine base image to 3.20

* security: update scan config to remove old triage exceptions
2024-09-13 19:02:11 +00:00
sarahalsmiller 876a0a7778
Update security-scan.hcl (#21707) 2024-09-11 19:21:45 +00:00
sarahalsmiller 779d3c3eda
Suppress CVE-2024-7264 (#21590)
suppress curl error
2024-08-07 20:55:48 +00:00
Deniz Onur Duzgun 574f53d176
security: enable go stdlib scans (#20905)
* security: enable go stdlib scans

* security: enable go stdlib binary scan

* Fix formatting
2024-05-23 13:40:59 -04:00
Michael Zalimeni 86b0818c1f
[NET-8601] security: upgrade vault/api to remove go-jose.v2 (#20910)
security: upgrade vault/api to remove go-jose.v2

This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.

Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, it was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
2024-05-04 00:18:51 +00:00
Deniz Onur Duzgun 8209b3ff86
security: fine-tune release scanner and bump coredns (#21038)
* security: bump coredns

* add changelog

* Revert "security: bump coredns"

This reverts commit dcca09d83e89b6d5a4f03106e86d72a2b791001d.

* security: bump coredns

* fine-tune security scanner on release

* dismiss changelog
2024-05-03 15:09:40 -04:00
Michael Zalimeni cc959dcdf4
security: triage false positive for go-jose/v3 (#20901)
Per https://osv.dev/vulnerability/GO-2024-2631 this vulnerability is not
present in the version currently used (go-jose/v3@3.0.3).
2024-03-26 21:27:50 +00:00
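The two commits above (86b0818c1f and cc959dcdf4) show the triage step that should precede any scanner suppression: confirm, from the advisory's own affected ranges, which module and version is actually covered, so that a finding against a patched `go-jose/v3` is not silenced while the unfixed indirect `go-jose.v2` dependency stays in the build. The Go program below is an added example, not code from this repository or from HashiCorp's release scanner, and it does not reproduce the `security-scan.hcl` triage syntax. It evaluates a module version against OSV SEMVER ranges the way the OSV schema defines (walk events in version order; `introduced` turns the affected state on, `fixed` turns it off). The advisory JSON, the module paths `example.com/jose/v3` and `example.com/jose.v2`, and the dependency versions are all constructed for illustration and are not the real GO-2024-2631 data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimal subset of the OSV schema (https://ossf.github.io/osv-schema/)
// needed to evaluate Go SEMVER ranges.
type OSV struct {
	ID       string     `json:"id"`
	Affected []Affected `json:"affected"`
}

type Affected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Ranges []Range `json:"ranges"`
}

type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}

type Event struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}

// Constructed sample advisory in OSV format. The ID, module paths and
// version boundaries are illustrative only, not the real GO-2024-2631 record.
const sampleAdvisory = `{
  "id": "GO-0000-EXAMPLE",
  "affected": [
    {
      "package": {"ecosystem": "Go", "name": "example.com/jose.v2"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]
    },
    {
      "package": {"ecosystem": "Go", "name": "example.com/jose/v3"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.3"}]}]
    }
  ]
}`

// SampleDeps stands in for the output of `go list -m all` (module path ->
// version): the patched v3 module plus an unfixed v2 line pulled in
// indirectly. Constructed, not taken from any go.mod.
var SampleDeps = map[string]string{
	"example.com/jose/v3": "v3.0.3",
	"example.com/jose.v2": "v2.6.1",
}

func LoadRecord(data string) (OSV, error) {
	var rec OSV
	err := json.Unmarshal([]byte(data), &rec)
	return rec, err
}

// splitVersion strips a leading "v" and build metadata, then returns the
// numeric major.minor.patch core and any pre-release suffix. OSV's "0" lower
// bound parses to 0.0.0.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var core [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p) // non-numeric parts count as 0
		core[i] = n
	}
	return core, pre
}

// compareVersions orders Go-style versions. Simplified semver: numeric core,
// and a pre-release sorts before the release with the same core.
func compareVersions(a, b string) int {
	ac, apre := splitVersion(a)
	bc, bpre := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ac[i] != bc[i] {
			if ac[i] < bc[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case apre == bpre:
		return 0
	case apre == "":
		return 1
	case bpre == "":
		return -1
	default:
		return strings.Compare(apre, bpre)
	}
}

func eventVersion(e Event) string {
	if e.Introduced != "" {
		return e.Introduced
	}
	return e.Fixed
}

// versionInRange walks one SEMVER range's events in version order: an
// "introduced" at or below v marks it affected, a "fixed" at or below v
// clears that again. This mirrors the evaluation order in the OSV schema.
func versionInRange(r Range, v string) bool {
	if r.Type != "SEMVER" {
		return false
	}
	events := append([]Event(nil), r.Events...)
	sort.SliceStable(events, func(i, j int) bool {
		return compareVersions(eventVersion(events[i]), eventVersion(events[j])) < 0
	})
	affected := false
	for _, e := range events {
		switch {
		case e.Introduced != "" && compareVersions(v, e.Introduced) >= 0:
			affected = true
		case e.Fixed != "" && compareVersions(v, e.Fixed) >= 0:
			affected = false
		}
	}
	return affected
}

// IsAffected reports whether module@version falls inside any affected range
// of the record. Only an exact Go module path matches: "example.com/jose/v3"
// and "example.com/jose.v2" are distinct modules and are triaged separately.
func IsAffected(rec OSV, module, version string) bool {
	for _, a := range rec.Affected {
		if a.Package.Ecosystem != "Go" || a.Package.Name != module {
			continue
		}
		for _, r := range a.Ranges {
			if versionInRange(r, version) {
				return true
			}
		}
	}
	return false
}

// Triage returns only the modules the advisory really covers at the version
// in use; anything else a scanner reports is a candidate for a suppression
// entry, with the advisory link as the justification.
func Triage(rec OSV, deps map[string]string) []string {
	var hits []string
	for mod, ver := range deps {
		if IsAffected(rec, mod, ver) {
			hits = append(hits, mod+"@"+ver)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	rec, err := LoadRecord(sampleAdvisory)
	if err != nil {
		panic(err)
	}
	for mod, ver := range SampleDeps {
		fmt.Printf("%s@%s affected=%v\n", mod, ver, IsAffected(rec, mod, ver))
	}
	fmt.Println("genuinely affected:", Triage(rec, SampleDeps))
}
```

Run against the constructed input, the v3 module at 3.0.3 is reported clean (3.0.3 is the fixed boundary) while the v2 line is reported affected, which is the split the commit message describes. To use this on a real finding, feed it the advisory JSON from osv.dev and the module list from `go list -m all`; a module that comes back clean is the one to suppress, and a module that comes back affected is the one to upgrade or remove, never to suppress.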
Michael Zalimeni f942f2dc18
security: fix syntax for release scan config (#20279)
Correct syntax errors introduced in #20264.
2024-01-19 17:08:54 +00:00
Michael Zalimeni b03d770dc3
security: disable Vault secret scans due to false positives (#20264)
This was recently shown to have issues with false positives that blocked
a preview release build, so disabling for now.
2024-01-19 04:00:54 +00:00
Michael Zalimeni d0bc091a60
[NET-6969] security: Re-enable Go Module + secrets security scans for release branches (#19978)
* security: re-enable security scan release block

This was previously disabled due to an unresolved false-positive CVE.
Re-enabling both secrets and OSV + Go Modules scanning, which per our
current scan results should not be a blocker to future releases.

* security: run security scans on main and release branches
2023-12-21 15:11:05 +00:00
Semir Patel 53e28a4963
OSS -> CE (community edition) changes (#18517) 2023-08-22 09:46:03 -05:00
hashicorp-copywrite[bot] 5fb9df1640
[COMPLIANCE] License changes (#18443)
* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Updating the license from MPL to Business Source License

Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl.

* add missing license headers

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

---------

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 09:12:13 -04:00
Ronald e818fdead0
Copyright headers for config files git + circleci (#16703)
* Copyright headers for config files git + circleci

* Release folder copyright headers
2023-03-22 09:17:19 -04:00
Michele Degges 977c6e58de
Turn off sec-scanner check (#13614) 2022-06-27 15:52:51 -07:00
Michele Degges 862ca16301
Update security scanner (#12281) 2022-02-07 12:53:46 -08:00
Claire Labry 12fc63d11c
clean up from testing 2022-02-04 14:59:30 -05:00
Claire Labry 092a27e84d
turning go modules to false due to jwt issue 2022-02-04 14:22:25 -05:00
Claire Labry 20e4f73649
reverting changes for the container + binary blocks 2022-02-04 14:05:28 -05:00
Claire Labry b62c3b4fbc
updating the binary and container blocks in security-scan file 2022-02-04 10:22:37 -05:00
Claire Labry d66f4da7f0
clean up after testing 2022-01-06 09:43:35 -05:00
Claire Labry 1e9b621b00
testing out turning go modules false
Claire Labry 61eca6513b
enabling security scan for CRT 2021-12-16 11:49:22 -05:00