fix(security): remediate OWASP/CWE audit findings (2026-06-30) #244

Merged: fdelbrayelle merged 1 commit into main from fix/security-audit-20260630 on Jul 1, 2026
Conversation

@fdelbrayelle (Member)
Summary

Remediates all findings from the 2026-06-30 automated security audit against OWASP Top 10 (2025), CWE Top 25, and OWASP ASVS Level 1.

Findings Fixed

  • HIGH: Multiple credential fields in AuthenticationConfig missing @PluginProperty(secret=true) (src/main/java/io/kestra/plugin/databricks/AbstractTask.java:86)
    • Fix: Added @PluginProperty(secret = true) to token, clientSecret, password, googleCredentials, and azureClientSecret fields in AuthenticationConfig so the Kestra UI and serialisation layer correctly mask these values.
  • HIGH: Databricks access token embedded in plain-text shell command string (src/main/java/io/kestra/plugin/databricks/cli/DatabricksSQLCLI.java:159)
    • Fix: Resolved the token in run() and passed it to CommandsWrapper.withEnv() as DATABRICKS_TOKEN; the command now references $DATABRICKS_TOKEN instead of embedding the secret value in the process argument list.

Testing

  • ./gradlew build passes
  • No regressions in existing tests
  • Manually verified the patched code paths

References


Automated security fix — please review each change carefully before merging.

…audit

Fixes identified in automated security audit (kestra-plugin-security-auditing skill):
- HIGH: Multiple credential fields in AuthenticationConfig missing @PluginProperty(secret=true)
- HIGH: Databricks access token embedded in plain-text shell command string

Part of security audit EPIC. See kestra-io/kestra-ee#9092 for full scope.
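The second finding above turns on where a secret is visible to other processes on the host: an argument list is readable by any local process listing, the environment is not exposed that way. The following is an added example, not Kestra's code and not the Databricks CLI: a small Python stand-in for the CLI reports the argument list it was started with and whether a token reached its environment, and three wrapper-side invocation styles are compared: the value embedded in the argument list (the audited pattern), the value passed only through the environment, and the value referenced as `$DATABRICKS_TOKEN` inside a shell command string. The token value and the stand-in CLI are constructed for the example.

```python
import os
import shlex
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed placeholder value; not a real Databricks token.
TOKEN = "dapi-CONSTRUCTED-EXAMPLE-TOKEN"

# Stand-in for the CLI (hypothetical, replaces the real `databricks` binary):
# prints the arguments it received and the DATABRICKS_TOKEN value it found in
# its environment ("-" if absent), tab-separated, so the caller can inspect both.
STAND_IN_CLI = (
    "import os, sys; "
    "print('|'.join(sys.argv[1:]) + '\\t' + os.environ.get('DATABRICKS_TOKEN', '-'))"
)


def _cli() -> List[str]:
    """Argument vector that starts the stand-in CLI under the current interpreter."""
    return [sys.executable, "-c", STAND_IN_CLI]


def _run(argv: List[str], extra_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Run argv with the current environment minus DATABRICKS_TOKEN, plus extra_env,
    and return what the tool saw: its argv (joined by '|') and the env value."""
    env = {k: v for k, v in os.environ.items() if k != "DATABRICKS_TOKEN"}
    env.update(extra_env or {})
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    seen_argv, seen_env = proc.stdout.rstrip("\n").split("\t")
    return {"argv": seen_argv, "env": seen_env}


def embedded_in_args(token: str) -> Dict[str, str]:
    """Audited pattern: the secret is spliced into the argument list."""
    return _run(_cli() + ["--token", token])


def via_environment(token: str) -> Dict[str, str]:
    """Hardened pattern: the secret travels only in the environment; argv stays clean."""
    return _run(_cli() + ["query"], {"DATABRICKS_TOKEN": token})


def via_shell_expansion(token: str) -> Dict[str, str]:
    """Env var referenced inside a shell command string: the shell expands it
    before exec, so the invoked tool's own argv carries the value again."""
    command = shlex.join(_cli()) + ' --token "$DATABRICKS_TOKEN"'
    return _run(["sh", "-c", command], {"DATABRICKS_TOKEN": token})


def leaks_into_argv(result: Dict[str, str], token: str) -> bool:
    """True when the token is part of the argument list a process listing would show."""
    return token in result["argv"]


if __name__ == "__main__":
    for name, fn in [("embedded", embedded_in_args),
                     ("environment", via_environment),
                     ("shell-expansion", via_shell_expansion)]:
        r = fn(TOKEN)
        print(f"{name:16} argv-leak={leaks_into_argv(r, TOKEN)} env-set={r['env'] == TOKEN}")
```

The third case is the check worth making when reviewing a fix of this shape: the wrapper's own command string no longer contains the value, but if a shell expands `$DATABRICKS_TOKEN` into an argument, the tool it launches receives the value in its argument list and the exposure moves one process down rather than disappearing. The second case is the clean form: put the value in the environment and let the tool read it from there itself, with nothing in any command line.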
@fdelbrayelle fdelbrayelle added the kind/security Security-related issue label Jun 30, 2026
github-actions Bot (Contributor) commented Jun 30, 2026
📦 Artifacts

Name   Size       Updated                         Expiration
jar    49.92 MB   Jun 30, 26, 6:09:35 PM UTC      Jul 7, 26, 6:09:33 PM UTC

🛡 Trivy

Vulnerability in: Java

Vulnerability     Severity   Package                                       Installed Version   Fixed Version
CVE-2026-54512    HIGH       com.fasterxml.jackson.core:jackson-databind   2.18.7              2.18.8, 3.1.4, 2.21.4
CVE-2026-54513    HIGH       com.fasterxml.jackson.core:jackson-databind   2.18.7              2.18.8, 2.21.4, 3.1.4
CVE-2026-54514    MEDIUM     com.fasterxml.jackson.core:jackson-databind   2.18.7              2.18.8, 2.21.4, 3.1.4
CVE-2026-54515    MEDIUM     com.fasterxml.jackson.core:jackson-databind   2.18.7              3.1.4, 2.18.9, 2.21.5

🧪 Java Unit Tests

Tests                Ran      Passed ✅   Skipped ⚠️   Failed ❌   Time ⏱
Java Tests Report    15       6 ✅        9 ⚠️         0 ❌        3s 486ms

🔁 Unreleased Commits

1 commit since v1.4.1

SHA       Title                                                   Author           Date
225ff22   chore(deps): group io.kestra.gradle.* dependabot updates   Malay Dewangan   Jun 30, 26, 10:12:25 AM UTC

github-actions Bot (Contributor) commented:

Tests report quick summary:

success ✅ > tests: 15, success: 6, skipped: 9, failed: 0

Project             Status       Success   Skipped   Failed
plugin-databricks   success ✅   6         9         0

@fdelbrayelle fdelbrayelle enabled auto-merge (squash) June 30, 2026 20:54
@fdelbrayelle fdelbrayelle disabled auto-merge June 30, 2026 21:09
@fdelbrayelle fdelbrayelle enabled auto-merge (squash) June 30, 2026 21:57
@fdelbrayelle fdelbrayelle disabled auto-merge July 1, 2026 08:36
@fdelbrayelle fdelbrayelle merged commit 778a9d8 into main Jul 1, 2026
7 checks passed
@fdelbrayelle fdelbrayelle deleted the fix/security-audit-20260630 branch July 1, 2026 08:36