
Interface for Grype to query graphql vuln store #734

Merged · 18 commits · Jun 17, 2022

Conversation

ajvpot
Contributor

@ajvpot ajvpot commented Jun 15, 2022

STOP: Is this a security vulnerability? If so, follow Responsible Disclosure and email us at security@lunasec.io instead of opening a public PR.


@dev-lunatrace-by-lunasec dev-lunatrace-by-lunasec bot left a comment


LUNATRACE IN DEV MODE

Build Snapshot Complete


Security Scan Findings

Showing 17 results.

| Package Name | Versions | Severity | Locations |
|---|---|---|---|
| jackson-databind | 2.6.4 | Critical | 1 location |
| redis | 2.8.0 | Critical | 1 location |
| merge | 1.2.1 | Critical | 1 location |
| docs | 0.0.0-use.local | Critical | 1 location |
| through | 2.3.8 | Critical | 1 location |
| pac-resolver | 4.2.0 | Critical | 1 location |
| immer | 8.0.1 | Critical | 1 location |
| vm2 | 3.9.3 | Critical | 1 location |
| jsonpointer | 5.0.0 | Critical | 1 location |
| ramda | 0.24.1 | Critical | 1 location |
| shell-quote | 1.7.2 | Critical | 1 location |
| minimist | 0.0.8 | Critical | 1 location |
| minimist | 1.2.5 | Critical | 2 locations |
| eventsource | 1.1.0 | Critical | 1 location |
| ejs | 3.1.6 | Critical | 1 location |
| github.com/hashicorp/go-getter | v1.5.9 | Critical | 1 location |
| ejs | 2.7.4 | Critical | 1 location |


@lunatrace-by-lunasec lunatrace-by-lunasec bot left a comment


Build Snapshot Complete


Security Scan Findings

Showing 14 results.

| Package Name | Versions | Severity | Locations |
|---|---|---|---|
| merge | 1.2.1 | Critical | 1 location |
| pac-resolver | 4.2.0 | Critical | 1 location |
| immer | 8.0.1 | Critical | 1 location |
| vm2 | 3.9.3 | Critical | 1 location |
| jsonpointer | 5.0.0 | Critical | 1 location |
| through | 2.3.8 | Critical | 1 location |
| ramda | 0.24.1 | Critical | 1 location |
| shell-quote | 1.7.2 | Critical | 1 location |
| minimist | 0.0.8 | Critical | 1 location |
| minimist | 1.2.5 | Critical | 1 location |
| eventsource | 1.1.0 | Critical | 1 location |
| ejs | 3.1.6 | Critical | 1 location |
| github.com/hashicorp/go-getter | v1.5.9 | Critical | 1 location |
| ejs | 2.7.4 | Critical | 1 location |

@ajvpot ajvpot marked this pull request as draft June 15, 2022 00:55
@github-actions
Contributor

Hasura Semantic Diff

Hasura config files have changed. This comment shows which fields have changed ignoring formatting.

```
object_relationships
  + one list entry added:
    - name: package
      using:
        foreign_key_constraint_on: package_id


(root level)
+ one map entry added:
  configuration:
    custom_root_fields: {}
    custom_name: vulnerability
    column_config: {}
    custom_column_names: {}
```

diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1655260379289_vulnerability-tweaks/down.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1655260379289_vulnerability-tweaks/down.sql
new file mode 100644
index 00000000..aab7998a
--- /dev/null
+++ b/lunatrace/bsl/hasura/migrations/lunatrace/1655260379289_vulnerability-tweaks/down.sql
@@ -0,0 +1,3 @@
+ALTER TABLE vulnerability.affected
+    DROP CONSTRAINT IF EXISTS affected_package_id_fk;
+
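Review bot: the `DROP CONSTRAINT IF EXISTS affected_package_id_fk` in this down migration is idempotent, which is right for a rollback, but it also means a typo or later rename of the constraint name in either file turns the rollback into a silent no-op rather than an error; the name must match the `affected_package_id_fk` used in up.sql exactly, so consider a comment pointing at the paired up migration so the two names are kept in sync when either is edited.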
diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1655260379289_vulnerability-tweaks/up.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1655260379289_vulnerability-tweaks/up.sql
new file mode 100644
index 00000000..9e04a1b9
--- /dev/null
+++ b/lunatrace/bsl/hasura/migrations/lunatrace/1655260379289_vulnerability-tweaks/up.sql
@@ -0,0 +1,4 @@
+ALTER TABLE vulnerability.affected
+    ADD CONSTRAINT affected_package_id_fk
+        FOREIGN KEY (package_id) REFERENCES package.package;
+
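Review bot: `ADD CONSTRAINT affected_package_id_fk FOREIGN KEY (package_id) REFERENCES package.package` gives no `ON DELETE` / `ON UPDATE` action, so on Postgres it defaults to `NO ACTION` and any attempt to delete a `package.package` row that still has `vulnerability.affected` children will fail; state the intended behaviour explicitly (`ON DELETE CASCADE` or `ON DELETE RESTRICT`) so the choice is visible to reviewers. Also note that adding the constraint validates existing rows, so this migration will fail on a database where `vulnerability.affected.package_id` contains values with no matching `package.package` row (or it should be preceded by a cleanup step), and the new relationship will make Hasura join on `package_id`, so check that an index exists on that column.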

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ajvpot
❌ github-actions[bot]

@ajvpot ajvpot marked this pull request as ready for review June 15, 2022 22:15
@ajvpot ajvpot merged commit 4ac8fe3 into master Jun 17, 2022
breadchris pushed a commit that referenced this pull request Dec 21, 2022
Former-commit-id: 37fa106
Former-commit-id: f87ab33e074a6831837b2a8273e0bda9e64ccbf5