
Conversation

behnazh-w

@behnazh-w behnazh-w commented Apr 17, 2023

Based on the Scorecard report we should avoid downloadThenRun patterns because we won't have a chance to review the download script before running it.

Also see this discussion.

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@behnazh-w behnazh-w requested a review from tromai as a code owner April 17, 2023 04:59
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 17, 2023
rm -f "$CHECKSUMS"

# Check if artifact is valid.
if [ "$EXPECTED" == "$SYFT_DIGEST" ]; then
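Review bot: the comparison at `if [ "$EXPECTED" == "$SYFT_DIGEST" ]; then` is only as strong as the provenance of `$EXPECTED`; if it was read out of the checksums file that `rm -f "$CHECKSUMS"` just deleted and that file was fetched from the same origin as the tarball, anyone who can tamper with the download can tamper with the checksum as well, so either pin the expected digest in the script or verify the checksums file's signature before trusting it. Also, `==` inside single brackets is a bashism; use `=` if the script is meant to run under POSIX sh.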

Should we perform this checking before extracting the tarball as we haven't trusted it yet?

@behnazh-w behnazh-w Apr 17, 2023

Good point. See commit 46141d6.

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
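The pattern the PR description argues against, and the ordering the reviewer asks for (verify the digest, then extract), as an added example that is not macaron's own script: the download lands in a file, its SHA-256 is compared against a digest pinned in the script from a source independent of the download, and extraction only happens on a match. The function names, the `example.invalid` URL and the use of `sha256sum`/`shasum` and `tar` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the project. Contrast with the
# download-then-run pattern that Scorecard flags:
#
#   curl -sSL https://example.invalid/install.sh | sh   # runs whatever the server sent
#
# Assumptions: sha256sum (GNU) or shasum (BSD/macOS) and tar are on PATH,
# and the expected digest is pinned in the script, not read from a file
# fetched alongside the artifact.
set -eu

# sha256 of a file, portable across GNU and BSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_extract TARBALL EXPECTED_SHA256 DESTDIR
# Extracts only if the digest matches. On mismatch the untrusted file is
# deleted, DESTDIR is left untouched, and the function returns 1.
verify_then_extract() {
    tarball=$1
    expected=$2
    destdir=$3
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: expected $expected, got $actual" >&2
        rm -f "$tarball"
        return 1
    fi
    mkdir -p "$destdir"
    tar -xzf "$tarball" -C "$destdir"
}

# In a real install step the digest is a constant pinned per release, e.g.
#   EXPECTED_SHA256=<digest copied from the release page>   # hypothetical
#   curl -fsSL -o "$tmp/tool.tar.gz" "https://example.invalid/tool.tar.gz"
#   verify_then_extract "$tmp/tool.tar.gz" "$EXPECTED_SHA256" "$tmp/bin"
```

The negative path matters as much as the positive one: a mismatch must not leave a partially extracted tree behind, which is why extraction is the last step rather than the first.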
@behnazh-w behnazh-w merged commit b009eb0 into staging Apr 17, 2023
@behnazh-w behnazh-w deleted the fix-insecure-download branch April 19, 2023 05:09
@behnazh-w behnazh-w added this to the Release v0.1.0 milestone Apr 21, 2023
@behnazh-w behnazh-w self-assigned this Apr 21, 2023
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>