| Author | SHA1 | Date | |
|---|---|---|---|
| 005793d644 |
@@ -2,9 +2,9 @@ name: CI
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main, dev, uat]
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main, dev, uat]
|
||||
branches: [main]
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
|
||||
@@ -1,21 +1,20 @@
|
||||
name: Promotion Gate
|
||||
name: Dual Approval (CTO + QA)
|
||||
|
||||
# Calls the shared promotion gate workflow.
|
||||
# dev PRs: no gate (engineer self-merges).
|
||||
# uat PRs: QA approval required.
|
||||
# main PRs: UAT approval required (uat→main promotions).
|
||||
# Calls the shared dual-approval-check workflow.
|
||||
# Passes when both privilegedescalation-cto and privilegedescalation-qa
|
||||
# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
|
||||
# in branch protection to enforce this gate.
|
||||
|
||||
on:
|
||||
pull_request_review:
|
||||
types: [submitted, dismissed]
|
||||
pull_request:
|
||||
branches: [uat, main]
|
||||
branches: [main]
|
||||
types: [opened, reopened, synchronize]
|
||||
|
||||
jobs:
|
||||
promotion-gate:
|
||||
dual-approval:
|
||||
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
||||
secrets: inherit
|
||||
with:
|
||||
pr_number: ${{ github.event.pull_request.number }}
|
||||
|
||||
|
||||
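Review bot: The workflow declares no `permissions:` block, so the called dual-approval-check workflow runs with the repository's default token permissions, and `secrets: inherit` forwards every repository and organization secret to it; the E2E workflow added in this same commit does set `permissions:` / `contents: read`, so this file should match it and grant only what the check needs, presumably `permissions:` / `pull-requests: read` at top level plus an explicit `secrets:` mapping instead of `inherit`. The reusable workflow is referenced as `dual-approval-check.yaml@main`, a mutable ref, so the gate's logic can change underneath branch protection without any change in this repository; a tag or commit SHA is the usual pin for a workflow that enforces approvals. The header comment tells readers to add "Dual Approval (CTO + QA)" to required_status_checks, but GitHub keys required checks on the check-run (job) name rather than the workflow name, so the check to require is presumably `dual-approval / <job name in the called workflow>` — worth verifying on the checks tab and correcting the comment accordingly.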
@@ -0,0 +1,24 @@
|
||||
name: E2E Tests
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
concurrency:
|
||||
group: e2e-${{ github.repository }}
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
e2e:
|
||||
uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@hugh/add-pnpm-support-plugin-e2e
|
||||
with:
|
||||
node-version: '22'
|
||||
headlamp-version: v0.40.1
|
||||
e2e-namespace: headlamp-dev
|
||||
plugin-name: headlamp-kube-vip
|
||||
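Review bot: The reusable workflow is referenced at `plugin-e2e.yaml@hugh/add-pnpm-support-plugin-e2e`, a personal feature branch; once that branch is merged or deleted the `uses:` ref breaks, and until then the workflow content that runs against the `headlamp-dev` namespace is whatever that branch currently holds, so it should point at `@main` or a tag/SHA in the shared repo (the dual-approval workflow in this same commit already uses `@main`). The `.gitignore` hunk in this commit drops the `# E2E` entries (`e2e/.auth/`, `.env.e2e`, `playwright-report/`, `test-results/`); if the e2e run or a local invocation writes Playwright auth state or an env file into the checkout, those files can now be committed, so the removal looks unintended alongside adding this workflow. No `secrets:` line is passed to the called workflow, which is the right default for fork `pull_request` runs, but confirm the called workflow can reach the cluster without them or document how credentials are obtained.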
@@ -1,20 +0,0 @@
|
||||
name: Renovate
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 3 * * 0'
|
||||
workflow_dispatch:
|
||||
jobs:
|
||||
renovate:
|
||||
runs-on: runners-privilegedescalation
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Generate GitHub App token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@v3
|
||||
with:
|
||||
app-id: ${{ secrets.RELEASE_APP_ID }}
|
||||
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
||||
- uses: renovatebot/github-action@v40.3.0
|
||||
with:
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
configurationFile: renovate.json
|
||||
@@ -5,9 +5,3 @@ dist/
|
||||
.env
|
||||
.env.local
|
||||
.eslintcache
|
||||
|
||||
# E2E
|
||||
e2e/.auth/
|
||||
.env.e2e
|
||||
playwright-report/
|
||||
test-results/
|
||||
|
||||
-25
@@ -22,28 +22,3 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
|
||||
|
||||
## Known Low-Severity Vulnerabilities
|
||||
|
||||
### GHSA-848j-6mx2-7j84 (elliptic)
|
||||
|
||||
**Severity:** High (but not exploitable in this plugin's context)
|
||||
|
||||
**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
|
||||
|
||||
**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
|
||||
- Use of `elliptic` curve operations on untrusted input, AND
|
||||
- Ability for an attacker to influence the `elliptic` curve key generation input
|
||||
|
||||
Neither condition is met in this plugin's runtime context.
|
||||
|
||||
**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
|
||||
|
||||
**Risk acceptance rationale:**
|
||||
1. Plugin has no write operations against the cluster
|
||||
2. All data flows through Headlamp's API proxy with standard RBAC enforcement
|
||||
3. The vulnerable dependency is only in the development/build toolchain, not runtime
|
||||
4. No untrusted input can reach `elliptic` curve operations through this plugin
|
||||
|
||||
**Review date:** 2026-05-05
|
||||
**Reviewed by:** Hugh Hackman (VP Engineering Operations)
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
{
|
||||
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
|
||||
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
|
||||
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
|
||||
// and do NOT ship in production plugin artifacts.
|
||||
"allowlist": [
|
||||
{
|
||||
"id": "GHSA-hhpm-516h-p3p6",
|
||||
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
|
||||
},
|
||||
{
|
||||
"id": "GHSA-36xf-7xpp-53w5",
|
||||
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
|
||||
},
|
||||
{
|
||||
"id": "GHSA-jf8v-p3pp-93qh",
|
||||
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
|
||||
}
|
||||
]
|
||||
}
|
||||
+1
-2
@@ -33,8 +33,7 @@
|
||||
"tar": "^7.5.11",
|
||||
"undici": "^7.24.3",
|
||||
"lodash": ">=4.18.0",
|
||||
"vite": ">=6.4.2",
|
||||
"elliptic": ">=6.6.1"
|
||||
"vite": ">=6.4.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@headlamp-k8s/eslint-config": "^0.6.0",
|
||||
|
||||
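Review bot: With the `lodash` override removed here and the allowlist entry for GHSA-jf8v-p3pp-93qh deleted in the same commit, nothing visible in this diff states how the lodash `_.template` advisory is now handled; presumably the regenerated lockfile resolves lodash at a fixed version, but that file's diff is suppressed, so a sentence in the commit description (or an `npm audit` / `pnpm audit` result) would make the rationale traceable. The remaining `"vite": ">=6.4.2"` override is open-ended and will accept any future major, which can break the build toolchain without a change in this repository; a bounded range such as `"vite": "^6.4.2"` keeps the security floor while staying predictable. The enclosing object (presumably `overrides`) starts before this hunk.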
Generated
+266
-266
+2
-18
@@ -1,21 +1,5 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"extends": ["github>privilegedescalation/.github:renovate-config"],
|
||||
"packageRules": [
|
||||
{
|
||||
"description": "Auto-merge minor and patch updates for @kinvolk/headlamp-plugin",
|
||||
"matchPackageNames": ["@kinvolk/headlamp-plugin"],
|
||||
"matchUpdateTypes": ["minor", "patch"],
|
||||
"automerge": true,
|
||||
"automergeType": "pr"
|
||||
},
|
||||
{
|
||||
"description": "Auto-merge security patches for @kinvolk/headlamp-plugin immediately",
|
||||
"matchPackageNames": ["@kinvolk/headlamp-plugin"],
|
||||
"matchUpdateTypes": ["security"],
|
||||
"automerge": true,
|
||||
"automergeType": "pr",
|
||||
"labels": ["security"]
|
||||
}
|
||||
]
|
||||
"extends": ["github>privilegedescalation/.github:renovate-config"]
|
||||
}
|
||||
|
||||
|
||||
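Review bot: Dropping the two `packageRules` entries removes the repository-level automerge for `@kinvolk/headlamp-plugin` minor/patch and `security` updates, leaving only `extends`; whether the shared `github>privilegedescalation/.github:renovate-config` preset carries equivalent rules is not visible here, and the repo-local Renovate workflow is deleted in this same commit, so the commit description should state where Renovate now runs for this repo and that security updates still automerge. If the preset does not cover it, the security rule (`"matchUpdateTypes": ["security"]`, `"automerge": true`, `"labels": ["security"]`) is the one worth keeping locally.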