Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 005793d644 |
@@ -2,9 +2,9 @@ name: CI
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: [main, dev, uat]
|
branches: [main]
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main, dev, uat]
|
branches: [main]
|
||||||
workflow_call:
|
workflow_call:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
|||||||
@@ -1,21 +1,20 @@
|
|||||||
name: Promotion Gate
|
name: Dual Approval (CTO + QA)
|
||||||
|
|
||||||
# Calls the shared promotion gate workflow.
|
# Calls the shared dual-approval-check workflow.
|
||||||
# dev PRs: no gate (engineer self-merges).
|
# Passes when both privilegedescalation-cto and privilegedescalation-qa
|
||||||
# uat PRs: QA approval required.
|
# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
|
||||||
# main PRs: UAT approval required (uat→main promotions).
|
# in branch protection to enforce this gate.
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request_review:
|
pull_request_review:
|
||||||
types: [submitted, dismissed]
|
types: [submitted, dismissed]
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [uat, main]
|
branches: [main]
|
||||||
types: [opened, reopened, synchronize]
|
types: [opened, reopened, synchronize]
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
promotion-gate:
|
dual-approval:
|
||||||
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
||||||
secrets: inherit
|
secrets: inherit
|
||||||
with:
|
with:
|
||||||
pr_number: ${{ github.event.pull_request.number }}
|
pr_number: ${{ github.event.pull_request.number }}
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,24 @@
|
|||||||
|
name: E2E Tests
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
pull_request:
|
||||||
|
branches: [main]
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
concurrency:
|
||||||
|
group: e2e-${{ github.repository }}
|
||||||
|
cancel-in-progress: false
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
e2e:
|
||||||
|
uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@hugh/add-pnpm-support-plugin-e2e
|
||||||
|
with:
|
||||||
|
node-version: '22'
|
||||||
|
headlamp-version: v0.40.1
|
||||||
|
e2e-namespace: headlamp-dev
|
||||||
|
plugin-name: headlamp-kube-vip
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
name: Renovate
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
- cron: '0 3 * * 0'
|
|
||||||
workflow_dispatch:
|
|
||||||
jobs:
|
|
||||||
renovate:
|
|
||||||
runs-on: runners-privilegedescalation
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- name: Generate GitHub App token
|
|
||||||
id: app-token
|
|
||||||
uses: actions/create-github-app-token@v3
|
|
||||||
with:
|
|
||||||
app-id: ${{ secrets.RELEASE_APP_ID }}
|
|
||||||
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
|
||||||
- uses: renovatebot/github-action@v40.3.0
|
|
||||||
with:
|
|
||||||
token: ${{ steps.app-token.outputs.token }}
|
|
||||||
configurationFile: renovate.json
|
|
||||||
@@ -5,9 +5,3 @@ dist/
|
|||||||
.env
|
.env
|
||||||
.env.local
|
.env.local
|
||||||
.eslintcache
|
.eslintcache
|
||||||
|
|
||||||
# E2E
|
|
||||||
e2e/.auth/
|
|
||||||
.env.e2e
|
|
||||||
playwright-report/
|
|
||||||
test-results/
|
|
||||||
|
|||||||
-25
@@ -22,28 +22,3 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us
|
|||||||
## Reporting a Vulnerability
|
## Reporting a Vulnerability
|
||||||
|
|
||||||
Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
|
Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
|
||||||
|
|
||||||
## Known Low-Severity Vulnerabilities
|
|
||||||
|
|
||||||
### GHSA-848j-6mx2-7j84 (elliptic)
|
|
||||||
|
|
||||||
**Severity:** High (but not exploitable in this plugin's context)
|
|
||||||
|
|
||||||
**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
|
|
||||||
|
|
||||||
**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
|
|
||||||
- Use of `elliptic` curve operations on untrusted input, AND
|
|
||||||
- Ability for an attacker to influence the `elliptic` curve key generation input
|
|
||||||
|
|
||||||
Neither condition is met in this plugin's runtime context.
|
|
||||||
|
|
||||||
**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
|
|
||||||
|
|
||||||
**Risk acceptance rationale:**
|
|
||||||
1. Plugin has no write operations against the cluster
|
|
||||||
2. All data flows through Headlamp's API proxy with standard RBAC enforcement
|
|
||||||
3. The vulnerable dependency is only in the development/build toolchain, not runtime
|
|
||||||
4. No untrusted input can reach `elliptic` curve operations through this plugin
|
|
||||||
|
|
||||||
**Review date:** 2026-05-05
|
|
||||||
**Reviewed by:** Hugh Hackman (VP Engineering Operations)
|
|
||||||
|
|||||||
@@ -1,20 +0,0 @@
|
|||||||
{
|
|
||||||
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
|
|
||||||
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
|
|
||||||
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
|
|
||||||
// and do NOT ship in production plugin artifacts.
|
|
||||||
"allowlist": [
|
|
||||||
{
|
|
||||||
"id": "GHSA-hhpm-516h-p3p6",
|
|
||||||
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"id": "GHSA-36xf-7xpp-53w5",
|
|
||||||
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"id": "GHSA-jf8v-p3pp-93qh",
|
|
||||||
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
+1
-2
@@ -33,8 +33,7 @@
|
|||||||
"tar": "^7.5.11",
|
"tar": "^7.5.11",
|
||||||
"undici": "^7.24.3",
|
"undici": "^7.24.3",
|
||||||
"lodash": ">=4.18.0",
|
"lodash": ">=4.18.0",
|
||||||
"vite": ">=6.4.2",
|
"vite": ">=6.4.2"
|
||||||
"elliptic": ">=6.6.1"
|
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@headlamp-k8s/eslint-config": "^0.6.0",
|
"@headlamp-k8s/eslint-config": "^0.6.0",
|
||||||
|
|||||||
Generated
+266
-266
File diff suppressed because it is too large
Load Diff
+2
-18
@@ -1,21 +1,5 @@
|
|||||||
{
|
{
|
||||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||||
"extends": ["github>privilegedescalation/.github:renovate-config"],
|
"extends": ["github>privilegedescalation/.github:renovate-config"]
|
||||||
"packageRules": [
|
|
||||||
{
|
|
||||||
"description": "Auto-merge minor and patch updates for @kinvolk/headlamp-plugin",
|
|
||||||
"matchPackageNames": ["@kinvolk/headlamp-plugin"],
|
|
||||||
"matchUpdateTypes": ["minor", "patch"],
|
|
||||||
"automerge": true,
|
|
||||||
"automergeType": "pr"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"description": "Auto-merge security patches for @kinvolk/headlamp-plugin immediately",
|
|
||||||
"matchPackageNames": ["@kinvolk/headlamp-plugin"],
|
|
||||||
"matchUpdateTypes": ["security"],
|
|
||||||
"automerge": true,
|
|
||||||
"automergeType": "pr",
|
|
||||||
"labels": ["security"]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user