Page MenuHomePhabricator
Create Task
Maniphest T351263

Pin OSV to v1.4.2 (not v1.4.3) until v1.5.0 comes out?
Closed, ResolvedPublic
Actions

Description

Per https://github.com/google/osv-scanner/issues/639 there's a bug upstream that is blocking us from using the Application Security Pipeline for function-orchestrator; it's solved upstream and will be fixed in v1.5.0 when that comes out, but until then would it be possible to pin the ASP to v1.4.2 as they recommend?

I believe that currently we're just pointed at @v1 per https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/blob/main/generic-osv/osv-ci.yaml?ref_type=heads#L33

Details

TitleReferenceAuthorSource BranchDest Branch
Bump version to 1.4.2 due to bug in osv clirepos/security/gitlab-ci-security-templates!26sbassettT351263-bump-osv-version-due-to-errormain
Customize query in GitLab

Related Objects

Event Timeline

Jdforrester-WMF created this task.Nov 14 2023, 9:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 14 2023, 9:41 PM
sbassett added a project: Security-Team.Nov 27 2023, 5:04 PM
sbassett changed the task status from Open to In Progress.Nov 27 2023, 5:11 PM
sbassett claimed this task.
sbassett triaged this task as High priority.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added a project: SecTeam-Processed.
CodeReviewBot added a project: Patch-For-Review.Nov 27 2023, 5:29 PM

sbassett opened https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/merge_requests/26

Bump version to 1.4.2 due to bug in osv cli

CodeReviewBot added a comment.Nov 27 2023, 6:57 PM

sbassett merged https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/merge_requests/26

Bump version to 1.4.2 due to bug in osv cli

Maintenance_bot removed a project: Patch-For-Review.Nov 27 2023, 7:11 PM
sbassett closed this task as Resolved.EditedNov 27 2023, 7:11 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.

New release tagged, which incorporates this now-resolved issue: https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/tags/0.1.3

Should be ready for use:

include:
  - project: 'repos/security/gitlab-ci-security-templates'
    ref: 0.1.3
    file: 'generic-osv/osv-ci.yaml'
sbassett moved this task from In Progress to Done on the user-sbassett board.Nov 27 2023, 7:11 PM
Jdforrester-WMF added a comment.Nov 27 2023, 7:49 PM
In T351263#9360824, @sbassett wrote:

New release tagged, which incorporates this now-resolved issue: https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/tags/0.1.3

Should be ready for use:

include:
  - project: 'repos/security/gitlab-ci-security-templates'
    ref: 0.1.3
    file: 'generic-osv/osv-ci.yaml'

Thanks! Unfortunately it looks like the difference from v0.1.2 breaks us in other ways. Will file a follow-up.

sbassett added a comment.Nov 27 2023, 10:06 PM
In T351263#9360995, @Jdforrester-WMF wrote:

Thanks! Unfortunately it looks like the difference from v0.1.2 breaks us in other ways. Will file a follow-up.

I think we're ok now, given our Slack conversation and T352089#9361319?

Jdforrester-WMF added a comment.Nov 28 2023, 2:38 PM
In T351263#9361483, @sbassett wrote:
In T351263#9360995, @Jdforrester-WMF wrote:

Thanks! Unfortunately it looks like the difference from v0.1.2 breaks us in other ways. Will file a follow-up.

I think we're ok now, given our Slack conversation and T352089#9361319?

Yup.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL