From c0f01cb9c9f417d89a6fd2c0be29cc9073db2d74 Mon Sep 17 00:00:00 2001
From: Jin-Sun-tts
Date: Mon, 17 Jun 2024 13:08:21 +0000
Subject: [PATCH 1/5] added check for usage of SSL_free_buffers

---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Makefile b/Makefile
index 658f22a1..94fd6614 100644
--- a/Makefile
+++ b/Makefile
@@ -174,3 +174,6 @@ harvest:
 # ARGS=gather-consumer make harvest
 # ARGS=fetch-consumer make harvest
 docker compose exec ckan ckan harvester $(ARGS)
+
+test-ssl:
+ @docker compose exec ckan grep -riI "SSL_" /usr/local/lib/python3.10/site-packages/ || echo "SSL_free_buffers not be used"

From 3fb60ef5bc3127c0833b2ca45bb576db52710eb2 Mon Sep 17 00:00:00 2001
From: Jin-Sun-tts
Date: Mon, 17 Jun 2024 17:03:44 +0000
Subject: [PATCH 2/5] added option to check vulnerable function

---
 Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 94fd6614..0f4d44fd 100644
--- a/Makefile
+++ b/Makefile
@@ -176,4 +176,5 @@ harvest:
 docker compose exec ckan ckan harvester $(ARGS)
 test-ssl:
- @docker compose exec ckan grep -riI "SSL_" /usr/local/lib/python3.10/site-packages/ || echo "SSL_free_buffers not be used"
+ # Check for no usage of SSL_free_buffers. # Details: https://github.com/GSA/data.gov/issues/4781
+ ! docker compose run --rm -T ckan grep -riI "SSL_free_buffers" /usr/local/lib/python3.10/site-packages/ && echo "Vulnerable SSL_free_buffers is not used"

From 767cb0f007896efbce2f1c0f2636e4002a15e027 Mon Sep 17 00:00:00 2001
From: Jin-Sun-tts
Date: Mon, 17 Jun 2024 18:12:22 +0000
Subject: [PATCH 3/5] added step to github commit

---
 .github/workflows/commit.yml | 9 +++++++++
 Makefile | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/commit.yml b/.github/workflows/commit.yml
index a8638c0d..12ea089d 100644
--- a/.github/workflows/commit.yml
+++ b/.github/workflows/commit.yml
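Review bot: The `!` on the new recipe line in patch 2 turns every non-zero exit from `docker compose run` or `grep` into a pass, so a grep error (exit 2, for example when the site-packages path does not exist in the image) or a failure to start the `ckan` service prints "Vulnerable SSL_free_buffers is not used" and the target exits 0 — the check fails open exactly when it could not run. Only grep's exit status 1 means "no match"; 0 means a hit and anything else means the search never happened, and the recipe should treat the three differently. `-i` is also unnecessary for an exact symbol name, and `-l` would list just the offending files instead of every matching line. A sketch of the recipe with explicit status handling follows; the target header and the comment line with the issue link are unchanged.
```makefile
vulnerability-check:
# … unchanged: comment line with the issue link …
	@docker compose run --rm -T ckan grep -rlI "SSL_free_buffers" /usr/local/lib/python3.10/site-packages/; \
	status=$$?; \
	if [ $$status -eq 1 ]; then echo "SSL_free_buffers is not referenced"; \
	elif [ $$status -eq 0 ]; then echo "SSL_free_buffers is referenced, see files above" >&2; exit 1; \
	else echo "vulnerability check could not run (exit $$status)" >&2; exit $$status; fi
```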
@@ -55,6 +55,15 @@ jobs:
 - name: test_importer
 run: make test-import-tool
+ test_vulnerability:
+ name: test vulnerability
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+ - name: test_vulnerability
+ run: make vulnerability-check
+
 create-cloudgov-services-development:
 if: github.ref == 'refs/heads/develop'
 name: create services (development)
diff --git a/Makefile b/Makefile
index 0f4d44fd..48a43cdd 100644
--- a/Makefile
+++ b/Makefile
@@ -175,6 +175,6 @@ harvest:
 # ARGS=fetch-consumer make harvest
 docker compose exec ckan ckan harvester $(ARGS)
-test-ssl:
+vulnerability-check:
 # Check for no usage of SSL_free_buffers. # Details: https://github.com/GSA/data.gov/issues/4781
 ! docker compose run --rm -T ckan grep -riI "SSL_free_buffers" /usr/local/lib/python3.10/site-packages/ && echo "Vulnerable SSL_free_buffers is not used"

From 5c4d31d9a7d2125c4f3809612c23d6c0d77222ca Mon Sep 17 00:00:00 2001
From: Jin-Sun-tts
Date: Mon, 17 Jun 2024 18:16:14 +0000
Subject: [PATCH 4/5] test the failure

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 48a43cdd..60214ed7 100644
--- a/Makefile
+++ b/Makefile
@@ -177,4 +177,4 @@ harvest:
 vulnerability-check:
 # Check for no usage of SSL_free_buffers. # Details: https://github.com/GSA/data.gov/issues/4781
- ! docker compose run --rm -T ckan grep -riI "SSL_free_buffers" /usr/local/lib/python3.10/site-packages/ && echo "Vulnerable SSL_free_buffers is not used"
+ ! docker compose run --rm -T ckan grep -riI "SSL_sock" /usr/local/lib/python3.10/site-packages/ && echo "Vulnerable SSL_free_buffers is not used"

From 016a039fee27521df87cfe2a9f6ecf25524d3ff0 Mon Sep 17 00:00:00 2001
From: Jin-Sun-tts
Date: Mon, 17 Jun 2024 18:19:47 +0000
Subject: [PATCH 5/5] added step to github commit

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 60214ed7..48a43cdd 100644
--- a/Makefile
+++ b/Makefile
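Review bot: The new `test_vulnerability` job goes from `actions/checkout@v4` straight to `make vulnerability-check`, and that target runs `docker compose run --rm -T ckan …`; nothing in the job builds or pulls the `ckan` image, and because the Makefile recipe negates the command's exit status, a compose failure on a bare runner (no image, no reachable daemon) is reported as the vulnerable function being absent and the job goes green. If the sibling jobs in this workflow have a build or pull step before their `make` call (they start outside this hunk), mirror it here with a `run: docker compose build ckan` step before the check, and have the Makefile target exit non-zero on any grep status other than 1 so an unrunnable check cannot pass. Pinning the action to a full commit SHA with the `v4` tag in a trailing comment would also match current supply-chain guidance for third-party actions, assuming the rest of the workflow is not already doing so.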
@@ -177,4 +177,4 @@ harvest:
 vulnerability-check:
 # Check for no usage of SSL_free_buffers. # Details: https://github.com/GSA/data.gov/issues/4781
- ! docker compose run --rm -T ckan grep -riI "SSL_sock" /usr/local/lib/python3.10/site-packages/ && echo "Vulnerable SSL_free_buffers is not used"
+ ! docker compose run --rm -T ckan grep -riI "SSL_free_buffers" /usr/local/lib/python3.10/site-packages/ && echo "Vulnerable SSL_free_buffers is not used"
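Review bot: The restored recipe greps with `-I`, which skips binary files, so it only inspects text under site-packages — but `SSL_free_buffers` is a libssl function that a Python service presumably reaches only through compiled bindings (a `.so` shipped in site-packages or the system libssl), which are exactly the files `-I` excludes, so a clean result here does not show the function is unused. Whether the symbol is referenced is also not what decides exposure to a libssl bug; what matters is whether the OpenSSL the container actually links is at or above the fixed release the linked issue calls for. I would replace or at least complement this with a version assertion, e.g. `docker compose run --rm -T ckan sh -c 'openssl version; python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"'` compared against the patched version, and if the `cryptography` wheel is installed its bundled OpenSSL needs its own check. The comment above the recipe should say what the check actually establishes, e.g. `# Text-only search of site-packages; compiled bindings and the system libssl are not inspected.`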