Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create CVE Scanning #80

Merged
merged 8 commits into from
Dec 12, 2023
Merged

Create CVE Scanning #80

merged 8 commits into from
Dec 12, 2023

Conversation

josspo
Copy link
Contributor

@josspo josspo commented Dec 12, 2023

CVE Scanning action that use DependencyCheck with allow-list.xml.

Enable <EnableWindowsTargeting>true</EnableWindowsTargeting> in WpfFdc3.csproj because the action was failing if it's set to false.

@josspo josspo requested a review from a team December 12, 2023 13:58
@josspo josspo changed the title Creating CVE Scanning Create CVE Scanning Dec 12, 2023
@codecov Codecov
Copy link

codecov bot commented Dec 12, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (4516824) 77.74% compared to head (56d9f9d) 77.74%.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main      #80   +/-   ##
=======================================
  Coverage   77.74%   77.74%           
=======================================
  Files          49       49           
  Lines         391      391           
  Branches       37       37           
=======================================
  Hits          304      304           
  Misses         73       73           
  Partials       14       14

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@bingenito bingenito merged commit 02cb147 into finos:main Dec 12, 2023
6 checks passed
@bingenito
Copy link
Member

@josspo I think it is trying to interpret some dependency as being node/npm dependencies and reporting CVEs.

https://github.com/morganstanley/fdc3-dotnet/actions/runs/7184323366

@josspo
Copy link
Contributor Author

josspo commented Dec 13, 2023

@bingenito Are the CVEs false positives? If so, I can add them to the allow-list.xml.

@bingenito
Copy link
Member

@josspo I have to look at the nuget one still, but for the others it seems to think that "MorganStanley.Fdc3.Newtonsoft.Json" and "MorganStanley.Fdc3.Newtonsoft.Json.Tests" are the morgan-json and other releted npm packages which is absolutely a false positive

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bingenito bingenito bingenito approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@josspo @bingenito