Add Golang SAST and SCA checks #733
* fix: allow ssh user to use numbers/capital letters
  Prior to this change, usernames could not start with numbers and could not contain capital letters at all. Note that the username can also start with capital letters.
* fix: update ssh_config with IdentityFiles fix
  This adds the update that provides the ssh2 defaults for IdentityFiles. This will allow the usual defaults to be searched when none are explicitly provided.
* fix: overwrite identity files instead of appending
  This change makes it so a waveterm configured identity file will overwrite the one in the config instead of attempting to append it. This matches the behavior of openssh.
* style: use regular font for markdown user input
  This makes the Markdown User Input indistinct from user input without markdown. It changes the font and makes a couple small adjustments to the font size and line height.
* fix: use font property instead of font-family
  The markdown css for User Input can be simplified with the font being set by the "font" property rather than the "font-family" property.
* Sign and notarize in CI
* add dmg
* remove flag
* fix env var
* add team id
* conditionally set apple specific env vars
* publish to a staging location
* upload unzipped
* add script to publish to staging, update publish url
* turn off autodiscovery again
* update scripts
* deprecate old method
* move stuff
* remove autodiscovery
* checkpoint some ideas on a new branch
* checkpoint on new errors / errorcode passing
* get CodedError piped all the way through to infomsg
* implement a /reset:cwd command to deal with cases when the cwd is invalid. other assorted debugging, utility, and fixups
* on invalid cwd, show message to run /reset:cwd
* clientsettings fixups -- border top, padding, and remove theme dropdown for prod
* new cmdinput actions, get the filter commands showing, titlebars for info history and info aichat, toggles for history
* added system level keybindings
* added process key event
* added fix for code check
* add event.returnValue, remove console.logs, change sendSync to send
* Unify color definitions and clean up light mode
* consolidate form colors
* increase border thickness on dropdown and text
* remove dev conditional for theme
* fix secondary form element color
* increase dropdown border thickness
* fix history textinput
* make warning a bit darker
* attempt to fix rotate icons
* fix line actions bg
* fix terminal colors
* fix broken history colors
* fix textinput label padding
* fix bottom negative margin
* updates for prompt colors. darken magenta, grey out the whites slightly, and sneak in a change for git co.
* clean up prompt.tsx
* fixing wobbly icons
* center svg icon, simplify meta-line1
…startup speed. also only show window after ready-to-show. (wavetermdev#410)
* fix: set global ssh config to correct path
  This adds the missing "etc" directory to the path for the global config file.
* chore: update auth mode tooltip
  This just changes the text to be slightly more accurate to the current behavior.
* feat: add box to disable waveshell install modal
  This hooks in to the existing don't show this again code that pops up when creating a modal.
* refactor: remove install modal in remote creation
  There used to be a modal that popped up while installing a remote that informed the user that waveshell gets installed on their remote. Since we have a new modal that pops up at the time of install, the older modal can be removed.
* fix: allow user to cancel ssh dial
  The new ssh code broke dial for invalid urls since the context did not cancel the dial or any associated user input. This change reconnects the context along with the context for installing waveshell.
* style: widen the rconndetail modal
  The rconndetail modal is currently narrower than the xtermjs element which results in awkward scrolling if a line is long. This change makes the width auto so it can size itself as needed.
* add a max-width for safety
* convert table to div
* remove comment
* more history UI updates. copy/use controls, change font, fix scroll area
* use css variables
* fix textfield placeholder color
* put back input styles
* change overflow-x to auto
* addLineForCmd should only increment for running commands. also openai lines should increment
* small fix for openai chat styles
This adds support for Arch Linux via pacman. It also updates the product tagline in package.json and the "About" modal. It also removes the unused "Help" menu and updates the copyright year in About and fixes the window icon display on Linux.
* update mask color for tabswitcher to work on lightmode
* fix background color on code blocks in markdown in light mode
* update wording on disconnected modal (restart wave backend instead of restart server)
* fix tooltip (should be Ctrl-Space)
* cleanup line-height/padding for code blocks
* added config api path
* addressed feedback
* initial change for http file server
* removed old handle config func
* added user keybind config path
* fixed logs
…tory (wavetermdev#683)

Bumps the npm_and_yarn group with 1 update in the / directory: [ws](https://github.com/websockets/ws).

Updates `ws` from 7.5.9 to 7.5.10

Release notes (sourced from [ws's releases](https://github.com/websockets/ws/releases)):

7.5.10, Bug fixes:
- Backported e55e5106 to the 7.x release line (22c28763).

Commits:
- [d962d70](https://github.com/websockets/ws/commit/d962d70649e393841ee1ed726a8f7ffbe90d0c06) [dist] 7.5.10
- [22c2876](https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f) [security] Fix crash when the Upgrade header cannot be read ([#2231](https://redirect.github.com/websockets/ws/issues/2231))
- See full diff in [compare view](https://github.com/websockets/ws/compare/7.5.9...7.5.10)

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ws&package-manager=npm_and_yarn&previous-version=7.5.9&new-version=7.5.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options. You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/wavetermdev/waveterm/network/alerts).

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…rectory (wavetermdev#684)

Bumps the npm_and_yarn group with 1 update in the / directory: [braces](https://github.com/micromatch/braces).

Updates `braces` from 3.0.2 to 3.0.3

Commits:
- [74b2db2](https://github.com/micromatch/braces/commit/74b2db2938fad48a2ea54a9c8bf27a37a62c350d) 3.0.3
- [88f1429](https://github.com/micromatch/braces/commit/88f1429a0f47e1dd3813de35211fc97ffda27f9e) update eslint. lint, fix unit tests.
- [415d660](https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff) Snyk js braces 6838727 ([#40](https://redirect.github.com/micromatch/braces/issues/40))
- [190510f](https://github.com/micromatch/braces/commit/190510f79db1adf21d92798b0bb6fccc1f72c9d6) fix tests, skip 1 test in test/braces.expand
- [716eb9f](https://github.com/micromatch/braces/commit/716eb9f12d820b145a831ad678618731927e8856) readme bump
- [a5851e5](https://github.com/micromatch/braces/commit/a5851e57f45c3431a94d83fc565754bc10f5bbc3) Merge pull request [#37](https://redirect.github.com/micromatch/braces/issues/37) from coderaiser/fix/vulnerability
- [2092bd1](https://github.com/micromatch/braces/commit/2092bd1fb108d2c59bd62e243b70ad98db961538) feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
- [9f5b4cf](https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3) fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
- [98414f9](https://github.com/micromatch/braces/commit/98414f9f1fabe021736e26836d8306d5de747e0d) remove funding file
- [665ab5d](https://github.com/micromatch/braces/commit/665ab5d561c017a38ba7aafd92cc6655b91d8c14) update keepEscaping doc ([#27](https://redirect.github.com/micromatch/braces/issues/27))
- Additional commits viewable in [compare view](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=braces&package-manager=npm_and_yarn&previous-version=3.0.2&new-version=3.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
**Action Required:** We've moved to an authenticated system and you must now provide an authentication key within our script.

1. Create an account or log into https://app.dashcam.io.
2. Copy the API key from https://app.dashcam.io/team. You must be the team "owner".
3. Add the API key as `DASHCAM_API_KEY` within GitHub actions by following the guide [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).

This PR moves to our v3 system which includes
- Faster and more stable tests. Notice we're using a `yml` file to guide the test rather than open prompts. This means the AI will follow the same steps every time.
- Smarter AI. Better text matching, and more commands. We optimized how the AI matches text and images, making it way faster and more fault-tolerant.
- Better summaries. The AI will summarize the full test execution as well as errors
- Assertions. We can now explicitly ask the AI to verify things on screen
- Embedded tests. We can nest scripts for reusable components.

---------

Co-authored-by: orliesaurus <[email protected]>
…cross 1 directory (wavetermdev#717)

Bumps the npm_and_yarn group with 1 update in the / directory: [electron-updater](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater).

Updates `electron-updater` from 6.1.8 to 6.2.1

Release notes (sourced from [electron-updater's releases](https://github.com/electron-userland/electron-builder/releases)):

[email protected], Patch Changes:
- [#8091](https://redirect.github.com/electron-userland/electron-builder/pull/8091) [e2a181d9](https://github.com/electron-userland/electron-builder/commit/e2a181d9fe3fbdd84690359e275daaef24584729) Thanks [@mmaietta](https://github.com/mmaietta)! - fix(mac): revert autoupdate for mac differential

[email protected], Minor Changes:
- [#7709](https://redirect.github.com/electron-userland/electron-builder/pull/7709) [79df5423](https://github.com/electron-userland/electron-builder/commit/79df54238621fbe48ba20444129950ba2dc49983) Thanks [@beyondkmp](https://github.com/beyondkmp)! - feat: adding differential downloader for updates on macOS

[email protected], Patch Changes:
- [#8051](https://redirect.github.com/electron-userland/electron-builder/pull/8051) [48603ba0](https://github.com/electron-userland/electron-builder/commit/48603ba09dc7103849a2975799c19068fd08fc07) Thanks [@mmaietta](https://github.com/mmaietta)! - fix: auto-update powershell script requires reset of `PSModulePath`
- [#8057](https://redirect.github.com/electron-userland/electron-builder/pull/8057) [ccbb80de](https://github.com/electron-userland/electron-builder/commit/ccbb80dea4b6146ea2d2186193a1f307096e4d1e) Thanks [@mmaietta](https://github.com/mmaietta)! - chore: upgrading connected dependencies (typescript requires higher eslint version)
- Updated dependencies [[ccbb80de](https://github.com/electron-userland/electron-builder/commit/ccbb80dea4b6146ea2d2186193a1f307096e4d1e)]: [email protected]

Changelog (sourced from [electron-updater's changelog](https://github.com/electron-userland/electron-builder/blob/master/packages/electron-updater/CHANGELOG.md)):

6.2.1, Patch Changes:
- [#8091](https://redirect.github.com/electron-userland/electron-builder/pull/8091) [e2a181d9](https://github.com/electron-userland/electron-builder/commit/e2a181d9fe3fbdd84690359e275daaef24584729) Thanks [@mmaietta](https://github.com/mmaietta)! - fix(mac): revert autoupdate for mac differential

6.2.0, Minor Changes:
- [#7709](https://redirect.github.com/electron-userland/electron-builder/pull/7709) [79df5423](https://github.com/electron-userland/electron-builder/commit/79df54238621fbe48ba20444129950ba2dc49983) Thanks [@beyondkmp](https://github.com/beyondkmp)! - feat: adding differential downloader for updates on macOS

6.1.9, Patch Changes:
- [#8051](https://redirect.github.com/electron-userland/electron-builder/pull/8051) [48603ba0](https://github.com/electron-userland/electron-builder/commit/48603ba09dc7103849a2975799c19068fd08fc07) Thanks [@mmaietta](https://github.com/mmaietta)! - fix: auto-update powershell script requires reset of `PSModulePath`
- [#8057](https://redirect.github.com/electron-userland/electron-builder/pull/8057) [ccbb80de](https://github.com/electron-userland/electron-builder/commit/ccbb80dea4b6146ea2d2186193a1f307096e4d1e) Thanks [@mmaietta](https://github.com/mmaietta)! - chore: upgrading connected dependencies (typescript requires higher eslint version)
- Updated dependencies [[ccbb80de](https://github.com/electron-userland/electron-builder/commit/ccbb80dea4b6146ea2d2186193a1f307096e4d1e)]: [email protected]

Commits:
- [62d1991](https://github.com/electron-userland/electron-builder/commit/62d1991a7f1a26476100349733588763500ef16a) chore(deploy): Release ([email protected]) ([#8092](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/8092))
- [e2a181d](https://github.com/electron-userland/electron-builder/commit/e2a181d9fe3fbdd84690359e275daaef24584729) fix(mac): revert mac differential autoupdate ([#8091](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/8091))
- [cb335ec](https://github.com/electron-userland/electron-builder/commit/cb335ecfef1f4fd1aef94020c1eaf5ce91bef574) chore(deploy): Release v24.13.3 ([email protected]) ([#8084](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/8084))
- [79df542](https://github.com/electron-userland/electron-builder/commit/79df54238621fbe48ba20444129950ba2dc49983) feat: add support for differential zip updates on macOS ([#7709](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/7709))
- [8965608](https://github.com/electron-userland/electron-builder/commit/89656087d683dbe53240c920a684092b70d638db) chore(deploy): Release v24.13.1 ([email protected]) ([#8056](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/8056))
- [ccbb80d](https://github.com/electron-userland/electron-builder/commit/ccbb80dea4b6146ea2d2186193a1f307096e4d1e) chore: upgrading connected dependencies (typescript 5.3.3 requires higher esl...
- [48603ba](https://github.com/electron-userland/electron-builder/commit/48603ba09dc7103849a2975799c19068fd08fc07) fix: auto-update powershell script requires reset of `PSModulePath` ([#8051](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/8051))
- See full diff in [compare view](https://github.com/electron-userland/electron-builder/commits/[email protected]/packages/electron-updater)

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=electron-updater&package-manager=npm_and_yarn&previous-version=6.1.8&new-version=6.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
What's the advantage of these CI tools vs. the CodeQL setup we already have? Also curious if you've taken a look at this repo? https://github.com/securego/gosec If possible, I would like to keep these pipelines feeding to some automated system for analysis so we can track the vulnerabilities. CodeQL is especially nice because it offers a unified view for all our package managers.
golangci-lint is a lint of linters (one of them being gosec). It checks for many different things, not only security related, but also performance etc. Checks more stuff than CodeQL. govulncheck is SCA like Dependabot, but also works with the runtime itself. They can both be integrated with GitHub security alerts.
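As an added illustration of the integration the reply above mentions (this is not the PR's own workflow), the following GitHub Actions workflow runs golangci-lint with gosec enabled and govulncheck, emits SARIF from both, and uploads it to GitHub code scanning so the findings land in the same Security tab as CodeQL's. The file path, the pinned action and tool versions, and a `go.mod` at the repository root are assumptions.

```yaml
# .github/workflows/go-security.yml  (assumed path; example, not from the PR)
name: go-security

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # needed by upload-sarif to create code-scanning alerts

jobs:
  sast:
    name: golangci-lint (gosec enabled)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod        # assumes go.mod at the repo root
      - uses: golangci/golangci-lint-action@v6
        with:
          version: v1.59                 # assumed pin; sarif output needs >= v1.57
          # --enable adds gosec on top of the default linters; format:path writes
          # the SARIF report to a file instead of stdout
          args: --enable=gosec --out-format=sarif:golangci.sarif
        continue-on-error: true          # findings are tracked as alerts, not a red job
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: golangci.sarif
          category: golangci-lint        # keeps these alerts distinct from CodeQL's

  sca:
    name: govulncheck (modules and Go standard library)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod        # govulncheck also reports stdlib vulns
                                         # for the toolchain version actually used
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # reachability-based: only vulnerable functions the code can actually call
      # are reported, which is what makes it more precise than a manifest-only SCA
      - run: govulncheck -format sarif ./... > govulncheck.sarif
        continue-on-error: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: govulncheck.sarif
          category: govulncheck
```

Drop the `continue-on-error` lines if the job itself should fail on findings rather than only raising code-scanning alerts.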
@esimkowitz let's try to merge #734 first or else golangci-lint will complain a lot.
Closes wavetermdev#745 --------- Co-authored-by: Evan Simkowitz <[email protected]>
Addresses some security notices
This fix makes it possible to differentiate between keys when multiple are provided by the remote server. It does not solve the case of multiple keys of the same type being shared, but it handles multiple keys of different types being shared, which is much more common. This should address most issues similar to wavetermdev#707.
This will attempt to use the ssh agent before trying other ssh keys in case other integrations are being used through it. --------- Co-authored-by: Evan Simkowitz <[email protected]>
The AI library was outdated and seemed to prevent newer project-based keys from working. This update should hopefully correct that.
@kamushadenes sorry I tried to change the base branch for this to our new main branch and it automatically closed the PR. Can you reopen this PR targeting our new main branch?
This PR adds security checks for the Golang components