Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test old branch check #11249

Closed
wants to merge 4 commits into from
Closed

Conversation

erikayasuda
Copy link
Contributor

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@datadog-dd-trace-py-rkomorn
Copy link

datadog-dd-trace-py-rkomorn bot commented Oct 31, 2024

Datadog Report

Branch report: erikayasuda/test-failing-old-branch
Commit report: 3b57cee
Test service: dd-trace-py

❌ 238 Failed (0 Known Flaky), 39188 Passed, 26326 Skipped, 37m 7.43s Total duration (33m 12.66s time saved)
❄️ 31 New Flaky

❌ Failed Tests (238)

This report shows up to 5 failed tests.

  • test_template_rendering_snapshot - test_aiohttp_jinja2.py - Details

    Expand for error
     Could not connect to test agent: [Errno 111] Connection refused
    
  • test_template_rendering_snapshot_patched_server[True] - test_aiohttp_jinja2.py - Details

    Expand for error
     Could not connect to test agent: [Errno 111] Connection refused
    
  • test_and_emit_get_version - test_aiomysql_patch.py - Details

    Expand for error
     Subprocess Test "python -m unittest tests.contrib.aiomysql.test_aiomysql_patch.TestAiomysqlPatch.test_and_emit_get_version" Failed (exit code 1):
     E
     ======================================================================
     ERROR: test_and_emit_get_version (tests.contrib.aiomysql.test_aiomysql_patch.TestAiomysqlPatch)
     Each contrib module should implement a get_version() function. This function is used for
     ----------------------------------------------------------------------
     Traceback (most recent call last):
       File "/root/project/tests/contrib/patch.py", line 789, in test_and_emit_get_version
         emit_integration_and_version_to_test_agent(
       File "/root/project/tests/contrib/patch.py", line 121, in emit_integration_and_version_to_test_agent
     ...
    
  • test_and_emit_get_version - test_asyncpg_patch.py - Details

    Expand for error
     Subprocess Test "python -m unittest tests.contrib.asyncpg.test_asyncpg_patch.TestAsyncpgPatch.test_and_emit_get_version" Failed (exit code 1):
     E
     ======================================================================
     ERROR: test_and_emit_get_version (tests.contrib.asyncpg.test_asyncpg_patch.TestAsyncpgPatch)
     Each contrib module should implement a get_version() function. This function is used for
     ----------------------------------------------------------------------
     Traceback (most recent call last):
       File "/root/project/tests/contrib/patch.py", line 789, in test_and_emit_get_version
         emit_integration_and_version_to_test_agent(
       File "/root/project/tests/contrib/patch.py", line 121, in emit_integration_and_version_to_test_agent
     ...
    
  • test_django_iast_disabled_full_sqli_http_path_parameter - test_django_appsec_iast.py - Details

    Expand for error
     connection failed: could not connect to server: Connection refused
     	Is the server running on host "127.0.0.1" and accepting
     	TCP/IP connections on port 5432?
    

New Flaky Tests (31)

  • test_configure_global_service_name_env[v0] - test_aiohttp_client.py - Last Failure

    Expand for error
     Could not connect to test agent: [Errno 111] Connection refused
    
  • test_configure_global_service_name_env[v1] - test_aiohttp_client.py - Last Failure

    Expand for error
     [Errno 111] Connection refused
    
  • test_and_emit_get_version - test_aiohttp_patch.py - Last Failure

    Expand for error
     Subprocess Test "python -m unittest tests.contrib.aiohttp.test_aiohttp_patch.TestAiohttpPatch.test_and_emit_get_version" Failed (exit code 1):
     E
     ======================================================================
     ERROR: test_and_emit_get_version (tests.contrib.aiohttp.test_aiohttp_patch.TestAiohttpPatch)
     Each contrib module should implement a get_version() function. This function is used for
     ----------------------------------------------------------------------
     Traceback (most recent call last):
       File "/root/project/tests/contrib/patch.py", line 789, in test_and_emit_get_version
         emit_integration_and_version_to_test_agent(
       File "/root/project/tests/contrib/patch.py", line 121, in emit_integration_and_version_to_test_agent
     ...
    
  • test_otel_multithreading - test_context.py - Last Failure

    Expand for error
     Could not connect to test agent: [Errno 111] Connection refused
    
  • test_otel_span_parenting - test_context.py - Last Failure

    Expand for error
     Could not connect to test agent: [Errno 111] Connection refused
    

Comment on lines 16 to 27
run: |
# Define regex for branches with major version 0 or 1, or versions from 2.0 to 2.12
old_branch_regex="^(0|1)(\\.|$)|^2\\.([0-9]|1[0-2])(\\.|$)"
target_branch="${{ github.event.pull_request.base.ref }}"

if [[ "$target_branch" =~ $old_branch_regex ]]; then
echo "Old target branch detected: $target_branch"
echo "old_branch=true" >> $GITHUB_ENV
exit 1
else
echo "old_branch=false" >> $GITHUB_ENV
fi
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Possible script injection through user controlled input (...read more)

As detailed in Security hardening for GitHub Actions - GitHub Docs, it is possible for an attacker to inject scripts through PR, branch, commit names, and more.

Avoid using user input in your actions shell scripts, and if you must, consider storing them first in an environment variable to escape them properly.

Read Cycode Discovers a Supply Chain Vulnerability in Bazel - Cycode if you wanna see a concrete exploitation of such mechanism.

View in Datadog  Leave us feedback  Documentation

@@ -0,0 +1,34 @@
name: Check for Old Target Branch
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Datadog’s GitHub organization defines default permissions for the GITHUB_TOKEN to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation


- name: Old branch warning on PR
if: env.old_branch == 'true'
uses: thollander/actions-comment-pull-request@v2
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

Copy link
Contributor

🚫 This target branch is too old or unsupported. Please update the target branch to continue.

Comment on lines +15 to +25
run: |
# Define regex for branches with major version 0 or 1, or versions from 2.0 to 2.12
old_branch_regex="^(0|1)(\\.|$)|^2\\.([0-9]|1[0-2])(\\.|$)"
target_branch="${{ github.event.pull_request.base.ref }}"

if [[ "$target_branch" =~ $old_branch_regex ]]; then
echo "Old target branch detected: $target_branch"
echo "old_branch=true" >> $GITHUB_ENV
else
echo "old_branch=false" >> $GITHUB_ENV
fi
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Possible script injection through user controlled input (...read more)

As detailed in Security hardening for GitHub Actions - GitHub Docs, it is possible for an attacker to inject scripts through PR, branch, commit names, and more.

Avoid using user input in your actions shell scripts, and if you must, consider storing them first in an environment variable to escape them properly.

Read Cycode Discovers a Supply Chain Vulnerability in Bazel - Cycode if you wanna see a concrete exploitation of such mechanism.

View in Datadog  Leave us feedback  Documentation

Copy link
Contributor

🚫 This target branch is too old or unsupported. Please update the target branch to continue.

1 similar comment
Copy link
Contributor

🚫 This target branch is too old or unsupported. Please update the target branch to continue.


- name: Old branch warning on PR
if: env.old_branch == 'true'
uses: thollander/actions-comment-pull-request@v2
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

Comment on lines +16 to +26
run: |
# Define regex for branches with major version 0 or 1, or versions from 2.0 to 2.12
old_branch_regex="^(0|1)(\\.|$)|^2\\.([0-9]|1[0-2])(\\.|$)"
target_branch="${{ github.event.pull_request.base.ref }}"

if [[ "$target_branch" =~ $old_branch_regex ]]; then
echo "Old target branch detected: $target_branch"
echo "old_branch=true" >> $GITHUB_ENV
else
echo "old_branch=false" >> $GITHUB_ENV
fi
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Possible script injection through user controlled input (...read more)

As detailed in Security hardening for GitHub Actions - GitHub Docs, it is possible for an attacker to inject scripts through PR, branch, commit names, and more.

Avoid using user input in your actions shell scripts, and if you must, consider storing them first in an environment variable to escape them properly.

Read Cycode Discovers a Supply Chain Vulnerability in Bazel - Cycode if you wanna see a concrete exploitation of such mechanism.

View in Datadog  Leave us feedback  Documentation

@erikayasuda erikayasuda deleted the erikayasuda/test-failing-old-branch branch October 31, 2024 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant