
fix: remove duktape from civetweb to remove debugger #1997

Draft
wants to merge 1 commit into
base: master

Conversation

davdhacs

Description

SAST scan showed the duktape debugger as exploitable (https://cov01.lab.eng.brq2.redhat.com/osh/task/747071/log/rhacs-collector-container-4.6.0-1/scan-results-imp.html; previous version ignored manually: https://gitlab.cee.redhat.com/osh/known-false-positives/-/blob/master/rhacs-collector-container/ignore.err?ref_type=heads). Can we remove duktape from the civetweb that collector uses? (expecting CI tests to fail if collector relies on the embedded duktape JS engine). Then, if it is not found in the scan, we will not need to keep ignoring it after civetweb version updates.

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

TODO(replace-me)
Use this space to explain how you tested your PR, or, if you didn't test it, why you did not do so. (Valid reasons include "CI is sufficient" or "No testable changes")
In addition to reviewing your code, reviewers must also review your testing instructions, and make sure they are sufficient.

For more details, ref the Confluence page about this section.
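The description above expects CI to show whether collector depends on the embedded engine, but it does not say how to confirm that the built artifact actually no longer carries Duktape. The following is an added example (not part of this PR or of collector) of such a check: it greps the built binaries or shared objects for Duktape's public C API prefix, including the debugger entry points a scanner would flag. The symbol names are Duktape's documented API (duk_debugger_attach, duk_create_heap, duk_push_string); the artifact paths are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example: verify that build artifacts no longer embed Duktape.
# Not collector's own tooling; artifact paths are passed by the caller.

# Return 0 if the file contains no Duktape API strings, 1 if it does.
# grep -a treats the binary as text so embedded NUL bytes do not stop it.
check_no_duktape() {
  file="$1"
  if [ ! -r "$file" ]; then
    echo "cannot read $file" >&2
    return 2
  fi
  # duk_debugger_* are the debugger hooks; duk_create_heap/duk_push_string
  # are core API names present in any build that links the engine at all.
  if grep -qaE 'duk_(debugger_attach|debugger_detach|create_heap|push_string)' "$file"; then
    echo "duktape symbols present in $file" >&2
    return 1
  fi
  return 0
}

# Scan every artifact given; return the number that still embed Duktape.
scan_artifacts() {
  bad=0
  for f in "$@"; do
    if ! check_no_duktape "$f"; then
      bad=$((bad + 1))
    fi
  done
  echo "$bad artifact(s) still contain duktape"
  [ "$bad" -eq 0 ]
}

# Stand-alone usage: ./check_duktape.sh path/to/collector path/to/libcivetweb.so
[ "$#" -eq 0 ] || scan_artifacts "$@"
```

Run it against the collector binary and any civetweb library produced by the build after the option is turned off; a non-zero exit means the engine is still linked in and the scanner finding will come back on the next civetweb bump.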

@erthalion
Contributor

@davdhacs We can add this to silence the scanner, but AFAICT this variable is set to off by default in civetweb [1]. Do you know by any chance why scanner still shows that as a problem?

@davdhacs
Author

davdhacs commented Jan 6, 2025

@davdhacs We can add this to silence the scanner, but AFAICT this variable is set to off by default in civetweb [1]. Do you know by any chance why scanner still shows that as a problem?

I don't know the details of this scan tool (openscanhub), and so I was trying this to test if the scan shows the duktape debugger still after explicitly setting this. But I did not manually run the scan on this build yet. I've not run a scan before, but it looks like there is a way to manually request scans (that I plan to try but I haven't read all of it yet): https://spaces.redhat.com/pages/viewpage.action?spaceKey=PRODSEC&title=Starting+with+OpenScanHub
