dependabot-azure-devops icon indicating copy to clipboard operation
dependabot-azure-devops copied to clipboard

Published 20 hours ago verified publisher icon tinglesoftware

package with high severity vulnerability not detected as vulnerable

Open pluservice opened this issue 3 years ago • 10 comments
trafficstars

We are evaluating dependabot-azure-devops on a .net 6 test solution which includes the vulnerable package Newtonsoft.Json 12.0.3 (see https://github.com/advisories/GHSA-5crp-9r3c-p9vr)

In order to check this extention's behavior with vulnerabilites, we have followed these instructions which are coherent with the code: https://github.com/tinglesoftware/dependabot-azure-devops/blob/928d35912a33364e52ca3c65141225162de4b2a4/src/script/update-script.rb#L352

Expected behaviour: The plugin should open a PR to update the vulnerable package

Actual behaviour: No PR opened, as if checker.vulnerable==false see log:

/usr/bin/docker run --rm -i -e DEPENDABOT_PACKAGE_MANAGER=nuget -e DEPENDABOT_FAIL_ON_EXCEPTION=true -e DEPENDABOT_EXCLUDE_REQUIREMENTS_TO_UNLOCK= -e AZURE_PROTOCOL=https -e AZURE_HOSTNAME=devops.superdriver.it -e AZURE_ORGANIZATION=DefaultCollection -e AZURE_PROJECT=met -e AZURE_REPOSITORY=supersecure-api -e AZURE_ACCESS_TOKEN=*** -e AZURE_SET_AUTO_COMPLETE=false -e AZURE_MERGE_STRATEGY=2 -e DEPENDABOT_VERSIONING_STRATEGY=auto -e DEPENDABOT_ALLOW_CONDITIONS=[{"dependency-name":"a1","dependency-type":"all"}] -e AZURE_AUTO_APPROVE_PR=false tingle/dependabot-azure-devops:0.7
..
..
Checking if Newtonsoft.Json 12.0.3 needs updating
Requirements to unlock own
Updating Newtonsoft.Json is not allowed

pluservice avatar Sep 23 '22 10:09 pluservice

@pluservice security only updates are not yet supported in this extension. You have linked the correct issue: #161

That said I do expect that the package would be updated unless there's more to it than you have indicated. Could you share the configuration yaml and the pipeline yaml in full?

mburumaxwell avatar Sep 23 '22 11:09 mburumaxwell

This is our simple pipeline yaml, as you can see we don't use the configuration file right now thanks

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

pool:
  name: DevSecOps
  demands: Agent.OS -equals Linux

variables:
  PAT: $(System.AccessToken)
  DEPENDABOT_ALLOW_CONDITIONS: '[{"dependency-name":"a1","dependency-type":"all"}]'

steps:

- task: dependabot@1
  inputs:
    packageManager: 'nuget'
    versioningStrategy: 'auto'
    openPullRequestsLimit: 0
    dockerImageRepository: 'tingle/dependabot-azure-devops'
    azureDevOpsAccessToken: $(PAT)

pluservice avatar Sep 23 '22 11:09 pluservice

Here you can find the .net project repo https://github.com/pluservice/supersecure-api if you need it

pluservice avatar Sep 23 '22 11:09 pluservice

@pluservice I see you have allow conditions in your env. The dependency you expect to be updated is not allowed there. Could you try removing the DEPENDABOT_ALLOW_CONDITIONS variable the report back?

mburumaxwell avatar Sep 23 '22 11:09 mburumaxwell

If we remove DEPENDABOT_ALLOW_CONDITIONS the PR is opened as expected but, but as explained we added it In order to check this extention's behavior with vulnerabilites, So we have followed these instructions which are coherent with the code: https://github.com/tinglesoftware/dependabot-azure-devops/blob/928d35912a33364e52ca3c65141225162de4b2a4/src/script/update-script.rb#L352 So We expect the update to be allowed because checker.vulnerable have precedence over the allowed conditions

pluservice avatar Sep 23 '22 11:09 pluservice

As you can see in the docker command parameters on the opened issue

/usr/bin/docker run --rm -i -e DEPENDABOT_PACKAGE_MANAGER=nuget -e DEPENDABOT_FAIL_ON_EXCEPTION=true -e DEPENDABOT_EXCLUDE_REQUIREMENTS_TO_UNLOCK= -e AZURE_PROTOCOL=https -e AZURE_HOSTNAME=devops.superdriver.it -e AZURE_ORGANIZATION=DefaultCollection -e AZURE_PROJECT=met -e AZURE_REPOSITORY=supersecure-api -e AZURE_ACCESS_TOKEN=*** -e AZURE_SET_AUTO_COMPLETE=false -e AZURE_MERGE_STRATEGY=2 -e DEPENDABOT_VERSIONING_STRATEGY=auto -e DEPENDABOT_ALLOW_CONDITIONS=[{"dependency-name":"a1","dependency-type":"all"}] -e AZURE_AUTO_APPROVE_PR=false tingle/dependabot-azure-devops:0.7

pluservice avatar Sep 23 '22 11:09 pluservice

I would need to investigate further as to why this is happening. Likely involve logging the result of each of condition in the line you referenced.

I suspect the checker.vulnerable? condition is what is failing since it controls vulnerability. That particular piece lives in the core repository hence requiring further investigation.

Is there a particular reason why you're using the `0.7 docker tag?

mburumaxwell avatar Sep 23 '22 13:09 mburumaxwell

This could explain the issue https://github.com/dependabot/dependabot-script/issues/432 there seems to be no SecurityAdvisory implementation in dependabot-core

regarding the "tingle/dependabot-azure-devops:0.7", I don't set this parameter it's up to the dependabot-azure-devops task, I just reported what is logged

pluservice avatar Sep 23 '22 13:09 pluservice

This is an interesting find. So much about this tool still left to learn. This means we need a way to download a list of vulnerabilities for it to work. No clue how to go about that at the moment.

About the docker version tag, seems the default value was forgotten in the update process. Doing an update shortly.

mburumaxwell avatar Sep 23 '22 16:09 mburumaxwell

A starting point could be integrating the GitHub Security Advisories API (GraphQL API) which provide access to the database https://github.com/github/advisory-database

pluservice avatar Sep 26 '22 10:09 pluservice