Cédric Van Rompay

Results: 8 issues of Cédric Van Rompay

From https://github.com/theupdateframework/go-tuf/blob/0e889ad1c/pkg/keys/ed25519.go#L18:

```go
func NewP256Signer() Signer {
	return &ed25519Signer{}
}
```

Is this on purpose? Someone calling `NewP256Signer` would probably expect to get a signer using ECDSA over P-256 curve,...

I joined Datadog a month ago, did the laptop setup script at the time, but it seems that I don't have `dep`:

```
% dep ensure
zsh: command not found:...
```

From https://github.com/DataDog/integrations-core/pull/14168#discussion_r1178167430

See also https://datadoghq.atlassian.net/browse/SINT-1270

When calling the GitHub API endpoint `https://api.github.com/repos/OWNER/REPO/branches/BRANCH/protection/required_signatures` [(documentation)](https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2022-11-28#get-commit-signature-protection), if the branch does not have any protection rules, the GitHub API will reply with a `HTTP 404 Not Found` code and...

How easy/likely is it that JSign supports signing HLKX packages someday soon? I was not able to find any specification for HLKX signing, the closest thing I found to a...

enhancement
helpwanted

https://github.com/DataDog/guarddog/blob/e49bf3298e4601ba3e4dc00140bd54d02d14371f/guarddog/analyzer/sourcecode/code-execution.yml#L1

https://github.com/DataDog/guarddog/blob/e49bf3298e4601ba3e4dc00140bd54d02d14371f/guarddog/analyzer/sourcecode/code-execution.yml#L113-L116

This causes a lot of malicious packages not to be detected because they perform code execution in other files. It's true that reporting every single code execution would...

enhancement
false-negative

The rule `potentially_compromised_email_domain` uses `version.parse` (with `version` coming from https://github.com/pypa/packaging/ ) on all versions of a PyPI package: https://github.com/DataDog/guarddog/blob/dcc98d70cc357b0d7e68485e2df4d8404605f300/guarddog/analyzer/metadata/pypi/potentially_compromised_email_domain.py#L35

Now, https://github.com/pypa/packaging/releases/tag/22.0 removed support for legacy version identifiers (see changelog), causing `version.parse`...

bug

Example:

```
➜ guarddog git:(v1.10.0) poetry run guarddog pypi scan --version=1.56.0 grpcio-tools
Found 2 potentially malicious indicators in grpcio-tools
code-execution: found 2 source code matches
  * This package is executing...
```

bug