Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Sharang Parnerkar
|
3edd1d50ac | ||
|
Sharang Parnerkar
|
9ff3b9305c | ||
|
Sharang Parnerkar
|
e02266511a |
@@ -0,0 +1,10 @@
|
|||||||
|
[advisories]
|
||||||
|
ignore = [
|
||||||
|
# hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
|
||||||
|
# MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
|
||||||
|
# upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
|
||||||
|
# requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
|
||||||
|
# not a realistic attack surface here. Revisit when mongodb bumps hickory.
|
||||||
|
"RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
|
||||||
|
"RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
|
||||||
|
]
|
||||||
Generated
+6
-6
@@ -3524,9 +3524,9 @@ checksum = "224484c5d09285a7b8cb0a0c117e847ebd14cb6e4470ecf68cdb89c503b0edb9"
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "mongodb"
|
name = "mongodb"
|
||||||
version = "3.5.1"
|
version = "3.6.0"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "803dd859e8afa084c255a8effd8000ff86f7c8076a50cd6d8c99e8f3496f75c2"
|
checksum = "1ef2c933617431ad0246fb5b43c425ebdae18c7f7259c87de0726d93b0e7e91b"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"base64",
|
"base64",
|
||||||
"bitflags",
|
"bitflags",
|
||||||
@@ -3570,9 +3570,9 @@ dependencies = [
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "mongodb-internal-macros"
|
name = "mongodb-internal-macros"
|
||||||
version = "3.5.1"
|
version = "3.6.0"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "a973ef3dd3dbc6f6e65bbdecfd9ec5e781b9e7493b0f369a7c62e35d8e5ae2c8"
|
checksum = "9e5758dc828eb2d02ec30563cba365609d56ddd833190b192beaee2b475a7bb3"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"macro_magic",
|
"macro_magic",
|
||||||
"proc-macro2",
|
"proc-macro2",
|
||||||
@@ -4699,9 +4699,9 @@ dependencies = [
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "rustls-webpki"
|
name = "rustls-webpki"
|
||||||
version = "0.103.10"
|
version = "0.103.13"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
|
checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"ring",
|
"ring",
|
||||||
"rustls-pki-types",
|
"rustls-pki-types",
|
||||||
|
|||||||
@@ -19,7 +19,9 @@ impl Scanner for GitleaksScanner {
|
|||||||
|
|
||||||
#[tracing::instrument(skip_all)]
|
#[tracing::instrument(skip_all)]
|
||||||
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
||||||
let output = tokio::process::Command::new("gitleaks")
|
let output = tokio::time::timeout(
|
||||||
|
std::time::Duration::from_secs(300),
|
||||||
|
tokio::process::Command::new("gitleaks")
|
||||||
.args([
|
.args([
|
||||||
"detect",
|
"detect",
|
||||||
"--source",
|
"--source",
|
||||||
@@ -33,8 +35,13 @@ impl Scanner for GitleaksScanner {
|
|||||||
"0",
|
"0",
|
||||||
])
|
])
|
||||||
.current_dir(repo_path)
|
.current_dir(repo_path)
|
||||||
.output()
|
.output(),
|
||||||
|
)
|
||||||
.await
|
.await
|
||||||
|
.map_err(|_| CoreError::Scanner {
|
||||||
|
scanner: "gitleaks".to_string(),
|
||||||
|
source: "timed out after 5 minutes".into(),
|
||||||
|
})?
|
||||||
.map_err(|e| CoreError::Scanner {
|
.map_err(|e| CoreError::Scanner {
|
||||||
scanner: "gitleaks".to_string(),
|
scanner: "gitleaks".to_string(),
|
||||||
source: Box::new(e),
|
source: Box::new(e),
|
||||||
|
|||||||
@@ -5,16 +5,22 @@ use compliance_core::CoreError;
|
|||||||
|
|
||||||
#[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
|
#[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
|
||||||
pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
|
pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
|
||||||
let output = tokio::process::Command::new("syft")
|
let output = tokio::time::timeout(
|
||||||
|
std::time::Duration::from_secs(300),
|
||||||
|
tokio::process::Command::new("syft")
|
||||||
.arg(repo_path)
|
.arg(repo_path)
|
||||||
.args(["-o", "cyclonedx-json"])
|
.args(["-o", "cyclonedx-json"])
|
||||||
// Enable remote license lookups for all ecosystems
|
|
||||||
.env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
|
.env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
|
||||||
.env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
|
.env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
|
||||||
.env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
|
.env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
|
||||||
.env("SYFT_JAVA_USE_NETWORK", "true")
|
.env("SYFT_JAVA_USE_NETWORK", "true")
|
||||||
.output()
|
.output(),
|
||||||
|
)
|
||||||
.await
|
.await
|
||||||
|
.map_err(|_| CoreError::Scanner {
|
||||||
|
scanner: "syft".to_string(),
|
||||||
|
source: "timed out after 5 minutes".into(),
|
||||||
|
})?
|
||||||
.map_err(|e| CoreError::Scanner {
|
.map_err(|e| CoreError::Scanner {
|
||||||
scanner: "syft".to_string(),
|
scanner: "syft".to_string(),
|
||||||
source: Box::new(e),
|
source: Box::new(e),
|
||||||
|
|||||||
@@ -19,11 +19,26 @@ impl Scanner for SemgrepScanner {
|
|||||||
|
|
||||||
#[tracing::instrument(skip_all)]
|
#[tracing::instrument(skip_all)]
|
||||||
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
||||||
let output = tokio::process::Command::new("semgrep")
|
let output = tokio::time::timeout(
|
||||||
.args(["--config=auto", "--json", "--quiet"])
|
std::time::Duration::from_secs(600),
|
||||||
|
tokio::process::Command::new("semgrep")
|
||||||
|
.args([
|
||||||
|
"--config=auto",
|
||||||
|
"--json",
|
||||||
|
"--quiet",
|
||||||
|
"--max-memory",
|
||||||
|
"500",
|
||||||
|
"--jobs",
|
||||||
|
"1",
|
||||||
|
])
|
||||||
.arg(repo_path)
|
.arg(repo_path)
|
||||||
.output()
|
.output(),
|
||||||
|
)
|
||||||
.await
|
.await
|
||||||
|
.map_err(|_| CoreError::Scanner {
|
||||||
|
scanner: "semgrep".to_string(),
|
||||||
|
source: "timed out after 10 minutes".into(),
|
||||||
|
})?
|
||||||
.map_err(|e| CoreError::Scanner {
|
.map_err(|e| CoreError::Scanner {
|
||||||
scanner: "semgrep".to_string(),
|
scanner: "semgrep".to_string(),
|
||||||
source: Box::new(e),
|
source: Box::new(e),
|
||||||
|
|||||||
@@ -32,7 +32,7 @@ pub fn AppShell() -> Element {
|
|||||||
// Not authenticated — redirect to Keycloak login
|
// Not authenticated — redirect to Keycloak login
|
||||||
rsx! {
|
rsx! {
|
||||||
document::Script {
|
document::Script {
|
||||||
dangerous_inner_html: "window.location.href = '/auth';"
|
"window.location.href = '/auth';"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user