Defining the amr and acr claims via the configuration #5

Merged
lgourvenec merged 1 commits from acr_amr into develop 2025-02-17 16:44:22 +01:00
Owner

This PR makes the values of the `acr` and `amr` claims (cf. https://www.rfc-editor.org/rfc/rfc8176) configurable through the Werther instance configuration. By default, these values are empty. [See the new configuration parameters](https://forge.cadoles.com/Cadoles/hydra-werther/src/commit/986f325909ef7a8fa3b4f7d321c4f4e99803ffd0/conf/hydra-werther.conf#L133-L143)
wpetit added 1 commit 2025-02-17 15:37:41 +01:00
feat: add configurable acr/amr claims
All checks were successful
Cadoles/hydra-werther/pipeline/head This commit looks good
Cadoles/hydra-werther/pipeline/pr-develop This commit looks good
986f325909
Owner

Test report for 986f325

Output
docker build \
	-t "reg.cadoles.com/cadoles/hydra-werther:latest" \
	.	
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 699B done
#1 DONE 0.2s

#2 [internal] load metadata for docker.io/library/golang:1.21-alpine
#2 DONE 0.4s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.2s

#4 [build 1/9] FROM docker.io/library/golang:1.21-alpine@sha256:2414035b086e3c42b99654c8b26e6f5b1b1598080d65fd03c7f499552ff4dc94
#4 DONE 0.0s

#5 [internal] load build context
#5 transferring context: 4.79kB done
#5 DONE 0.2s

#6 [build 3/9] RUN adduser -D -g '' appuser
#6 CACHED

#7 [build 8/9] COPY internal internal
#7 CACHED

#8 [build 9/9] RUN env CGO_ENABLED=0 go install -ldflags="-w -s -X main.version=${VERSION}" ./...
#8 CACHED

#9 [build 2/9] WORKDIR /opt/build
#9 CACHED

#10 [build 5/9] COPY go.mod .
#10 CACHED

#11 [final 1/3] COPY --from=build /etc/passwd /etc/passwd
#11 CACHED

#12 [build 6/9] COPY go.sum .
#12 CACHED

#13 [build 7/9] COPY cmd cmd
#13 CACHED

#14 [final 2/3] COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
#14 CACHED

#15 [build 4/9] RUN apk --update add ca-certificates
#15 CACHED

#16 [final 3/3] COPY --from=build /go/bin/werther /werther
#16 CACHED

#17 exporting to image
#17 exporting layers done
#17 writing image sha256:d5ce55885dd4d0e46c1452052b1facc312cc98011f40fe79a739bda9ba9be1c0 0.0s done
#17 naming to reg.cadoles.com/cadoles/hydra-werther:latest 0.1s done
#17 DONE 0.2s
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
aquasecurity/trivy info checking GitHub for tag 'v0.47.0'
aquasecurity/trivy info found version: 0.47.0 for v0.47.0/Linux/64bit
aquasecurity/trivy info installed ./tools/trivy/bin/trivy
mkdir -p .trivy
tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml  reg.cadoles.com/cadoles/hydra-werther:latest
2025-02-17T15:41:08.044+0100	INFO	Need to update DB
2025-02-17T15:41:08.044+0100	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2025-02-17T15:41:08.044+0100	INFO	Downloading DB...
2025-02-17T15:41:12.146+0100	INFO	Vulnerability scanning is enabled
2025-02-17T15:41:12.146+0100	INFO	Secret scanning is enabled
2025-02-17T15:41:12.146+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-17T15:41:12.146+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2025-02-17T15:41:30.782+0100	INFO	Number of language-specific files: 1
2025-02-17T15:41:30.782+0100	INFO	Detecting gobinary vulnerabilities...

werther (gobinary)
==================
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 1)

┌────────────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │         Installed Version          │           Fixed Version           │                            Title                            │
├────────────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/justinas/nosurf │ CVE-2020-36564 │ HIGH     │ fixed  │ v0.0.0-20171023064657-7182011986c4 │ 1.1.1                             │ nosurf vulnerable to improper input validation              │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-36564                  │
├────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto        │ CVE-2024-45337 │ CRITICAL │        │ v0.0.0-20200604202706-70a84ac30bf9 │ 0.31.0                            │ golang.org/x/crypto/ssh: Misuse of                          │
│                            │                │          │        │                                    │                                   │ ServerConfig.PublicKeyCallback may cause authorization      │
│                            │                │          │        │                                    │                                   │ bypass in golang.org/x/crypto                               │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2024-45337                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2020-29652 │ HIGH     │        │                                    │ 0.0.0-20201216223049-8b5274cf687f │ golang: crypto/ssh: crafted authentication request can lead │
│                            │                │          │        │                                    │                                   │ to nil pointer dereference                                  │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-29652                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-43565 │          │        │                                    │ 0.0.0-20211202192323-5770296d904e │ golang.org/x/crypto: empty plaintext packet causes panic    │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43565                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-27191 │          │        │                                    │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server           │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-48795 │ MEDIUM   │        │                                    │ 0.17.0                            │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                            │                │          │        │                                    │                                   │ (BPP)                                                       │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text          │ CVE-2021-38561 │ HIGH     │        │ v0.3.2                             │ 0.3.7                             │ golang: out-of-bounds read in golang.org/x/text/language    │
│                            │                │          │        │                                    │                                   │ leads to DoS                                                │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-38561                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-32149 │          │        │                                    │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage     │
│                            │                │          │        │                                    │                                   │ takes a long time to parse complex tags                     │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2020-14040 │ MEDIUM   │        │                                    │ 0.3.3                             │ golang.org/x/text: possibility to trigger an infinite loop  │
│                            │                │          │        │                                    │                                   │ in encoding/unicode could lead to...                        │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-14040                  │
└────────────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘

lgourvenec requested changes 2025-02-17 16:30:45 +01:00
Dismissed
lgourvenec left a comment
Owner

Tested OK, a few "typos"
@ -132,0 +134,4 @@
# [description] Authentication Method Reference Values
# [type] Comma-separated list of String
# [default]
# [required] false
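Review bot: `# [type] Comma-separated list of String` should read `Strings`, and the bare `# [default]` line does not say whether an empty list is a valid setting; since the login-accept struct in this PR is meant to tag `amr` with `omitempty`, state here that leaving the value empty means no amr claim is sent at all.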
Owner

missing a space
lgourvenec marked this conversation as resolved
@ -132,0 +140,4 @@
# [description] Authentication Context Class Reference
# [type] String
# [default]
# [required] false
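Review bot: `# [type] String` says nothing about the expected shape of the value. `acr` is defined by OpenID Connect Core (RFC 8176, cited in the PR description, only registers amr values), and relying parties compare this string against their own policy, so the description should point at that and give one example value so operators know what to put here.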
Owner

missing a space
lgourvenec marked this conversation as resolved
@ -38,0 +38,4 @@
RememberFor int `json:"remember_for"`
Subject string `json:"subject"`
ACR string `json:"acr,omitempty"`
AMR []string `json:"amr,omitempt"`
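Review bot: the AMR tag reads `json:"amr,omitempt"` (final `y` missing). encoding/json silently ignores tag options it does not recognise, so the field is never omitted and a nil slice is serialised as `"amr":null`, the opposite of the `acr,omitempty` line just above; change it to `json:"amr,omitempty"`.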
Owner

isn't a 'y' missing?
lgourvenec marked this conversation as resolved
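Added example (not Werther's code and not part of the review thread) showing what the tag typo above does at runtime: the body is marshalled once with the `omitempt` tag as submitted and once with `omitempty`, the comma-separated amr config value is parsed into the slice (the parsing rule and the `urn:example:loa:2` acr value are assumptions), and configured amr values are checked against the RFC 8176 registry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Stand-in for the login-accept body the PR extends (field names and tags
// copied from the hunk; constructed for this example, not Werther's own type).
// The amr tag keeps the "omitempt" misspelling on purpose to show its effect.
type acceptLoginAsSubmitted struct {
	RememberFor int      `json:"remember_for"`
	Subject     string   `json:"subject"`
	ACR         string   `json:"acr,omitempty"`
	AMR         []string `json:"amr,omitempt"`
}

// Same body with the tag spelled correctly.
type acceptLoginFixed struct {
	RememberFor int      `json:"remember_for"`
	Subject     string   `json:"subject"`
	ACR         string   `json:"acr,omitempty"`
	AMR         []string `json:"amr,omitempty"`
}

// EncodeAsSubmitted marshals with the misspelled tag. encoding/json ignores
// tag options it does not know, so "omitempt" is a no-op: a nil AMR slice is
// still written out, as "amr":null.
func EncodeAsSubmitted(subject, acr string, amr []string) string {
	b, err := json.Marshal(acceptLoginAsSubmitted{Subject: subject, ACR: acr, AMR: amr})
	if err != nil {
		panic(err) // cannot fail for these plain types
	}
	return string(b)
}

// EncodeFixed marshals with omitempty on both claims: an empty acr string and
// a nil/empty amr slice are dropped from the body altogether.
func EncodeFixed(subject, acr string, amr []string) string {
	b, err := json.Marshal(acceptLoginFixed{Subject: subject, ACR: acr, AMR: amr})
	if err != nil {
		panic(err)
	}
	return string(b)
}

// ParseAMR turns the "comma-separated list of strings" config value into the
// slice the body expects. Whitespace is trimmed, empty items are dropped, and
// an all-empty value yields nil so that omitempty removes the claim. (Assumed
// parsing rule for this example; the PR's own parser is not shown on the page.)
func ParseAMR(raw string) []string {
	var out []string
	for _, item := range strings.Split(raw, ",") {
		if v := strings.TrimSpace(item); v != "" {
			out = append(out, v)
		}
	}
	return out
}

// rfc8176AMR is the set of amr values registered by RFC 8176 section 2.
var rfc8176AMR = map[string]bool{
	"face": true, "fpt": true, "geo": true, "hwk": true, "iris": true,
	"kba": true, "mca": true, "mfa": true, "otp": true, "pin": true,
	"pop": true, "pwd": true, "rba": true, "retina": true, "sc": true,
	"sms": true, "swk": true, "tel": true, "user": true, "vbm": true,
	"wia": true,
}

// UnregisteredAMR returns the configured values that are not in the RFC 8176
// registry. Other values are permitted by the RFC, but relying parties will
// usually not recognise them, so a warning at startup is a cheap sanity check.
func UnregisteredAMR(amr []string) []string {
	var unknown []string
	for _, v := range amr {
		if !rfc8176AMR[v] {
			unknown = append(unknown, v)
		}
	}
	return unknown
}

func main() {
	// Defaults from the PR: both claims empty.
	fmt.Println(EncodeAsSubmitted("alice", "", ParseAMR("")))
	fmt.Println(EncodeFixed("alice", "", ParseAMR("")))
	// A configured instance (constructed values).
	amr := ParseAMR("pwd, otp")
	fmt.Println(EncodeFixed("alice", "urn:example:loa:2", amr))
	fmt.Println("unregistered amr values:", UnregisteredAMR(ParseAMR("pwd, totp")))
}
```

With the defaults, the submitted tag yields `"amr":null` in the body while the corrected one drops both claims.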
@ -32,6 +32,8 @@ type Config struct {
SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
FakeTLSTermination bool `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
ACR string `envconfig:"acr" default:"" desc:"Authentication AuthorizationContext Class Reference"`
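Review bot: the desc tag reads `Authentication AuthorizationContext Class Reference`, which runs two terms together; it should be `Authentication Context Class Reference`, matching the comment block added to the config file. The `default:""` is also redundant: envconfig leaves a string at its zero value when the variable is unset, so the tag can be dropped.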
Owner

"Authorization" is superfluous, isn't it? And why define a default value here? The language's default value is enough, isn't it?
lgourvenec marked this conversation as resolved
wpetit force-pushed acr_amr from 986f325909 to 46b279a4f0 2025-02-17 16:42:23 +01:00
lgourvenec approved these changes 2025-02-17 16:44:13 +01:00
lgourvenec merged commit 8ded23cccc into develop 2025-02-17 16:44:22 +01:00
lgourvenec deleted branch acr_amr 2025-02-17 16:44:23 +01:00
Owner

Test report for 46b279a

Output
docker build \
	-t "reg.cadoles.com/cadoles/hydra-werther:latest" \
	.	
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 699B done
#1 DONE 0.1s

#2 [internal] load metadata for docker.io/library/golang:1.21-alpine
#2 DONE 0.6s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.1s

#4 [build 1/9] FROM docker.io/library/golang:1.21-alpine@sha256:2414035b086e3c42b99654c8b26e6f5b1b1598080d65fd03c7f499552ff4dc94
#4 DONE 0.0s

#5 [internal] load build context
#5 transferring context: 4.79kB done
#5 DONE 0.1s

#6 [build 4/9] RUN apk --update add ca-certificates
#6 CACHED

#7 [build 9/9] RUN env CGO_ENABLED=0 go install -ldflags="-w -s -X main.version=${VERSION}" ./...
#7 CACHED

#8 [build 2/9] WORKDIR /opt/build
#8 CACHED

#9 [build 7/9] COPY cmd cmd
#9 CACHED

#10 [final 1/3] COPY --from=build /etc/passwd /etc/passwd
#10 CACHED

#11 [build 3/9] RUN adduser -D -g '' appuser
#11 CACHED

#12 [build 5/9] COPY go.mod .
#12 CACHED

#13 [build 8/9] COPY internal internal
#13 CACHED

#14 [final 2/3] COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
#14 CACHED

#15 [build 6/9] COPY go.sum .
#15 CACHED

#16 [final 3/3] COPY --from=build /go/bin/werther /werther
#16 CACHED

#17 exporting to image
#17 exporting layers done
#17 writing image sha256:9a1c8ea0596d06339d4954627ada87fe5bda3e6fcd755c808e7750726fdb41ac 0.1s done
#17 naming to reg.cadoles.com/cadoles/hydra-werther:latest
#17 naming to reg.cadoles.com/cadoles/hydra-werther:latest 0.1s done
#17 DONE 0.1s
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
aquasecurity/trivy info checking GitHub for tag 'v0.47.0'
aquasecurity/trivy info found version: 0.47.0 for v0.47.0/Linux/64bit
aquasecurity/trivy info installed ./tools/trivy/bin/trivy
mkdir -p .trivy
tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml  reg.cadoles.com/cadoles/hydra-werther:latest
2025-02-17T16:44:21.434+0100	INFO	Need to update DB
2025-02-17T16:44:21.434+0100	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2025-02-17T16:44:21.434+0100	INFO	Downloading DB...
2025-02-17T16:44:24.534+0100	INFO	Vulnerability scanning is enabled
2025-02-17T16:44:24.534+0100	INFO	Secret scanning is enabled
2025-02-17T16:44:24.534+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-17T16:44:24.534+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2025-02-17T16:44:34.857+0100	INFO	Number of language-specific files: 1
2025-02-17T16:44:34.857+0100	INFO	Detecting gobinary vulnerabilities...

werther (gobinary)
==================
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 1)

┌────────────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │         Installed Version          │           Fixed Version           │                            Title                            │
├────────────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/justinas/nosurf │ CVE-2020-36564 │ HIGH     │ fixed  │ v0.0.0-20171023064657-7182011986c4 │ 1.1.1                             │ nosurf vulnerable to improper input validation              │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-36564                  │
├────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto        │ CVE-2024-45337 │ CRITICAL │        │ v0.0.0-20200604202706-70a84ac30bf9 │ 0.31.0                            │ golang.org/x/crypto/ssh: Misuse of                          │
│                            │                │          │        │                                    │                                   │ ServerConfig.PublicKeyCallback may cause authorization      │
│                            │                │          │        │                                    │                                   │ bypass in golang.org/x/crypto                               │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2024-45337                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2020-29652 │ HIGH     │        │                                    │ 0.0.0-20201216223049-8b5274cf687f │ golang: crypto/ssh: crafted authentication request can lead │
│                            │                │          │        │                                    │                                   │ to nil pointer dereference                                  │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-29652                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-43565 │          │        │                                    │ 0.0.0-20211202192323-5770296d904e │ golang.org/x/crypto: empty plaintext packet causes panic    │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43565                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-27191 │          │        │                                    │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server           │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-48795 │ MEDIUM   │        │                                    │ 0.17.0                            │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                            │                │          │        │                                    │                                   │ (BPP)                                                       │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text          │ CVE-2021-38561 │ HIGH     │        │ v0.3.2                             │ 0.3.7                             │ golang: out-of-bounds read in golang.org/x/text/language    │
│                            │                │          │        │                                    │                                   │ leads to DoS                                                │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-38561                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-32149 │          │        │                                    │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage     │
│                            │                │          │        │                                    │                                   │ takes a long time to parse complex tags                     │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2020-14040 │ MEDIUM   │        │                                    │ 0.3.3                             │ golang.org/x/text: possibility to trigger an infinite loop  │
│                            │                │          │        │                                    │                                   │ in encoding/unicode could lead to...                        │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-14040                  │
└────────────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Test report for 46b279a

Output
docker build \
	-t "reg.cadoles.com/cadoles/hydra-werther:latest" \
	.
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 699B done
#1 DONE 0.1s

#2 [internal] load metadata for docker.io/library/golang:1.21-alpine
#2 DONE 0.6s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.1s

#4 [build 1/9] FROM docker.io/library/golang:1.21-alpine@sha256:2414035b086e3c42b99654c8b26e6f5b1b1598080d65fd03c7f499552ff4dc94
#4 DONE 0.0s

#5 [internal] load build context
#5 transferring context: 4.79kB done
#5 DONE 0.1s

#6 [build 4/9] RUN apk --update add ca-certificates
#6 CACHED

#7 [build 9/9] RUN env CGO_ENABLED=0 go install -ldflags="-w -s -X main.version=${VERSION}" ./...
#7 CACHED

#8 [build 2/9] WORKDIR /opt/build
#8 CACHED

#9 [build 7/9] COPY cmd cmd
#9 CACHED

#10 [final 1/3] COPY --from=build /etc/passwd /etc/passwd
#10 CACHED

#11 [build 3/9] RUN adduser -D -g '' appuser
#11 CACHED

#12 [build 5/9] COPY go.mod .
#12 CACHED

#13 [build 8/9] COPY internal internal
#13 CACHED

#14 [final 2/3] COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
#14 CACHED

#15 [build 6/9] COPY go.sum .
#15 CACHED

#16 [final 3/3] COPY --from=build /go/bin/werther /werther
#16 CACHED

#17 exporting to image
#17 exporting layers done
#17 writing image sha256:9a1c8ea0596d06339d4954627ada87fe5bda3e6fcd755c808e7750726fdb41ac 0.1s done
#17 naming to reg.cadoles.com/cadoles/hydra-werther:latest
#17 naming to reg.cadoles.com/cadoles/hydra-werther:latest 0.1s done
#17 DONE 0.1s
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
aquasecurity/trivy info checking GitHub for tag 'v0.47.0'
aquasecurity/trivy info found version: 0.47.0 for v0.47.0/Linux/64bit
aquasecurity/trivy info installed ./tools/trivy/bin/trivy
mkdir -p .trivy
tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml reg.cadoles.com/cadoles/hydra-werther:latest
2025-02-17T16:44:21.434+0100	INFO	Need to update DB
2025-02-17T16:44:21.434+0100	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2025-02-17T16:44:21.434+0100	INFO	Downloading DB...
59.20 MiB / 59.20 MiB [-------------------------------------------------] 100.00% 26.86 MiB p/s 2.4s
2025-02-17T16:44:24.534+0100	INFO	Vulnerability scanning is enabled
2025-02-17T16:44:24.534+0100	INFO	Secret scanning is enabled
2025-02-17T16:44:24.534+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-17T16:44:24.534+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2025-02-17T16:44:34.857+0100	INFO	Number of language-specific files: 1
2025-02-17T16:44:34.857+0100	INFO	Detecting gobinary vulnerabilities...

werther (gobinary)
==================
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 1)

┌────────────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │         Installed Version          │           Fixed Version           │                            Title                            │
├────────────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/justinas/nosurf │ CVE-2020-36564 │ HIGH     │ fixed  │ v0.0.0-20171023064657-7182011986c4 │ 1.1.1                             │ nosurf vulnerable to improper input validation              │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-36564                  │
├────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto        │ CVE-2024-45337 │ CRITICAL │        │ v0.0.0-20200604202706-70a84ac30bf9 │ 0.31.0                            │ golang.org/x/crypto/ssh: Misuse of                          │
│                            │                │          │        │                                    │                                   │ ServerConfig.PublicKeyCallback may cause authorization      │
│                            │                │          │        │                                    │                                   │ bypass in golang.org/x/crypto                               │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2024-45337                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2020-29652 │ HIGH     │        │                                    │ 0.0.0-20201216223049-8b5274cf687f │ golang: crypto/ssh: crafted authentication request can lead │
│                            │                │          │        │                                    │                                   │ to nil pointer dereference                                  │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-29652                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-43565 │          │        │                                    │ 0.0.0-20211202192323-5770296d904e │ golang.org/x/crypto: empty plaintext packet causes panic    │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43565                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-27191 │          │        │                                    │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server           │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-48795 │ MEDIUM   │        │                                    │ 0.17.0                            │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                            │                │          │        │                                    │                                   │ (BPP)                                                       │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text          │ CVE-2021-38561 │ HIGH     │        │ v0.3.2                             │ 0.3.7                             │ golang: out-of-bounds read in golang.org/x/text/language    │
│                            │                │          │        │                                    │                                   │ leads to DoS                                                │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-38561                  │
│                            ├────────────────┤          │        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-32149 │          │        │                                    │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage     │
│                            │                │          │        │                                    │                                   │ takes a long time to parse complex tags                     │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                  │
│                            ├────────────────┼──────────┤        │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                            │ CVE-2020-14040 │ MEDIUM   │        │                                    │ 0.3.3                             │ golang.org/x/text: possibility to trigger an infinite loop  │
│                            │                │          │        │                                    │                                   │ in encoding/unicode could lead to...                        │
│                            │                │          │        │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-14040                  │
└────────────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘
Reference: Cadoles/hydra-werther#5