feat(renovate): Add support for versioning less standard value locations #13406
Conversation
1f00cfc to 888f0ab
This pull request contains automation/configuration issues: the ShellCheck workflow pins a version but requires manual SHA updates (risking integrity bypass if desynchronized), GitHub Actions node-version entries lack Renovate comments so they won't be auto-updated, and the Renovate config ignores key files (requirements.txt, package.json, Dockerfile) which may let dependencies go stale and vulnerable.
Risk of Integrity Bypass in Dependency Checksum in .github/workflows/shellcheck.yml
| Vulnerability | Risk of Integrity Bypass in Dependency Checksum |
|---|---|
| Description | The workflow uses SHELLCHECK_VERSION which is configured for automatic updates by Renovate, but SHELLCHECK_SHA requires manual updates. This creates a desynchronization risk where Renovate could update the version, but the corresponding SHA is not updated. This mismatch could either cause build failures or, more critically, bypass an intended integrity check, opening a window for a supply chain attack if a malicious shellcheck binary is downloaded and executed. |
django-DefectDojo/.github/workflows/shellcheck.yml
Lines 8 to 11 in 380ae36
```yaml
  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # Renovate config is not currently adjusted to update hash - it needs to be done manually for now
jobs:
  shellcheck:
    runs-on: ubuntu-latest
```
Outdated Node.js Dependency in .github/workflows/validate_docs_build.yml
| Vulnerability | Outdated Node.js Dependency |
|---|---|
| Description | The node-version in the GitHub Actions workflow files (.github/workflows/validate_docs_build.yml and .github/workflows/gh-pages.yml) is not being managed by Renovate's custom manager. The custom regex manager in .github/renovate.json requires a specific comment format (# renovate: datasource=...) to detect and update versions. The node-version lines lack this required comment, meaning Renovate will not automatically update them. This will lead to the Node.js version becoming stale and potentially vulnerable over time. |
django-DefectDojo/.github/workflows/validate_docs_build.yml
Lines 12 to 24 in 380ae36
```yaml
- name: Setup Hugo
  uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
  with:
    hugo-version: '0.140.1' # renovate: datasource=github-releases depName=gohugoio/hugo versioning=loose
    extended: true
- name: Setup Node
  uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
  with:
    node-version: '22.20.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
- name: Cache dependencies
  uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
```
Risk of Stale Dependencies due to Renovate Ignore Paths in .github/renovate.json
| Vulnerability | Risk of Stale Dependencies due to Renovate Ignore Paths |
|---|---|
| Description | The Renovate configuration adds an ignorePaths list that prevents automated dependency updates for critical files like requirements.txt, package.json, and Dockerfile. This could lead to dependencies in these files becoming outdated and vulnerable over time, as they will be skipped by the automated update process. Without a clear, verifiable alternative mechanism for updating these dependencies, the project risks accumulating known vulnerabilities. |
django-DefectDojo/.github/renovate.json
Lines 10 to 18 in 380ae36
```json
  "ignorePaths": [
    "requirements.txt",
    "requirements-lint.txt",
    "components/package.json",
    "components/package-lock.json",
    "dojo/components/yarn.lock",
    "dojo/components/package.json",
    "Dockerfile**"
  ],
```
All finding details can be found in the DryRun Security Dashboard.
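The two workflow findings above (a `node-version` pin with no `# renovate:` marker, and a `*_SHA` checksum that is not updated alongside its Renovate-managed `*_VERSION`) are both things a repository can lint for before Renovate ever runs. The script below is an added example, not code from the DefectDojo project or this PR. It assumes the marker format the bot describes (`# renovate: datasource=...`), a naming convention where the version and checksum variables share a prefix (`SHELLCHECK_VERSION` / `SHELLCHECK_SHA`), and a constructed sample workflow whose `SHELLCHECK_VERSION` line and comments are invented for illustration; only the `hugo-version`, `node-version` and `SHELLCHECK_SHA` lines mirror what the findings quote.

```python
"""Lint GitHub Actions workflow text for version pins Renovate will not manage.

Two checks, mirroring the DryRun findings above:
 1. A `*-version:` or `*_VERSION:` pin with no `# renovate:` marker comment
    (the custom regex manager only sees lines carrying that marker).
 2. A `*_SHA:` checksum whose sibling `*_VERSION:` carries a marker but the
    SHA does not, so the version can be bumped while the hash stays stale.
"""
import re

# Renovate's custom regex manager matches only lines with this marker (assumed format).
RENOVATE_MARKER = re.compile(r"#\s*renovate:\s*datasource=")
# Matches `node-version: '22.20.0'`, `hugo-version: "0.140.1"`, `SHELLCHECK_VERSION: 0.10.0`.
VERSION_PIN = re.compile(r"^\s*(?P<key>[A-Za-z0-9_-]*(?:-version|_VERSION))\s*:\s*(?P<val>\S+)")
# Matches `SHELLCHECK_SHA: '038f...'` (assumed naming convention for the checksum).
SHA_PIN = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+_SHA)\s*:\s*(?P<val>\S+)")


def prefix(key):
    """'node-version', 'SHELLCHECK_VERSION' and 'SHELLCHECK_SHA' all reduce to a tool name."""
    return re.sub(r"(-version|_VERSION|_SHA)$", "", key).lower()


def unmanaged_pins(workflow_text):
    """Return [(line_no, key)] for version pins Renovate will never touch."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = VERSION_PIN.match(line)
        if m and not RENOVATE_MARKER.search(line):
            findings.append((n, m.group("key")))
    return findings


def desynced_checksums(workflow_text):
    """Return [(line_no, sha_key, tool)] where the version is auto-updated but the SHA is manual."""
    managed_tools = set()
    manual_shas = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = VERSION_PIN.match(line)
        if m and RENOVATE_MARKER.search(line):
            managed_tools.add(prefix(m.group("key")))
        s = SHA_PIN.match(line)
        if s and not RENOVATE_MARKER.search(line):
            manual_shas.append((n, s.group("key")))
    return [(n, k, prefix(k)) for n, k in manual_shas if prefix(k) in managed_tools]


# Constructed sample workflow: the SHELLCHECK_VERSION line and its comment are invented;
# the hugo-version, node-version and SHELLCHECK_SHA lines mirror the quoted findings.
SAMPLE_WORKFLOW = """\
env:
  SHELLCHECK_VERSION: 'v0.10.0' # renovate: datasource=github-releases depName=koalaman/shellcheck
  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # must be updated by hand
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
        with:
          hugo-version: '0.140.1' # renovate: datasource=github-releases depName=gohugoio/hugo versioning=loose
      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: '22.20.0' # TODO: Renovate helper might not be needed here
"""


def lint(workflow_text):
    """Combine both checks into human-readable lines; empty list means clean."""
    report = [f"line {n}: '{k}' has no '# renovate:' marker, Renovate will not update it"
              for n, k in unmanaged_pins(workflow_text)]
    report += [f"line {n}: '{k}' is manual while {tool.upper()}_VERSION is auto-updated; "
               f"a bump will leave the checksum stale"
               for n, k, tool in desynced_checksums(workflow_text)]
    return report


if __name__ == "__main__":
    for problem in lint(SAMPLE_WORKFLOW):
        print(problem)
```

Run it over `.github/workflows/*.yml` in CI and fail the job when `lint()` returns anything; the second check is the one that matters for supply-chain integrity, since a version bump that outruns its pinned hash either breaks the build or, if the workflow tolerates a mismatch, silently turns the checksum into decoration.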
Approved
888f0ab to 4d8020e
This pull request has conflicts, please resolve those before we can evaluate the pull request.
4d8020e to 71014c7
Conflicts have been resolved. A maintainer will review the pull request shortly.
71014c7 to 380ae36
After #13405 is accepted, it might be a good idea to keep track of some other versions to avoid situations like #13401.