mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
38a10d364c
6996 Commits
Author | SHA1 | Message | Date
---|---|---|---
JD | 38a10d364c | Add link to Cyber Security Summit blog hero image (#10285) |
Artemis Tosini | 1dcced4554 | Add Windows 10 CIS 2.3.6.x (#10036)<br>This adds CIS 2.3.6.x items from Windows 10 Enterprise. I tested all of these on Windows Server 2019 as my Windows 10 machine hasn't arrived yet, but they should be identical. I originally thought this was not possible but I did not realize that the GPO always seems to change the registry key and does not act as the single source of truth, unlike profiles on macOS. |
Benjamin Edwards | 1fb1870ca7 | add tier trial that behaves the same as premium (#10157) |
Zach Wasserman | ca2e30e59c | Fix error writing coverage when running tests (#10278)<br>Intended to fix this error we are seeing in CI: `error generating coverage report: write \|1: file already closed` It seems like perhaps a change in the way the test coverage is reported in a recent Go version has interacted with the closing of stdout in these tests. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Added/updated tests |
Noah Talerman | 1e9c928628 | Issue templates: Update story (#10277)<br>- Add a reminder to specify any changes to permissions # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). |
JD | 14989b24af | Seattle Bellevue Cyber Security Summit Blogpost (#10276)<br># Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Andrew Baker <89049099+DrewBakerfdm@users.noreply.github.com> |
RachelElysia | 6b2cebd4f1 | CIS - WIN10 - 2.3.17.X (#10275) |
dependabot[bot] | fdc55aabc4 | Bump actions/cache from 3.0.8 to 3.2.6 (#10268)<br>Bumps [actions/cache](https://github.com/actions/cache) from 3.0.8 to 3.2.6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v3.2.6</h2> <h2>What's Changed</h2> <ul> <li>Updated branch in Force deletion of caches by <a href="https://github.com/t-dedah"><code>@t-dedah</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1108">actions/cache#1108</a></li> <li>Fix zstd not being used after zstd version upgrade to 1.5.4 on hosted runners by <a href="https://github.com/pdotl"><code>@pdotl</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1118">actions/cache#1118</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v3...v3.2.6">https://github.com/actions/cache/compare/v3...v3.2.6</a></p> <h2>v3.2.5</h2> <h2>What's Changed</h2> <ul> <li>Rewrite readmes by <a href="https://github.com/jsoref"><code>@jsoref</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1085">actions/cache#1085</a></li> <li>Fixed typos and formatting in docs by <a href="https://github.com/kotewar"><code>@kotewar</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1076">actions/cache#1076</a></li> <li>Fixing paths for OSes by <a href="https://github.com/kotewar"><code>@kotewar</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1101">actions/cache#1101</a></li> <li>Release patch version update by <a href="https://github.com/Phantsure"><code>@Phantsure</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1105">actions/cache#1105</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jsoref"><code>@jsoref</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1085">actions/cache#1085</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v3...v3.2.5">https://github.com/actions/cache/compare/v3...v3.2.5</a></p> <h2>v3.2.4</h2> <h2>What's Changed</h2> <ul> <li>Update json5 package version by <a href="https://github.com/vsvipul"><code>@vsvipul</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1065">actions/cache#1065</a></li> <li>Cache recipes for cache, restore and save actions by <a href="https://github.com/kotewar"><code>@kotewar</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1055">actions/cache#1055</a></li> <li>Add gnu tar and zstd as pre-requisites for windows self-hosted runners by <a href="https://github.com/pdotl"><code>@pdotl</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1068">actions/cache#1068</a></li> <li>Fix a whitespace typo by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1074">actions/cache#1074</a></li> <li>📝 <a href="https://github-redirect.dependabot.com/actions/cache/issues/1045">#1045</a> update using the <code>set-output</code> command is deprecated by <a href="https://github.com/siguikesse"><code>@siguikesse</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1046">actions/cache#1046</a></li> <li>Fix referenced output key in save action readme by <a href="https://github.com/ruudk"><code>@ruudk</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1061">actions/cache#1061</a></li> <li>Update workflows to use reusable-workflows by <a href="https://github.com/jongwooo"><code>@jongwooo</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1066">actions/cache#1066</a></li> <li>Introduce add-to-project step & rename workflow files by <a href="https://github.com/pallavx"><code>@pallavx</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1077">actions/cache#1077</a></li> <li>chore: Fix syntax error typo by <a href="https://github.com/vHeemstra"><code>@vHeemstra</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1081">actions/cache#1081</a></li> <li>Update caching-strategies.md by <a href="https://github.com/kpfleming"><code>@kpfleming</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1084">actions/cache#1084</a></li> <li>Added another usage hint to foresee <a href="https://github-redirect.dependabot.com/actions/cache/issues/1072">#1072</a> by <a href="https://github.com/maybeec"><code>@maybeec</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1089">actions/cache#1089</a></li> <li>Add <code>fail-on-cache-miss</code> option by <a href="https://github.com/cdce8p"><code>@cdce8p</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1036">actions/cache#1036</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1074">actions/cache#1074</a></li> <li><a href="https://github.com/siguikesse"><code>@siguikesse</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1046">actions/cache#1046</a></li> <li><a href="https://github.com/ruudk"><code>@ruudk</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1061">actions/cache#1061</a></li> <li><a href="https://github.com/pallavx"><code>@pallavx</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1077">actions/cache#1077</a></li> <li><a href="https://github.com/vHeemstra"><code>@vHeemstra</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1081">actions/cache#1081</a></li> <li><a href="https://github.com/kpfleming"><code>@kpfleming</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1084">actions/cache#1084</a></li> <li><a href="https://github.com/maybeec"><code>@maybeec</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1089">actions/cache#1089</a></li> <li><a href="https://github.com/cdce8p"><code>@cdce8p</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1036">actions/cache#1036</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v3...v3.2.4">https://github.com/actions/cache/compare/v3...v3.2.4</a></p> <h2>v3.2.3</h2> <h2>What's Changed</h2> <ul> <li>Add Mint example by <a href="https://github.com/uhooi"><code>@uhooi</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1051">actions/cache#1051</a></li> <li>Fixed broken link by <a href="https://github.com/kotewar"><code>@kotewar</code></a> in <a href="https://github-redirect.dependabot.com/actions/cache/pull/1057">actions/cache#1057</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h3>3.0.0</h3> <ul> <li>Updated minimum runner version support from node 12 -> node 16</li> </ul> <h3>3.0.1</h3> <ul> <li>Added support for caching from GHES 3.5.</li> <li>Fixed download issue for files > 2GB during restore.</li> </ul> <h3>3.0.2</h3> <ul> <li>Added support for dynamic cache size cap on GHES.</li> </ul> <h3>3.0.3</h3> <ul> <li>Fixed avoiding empty cache save when no files are available for caching. (<a href="https://github-redirect.dependabot.com/actions/cache/issues/624">issue</a>)</li> </ul> <h3>3.0.4</h3> <ul> <li>Fixed tar creation error while trying to create tar with path as <code>~/</code> home folder on <code>ubuntu-latest</code>. (<a href="https://github-redirect.dependabot.com/actions/cache/issues/689">issue</a>)</li> </ul> <h3>3.0.5</h3> <ul> <li>Removed error handling by consuming actions/cache 3.0 toolkit, Now cache server error handling will be done by toolkit. (<a href="https://github-redirect.dependabot.com/actions/cache/pull/834">PR</a>)</li> </ul> <h3>3.0.6</h3> <ul> <li>Fixed <a href="https://github-redirect.dependabot.com/actions/cache/issues/809">#809</a> - zstd -d: no such file or directory error</li> <li>Fixed <a href="https://github-redirect.dependabot.com/actions/cache/issues/833">#833</a> - cache doesn't work with github workspace directory</li> </ul> <h3>3.0.7</h3> <ul> <li>Fixed <a href="https://github-redirect.dependabot.com/actions/cache/issues/810">#810</a> - download stuck issue. A new timeout is introduced in the download process to abort the download if it gets stuck and doesn't finish within an hour.</li> </ul> <h3>3.0.8</h3> <ul> <li>Fix zstd not working for windows on gnu tar in issues <a href="https://github-redirect.dependabot.com/actions/cache/issues/888">#888</a> and <a href="https://github-redirect.dependabot.com/actions/cache/issues/891">#891</a>.</li> <li>Allowing users to provide a custom timeout as input for aborting download of a cache segment using an environment variable <code>SEGMENT_DOWNLOAD_TIMEOUT_MINS</code>. Default is 60 minutes.</li> </ul> <h3>3.0.9</h3> <ul> <li>Enhanced the warning message for cache unavailablity in case of GHES.</li> </ul> <h3>3.0.10</h3> <ul> <li>Fix a bug with sorting inputs.</li> <li>Update definition for restore-keys in README.md</li> </ul> <h3>3.0.11</h3> <ul> <li>Update toolkit version to 3.0.5 to include <code>@actions/core@^1.10.0</code></li> <li>Update <code>@actions/cache</code> to use updated <code>saveState</code> and <code>setOutput</code> functions from <code>@actions/core@^1.10.0</code></li> </ul> <h3>3.1.0-beta.1</h3> <ul> <li>Update <code>@actions/cache</code> on windows to use gnu tar and zstd by default and fallback to bsdtar and zstd if gnu tar is not available. (<a href="https://github-redirect.dependabot.com/actions/cache/issues/984">issue</a>)</li> </ul> <h3>3.1.0-beta.2</h3> <ul> <li>Added support for fallback to gzip to restore old caches on windows.</li> </ul> <h3>3.1.0-beta.3</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
Noah Talerman | 57f628e6e7 | MDM docs: Add MDM server in Apple Business Manager (#10236)<br>- Add instructions for creating an MDM server in ABM |
Mike McNeil | 550865e363 | Update open roles (#10264) |
Luke Heath | b4c9fac47e | Add enrollment profile download to okta demo workflow (#10256) |
Jacob Shandling | c17c7b2b57 | UI: Add missing step to manual Turn on MDM modal (#10232)<br><img width="752" alt="Screenshot 2023-03-01 at 3 04 49 PM" src="https://user-images.githubusercontent.com/61553566/222286958-56cd0bac-0354-47ef-81c7-9ccd41626e2e.png"> **Checklist for submitter** - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com> |
Zach Wasserman | f8f3a1e335 | Update OSSF Scorecards action (#10255)<br>Based on the current recommended configuration from https://github.com/ossf/scorecard-action#installation. |
Zachary Winnerman | 23a494e291 | Remove unused code in dogfood (#10249)<br>`╷ │ Warning: Argument is deprecated │ │ with aws_s3_bucket.osquery-results, │ on firehose.tf line 7, in resource "aws_s3_bucket" "osquery-results": │ 7: resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15 │ │ Use the aws_s3_bucket_lifecycle_configuration resource instead │ │ (and 9 more similar warnings elsewhere) ╵ Success! The configuration is valid, but there were some validation warnings as shown above.` |
Sharon Katz | 8c9d33f455 | MAC CIS 13_2.1.1.2 (#10161) |
Sharon Katz | a19d73511e | MAC CIS 13_2.1.1.1 (#10120) |
Mike McNeil | b016c5546a | Maximum allowable adjustments to standard contract terms (#10241)<br># Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). |
Zach Wasserman | 2ed2940683 | Generate targets for osqueryd 5.8.1 (#10245) |
Eric | 4770a780b4 | Website: Add /demo/okta-webflow (#10238)<br>Related to: https://github.com/fleetdm/fleet/issues/10210 Changes: - Added `/experimental/okta-webflow` - This page has a login form that accepts any input. When the login form is submitted, the page shows the user a EULA. - Updated policies, importer.less and routes - Updated `layouts/layout-sandbox` to hide the website's header and footer, and disable the Papercups chat widget when a variable named `optimizeForAppleWebview` is set to `true`. --------- Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> |
Eric | e7476c6a9d | Website: Remove /osquery-management from download-sitemap.js (#10239)<br>https://github.com/fleetdm/fleet/pull/10207#issuecomment-1451073086 Changes: - Removed the `/osquery-management` landing page from `download-sitemap.js` |
gillespi314 | 615052a9ac | Create new API endpoint to provide aggregate status count of MDM profiles applying to hosts (#10194) |
Mike Thomas | 732780a259 | created-osquery-management-landpage (#10207)<br>In this PR, I have: - created an osquery management landing page for our upcoming ad campaign. ~The WIP content is where we ended up after our review session.~ ~For reference, the original content can be found on Figma: https://www.figma.com/file/Jzo81K6E4jC0mcjD4JsWM8/%F0%9F%9A%A7-fleetdm.com-(scratchpad)?node-id=389%3A0~ --------- Co-authored-by: Eric <eashaw@sailsjs.com> |
Lucas Manuel Rodriguez | 9864048ee9 | Allow setting user roles during JIT provisioning (#10193)<br>#8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ |
Lucas Manuel Rodriguez | 2c6bd879f8 | Notify Go and Integration CI failures to new channel (#10235) |
dependabot[bot] | eb1194a0b4 | Bump loader-utils from 1.4.0 to 1.4.2 (#10234)<br>Bumps [loader-utils](https://github.com/webpack/loader-utils) from 1.4.0 to 1.4.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/webpack/loader-utils/releases">loader-utils's releases</a>.</em></p> <blockquote> <h2>v1.4.2</h2> <h3><a href="https://github.com/webpack/loader-utils/compare/v1.4.1...v1.4.2">1.4.2</a> (2022-11-11)</h3> <h3>Bug Fixes</h3> <ul> <li>ReDoS problem (<a href="https://github-redirect.dependabot.com/webpack/loader-utils/issues/226">#226</a>) (<a href=" |
dependabot[bot] | 12751b853f | Bump json5 from 1.0.1 to 1.0.2 (#10233)<br>Bumps [json5](https://github.com/json5/json5) from 1.0.1 to 1.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/json5/json5/releases">json5's releases</a>.</em></p> <blockquote> <h2>v1.0.2</h2> <ul> <li>Fix: Properties with the name <code>__proto__</code> are added to objects and arrays. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/199">#199</a>) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (<a href="https://github-redirect.dependabot.com/json5/json5/issues/295">#295</a>). This has been backported to v1. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/298">#298</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/json5/json5/blob/main/CHANGELOG.md">json5's changelog</a>.</em></p> <blockquote> <h3>Unreleased [<a href="https://github.com/json5/json5/tree/main">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.3...HEAD">diff</a>]</h3> <h3>v2.2.3 [<a href="https://github.com/json5/json5/tree/v2.2.3">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.2...v2.2.3">diff</a>]</h3> <ul> <li>Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/299">#299</a>)</li> </ul> <h3>v2.2.2 [<a href="https://github.com/json5/json5/tree/v2.2.2">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.1...v2.2.2">diff</a>]</h3> <ul> <li>Fix: Properties with the name <code>__proto__</code> are added to objects and arrays. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/199">#199</a>) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (<a href="https://github-redirect.dependabot.com/json5/json5/issues/295">#295</a>).</li> </ul> <h3>v2.2.1 [<a href="https://github.com/json5/json5/tree/v2.2.1">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.0...v2.2.1">diff</a>]</h3> <ul> <li>Fix: Removed dependence on minimist to patch CVE-2021-44906. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/266">#266</a>)</li> </ul> <h3>v2.2.0 [<a href="https://github.com/json5/json5/tree/v2.2.0">code</a>, <a href="https://github.com/json5/json5/compare/v2.1.3...v2.2.0">diff</a>]</h3> <ul> <li>New: Accurate and documented TypeScript declarations are now included. There is no need to install <code>@types/json5</code>. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/236">#236</a>, <a href="https://github-redirect.dependabot.com/json5/json5/issues/244">#244</a>)</li> </ul> <h3>v2.1.3 [<a href="https://github.com/json5/json5/tree/v2.1.3">code</a>, <a href="https://github.com/json5/json5/compare/v2.1.2...v2.1.3">diff</a>]</h3> <ul> <li>Fix: An out of memory bug when parsing numbers has been fixed. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/228">#228</a>, <a href="https://github-redirect.dependabot.com/json5/json5/issues/229">#229</a>)</li> </ul> <h3>v2.1.2 [<a href="https://github.com/json5/json5/tree/v2.1.2">code</a>, <a href="https://github.com/json5/json5/compare/v2.1.1...v2.1.2">diff</a>]</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
Zach Wasserman | 515cdb918c | Replace import-glob-loader with node-sass-glob-importer (#10171)<br>import-glob-loader has a very old loader-utils dependency that triggers security alerting. Hoping that replacing this will allow the loader-utils version to be updated. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Manual QA for all new/changed functionality |
Zach Wasserman | c136b3bdfa | Update Fleet library versions used in Sandbox (#10230) |
JD | 607a89b527 | Clarification on NVD for MS Office in 4.28.0 Release Notes (#10226)<br># Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). |
dependabot[bot] | 37c9097ac0 | Bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.1 in /infrastructure/sandbox/JITProvisioner/lambda (#10225)<br>Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.42.0 to 0.43.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/open-policy-agent/opa/releases">github.com/open-policy-agent/opa's releases</a>.</em></p> <blockquote> <h2>v0.43.1</h2> <p>This is a security release fixing the following vulnerabilities:</p> <ul> <li> <p>CVE-2022-36085: Respect unsafeBuiltinMap for 'with' replacements in the compiler</p> <p>See <a href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr">https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr</a> for all details.</p> </li> <li> <p>CVE-2022-27664 and CVE-2022-32190.</p> <p>Fixed by updating the Go version used in our builds to 1.18.6, see <a href="https://groups.google.com/g/golang-announce/c/x49AQzIVX-s">https://groups.google.com/g/golang-announce/c/x49AQzIVX-s</a>. Note that CVE-2022-32190 is most likely not relevant for OPA's usage of net/url. But since these CVEs tend to come up in security assessment tooling regardless, it's better to get it out of the way.</p> </li> </ul> <h2>v0.43.0</h2> <p>This release contains a number of fixes, enhancements, and performance improvements.</p> <h3>Object Insertion Optimization</h3> <p>Rego Object insertion operations did not scale linearly (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4625">#4625</a>) in the past, and experienced noticeable reallocation/memory movement overheads once the Object grew past 120k-150k keys in size.</p> <p>This release introduces different handling of Object internals during insert operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.</p> <h3>Tooling, SDK, and Runtime</h3> <ul> <li>Add lines covered/not covered counts to test coverage report (authored by <a href="https://github.com/FarisR99"><code>@FarisR99</code></a>)</li> <li>Plugins: Status and logs plugins now accept any HTTP 2xx status code (authored by <a href="https://github.com/lvisterin"><code>@lvisterin</code></a>)</li> <li>Runtime: Generalize OS check for MacOS to other Unix-likes (authored by <a href="https://github.com/iamleot"><code>@iamleot</code></a>)</li> </ul> <h4>Bundles Fixes</h4> <p>The Bundles system received several bugfixes and performance improvements in this release:</p> <ul> <li>Bundle: <code>opa bundle</code> command now supports <code>.yml</code> files (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4859">#4859</a>) authored by <a href="https://github.com/Joffref"><code>@Joffref</code></a> reported by <a href="https://github.com/rdrgmnzsakt"><code>@rdrgmnzsakt</code></a></li> <li>Plugins/Bundle: Use unique temporary files for persisting activated bundles to disk (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4782">#4782</a>) authored by <a href="https://github.com/FredrikAppelros"><code>@FredrikAppelros</code></a> reported by <a href="https://github.com/FredrikAppelros"><code>@FredrikAppelros</code></a></li> <li>Server: Old policy path is now checked for bundle ownership before update (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4846">#4846</a>)</li> <li>Storage+Bundle: Old bundle data is now cleaned before new bundle activation (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4940">#4940</a>)</li> <li>Bundle: Paths are now normalized before bundle root check occurs to ensure checks are os-independent</li> </ul> <h4>Storage Fixes</h4> <p>The Storage system received mostly bugfixes, with a notable performance improvement for large bundles in this release:</p> <ul> <li>storage/inmem: Speed up bundle activation by avoiding unnecessary read operations (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4898">#4898</a>)</li> <li>storage/inmem: Paths are now created during truncate operations if they did not exist before</li> <li>storage/disk: Symlinks work with relative paths now (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4869">#4869</a>)</li> </ul> <h3>Rego and Topdown</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md">github.com/open-policy-agent/opa's changelog</a>.</em></p> <blockquote> <h2>0.43.1</h2> <p>This is a security release fixing the following vulnerabilities:</p> <ul> <li> <p>CVE-2022-36085: Respect unsafeBuiltinMap for 'with' replacements in the compiler</p> <p>See <a href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr">https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr</a> for all details.</p> </li> <li> <p>CVE-2022-27664 and CVE-2022-32190.</p> <p>Fixed by updating the Go version used in our builds to 1.18.6, see <a href="https://groups.google.com/g/golang-announce/c/x49AQzIVX-s">https://groups.google.com/g/golang-announce/c/x49AQzIVX-s</a>. Note that CVE-2022-32190 is most likely not relevant for OPA's usage of net/url. But since these CVEs tend to come up in security assessment tooling regardless, it's better to get it out of the way.</p> </li> </ul> <h2>0.43.0</h2> <p>This release contains a number of fixes, enhancements, and performance improvements.</p> <h3>Object Insertion Optimization</h3> <p>Rego Object insertion operations did not scale linearly (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4625">#4625</a>) in the past, and experienced noticeable reallocation/memory movement overheads once the Object grew past 120k-150k keys in size.</p> <p>This release introduces different handling of Object internals during insert operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.</p> <h3>Tooling, SDK, and Runtime</h3> <ul> <li>Add lines covered/not covered counts to test coverage report (authored by <a href="https://github.com/FarisR99"><code>@FarisR99</code></a>)</li> <li>Plugins: Status and logs plugins now accept any HTTP 2xx status code (authored by <a href="https://github.com/lvisterin"><code>@lvisterin</code></a>)</li> <li>Runtime: Generalize OS check for MacOS to other Unix-likes (authored by <a href="https://github.com/iamleot"><code>@iamleot</code></a>)</li> </ul> <h4>Bundles Fixes</h4> <p>The Bundles system received several bugfixes and performance improvements in this release:</p> <ul> <li>Bundle: <code>opa bundle</code> command now supports <code>.yml</code> files (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4859">#4859</a>) authored by <a href="https://github.com/Joffref"><code>@Joffref</code></a> reported by <a href="https://github.com/rdrgmnzsakt"><code>@rdrgmnzsakt</code></a></li> <li>Plugins/Bundle: Use unique temporary files for persisting activated bundles to disk (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4782">#4782</a>) authored by <a href="https://github.com/FredrikAppelros"><code>@FredrikAppelros</code></a> reported by <a href="https://github.com/FredrikAppelros"><code>@FredrikAppelros</code></a></li> <li>Server: Old policy path is now checked for bundle ownership before update (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4846">#4846</a>)</li> <li>Storage+Bundle: Old bundle data is now cleaned before new bundle activation (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4940">#4940</a>)</li> <li>Bundle: Paths are now normalized before bundle root check occurs to ensure checks are os-independent</li> </ul> <h4>Storage Fixes</h4> <p>The Storage system received mostly bugfixes, with a notable performance improvement for large bundles in this release:</p> <ul> <li>storage/inmem: Speed up bundle activation by avoiding unnecessary read operations (<a href="https://github-redirect.dependabot.com/open-policy-agent/opa/issues/4898">#4898</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
dependabot[bot]
|
1a73517a7f
|
Bump github.com/russellhaering/goxmldsig from 1.1.0 to 1.1.1 in /infrastructure/sandbox/JITProvisioner/lambda (#10224)
Bumps [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig) from 1.1.0 to 1.1.1. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
dependabot[bot]
|
74e01c36ae
|
Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.2 in /infrastructure/sandbox/PreProvisioner/lambda (#10223)
Bumps [github.com/theupdateframework/go-tuf](https://github.com/theupdateframework/go-tuf) from 0.3.0 to 0.3.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/theupdateframework/go-tuf/releases">github.com/theupdateframework/go-tuf's releases</a>.</em></p> <blockquote> <h2>v0.3.2</h2> <h2>Changelog</h2> <h3>Bug fixes</h3> <ul> <li>b6695e4ba6d0b98beb851054c0f187df8d54a639: fix(verify): backport "Fix a vulnerability in the verification of threshold si… (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/375">#375</a>) (<a href="https://github.com/znewman01"><code>@znewman01</code></a>)</li> </ul> <h2>v0.3.1</h2> <h2>Changelog</h2> <h3>Features</h3> <ul> <li>4bf58eb096f99647e7fd30447396c7a57202982f: feat: add <code>payload</code> and <code>add-signature</code> commands. (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/214">#214</a>) (<a href="https://github.com/znewman01"><code>@znewman01</code></a>)</li> <li>39c23cb5043ad2c0d873f7cc7191a7256f6a3cb6: feat: add workflow responsible for notifying of new TUF spec release (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/287">#287</a>) (<a href="https://github.com/rdimitrov"><code>@rdimitrov</code></a>)</li> <li>355e39cb2df220fc3961396a6d0e30bcf2c9ac12: feat: Implement TAP-12 support (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/310">#310</a>) (<a href="https://github.com/znewman01"><code>@znewman01</code></a>)</li> </ul> <h3>Bug fixes</h3> <ul> <li>9a41055b8eee0fee60650c43037f35b919d72d7c: fix: check root metadata verification before snapshotting (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/293">#293</a>) (<a href="https://github.com/asraa"><code>@asraa</code></a>)</li> <li>e3efe988f0371d41c83686204dc6ae23285bf33c: fix: verify length and hashes of fetched bytes before parsing (<a 
href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/325">#325</a>) (<a href="https://github.com/joshuagl"><code>@joshuagl</code></a>)</li> </ul> <h3>Others</h3> <ul> <li>ea0f98a4e1b72d7486e4e86baf7fd9a3ec1fc844: chore(deps): bump arnested/go-version-action from 1.0.67 to 1.0.69 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/288">#288</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>6722937104a3178b2b899c5ce1799de129ddb294: chore(deps): bump golangci/golangci-lint-action from 2.5.2 to 3.2.0 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/289">#289</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>e2594e68bf2239a0b60c576c47b5ede7ac8c8fe4: chore(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/290">#290</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>580db1958c1e16ee73d53055eb9793fde1110d8e: chore(deps): bump goreleaser/goreleaser-action from 2.9.1 to 3 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/294">#294</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>5884dab97151c7fd314ee34ac71bf0cf6167e21c: chore(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/295">#295</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>3b26aedfe985198bc88a9dda7525938c575ca046: chore(deps): bump arnested/go-version-action from 1.0.69 to 1.0.70 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/297">#297</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>041e818016131ec500c78ed8eb20fed9a5668861: chore(deps): bump 
github.com/secure-systems-lab/go-securesystemslib (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/298">#298</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>ad96eca0239ec2cc9b6e408fbe42b2f9e9d6b1dd: chore(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/299">#299</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>36633af8d7a2162664a58f3fb1fe36a74e10428e: chore(deps): bump arnested/go-version-action from 1.0.70 to 1.1.0 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/300">#300</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>e24b175b00960136ecacb8111d9887d15ce47c6d: chore(deps): bump actions/setup-python from 3.1.2 to 4 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/311">#311</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>1684c680105f90a054f04e05b0f8ac540c4ef885: docs: Update CONTRIBUTING.md, add MAINTAINERS.md (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/309">#309</a>) (<a href="https://github.com/znewman01"><code>@znewman01</code></a>)</li> <li>4139c85cd7632c659bf00f4b2810c37eb8d71a2c: chore(deps): bump arnested/go-version-action from 1.1.0 to 1.1.3 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/316">#316</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>36a29309b2531255fc7d374c4055dcfab0fd04e8: build: update go version to 1.18 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/314">#314</a>) (<a href="https://github.com/asraa"><code>@asraa</code></a>)</li> <li>ae904d2bb977a54e6a5527513c4d398c8d9cc285: docs: Add DCO instructions (<a 
href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/319">#319</a>) (<a href="https://github.com/znewman01"><code>@znewman01</code></a>)</li> <li>81cd9b36a8023d6e943f0f3cacfe664603fa3177: chore(deps): bump Python from 3.6 to 3.10 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/318">#318</a>) (<a href="https://github.com/rdimitrov"><code>@rdimitrov</code></a>)</li> <li>986a4c5a492be020d0ab16a5ea13b9963bf7af1f: chore(deps): bump requests from 2.27.1 to 2.28.0 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/317">#317</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>439ce47c43c772ad225101494db8307e97f869c3: chore(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/324">#324</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>3bb077e8c246429db8acafc78761de71cc4d6b62: chore(deps): bump requests from 2.28.0 to 2.28.1 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/332">#332</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>eed9e6c4d8eac821593800fd053d8cca5ee56137: chore(deps): bump github.com/stretchr/testify from 1.7.4 to 1.8.0 (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/331">#331</a>) (<a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot])</li> <li>0d40b25637fa35e4e546a0bafebaa7ee4591e172: test: fix flakey util test (<a href="https://github-redirect.dependabot.com/theupdateframework/go-tuf/issues/333">#333</a>) (<a href="https://github.com/asraa"><code>@asraa</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
dependabot[bot]
|
05d38abc35
|
Bump github/codeql-action from 2.1.21 to 2.2.5 (#10220)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.21 to 2.2.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>2.2.5 - 24 Feb 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.3. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1543">#1543</a></li> </ul> <h2>2.2.4 - 10 Feb 2023</h2> <p>No user facing changes.</p> <h2>2.2.3 - 08 Feb 2023</h2> <ul> <li>Update default CodeQL bundle version to 2.12.2. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1518">#1518</a></li> </ul> <h2>2.2.2 - 06 Feb 2023</h2> <ul> <li>Fix an issue where customers using the CodeQL Action with the <a href="https://docs.github.com/en/enterprise-server@3.7/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-codeql-analysis-on-a-server-without-internet-access">CodeQL Action sync tool</a> would not be able to obtain the CodeQL tools. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1517">#1517</a></li> </ul> <h2>2.2.1 - 27 Jan 2023</h2> <p>No user facing changes.</p> <h2>2.2.0 - 26 Jan 2023</h2> <ul> <li>Improve stability when choosing the default version of CodeQL to use in code scanning workflow runs on Actions on GitHub.com. 
<a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1475">#1475</a> <ul> <li>This change addresses customer reports of code scanning alerts on GitHub.com being closed and reopened during the rollout of new versions of CodeQL in the GitHub Actions <a href="https://github.com/actions/runner-images">runner images</a>.</li> <li><strong>No change is required for the majority of workflows</strong>, including: <ul> <li>Workflows on GitHub.com hosted runners using the latest version (<code>v2</code>) of the CodeQL Action.</li> <li>Workflows on GitHub.com hosted runners that are pinned to specific versions of the CodeQL Action from <code>v2.2.0</code> onwards.</li> <li>Workflows on GitHub Enterprise Server.</li> </ul> </li> <li><strong>A change may be required</strong> for workflows on GitHub.com hosted runners that are pinned to specific versions of the CodeQL Action before <code>v2.2.0</code> (e.g. <code>v2.1.32</code>): <ul> <li>Previously, these workflows would obtain the latest version of CodeQL from the Actions runner image.</li> <li>Now, these workflows will download an older, compatible version of CodeQL from GitHub Releases. To use this older version, no change is required. To use the newest version of CodeQL, please update your workflows to reference the latest version of the CodeQL Action (<code>v2</code>).</li> </ul> </li> <li><strong>Internal changes</strong> <ul> <li>These changes will not affect the majority of code scanning workflows. Continue reading only if your workflow uses <a href="https://github.com/actions/toolkit/tree/main/packages/tool-cache"><code>@actions/tool-cache</code></a> or relies on the precise location of CodeQL within the Actions tool cache.</li> <li>The tool cache now contains <strong>two</strong> recent CodeQL versions (previously <strong>one</strong>).</li> <li>Each CodeQL version is located under a directory named after the release date and version number, e.g. 
CodeQL 2.11.6 is now located under <code>CodeQL/2.11.6-20221211/x64/codeql</code> (previously <code>CodeQL/0.0.0-20221211/x64/codeql</code>).</li> </ul> </li> </ul> </li> <li>The maximum number of <a href="https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#run-object">SARIF runs</a> per file has been increased from 15 to 20 for users uploading SARIF files to GitHub.com. This change will help ensure that Code Scanning can process SARIF files generated by third-party tools that have many runs. See the <a href="https://docs.github.com/en/rest/code-scanning#upload-an-analysis-as-sarif-data">GitHub API documentation</a> for a list of all the limits around uploading SARIF. This change will be released to GitHub Enterprise Server as part of GHES 3.9.</li> <li>Update default CodeQL bundle version to 2.12.1. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1498">#1498</a></li> <li>Fix a bug that forced the <code>init</code> Action to run for at least two minutes on JavaScript. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1494">#1494</a></li> </ul> <h2>2.1.39 - 18 Jan 2023</h2> <ul> <li>CodeQL Action v1 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v2. For more information, see <a href="https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/">this changelog post</a>. <a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1466">#1467</a></li> <li>Python automatic dependency installation will no longer fail for projects using Poetry that specify <code>virtualenvs.options.no-pip = true</code> in their <code>poetry.toml</code>. 
<a href="https://github-redirect.dependabot.com/github/codeql-action/pull/1431">#1431</a></li> <li>Avoid printing a stack trace and error message when the action fails to find the SHA at the</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
dependabot[bot]
|
17ecc388ec
|
Bump tfsec/tfsec-sarif-action from 0.1.3 to 0.1.4 (#10219)
Bumps [tfsec/tfsec-sarif-action](https://github.com/tfsec/tfsec-sarif-action) from 0.1.3 to 0.1.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tfsec/tfsec-sarif-action/releases">tfsec/tfsec-sarif-action's releases</a>.</em></p> <blockquote> <h2>v0.1.4</h2> <h2>What's Changed</h2> <ul> <li>Replace deprecated <code>set-output</code> usage with environment file <code>GITHUB_OUTPUT</code> by <a href="https://github.com/sivapalan"><code>@sivapalan</code></a> in <a href="https://github-redirect.dependabot.com/aquasecurity/tfsec-sarif-action/pull/35">aquasecurity/tfsec-sarif-action#35</a></li> <li>Fix conditional expression for setting <code>TFSEC_VERSION</code> by <a href="https://github.com/sivapalan"><code>@sivapalan</code></a> in <a href="https://github-redirect.dependabot.com/aquasecurity/tfsec-sarif-action/pull/36">aquasecurity/tfsec-sarif-action#36</a></li> <li>Forcing wget to use IPv4 by <a href="https://github.com/jasonjanderson"><code>@jasonjanderson</code></a> in <a href="https://github-redirect.dependabot.com/aquasecurity/tfsec-sarif-action/pull/37">aquasecurity/tfsec-sarif-action#37</a></li> <li>add git and hg to docker image by <a href="https://github.com/bobcallaway"><code>@bobcallaway</code></a> in <a href="https://github-redirect.dependabot.com/aquasecurity/tfsec-sarif-action/pull/33">aquasecurity/tfsec-sarif-action#33</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jasonjanderson"><code>@jasonjanderson</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/aquasecurity/tfsec-sarif-action/pull/37">aquasecurity/tfsec-sarif-action#37</a></li> <li><a href="https://github.com/bobcallaway"><code>@bobcallaway</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/aquasecurity/tfsec-sarif-action/pull/33">aquasecurity/tfsec-sarif-action#33</a></li> </ul> <p><strong>Full Changelog</strong>: <a 
href="https://github.com/aquasecurity/tfsec-sarif-action/compare/v0.1.3...v0.1.4">https://github.com/aquasecurity/tfsec-sarif-action/compare/v0.1.3...v0.1.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
StepSecurity Bot
|
fb152b9114
|
Pin image SHA in Dockerfiles (#10205)
## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Secure Dockerfiles Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles. - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback, please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Zach Wasserman <zach@fleetdm.com> |
||
dependabot[bot]
|
74a86ff0ab
|
Bump dawidd6/action-download-artifact from 2.23.0 to 2.26.0 (#10218)
Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 2.23.0 to 2.26.0. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
Zachary Winnerman
|
4b6da3dd62
|
bump version (#10216)
|
||
Noah Talerman
|
8f84442b9a
|
MDM docs: End user UX for OS updates (#10078)
- Explain that Fleet automatically downloads the macOS update for the end user - Explain how to troubleshoot the scenario when the Mac says it's up to date when it isn't |
||
Zachary Winnerman
|
714a628908
|
Update readmes (#10214)
|
||
RachelElysia
|
4c80e1808b
|
CIS - WIN10 - 2.3.10.X policies (#10178) | ||
Roberto Dip
|
164bb4bf5c
|
add logic to configure FileVault + escrow (#10160)
Related to #9495, this adds the underlying methods to send a configuration profile that enables FileVault and FileVault Escrow, so we can fetch and decrypt the encryption key later on. These methods still need to be called somewhere, and they might need to be moved outside of `Service`, but at least this gives us a start. |
||
dependabot[bot]
|
f3ed6f3037
|
Bump github.com/kevinburke/go-bindata from 3.22.0+incompatible to 3.24.0+incompatible (#10186)
Bumps [github.com/kevinburke/go-bindata](https://github.com/kevinburke/go-bindata) from 3.22.0+incompatible to 3.24.0+incompatible. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/kevinburke/go-bindata/releases">github.com/kevinburke/go-bindata's releases</a>.</em></p> <blockquote> <p>v3.24.0</p> <p>v3.23.0</p> <p>test</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kevinburke/go-bindata/blob/master/CHANGELOG.md">github.com/kevinburke/go-bindata's changelog</a>.</em></p> <blockquote> <h2>3.24.0</h2> <p>Remove uses of io/ioutil; you must use Go 1.18 or higher with this version of go-bindata and its generated asset files.</p> <p>Update generated doc comments for compatibility with Go's updated doc comment guidelines.</p> <h2>3.21.0</h2> <p>Replace "Debug" with "AssetDebug" to reduce the likelihood of conflicts.</p> <h2>3.20.0</h2> <p>Add the "Debug" constant if assets have been generated using the <code>--debug</code> flag at the command line.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
Mike McNeil
|
3d1e3b55f7
|
Update ceo-handbook.md (#10203)
. |
||
Zach Wasserman
|
1bc41a500e
|
Update oncall escalation docs (#10026)
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> |
||
Zach Wasserman
|
9b1583bfc7
|
Fix incorrect integer conversion (#10188)
This was caught by CodeQL. We parsed as 64-bit but then converted to a (possibly 32-bit) `uint`. It would be 64-bit on most platforms, but we actually use a 32-bit `int` type in MySQL as well. |
||
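The narrowing bug that commit #10188 describes, reproduced and fixed in a small added example. This is illustration code written for this page, not Fleet's own code: `parseIDUnchecked`, `parseID` and `ErrOutOfRange` are hypothetical names, and `uint32` stands in for `uint` so the truncation shows on a 64-bit machine as well. The fix is the one the message implies: give `strconv.ParseUint` the width of the destination so the parser reports the range error itself, then enforce the signed 32-bit bound of a MySQL `INT` column.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// ErrOutOfRange is returned when a parsed value would not fit the signed
// 32-bit INT column it is destined for (hypothetical name for this example).
var ErrOutOfRange = errors.New("value does not fit a signed 32-bit INT column")

// parseIDUnchecked reproduces the pattern the commit describes: parse with a
// 64-bit width, then narrow with a plain conversion. On a platform where uint
// is 32 bits wide the conversion silently discards the high bits; uint32 is
// used here so the truncation is reproducible on any machine.
func parseIDUnchecked(s string) (uint32, error) {
	v, err := strconv.ParseUint(s, 10, 64)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil // lossy: 2^32+5 becomes 5
}

// parseID passes the destination width to ParseUint, so the parser itself
// returns a *strconv.NumError wrapping strconv.ErrRange instead of a later
// conversion truncating, and then checks the signed 32-bit bound that a
// MySQL INT column imposes.
func parseID(s string) (uint, error) {
	v, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, err
	}
	if v > math.MaxInt32 {
		return 0, ErrOutOfRange
	}
	return uint(v), nil
}

func main() {
	// Constructed inputs: in range, above MaxInt32, and above 2^32.
	for _, in := range []string{"42", "2147483648", "4294967301"} {
		u, err1 := parseIDUnchecked(in)
		c, err2 := parseID(in)
		fmt.Printf("%-11s unchecked=%d (%v)  checked=%d (%v)\n", in, u, err1, c, err2)
	}
}
```

The same reasoning applies to `strconv.Atoi` and `ParseInt(s, 10, 64)` followed by `int32(x)`: the bit size passed to the parser should match the narrowest type the value ever flows into, including the database column type.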
StepSecurity Bot
|
2154c13865
|
Pin actions to commit SHA (#10204)
## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback, please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> |
||
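A check for the two pinning rules the StepSecurity commits apply (image digests in Dockerfile `FROM` lines, #10205; full commit SHAs in workflow `uses:` entries, #10204), as an added example that is not part of Fleet's repository or of StepSecurity's tooling. It scans the text of a Dockerfile and a workflow file and reports every reference still on a mutable tag or branch, so it can run as a CI gate against regressions after the pinning PRs merge. The sample Dockerfile and workflow, the digest made of repeated `ab`, and the commit SHA made of repeated digits are all constructed for this example; `UnpinnedImages` and `UnpinnedActions` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`) // immutable image reference
	commitRe = regexp.MustCompile(`^[0-9a-f]{40}$`)        // full-length git commit SHA
)

// UnpinnedImages scans Dockerfile text and returns every FROM reference that
// is not pinned to an image digest. References to earlier build stages
// (FROM ... AS name, then FROM name) are skipped: they name a stage, not a
// registry image that could be retagged.
func UnpinnedImages(dockerfile string) []string {
	var unpinned []string
	stages := map[string]bool{}
	for _, line := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || !strings.EqualFold(f[0], "FROM") {
			continue
		}
		i := 1
		for i < len(f) && strings.HasPrefix(f[i], "--") { // e.g. --platform=linux/amd64
			i++
		}
		if i >= len(f) {
			continue
		}
		ref := f[i]
		if i+2 < len(f) && strings.EqualFold(f[i+1], "AS") {
			stages[f[i+2]] = true
		}
		if stages[ref] || digestRe.MatchString(ref) {
			continue
		}
		unpinned = append(unpinned, ref)
	}
	return unpinned
}

// UnpinnedActions scans workflow YAML text for `uses:` entries and returns
// those whose ref is a tag or branch rather than a full commit SHA. Local
// actions (./path) are skipped; docker:// references must carry a digest.
// A trailing "# vX.Y.Z" comment, the convention for documenting a pinned
// SHA, is ignored when reading the ref.
func UnpinnedActions(workflow string) []string {
	var unpinned []string
	for _, line := range strings.Split(workflow, "\n") {
		line = strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "-"))
		if !strings.HasPrefix(line, "uses:") {
			continue
		}
		ref := strings.TrimSpace(strings.TrimPrefix(line, "uses:"))
		if c := strings.Index(ref, "#"); c >= 0 {
			ref = strings.TrimSpace(ref[:c])
		}
		ref = strings.Trim(ref, `"'`)
		switch {
		case strings.HasPrefix(ref, "./"):
			continue
		case strings.HasPrefix(ref, "docker://"):
			if !digestRe.MatchString(ref) {
				unpinned = append(unpinned, ref)
			}
		default:
			at := strings.LastIndex(ref, "@")
			if at < 0 || !commitRe.MatchString(ref[at+1:]) {
				unpinned = append(unpinned, ref)
			}
		}
	}
	return unpinned
}

// sampleDockerfile is a constructed input, not a file from the repository:
// one tag-only base image, one digest-pinned image, one stage reference.
func sampleDockerfile() string {
	return "FROM golang:1.19 AS builder\nWORKDIR /app\n" +
		"FROM --platform=linux/amd64 alpine:3.17@sha256:" + strings.Repeat("ab", 32) + "\n" +
		"COPY --from=builder /app/fleet /usr/bin/fleet\nFROM builder\n"
}

// sampleWorkflow is a constructed input with one tag-pinned action, one
// SHA-pinned action (fake SHA), one local action and one docker:// tag.
func sampleWorkflow() string {
	return "jobs:\n  build:\n    steps:\n" +
		"      - uses: actions/checkout@v3\n" +
		"      - uses: actions/setup-go@" + strings.Repeat("1234567890", 4) + " # v4.1.0\n" +
		"      - uses: ./.github/actions/local-lint\n" +
		"      - uses: docker://alpine:3.17\n"
}

func main() {
	fmt.Println("unpinned images: ", UnpinnedImages(sampleDockerfile()))
	fmt.Println("unpinned actions:", UnpinnedActions(sampleWorkflow()))
}
```

Pinning to a digest or commit SHA removes the mutable-tag risk only if something keeps the pins current, which is why the Dependabot bumps on this page continue to arrive as SHA-to-SHA updates once the pinning PRs land.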
dependabot[bot]
|
e28288a618
|
Bump github.com/go-kit/log from 0.2.0 to 0.2.1 (#10187)
Bumps [github.com/go-kit/log](https://github.com/go-kit/log) from 0.2.0 to 0.2.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-kit/log/releases">github.com/go-kit/log's releases</a>.</em></p> <blockquote> <h2>v0.2.1</h2> <p>This release fixes a few small bugs and adds <code>level.Parse</code> which allows levels to be set by a string input from e.g. flags or environment variables. Thanks, <a href="https://github.com/mcosta74"><code>@mcosta74</code></a>!</p> <h2>What's Changed</h2> <ul> <li>fix safeError & safeString for json format by <a href="https://github.com/dwiyanr"><code>@dwiyanr</code></a> in <a href="https://github-redirect.dependabot.com/go-kit/log/pull/20">go-kit/log#20</a></li> <li>Update CI and add badges to README by <a href="https://github.com/ChrisHines"><code>@ChrisHines</code></a> in <a href="https://github-redirect.dependabot.com/go-kit/log/pull/21">go-kit/log#21</a></li> <li>Allow to configure allowed levels by string value by <a href="https://github.com/mcosta74"><code>@mcosta74</code></a> in <a href="https://github-redirect.dependabot.com/go-kit/log/pull/22">go-kit/log#22</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/dwiyanr"><code>@dwiyanr</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/go-kit/log/pull/20">go-kit/log#20</a></li> <li><a href="https://github.com/mcosta74"><code>@mcosta74</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/go-kit/log/pull/22">go-kit/log#22</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-kit/log/compare/v0.2.0...v0.2.1">https://github.com/go-kit/log/compare/v0.2.0...v0.2.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
Zach Wasserman
|
64cd97fc83
|
Remove debug on failure from integration test action (#10202)
This would cause the job to take much longer to report a failure. Instead, just add this line if debugging is necessary. |
||
dependabot[bot]
|
0ef74017ea
|
Bump docker/login-action from 2.0.0 to 2.1.0 (#10182)
Bumps [docker/login-action](https://github.com/docker/login-action) from 2.0.0 to 2.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/login-action/releases">docker/login-action's releases</a>.</em></p> <blockquote> <h2>v2.1.0</h2> <h2>What's Changed</h2> <ul> <li>Ensure AWS temp credentials are redacted in workflow logs by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/275">#275</a>)</li> <li>Bump <code>@actions/core</code> from 1.6.0 to 1.10.0 (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/252">#252</a> <a href="https://github-redirect.dependabot.com/docker/login-action/issues/292">#292</a>)</li> <li>Bump <code>@aws-sdk/client-ecr</code> from 3.53.0 to 3.186.0 (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/298">#298</a>)</li> <li>Bump <code>@aws-sdk/client-ecr-public</code> from 3.53.0 to 3.186.0 (<a href="https://github-redirect.dependabot.com/docker/login-action/issues/299">#299</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v2.0.0...v2.1.0">https://github.com/docker/login-action/compare/v2.0.0...v2.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
dependabot[bot]
|
56b26753a5
|
Bump ossf/scorecard-action from 1.1.2 to 2.1.2 (#10180)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.1.2 to 2.1.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's releases</a>.</em></p> <blockquote> <h2>v2.1.2</h2> <h2>What's Changed</h2> <h3>Fixes</h3> <ul> <li>🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf statement. by <a href="https://github.com/spencerschrock"><code>@spencerschrock</code></a> in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/1054">ossf/scorecard-action#1054</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2">https://github.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2</a></p> <h2>v2.1.1</h2> <h2>Scorecard version</h2> <p>This release use <a href="https://github.com/ossf/scorecard/releases/tag/v4.10.1">Scorecard's v4.10.1</a></p> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1">https://github.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1</a></p> <h2>v2.1.0</h2> <h2>What's Changed</h2> <h3>Scorecard version</h3> <p>This release uses <a href="https://github.com/ossf/scorecard/releases/tag/v4.10.0">scorecard v4.10.0</a>.</p> <h3>Improvements</h3> <ul> <li>Docker build workflow by <a href="https://github.com/naveensrinivasan"><code>@naveensrinivasan</code></a> in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/981">ossf/scorecard-action#981</a></li> <li>Use root user in distroless to support GitHub Actions by <a href="https://github.com/spencerschrock"><code>@spencerschrock</code></a> in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/994">ossf/scorecard-action#994</a></li> <li>Disable pull_request_target by <a href="https://github.com/laurentsimon"><code>@laurentsimon</code></a> in <a 
href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/1031">ossf/scorecard-action#1031</a></li> </ul> <h3>Documentation</h3> <ul> <li>Add PAT section explaining risks by <a href="https://github.com/olivekl"><code>@olivekl</code></a> in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/1024">ossf/scorecard-action#1024</a></li> <li>Make the badge text easier to copy by <a href="https://github.com/rajbos"><code>@rajbos</code></a> in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/1026">ossf/scorecard-action#1026</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/joycebrum"><code>@joycebrum</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/984">ossf/scorecard-action#984</a></li> <li><a href="https://github.com/rajbos"><code>@rajbos</code></a> made their first contribution in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/1026">ossf/scorecard-action#1026</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.0.6...v2.1.0">https://github.com/ossf/scorecard-action/compare/v2.0.6...v2.1.0</a></p> <h2>v2.0.6</h2> <h2>What's Changed</h2> <ul> <li>Fix - Broken dockerfile by <a href="https://github.com/naveensrinivasan"><code>@naveensrinivasan</code></a> in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/979">ossf/scorecard-action#979</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.0.5...v2.0.6">https://github.com/ossf/scorecard-action/compare/v2.0.5...v2.0.6</a></p> <h2>v2.0.5</h2> <h2>What's Changed</h2> <ul> <li>Remove trailing space from example by <a href="https://github.com/jamacku"><code>@jamacku</code></a> in <a href="https://github-redirect.dependabot.com/ossf/scorecard-action/pull/955">ossf/scorecard-action#955</a></li> </ul> <!-- 
raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |