Thomas Montague issues

Results 12 issues of


                                            Thomas Montague

CVE-2022-24785: Moment.js Path Traversal < 2.29.2

https://nvd.nist.gov/vuln/detail/cve-2022-24785 Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N -- 7.5 High Current version in head branch: https://github.com/smartystreets/goconvey/blob/883c12515e6101b79f430987b4fd0ee50841bfe6/web/client/resources/js/lib/moment.js#L1-L2

log-format-json throws panic in v0.5.0

**Describe the bug** When trying to use the `-log-format-json=true` flag, kms panics: ``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xafb309]...

bug

Upgrade alpine version

The version of the alpine base image used is EOL. Bump to most recent stable version 3.19 (yes, 3.20 was just released today). Even with the latest alpine 3.19.1 image,...

Rules marked as checkType Platform still being run on Node Scans.

After https://github.com/ComplianceAsCode/content/pull/10464 all but one kubelet rule was being parsed to be under `checkType: Node`. However one rule (`kubelet_configure_tls_min_version`) wasn't updated to remove the `warnings` field. This rule ends up...

Scan pods stuck in pending, detached from ComplianceScan

OpenShift 4.12.33 compliance-operator.v0.1.61 It's possible that a perfectly timed removal of a Node from the cluster can result in leaving an `openscap-pod` stuck in pending forever. If a Node removal...

Automatic remediation updates fail if ComplianceScan is recreated

Maybe this is due to incorrect usage of the operator and CRDs, but we are hitting an issue where automatic remediation updates won't work. https://github.com/ComplianceAsCode/compliance-operator/blob/7f5d1b9f9d7613dec7ad372b69721ca792ff6ae5/pkg/apis/compliance/v1alpha1/compliancesuite_types.go#L80-L82 https://github.com/ComplianceAsCode/compliance-operator/blob/7f5d1b9f9d7613dec7ad372b69721ca792ff6ae5/pkg/apis/compliance/v1alpha1/compliancesuite_types.go#L29-L33 This is primarily due...

Panic: nodeutils.go:182 AreKubeletConfigsRendered

While debugging #60, I deleted the generated kubelet MachineConfig object. This caused a panic in Compliance Operator. https://github.com/ComplianceAsCode/compliance-operator/blob/1de5fdbda560164df5927bd55c31d6998f741a02/pkg/utils/nodeutils.go#L190-L192 ``` {"level":"info","ts":1657049016.1875877,"logger":"suitectrl","msg":"Generating events for suite","Request.Namespace":"openshift-compliance","Request.Name":"rhcos4"} {"level":"info","ts":1657049016.2087462,"logger":"suitectrl","msg":"All scans are in Done phase. Post-processing...

AllowRoot setting to control if a cli is allowed to run as root

Adds new `AllowRoot` boolean setting to control if an implementation of cli App is allowed to run as UID 0 (root). Defaults to `false`. --- This change is [](https://reviewable.io/reviews/palantir/pkg/192)

Fix determine_tld logic for main.

Main cookies use a dash now, but still support old values.

Ignore CancelledError results.

Initialization fails with: ``` Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python3.12/site-packages/amazon_photos/_api.py", line 78, in __init__ self.folders = self.get_folders() ^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.12/site-packages/amazon_photos/_api.py", line 973, in get_folders...