CVE Fixes by sriramr98 · Pull Request #104 · hashicorp/terraform-aws-consul-lambda

sriramr98 · 2025-03-26T07:30:40Z

Changes proposed in this PR:

Updated go version to 1.23.7 to 1.20.3
Updated multiple dependencies with vulnerabilities to a later version without vulnerabilities
Fixed CI issues
- Deprecated Github Actions have been updated to the latest
- Fixed flaky tests

CVEs Fixed
GHSA-99wr-c2px-grmh
GHSA-5c4w-8hhh-3c3h
GHSA-chgm-7r52-whjj
GHSA-45x7-px36-x8w8
GHSA-v778-237x-gjrc

How I've tested this PR:

Ran tests locally

How I expect reviewers to test this PR:

Checklist:

Tests added
CHANGELOG entry added

hashicorp-cla-app · 2025-03-26T07:30:54Z

All committers have signed the CLA.

srahul3

✅ LGTM

sreeram77

LGTM!

srahul3

✅ LGTM

dduzgun-security

@sriramr98 Thanks a lot for looking into it.
Few comments but the rest looks good. I'll look at the CI too so we can fix it and merge

dduzgun-security · 2025-03-28T15:51:15Z

          -race "${PACKAGE_NAMES[@]}" \
          -- "$FLAG"
-    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+    - uses: actions/upload-artifact@v4


We should pin the GitHub Action for better security.

Suggested change

- uses: actions/upload-artifact@v4

- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

dduzgun-security · 2025-03-28T15:51:40Z

          product: ${{ env.PRD_NAME }}
          repositoryOwner: "hashicorp"
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      - uses: actions/upload-artifact@v4


We should pin the GitHub Action for better security.

Suggested change

- uses: actions/upload-artifact@v4

- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

dduzgun-security · 2025-03-28T15:52:00Z


      - name: Upload consul-lambda-registrator
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v4


We should pin the GitHub Action for better security.

Suggested change

uses: actions/upload-artifact@v4

uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

dduzgun-security · 2025-03-28T15:52:20Z


      - name: Upload consul-lambda-extension
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v4


We should pin the GitHub Action for better security.

Suggested change

uses: actions/upload-artifact@v4

uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

dduzgun-security · 2025-03-28T15:53:42Z

    steps:
      - name: Download image artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@v4


We should pin the GitHub Action for better security.

Suggested change

uses: actions/download-artifact@v4

uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e #v4.2.1

dduzgun-security · 2025-03-28T15:54:29Z

          --format standard-verbose -- \
          ./... -p 1 -timeout 90m -v -failfast
-    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+    - uses: actions/upload-artifact@v4


We should pin the GitHub Action for better security.

Suggested change

- uses: actions/upload-artifact@v4

- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

dduzgun-security · 2025-03-28T15:56:14Z


      - name: Docker Build
-        uses: hashicorp/actions-docker-build@v1
+        uses: hashicorp/actions-docker-build@v2


We should pin the GitHub Action for better security.

Suggested change

uses: hashicorp/actions-docker-build@v2

uses: hashicorp/actions-docker-build@11d43ef520c65f58683d048ce9b47d6617893c9a #v2

dduzgun-security · 2025-03-28T15:57:17Z

      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
    - name: Setup Terraform
-      uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+      uses: hashicorp/setup-terraform@v3


We should pin the GitHub Action for better security.

Suggested change

uses: hashicorp/setup-terraform@v3

uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd #v3.1.2

dduzgun-security · 2025-03-28T15:57:42Z

        aws configure set region us-west-2
        aws configure set source_profile lambda_user
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3


We should pin the GitHub Action for better security.

Suggested change

uses: hashicorp/setup-terraform@v3

uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd #v3.1.2

CVEs Fixed CVE-2024-10086 CVE-2024-10006 CVE-2024-10005 CVE-2023-48795 CVE-2024-45337

The main branch (via PR #104) already has the CVE fixes with: - consul/api v1.31.2 - consul/sdk v0.16.2

sriramr98 requested a review from a team as a code owner March 26, 2025 07:30

sriramr98 requested a review from a team as a code owner March 26, 2025 08:57

sriramr98 requested a review from sarahethompson March 26, 2025 08:57

sriramr98 force-pushed the sriramr98/cve_fixes branch from f8bbafe to b8896aa Compare March 26, 2025 09:04

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 26, 2025 15:43 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 26, 2025 15:48 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 26, 2025 15:57 — with GitHub Actions Inactive

srahul3 previously approved these changes Mar 27, 2025

View reviewed changes

sreeram77 reviewed Mar 27, 2025

View reviewed changes

Comment thread consul-lambda/consul-lambda-extension/extension.go Outdated

sriramr98 dismissed srahul3’s stale review via c065c5e March 27, 2025 07:33

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 27, 2025 07:35 — with GitHub Actions Inactive

sreeram77 previously approved these changes Mar 27, 2025

View reviewed changes

sriramr98 dismissed sreeram77’s stale review via 930ee55 March 28, 2025 03:18

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 03:20 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 03:23 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 03:30 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 28, 2025 06:00 — with GitHub Actions Inactive

srahul3 previously approved these changes Mar 28, 2025

View reviewed changes

dduzgun-security reviewed Mar 28, 2025

View reviewed changes

sriramr98 dismissed srahul3’s stale review via cb14b40 March 29, 2025 12:31

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 12:53 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 12:56 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 13:00 — with GitHub Actions Inactive

sriramr98 force-pushed the sriramr98/cve_fixes branch from bccf70f to 76227cc Compare March 29, 2025 13:01

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 29, 2025 13:03 — with GitHub Actions Inactive

sriramr98 force-pushed the sriramr98/cve_fixes branch from 8695981 to 32878aa Compare March 29, 2025 13:08

Vikramarjuna previously approved these changes Mar 29, 2025

View reviewed changes

sriramr98 dismissed Vikramarjuna’s stale review via 3b22ae1 March 31, 2025 12:16

sriramr98 temporarily deployed to dockerhub/hashicorpdev March 31, 2025 12:18 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 7, 2025 08:41 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 14, 2025 06:40 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 14, 2025 07:51 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 14, 2025 10:42 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 15, 2025 12:38 — with GitHub Actions Inactive

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 21, 2025 07:42 — with GitHub Actions Inactive

sriramr98 force-pushed the sriramr98/cve_fixes branch from 94ce0f8 to b447903 Compare April 21, 2025 09:46

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 21, 2025 09:48 — with GitHub Actions Inactive

sriramr98 force-pushed the sriramr98/cve_fixes branch from b447903 to e27b424 Compare April 21, 2025 10:07

Fixed CVEs and CI issues

de13545

CVEs Fixed CVE-2024-10086 CVE-2024-10006 CVE-2024-10005 CVE-2023-48795 CVE-2024-45337

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 21, 2025 10:10 — with GitHub Actions Inactive

sriramr98 force-pushed the sriramr98/cve_fixes branch from e27b424 to de13545 Compare April 21, 2025 10:13

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 21, 2025 10:16 — with GitHub Actions Inactive

Added changelog

431e991

sriramr98 temporarily deployed to dockerhub/hashicorpdev April 21, 2025 10:42 — with GitHub Actions Inactive

Vikramarjuna approved these changes Apr 21, 2025

View reviewed changes

sriramr98 merged commit 216023f into main Apr 21, 2025
21 checks passed

sriramr98 deleted the sriramr98/cve_fixes branch April 21, 2025 14:53

Surabhi-1605 added a commit that referenced this pull request Feb 6, 2026

revert: Match main branch dependencies exactly

c5d3904

The main branch (via PR #104) already has the CVE fixes with: - consul/api v1.31.2 - consul/sdk v0.16.2

	- uses: actions/upload-artifact@v4
	- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

	uses: actions/upload-artifact@v4
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2

	uses: actions/download-artifact@v4
	uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e #v4.2.1

	uses: hashicorp/actions-docker-build@v2
	uses: hashicorp/actions-docker-build@11d43ef520c65f58683d048ce9b47d6617893c9a #v2

	uses: hashicorp/setup-terraform@v3
	uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd #v3.1.2

Conversation

sriramr98 commented Mar 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes proposed in this PR:

How I've tested this PR:

How I expect reviewers to test this PR:

Checklist:

Uh oh!

hashicorp-cla-app Bot commented Mar 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

srahul3 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

sreeram77 left a comment

Choose a reason for hiding this comment

Uh oh!

srahul3 left a comment

Choose a reason for hiding this comment

Uh oh!

dduzgun-security left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

sriramr98 commented Mar 26, 2025 •

edited

Loading

hashicorp-cla-app Bot commented Mar 26, 2025 •

edited

Loading