Conversation

@reshmifrog (Contributor)

  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • The pull request is targeting the master branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....

add support for collecting build info for conan

@reshmifrog reshmifrog added safe to test Approve running integration tests on a pull request new feature Automatically generated release notes and removed safe to test Approve running integration tests on a pull request labels Dec 23, 2025
@naveenku-jfrog naveenku-jfrog (Collaborator) left a comment

LGTM. Approved.

@reshmifrog reshmifrog added safe to test Approve running integration tests on a pull request and removed safe to test Approve running integration tests on a pull request labels Dec 23, 2025
@github-actions (Contributor)

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 1 issue

| Scan Category | Status | Security Issues |
|---|---|---|
| Software Composition Analysis | ✅ Done | 1 Issue Found (1 High) |
| Contextual Analysis | ✅ Done | - |
| Static Application Security Testing (SAST) | ✅ Done | Not Found |
| Secrets | ✅ Done | - |
| Infrastructure as Code (IaC) | ✅ Done | Not Found |

📦 Vulnerable Dependencies

| Severity | ID | Contextual Analysis | Direct Dependencies | Impacted Dependency | Fixed Versions |
|---|---|---|---|---|---|
| High | CVE-2025-66564 | Not Applicable | github.com/sigstore/timestamp-authority:v1.2.8, github.com/jfrog/jfrog-cli-evidence:v0.8.3-0.20251116083852-12dc534b4d13, github.com/sigstore/sigstore-go:v1.1.1 | github.com/sigstore/timestamp-authority v1.2.8 | [2.0.3] |

🔖 Details

Vulnerability Details

Contextual Analysis: Not Applicable
Direct Dependencies: github.com/sigstore/timestamp-authority:v1.2.8, github.com/jfrog/jfrog-cli-evidence:v0.8.3-0.20251116083852-12dc534b4d13, github.com/sigstore/sigstore-go:v1.1.1
Impacted Dependency: github.com/sigstore/timestamp-authority:v1.2.8
Fixed Versions: [2.0.3]
CVSS V3: 7.5

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, the function api.ParseJSONRequest splits (via a call to strings.Split) an optionally provided OID, which is untrusted data, on periods. Similarly, the function api.getContentType splits the Content-Type header, which is also untrusted data, on an application string. As a result, given a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes, where n is the length of the function's argument. This vulnerability is fixed in 2.0.3.


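The allocation pattern the Frogbot comment above describes, shown next to a bounded alternative, as an added Go example that is not code from jfrog-cli, Frogbot or sigstore/timestamp-authority. The names splitOIDPieces, parseOID and contentTypeIsJSON, the limits maxOIDLen and maxOIDArcs, the two-arc minimum and the use of mime.ParseMediaType are assumptions for illustration; the page does not show how upstream 2.0.3 actually fixed the issue. The hostile inputs in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strconv"
	"strings"
)

// Limits are assumptions for this example, not values from the upstream project.
const (
	maxOIDLen  = 128 // dotted OIDs seen in RFC 3161 requests are far shorter
	maxOIDArcs = 32
)

var errOID = errors.New("malformed or oversized OID")

// splitOIDPieces reproduces the pattern the advisory describes: strings.Split
// on attacker-controlled input allocates one string header per separator
// before any validation happens, so n periods cost O(n) bytes.
// It returns the number of pieces produced (n+1 for a string of n periods).
func splitOIDPieces(oid string) int {
	return len(strings.Split(oid, "."))
}

// parseOID is a bounded alternative (illustration, not the upstream fix):
// reject oversized input before touching it, scan arcs in place without
// building a []string, cap the arc count, and accept digits only.
func parseOID(oid string) ([]int, error) {
	if len(oid) == 0 || len(oid) > maxOIDLen {
		return nil, errOID
	}
	arcs := make([]int, 0, maxOIDArcs)
	start := 0
	for i := 0; i <= len(oid); i++ {
		if i < len(oid) && oid[i] != '.' {
			continue
		}
		if i == start { // empty arc: leading, trailing or doubled period
			return nil, errOID
		}
		if len(arcs) == maxOIDArcs {
			return nil, errOID
		}
		for j := start; j < i; j++ {
			if oid[j] < '0' || oid[j] > '9' {
				return nil, errOID
			}
		}
		v, err := strconv.Atoi(oid[start:i]) // digits only, so Atoi fails only on overflow
		if err != nil {
			return nil, errOID
		}
		arcs = append(arcs, v)
		start = i + 1
	}
	if len(arcs) < 2 { // a dotted OID has at least two arcs (assumed minimum for this example)
		return nil, errOID
	}
	return arcs, nil
}

// contentTypeIsJSON checks the header with the standard library's media-type
// parser instead of splitting it on a substring such as "application/";
// parameters like "; charset=utf-8" and case differences are handled for us.
func contentTypeIsJSON(header string) bool {
	mediaType, _, err := mime.ParseMediaType(header)
	return err == nil && mediaType == "application/json"
}

func main() {
	hostile := strings.Repeat(".", 1000) // constructed hostile OID
	fmt.Println("unbounded split pieces:", splitOIDPieces(hostile))
	_, err := parseOID(hostile)
	fmt.Println("bounded parser:", err)
	arcs, err := parseOID("1.2.840.113549.1.1.11") // sha256WithRSAEncryption
	fmt.Println("valid OID:", arcs, err)
	fmt.Println(contentTypeIsJSON("application/json; charset=utf-8"), contentTypeIsJSON("application/jsonx"))
}
```

The general rule the example follows is to bound the size of untrusted input before any parser runs on it. Go's net/http already caps total request header size (Server.MaxHeaderBytes, 1 MiB by default), and request bodies can be capped with http.MaxBytesReader; a field pulled out of a JSON body, such as the OID here, gets no such protection unless the handler imposes its own limit.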
@reshmifrog reshmifrog closed this by deleting the head repository Dec 23, 2025

Labels: new feature (Automatically generated release notes), safe to test (Approve running integration tests on a pull request)
