Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2020/11/25 07:51:51 UTC

[GitHub] [incubator-dolphinscheduler] sodul opened a new pull request #4102: SECURITY: SONAR_TOKEN should be a secret

sodul opened a new pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102


   The Sonar token was copy-pasted in plain text into the workflow file; this makes use of the SONAR_TOKEN secret instead.
   
   You (repository owners) will need to:
   - create a new token on sonar
   - set the new SONAR_TOKEN secret for the repository (or GitHub org)
   - revoke the leaked token
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [incubator-dolphinscheduler] CalvinKirs commented on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
CalvinKirs commented on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-733546595


   > Note that the only change was to update the Sonar CLI options, so any other failures in the checks are completely unrelated.
   
   We need to complete the relevant settings to re-run Sonar, because currently the Sonar authorization failed.





[GitHub] [incubator-dolphinscheduler] Jave-Chen commented on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
Jave-Chen commented on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-733689523


   Hi, workflows on pull request events can't read the token of the base repository.
   
   Maybe you can work around it with the pull_request_target event.
   
   https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
   
   https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target
   


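The fix proposed in the PR description (read the token from the SONAR_TOKEN secret instead of pasting it into the workflow) and the limitation raised above (workflows triggered by a fork's pull_request event get no secrets) are shown together in this added workflow; it is example code, not the DolphinScheduler project's own file, and the job name, Maven goals and branch name are assumptions.

```yaml
# Added example, not the project's workflow. Job name, Maven invocation and
# branch name are assumed; only the SONAR_TOKEN secret name comes from the PR.
name: SonarCloud

on:
  push:
    branches: [dev]   # trusted context: repository secrets are injected
  pull_request:       # PRs from forks run here with an EMPTY SONAR_TOKEN
  # pull_request_target would give fork PRs the secret, but the job then runs
  # with base-repository privileges: never check out and build the PR head in
  # that event, or untrusted build code runs with the token in its environment.

jobs:
  sonar:
    runs-on: ubuntu-latest
    env:
      # Before the PR a literal token sat in the file; now it is resolved from
      # Settings > Secrets at run time and is masked in the job log.
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    steps:
      - uses: actions/checkout@v2

      - name: Build and analyse with SonarCloud
        # A step-level `if` cannot read the `secrets` context directly, so the
        # secret is mapped to env above and the step is skipped (rather than
        # failing with an authorization error) when no token was injected.
        if: env.SONAR_TOKEN != ''
        run: mvn -B verify sonar:sonar -Dsonar.login="$SONAR_TOKEN"
```

Rotating the token is still required after such a fix: the old value remains in the repository history, so the PR's step list (create a new token, store it as the secret, revoke the leaked one) is what actually closes the exposure.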



[GitHub] [incubator-dolphinscheduler] sodul commented on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
sodul commented on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-736697969


   Hi @Jave-Chen @CalvinKirs,
   
   Any repository permissions that might need to be changed to enable this security improvement must be done by someone with administrative permission on the repository, and on the SonarCloud side. I personally have neither, nor do I desire to be granted these privileges. My main goal was to inform you that your SonarCloud token is stored in plain text in your repository which is not a good security practice. I consider the project to be informed and I do not plan to take any further action on the matter since I am not related to the project, and my original goal was to find examples of how SonarCloud was integrated with GitHub Actions on other projects.





[GitHub] [incubator-dolphinscheduler] CalvinKirs edited a comment on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
CalvinKirs edited a comment on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-781427670


   @chengshiwen PTAL. Thx





[GitHub] [incubator-dolphinscheduler] sodul commented on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
sodul commented on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-733534507


   Note that the only change was to update the Sonar CLI options, so any other failures in the checks are completely unrelated.





[GitHub] [incubator-dolphinscheduler] codecov-io commented on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
codecov-io commented on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-733539813


   # [Codecov](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102?src=pr&el=h1) Report
   > Merging [#4102](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102?src=pr&el=desc) (0d25893) into [dev](https://codecov.io/gh/apache/incubator-dolphinscheduler/commit/145314b782c765802463031ee3e075de857a823d?el=desc) (145314b) will **decrease** coverage by `0.03%`.
   > The diff coverage is `n/a`.
   
   [![Impacted file tree graph](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102/graphs/tree.svg?width=650&height=150&src=pr&token=bv9iXXRLi9)](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102?src=pr&el=tree)
   
   ```diff
   @@             Coverage Diff              @@
   ##                dev    #4102      +/-   ##
   ============================================
   - Coverage     39.58%   39.55%   -0.04%     
   + Complexity     2995     2992       -3     
   ============================================
     Files           467      467              
     Lines         22138    22138              
     Branches       2714     2714              
   ============================================
   - Hits           8763     8756       -7     
   - Misses        12559    12567       +8     
   + Partials        816      815       -1     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102?src=pr&el=tree) | Coverage Δ | Complexity Δ | |
   |---|---|---|---|
   | [...inscheduler/service/zk/CuratorZookeeperClient.java](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102/diff?src=pr&el=tree#diff-ZG9scGhpbnNjaGVkdWxlci1zZXJ2aWNlL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9kb2xwaGluc2NoZWR1bGVyL3NlcnZpY2UvemsvQ3VyYXRvclpvb2tlZXBlckNsaWVudC5qYXZh) | `60.97% <0.00%> (-4.88%)` | `7.00% <0.00%> (-1.00%)` | |
   | [...org/apache/dolphinscheduler/remote/utils/Host.java](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102/diff?src=pr&el=tree#diff-ZG9scGhpbnNjaGVkdWxlci1yZW1vdGUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvcmVtb3RlL3V0aWxzL0hvc3QuamF2YQ==) | `13.43% <0.00%> (-2.99%)` | `5.00% <0.00%> (-1.00%)` | |
   | [...inscheduler/common/task/sqoop/SqoopParameters.java](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102/diff?src=pr&el=tree#diff-ZG9scGhpbnNjaGVkdWxlci1jb21tb24vc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvY29tbW9uL3Rhc2svc3Fvb3AvU3Fvb3BQYXJhbWV0ZXJzLmphdmE=) | `74.00% <0.00%> (-2.00%)` | `25.00% <0.00%> (ø%)` | |
   | [...e/dolphinscheduler/remote/NettyRemotingClient.java](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102/diff?src=pr&el=tree#diff-ZG9scGhpbnNjaGVkdWxlci1yZW1vdGUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvcmVtb3RlL05ldHR5UmVtb3RpbmdDbGllbnQuamF2YQ==) | `51.38% <0.00%> (-1.39%)` | `10.00% <0.00%> (-1.00%)` | |
   | [...eduler/server/worker/runner/TaskExecuteThread.java](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102/diff?src=pr&el=tree#diff-ZG9scGhpbnNjaGVkdWxlci1zZXJ2ZXIvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvc2VydmVyL3dvcmtlci9ydW5uZXIvVGFza0V4ZWN1dGVUaHJlYWQuamF2YQ==) | `56.19% <0.00%> (-0.83%)` | `12.00% <0.00%> (-1.00%)` | |
   | [...er/master/dispatch/host/assign/RandomSelector.java](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102/diff?src=pr&el=tree#diff-ZG9scGhpbnNjaGVkdWxlci1zZXJ2ZXIvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvc2VydmVyL21hc3Rlci9kaXNwYXRjaC9ob3N0L2Fzc2lnbi9SYW5kb21TZWxlY3Rvci5qYXZh) | `83.33% <0.00%> (+5.55%)` | `4.00% <0.00%> (+1.00%)` | |
   
   ------
   
   [Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102?src=pr&el=continue).
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   > Powered by [Codecov](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102?src=pr&el=footer). Last update [145314b...0d25893](https://codecov.io/gh/apache/incubator-dolphinscheduler/pull/4102?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
   





[GitHub] [incubator-dolphinscheduler] CalvinKirs commented on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
CalvinKirs commented on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-736919446


   > Hi @Jave-Chen @CalvinKirs,
   > 
   > Any repository permissions that might need to be changed to enable this security improvement must be done by someone with administrative permission on the repository, and on the SonarCloud side. I personally have neither, nor do I desire to be granted these privileges. My main goal was to inform you that your SonarCloud token is stored in plain text in your repository which is not a good security practice. I consider the project to be informed and I do not plan to take any further action on the matter since I am not related to the project, and my original goal was to find examples of how SonarCloud was integrated with GitHub Actions on other projects.
   
   Thank you very much for your reminder. I am looking for related solutions. If you have a good case, you are also welcome to tell us.





[GitHub] [incubator-dolphinscheduler] CalvinKirs commented on pull request #4102: SECURITY: SONAR_TOKEN should be a secret

Posted by GitBox <gi...@apache.org>.
CalvinKirs commented on pull request #4102:
URL: https://github.com/apache/incubator-dolphinscheduler/pull/4102#issuecomment-781427670


   @chengshiwen 

