Run snyk on all project with ignore current issues (#415 )

Adding Snyk to CI (#414 )
upgraded base image to alpine:3.14 following snyk vuln report (#412 )
2026-02-22 13:53:59 +00:00 · 2021-10-28 21:59:42 +03:00 · 2021-10-28 16:37:11 +03:00 · 2021-10-28 15:00:11 +03:00 · 2021-10-28 14:55:33 +03:00 · 2021-10-28 14:53:28 +03:00
11 changed files with 216 additions and 21 deletions
--- a/.github/workflows/security_validation.yml
+++ b/.github/workflows/security_validation.yml
@@ -0,0 +1,25 @@
+name: Security validation
+
+on:
+  pull_request:
+    branches:
+      - 'develop'
+      - 'main'
+
+jobs:
+  security:
+    name: Check for vulnerabilities
+    runs-on: ubuntu-latest
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: snyk/actions/setup@master
+      - name: Set up Go 1.16
+        uses: actions/setup-go@v2
+        with:
+          go-version: '1.16'
+
+      - name: Run snyl on all projects
+        run: snyk test --all-projects
--- a/2
+++ b/2
@@ -44,7 +44,7 @@ RUN go build -ldflags="-s -w \
 COPY devops/build_extensions.sh ..
 RUN cd .. && /bin/bash build_extensions.sh

-FROM alpine:3.13.5
+FROM alpine:3.14

 RUN apk add bash libpcap-dev tcpdump
 WORKDIR /app
--- a/README.md
+++ b/README.md
@@ -171,6 +171,16 @@ against the contracts.

 Please see [CONTRACT MONITORING](docs/CONTRACT_MONITORING.md) page for more details and syntax.

+### Configure proxy host 
+
+By default, mizu will be accessible via local host: 'http://localhost:8899/mizu/', it is possible to change the host,
+for instance, to '0.0.0.0' which can grant access via machine IP address.
+This setting can be changed via command line flag `--set tap.proxy-host=<value>` or via config file:
+tap
+    proxy-host: 0.0.0.0
+and when changed it will support accessing by IP
+
+
 ## How to Run local UI

 - run from mizu/agent `go run main.go --hars-read --hars-dir <folder>`
--- a/agent/.snyk
+++ b/agent/.snyk
@@ -0,0 +1,6 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.14.0
+ignore:
+  SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736:
+    - '*':
+      reason: None Given
--- a/cli/auth/authProvider.go
+++ b/cli/auth/authProvider.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"os"
 	"time"

 	"github.com/google/uuid"
@@ -33,19 +32,8 @@ func Login() error {
 		Token:   token.AccessToken,
 	}

-	configFile, defaultConfigErr := config.GetConfigWithDefaults()
-	if defaultConfigErr != nil {
-		return fmt.Errorf("failed getting config with defaults, err: %v", defaultConfigErr)
-	}
-
-	if err := config.LoadConfigFile(config.Config.ConfigFilePath, configFile); err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("failed getting config file, err: %v", err)
-	}
-
-	configFile.Auth = authConfig
-
-	if err := config.WriteConfig(configFile); err != nil {
-		return fmt.Errorf("failed writing config with auth, err: %v", err)
+	if err := config.UpdateConfig(func(configStruct *config.ConfigStruct) { configStruct.Auth = authConfig }); err != nil {
+		return fmt.Errorf("failed updating config with auth, err: %v", err)
 	}

 	config.Config.Auth = authConfig
--- a/cli/cmd/common.go
+++ b/cli/cmd/common.go
@@ -21,7 +21,7 @@ func GetApiServerUrl() string {
 }

 func startProxyReportErrorIfAny(kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) {
-	err := kubernetes.StartProxy(kubernetesProvider, config.Config.Tap.GuiPort, config.Config.MizuResourcesNamespace, mizu.ApiServerPodName)
+	err := kubernetes.StartProxy(kubernetesProvider, config.Config.Tap.ProxyHost, config.Config.Tap.GuiPort, config.Config.MizuResourcesNamespace, mizu.ApiServerPodName)
 	if err != nil {
 		logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error occured while running k8s proxy %v\n"+
 			"Try setting different port by using --%s", errormessage.FormatError(err), configStructs.GuiPortTapName))
--- a/cli/cmd/tap.go
+++ b/cli/cmd/tap.go
@@ -80,10 +80,19 @@ Supported protocols are HTTP and gRPC.`,

 func askConfirmation(flagName string) {
 	logger.Log.Infof(fmt.Sprintf(uploadTrafficMessageToConfirm, flagName))
+
+	if !config.Config.Tap.AskUploadConfirmation {
+		return
+	}
+
 	if !uiUtils.AskForConfirmation("Would you like to proceed [Y/n]: ") {
 		logger.Log.Infof("You can always run mizu without %s, aborting", flagName)
 		os.Exit(0)
 	}
+
+	if err := config.UpdateConfig(func(configStruct *config.ConfigStruct) { configStruct.Tap.AskUploadConfirmation = false }); err != nil {
+		logger.Log.Debugf("failed updating config with upload confirmation, err: %v", err)
+	}
 }

 func init() {
--- a/cli/config/config.go
+++ b/cli/config/config.go
@@ -40,7 +40,7 @@ func InitConfig(cmd *cobra.Command) error {

 	configFilePathFlag := cmd.Flags().Lookup(ConfigFilePathCommandName)
 	configFilePath := configFilePathFlag.Value.String()
-	if err := LoadConfigFile(configFilePath, &Config); err != nil {
+	if err := loadConfigFile(configFilePath, &Config); err != nil {
 		if configFilePathFlag.Changed || !os.IsNotExist(err) {
 			return fmt.Errorf("invalid config, %w\n"+
 				"you can regenerate the file by removing it (%v) and using `mizu config -r`", err, configFilePath)
@@ -81,7 +81,27 @@ func WriteConfig(config *ConfigStruct) error {
 	return nil
 }

-func LoadConfigFile(configFilePath string, config *ConfigStruct) error {
+type updateConfigStruct func(*ConfigStruct)
+func UpdateConfig(updateConfigStruct updateConfigStruct) error {
+	configFile, err := GetConfigWithDefaults()
+	if err != nil {
+		return fmt.Errorf("failed getting config with defaults, err: %v", err)
+	}
+
+	if err := loadConfigFile(Config.ConfigFilePath, configFile); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed getting config file, err: %v", err)
+	}
+
+	updateConfigStruct(configFile)
+
+	if err := WriteConfig(configFile); err != nil {
+		return fmt.Errorf("failed writing config, err: %v", err)
+	}
+
+	return nil
+}
+
+func loadConfigFile(configFilePath string, config *ConfigStruct) error {
 	reader, openErr := os.Open(configFilePath)
 	if openErr != nil {
 		return openErr
--- a/cli/config/configStructs/tapConfig.go
+++ b/cli/config/configStructs/tapConfig.go
@@ -26,6 +26,7 @@ type TapConfig struct {
 	UploadIntervalSec      int       `yaml:"upload-interval" default:"10"`
 	PodRegexStr            string    `yaml:"regex" default:".*"`
 	GuiPort                uint16    `yaml:"gui-port" default:"8899"`
+	ProxyHost              string    `yaml:"proxy-host" default:"127.0.0.1"`
 	Namespaces             []string  `yaml:"namespaces"`
 	Analysis               bool      `yaml:"analysis" default:"false"`
 	AllNamespaces          bool      `yaml:"all-namespaces" default:"false"`
@@ -37,6 +38,7 @@ type TapConfig struct {
 	Workspace              string    `yaml:"workspace"`
 	EnforcePolicyFile      string    `yaml:"traffic-validation-file"`
 	ContractFile           string    `yaml:"contract"`
+	AskUploadConfirmation  bool      `yaml:"ask-upload-confirmation" default:"true"`
 	ApiServerResources     Resources `yaml:"api-server-resources"`
 	TapperResources        Resources `yaml:"tapper-resources"`
 }
--- a/cli/kubernetes/proxy.go
+++ b/cli/kubernetes/proxy.go
@@ -14,12 +14,12 @@ import (
 const k8sProxyApiPrefix = "/"
 const mizuServicePort = 80

-func StartProxy(kubernetesProvider *Provider, mizuPort uint16, mizuNamespace string, mizuServiceName string) error {
+func StartProxy(kubernetesProvider *Provider, proxyHost string, mizuPort uint16, mizuNamespace string, mizuServiceName string) error {
 	logger.Log.Debugf("Starting proxy. namespace: [%v], service name: [%s], port: [%v]", mizuNamespace, mizuServiceName, mizuPort)
 	filter := &proxy.FilterServer{
 		AcceptPaths:   proxy.MakeRegexpArrayOrDie(proxy.DefaultPathAcceptRE),
 		RejectPaths:   proxy.MakeRegexpArrayOrDie(proxy.DefaultPathRejectRE),
-		AcceptHosts:   proxy.MakeRegexpArrayOrDie(proxy.DefaultHostAcceptRE),
+		AcceptHosts:   proxy.MakeRegexpArrayOrDie("^.*"),
 		RejectMethods: proxy.MakeRegexpArrayOrDie(proxy.DefaultMethodRejectRE),
 	}

@@ -32,7 +32,7 @@ func StartProxy(kubernetesProvider *Provider, mizuPort uint16, mizuNamespace str
 	mux.Handle("/static/", getRerouteHttpHandlerMizuStatic(proxyHandler, mizuNamespace, mizuServiceName))
 	mux.Handle("/mizu/", getRerouteHttpHandlerMizuAPI(proxyHandler, mizuNamespace, mizuServiceName))

-	l, err := net.Listen("tcp", fmt.Sprintf("%s:%d", "127.0.0.1", int(mizuPort)))
+	l, err := net.Listen("tcp", fmt.Sprintf("%s:%d", proxyHost, int(mizuPort)))
 	if err != nil {
 		return err
 	}
--- a/ui/.snyk
+++ b/ui/.snyk
@@ -0,0 +1,135 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.14.0
+ignore:
+  SNYK-JS-AXIOS-1579269:
+      - '*':
+        reason: None Given
+  SNYK-JS-TRIMNEWLINES-1298042:
+      - '*':
+        reason: None Given
+  SNYK-JS-ANSIHTML-1296849:
+      - '*':
+        reason: None Given
+  SNYK-JS-ANSIREGEX-1583908:
+        - '*':
+          reason: None Given
+  SNYK-JS-BROWSERSLIST-1090194:
+        - '*':
+          reason: None Given
+  SNYK-JS-CSSWHAT-1298035:
+        - '*':
+          reason: None Given
+  SNYK-JS-DNSPACKET-1293563:
+        - '*':
+          reason: None Given
+  SNYK-JS-EJS-1049328:
+        - '*':
+          reason: None Given
+  SNYK-JS-GLOBPARENT-1016905:
+        - '*':
+          reason: None Given
+  SNYK-JS-IMMER-1540542:
+        - '*':
+          reason: None Given
+  SNYK-JS-LODASHTEMPLATE-1088054:
+        - '*':
+          reason: None Given
+  SNYK-JS-NODESASS-1059081:
+        - '*':
+          reason: None Given
+  SNYK-JS-NODESASS-535498:
+        - '*':
+          reason: None Given
+  SNYK-JS-NODESASS-535500:
+        - '*':
+          reason: None Given
+  SNYK-JS-NODESASS-535502:
+        - '*':
+          reason: None Given
+  SNYK-JS-NODESASS-540956:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540958:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540964:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540978:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540980:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540990:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540992:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540994:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540996:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-540998:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-541000:
+    - '*':
+        reason: Non given
+  SNYK-JS-NODESASS-541002:
+    - '*':
+        reason: Non given
+  SNYK-JS-NTHCHECK-1586032:
+    - '*':
+        reason: Non given
+  SNYK-JS-PATHPARSE-1077067:
+    - '*':
+        reason: Non given
+  SNYK-JS-POSTCSS-1090595:
+    - '*':
+        reason: Non given
+  SNYK-JS-POSTCSS-1255640:
+    - '*':
+        reason: Non given
+  SNYK-JS-PRISMJS-1314893:
+    - '*':
+        reason: Non given
+  SNYK-JS-PRISMJS-1585202:
+    - '*':
+        reason: Non given
+  SNYK-JS-PROMPTS-1729737:
+    - '*':
+        reason: Non given
+  SNYK-JS-SHELLQUOTE-1766506:
+    - '*':
+        reason: Non given
+  SNYK-JS-TAR-1536528:
+    - '*':
+        reason: Non given
+  SNYK-JS-TAR-1536531:
+    - '*':
+        reason: Non given
+  SNYK-JS-TAR-1536758:
+    - '*':
+        reason: Non given
+  SNYK-JS-TAR-1579147:
+    - '*':
+        reason: Non given
+  SNYK-JS-TAR-1579152:
+    - '*':
+        reason: Non given
+  SNYK-JS-TAR-1579155:
+    - '*':
+        reason: Non given
+  SNYK-JS-TMPL-1583443:
+    - '*':
+        reason: Non given
+  SNYK-JS-URLPARSE-1533425:
+    - '*':
+        reason: Non given
+  SNYK-JS-WS-1296835:
+    - '*':
+        reason: Non given
Author	SHA1	Message	Date
Igor Gov	2c29903910	Run snyk on all project with ignore current issues (#415 )	2021-10-28 21:59:42 +03:00
Igor Gov	f49e29045c	Adding Snyk to CI (#414 )	2021-10-28 16:37:11 +03:00
Alex Haiut	67593345a7	upgraded base image to alpine:3.14 following snyk vuln report (#412 )	2021-10-28 15:00:11 +03:00
RoyUP9	f069fdaae1	changed ask confirmation to be asked only once (#409 )	2021-10-28 14:55:33 +03:00
gadotroee	d478a7ec43	TRA-3867 proxy host from config (#411 )	2021-10-28 14:53:28 +03:00
gadotroee	af96e55f61	running proxy on 0.0.0.0 (#408 )	2021-10-28 11:44:29 +03:00