devtron-labs / devtron Goto Github PK
View Code? Open in Web Editor NEWTool integration platform for Kubernetes
Home Page: https://devtron.ai
License: Apache License 2.0
Tool integration platform for Kubernetes
Home Page: https://devtron.ai
License: Apache License 2.0
Problem Statement
Currently, users need to click around the dashboard interface to navigate around and perform actions.
Why
Inherently, we as individuals try to do things in the easiest way possible if they need to be done again and again. Specifically, developers use the keyboard as their preferred mode of interaction; partly due to the nature of their work (writing code), moreover, it prevents constant switching between keyboard and mouse as input modes, thus saving time.
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697
Release Date: 2019-09-01
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/node-sass/src/libsass/src/parser.cpp
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish Date: 2018-05-26
URL: CVE-2018-11499
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
Release Date: 2018-05-26
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/superagent/docs/tail.html
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/superagent/docs/tail.html
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
Step up your Open Source Security Game with WhiteSource here
YAML support for the Go language.
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/go-yaml/yaml/tree/v2.2.8
Release Date: 2020-04-01
Fix Resolution: v2.2.8
Step up your Open Source Security Game with WhiteSource here
user can add chart repos from UI
Golang implementation of JSON Web Tokens (JWT)
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
app name reuse currently deleted app names can't be reused
What all will be covered ?
Milestones
widget
user can upgrade helm chart or change chart repo all-together
Dependency Hierarchy:
Dependency Hierarchy:
Dependency Hierarchy:
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.
Publish Date: 2019-10-17
URL: CVE-2019-11253
Base Score Metrics:
Type: Upgrade version
Origin: kubernetes/kubernetes#83253
Release Date: 2019-10-17
Fix Resolution: v1.13.12;v1.14.8;v1.15.5;v1.16.2
Step up your Open Source Security Game with WhiteSource here
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839
Release Date: 2018-12-04
Fix Resolution: Libsass:3.6.0
Step up your Open Source Security Game with WhiteSource here
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/jsdoctypeparser/node_modules/lodash/package.json,devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/jscs/node_modules/lodash/package.json,devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/xmlbuilder/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-08
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
Step up your Open Source Security Game with WhiteSource here
replace rollout with deployment
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694
Release Date: 2018-06-04
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
BYOC
grafana query to support byoc
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution: v2.1.1
Step up your Open Source Security Game with WhiteSource here
support for helm3 in chart
support for latest ACD
deployment manifest creation initially on cd pipeline creation
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.
Publish Date: 2020-04-08
URL: CVE-2020-8828
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8828
Release Date: 2020-04-08
Fix Resolution: v1.5.0-rc3
Step up your Open Source Security Game with WhiteSource here
We're so excited that you've decided to create a new project! Now that you're here, let's make sure you know how to get the most out of GitHub Projects.
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-11698
Release Date: 2018-06-04
Fix Resolution: Libsass-3.6.0
Step up your Open Source Security Game with WhiteSource here
Object value retrieval given a string path
Library home page: https://registry.npmjs.org/pathval/-/pathval-0.1.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/pathval/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
This affects all versions of package pathval.
Publish Date: 2020-10-26
URL: CVE-2020-7751
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
ability to add and modify any helm chart repo from UI
A drop-in replacement for `util` with some additional advantageous functions
Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/utile/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
utile
allocates uninitialized Buffers when number is passed in input.
Before version 0.3.0
Publish Date: 2018-07-16
URL: WS-2018-0148
Step up your Open Source Security Game with WhiteSource here
in global config -> Docker registries we have only two supported registry type ecr and other. add support for docker hub
display value : docker hub
form value: docker-hub
devtron platform monitoring
AB#240
ability to toggle feature based on env variable.
components
cluster upgrade grafana datasource create if not available, currently only update
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.
Publish Date: 2020-04-08
URL: CVE-2020-8826
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8826
Release Date: 2020-04-08
Fix Resolution: v1.5.0-rc1
Step up your Open Source Security Game with WhiteSource here
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.14.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/node-sass/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/sass/libsass/blob/3.6.0/src/ast.cpp
Release Date: 2019-07-01
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
This affects the package y18n before 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
Release Date: 2020-11-17
Fix Resolution: 5.0.5
Step up your Open Source Security Game with WhiteSource here
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Declarative continuous deployment for Kubernetes.
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Publish Date: 2020-04-08
URL: CVE-2020-11576
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11576
Release Date: 2020-04-08
Fix Resolution: v1.5.1
Step up your Open Source Security Game with WhiteSource here
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Go client for Kubernetes.
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
Publish Date: 2019-08-29
URL: CVE-2019-11250
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11250
Release Date: 2019-08-29
Fix Resolution: 1.16.0
Step up your Open Source Security Game with WhiteSource here
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: devtron/vendor/github.com/argoproj/argo-cd/ui/package.json
Path to vulnerable library: devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/jsdoctypeparser/node_modules/lodash/package.json,devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/jscs/node_modules/lodash/package.json,devtron/vendor/github.com/argoproj/argo-cd/ui/node_modules/xmlbuilder/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: f7db3d4b83b1d3b0008f56e9a649b36ed2ae830d
Found in base branch: main
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-23
Fix Resolution: lodash - 4.17.19
Step up your Open Source Security Game with WhiteSource here
support for visualisation and analysis of helm chart
AB#274
replace argo rollout with deployment object.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.