From 3cf4717e3d31cf7c056da0772ec9f6ba3ec605b6 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Mon, 30 Oct 2023 15:19:02 +0200 Subject: [PATCH 01/16] feat(trivy): Add autoremove ignored CVEs --- .github/workflows/autoremove_trivyignore.yaml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/autoremove_trivyignore.yaml diff --git a/.github/workflows/autoremove_trivyignore.yaml b/.github/workflows/autoremove_trivyignore.yaml new file mode 100644 index 000000000..8d3d1abec --- /dev/null +++ b/.github/workflows/autoremove_trivyignore.yaml 
@@ -0,0 +1,57 @@ +# Copyright 2023 Canonical Ltd. +# See LICENSE file for licensing details. + +name: Auto-remove ignored CVEs +on: + workflow_call: + +jobs: + autoremove-cves: + permissions: + id-token: write # Enable OIDC + pull-requests: write + contents: write + name: Autoremove ignored CVEs + runs-on: ubuntu-22.04 + steps: + - name: Checkout + uses: actions/checkout@v4.1.1 + with: + fetch-depth: 0 + - name: Check trivyignore + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 + if [ -f ".trivyignore" ] + then + output=$(trivy fs . -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") + newTrivyIgnore=() + for CVE in $(cat .trivyignore) + do + if [[ "$output" != *"$CVE"* ]] + then + echo "$CVE not present anymore, moving out of trivyignore file" + newTrivyIgnore+=( $CVE ) + else + echo "$CVE still present" + fi + done + echo "Removing entries from trivyignore" + for IgnoredCVE in ${newTrivyIgnore[@]} + do + sed -i "/$IgnoredCVE/d" .trivyignore + done + fi + - name: Create pull request + uses: canonical/create-pull-request@main + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + commit-message: "chore: auto-remove ignored CVEs" + branch-name: "chore/autoremove-cves" + title: Auto-remote ignored CVEs + body: | + Automated action to remove ignored CVEs that are fixed. + The branch of this PR will be wiped during the next check. + Unless you really know what you're doing, you most likely don't want + to push any commits to this branch. + upsert: true + ignore-no-changes: true From 131a6164e09897311bf12a9242e5590190a715a7 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Mon, 30 Oct 2023 17:07:47 +0200 Subject: [PATCH 02/16] fix(update-lib): Perms for nested job --- .github/workflows/autoremove_trivyignore.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
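Review bot: The job grants `id-token: write` (commented "Enable OIDC"), but no step in this workflow performs an OIDC exchange — a checkout, one shell step and the create-pull-request action are all that run — so it should be dropped from `permissions:`, leaving only the `contents: write` and `pull-requests: write` the PR step needs. The same job executes two mutable references with that write-scoped token: `uses: canonical/create-pull-request@main` and an installer piped from the `main` branch of aquasecurity/trivy into `sh`; pin the action to a commit SHA and fetch the installer from a tagged revision (verifying the checksum of the binary it downloads). `sed -i "/$IgnoredCVE/d" .trivyignore` is also unanchored, so removing an id such as `CVE-2023-1234` (illustrative) deletes every line containing that text, including a longer id like `CVE-2023-12345`; use `sed -i "/^${IgnoredCVE}\$/d" .trivyignore`. All three points apply unchanged to the copy of this step that PATCH 04 adds to build_rocks.yaml, and the `@main` action reference returns in PATCH 10.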
diff --git a/.github/workflows/autoremove_trivyignore.yaml b/.github/workflows/autoremove_trivyignore.yaml index 8d3d1abec..36c98a5d9 100644 --- a/.github/workflows/autoremove_trivyignore.yaml +++ b/.github/workflows/autoremove_trivyignore.yaml @@ -6,7 +6,7 @@ on: workflow_call: jobs: - autoremove-cves: + update:lib: permissions: id-token: write # Enable OIDC pull-requests: write From c67b8a236ff57e6a836d005af3e41c65f7aa5b89 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Tue, 31 Oct 2023 09:55:46 +0200 Subject: [PATCH 03/16] fix(job): Change hyphen --- .github/workflows/autoremove_trivyignore.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/autoremove_trivyignore.yaml b/.github/workflows/autoremove_trivyignore.yaml index 36c98a5d9..8658fc063 100644 --- a/.github/workflows/autoremove_trivyignore.yaml +++ b/.github/workflows/autoremove_trivyignore.yaml @@ -6,7 +6,7 @@ on: workflow_call: jobs: - update:lib: + update-lib: permissions: id-token: write # Enable OIDC pull-requests: write From ff643d32dc3df34b9e1ea60bc1e718ef37a48dbc Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Tue, 31 Oct 2023 14:13:45 +0200 Subject: [PATCH 04/16] feat(cves): Autoremove CVEs from rocks --- .github/workflows/build_rocks.yaml | 40 ++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 6da4c5fa2..9c913bacb 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml 
@@ -224,3 +224,43 @@ jobs: env: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + - name: Check trivyignore + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 + if [ -f ".trivyignore" ] + then + output=$(trivy image ${{ env.IMAGE_REG }} --severity HIGH,CRITICAL . -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") + newTrivyIgnore=() + for CVE in $(cat .trivyignore) + do + if [[ "$output" != *"$CVE"* ]] + then + echo "$CVE not present anymore, moving out of trivyignore file" + newTrivyIgnore+=( $CVE ) + else + echo "$CVE still present" + fi + done + echo "Removing entries from trivyignore" + for IgnoredCVE in ${newTrivyIgnore[@]} + do + sed -i "/$IgnoredCVE/d" .trivyignore + done + fi + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + - name: Create pull request + uses: canonical/create-pull-request@main + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + commit-message: "chore: auto-remove ignored CVEs" + branch-name: "chore/autoremove-cves" + title: Auto-remote ignored CVEs + body: | + Automated action to remove ignored CVEs that are fixed. + The branch of this PR will be wiped during the next check. + Unless you really know what you're doing, you most likely don't want + to push any commits to this branch. + upsert: true + ignore-no-changes: true From 0e1db6e3958dbac88d9f6bc0eb7d22919a83e2d8 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Tue, 31 Oct 2023 16:17:09 +0200 Subject: [PATCH 05/16] fix(cves): Fix typo --- .github/workflows/build_rocks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 9c913bacb..c9d653356 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml 
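Review bot: The new `output=$(trivy image … | jq … 2>/dev/null || echo "No vulnerabilities found")` line cannot tell a failed scan from a clean one: if `trivy image` exits non-zero (registry auth, DB download, missing image) jq sees no input and `output` is simply empty, and when any result carries `"Vulnerabilities": null` jq aborts mid-stream with its stderr discarded. In both cases every entry of `.trivyignore` fails the `*"$CVE"*` test, is logged as "not present anymore", is deleted, and a PR is opened removing the whole ignore list. The step should fail on scan error and tolerate empty results: `set -o pipefail` at the top of the script, run `trivy image … -q -f json --ignorefile "" > scan.json` as its own command, then `jq -r '.Results[]?.Vulnerabilities[]?.VulnerabilityID' scan.json`. The same line is used by the `trivy fs` variant in PATCH 01 and survives into PATCH 14's annotation loop, where the failure mode becomes a "can be safely removed" notice on every entry.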
@@ -229,7 +229,7 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 if [ -f ".trivyignore" ] then - output=$(trivy image ${{ env.IMAGE_REG }} --severity HIGH,CRITICAL . -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") + output=$(trivy image ${{ env.IMAGE_REF }} --severity HIGH,CRITICAL . -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") newTrivyIgnore=() for CVE in $(cat .trivyignore) do From af1cea5481d678b7fd41f4168ef5b289db371ed3 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Wed, 1 Nov 2023 10:56:04 +0200 Subject: [PATCH 06/16] fix(cves): Use env var --- .github/workflows/build_rocks.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index c9d653356..92d6a9b2d 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -229,7 +229,7 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 if [ -f ".trivyignore" ] then - output=$(trivy image ${{ env.IMAGE_REF }} --severity HIGH,CRITICAL . -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") + output=$(trivy image $ROCK_IMAGE --severity HIGH,CRITICAL -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") newTrivyIgnore=() for CVE in $(cat .trivyignore) do @@ -250,6 +250,7 @@ jobs: env: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + ROCK_IMAGE: ${{ env.IMAGE_REF }} - name: Create pull request uses: canonical/create-pull-request@main with: 
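Review bot: `$ROCK_IMAGE` is expanded unquoted in `trivy image $ROCK_IMAGE …`; binding the reference through the step's `env:` is the right way to keep the `${{ }}` expression out of the shell text, but the expansion should still be `"$ROCK_IMAGE"` so a value containing whitespace or glob characters reaches trivy as a single argument. The `IMAGE_REF` it is bound to is presumably set by an earlier step outside this hunk, so as far as the diff shows this is shell hygiene rather than a live injection path.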
From 07e1f76b296d602b1fea5a0bfca8267c9f73b6af Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Wed, 1 Nov 2023 11:59:10 +0200 Subject: [PATCH 07/16] chore(version): Bump trivy --- .github/workflows/build_rocks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 92d6a9b2d..42887036e 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -226,7 +226,7 @@ jobs: TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - name: Check trivyignore run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.46.0 if [ -f ".trivyignore" ] then output=$(trivy image $ROCK_IMAGE --severity HIGH,CRITICAL -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") From c254f2dad41c75dc2e9834db3be2c89cd0d2bd2a Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Wed, 1 Nov 2023 14:49:24 +0200 Subject: [PATCH 08/16] fix(cves): Omit comments --- .github/workflows/build_rocks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 42887036e..b0fba1f37 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -231,7 +231,7 @@ jobs: then output=$(trivy image $ROCK_IMAGE --severity HIGH,CRITICAL -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") newTrivyIgnore=() - for CVE in $(cat .trivyignore) + for CVE in $(sed '/^#/d' .trivyignore) do if [[ "$output" != *"$CVE"* ]] then From 0160566480c98afac69b635147c9b66e8425797e Mon Sep 17 00:00:00 2001 
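Review bot: `for CVE in $(sed '/^#/d' .trivyignore)` skips comment lines but still splits the remaining lines on whitespace, so an entry that carries anything after the id (an inline comment, or an expiry token if the file uses one) is iterated as several "CVEs"; those stray tokens never appear in `$output`, are appended to `newTrivyIgnore`, and the later `sed -i "/$IgnoredCVE/d"` then deletes every line containing that token (a bare `#` token would strip every comment in the file). Reading one line at a time and keeping only the first field avoids this: `while read -r CVE _; do … done < <(sed '/^#/d' .trivyignore)`, optionally with `[[ "$CVE" =~ ^(CVE|GHSA)- ]] || continue` as a guard. The loop body and the deletion pass that consumes `newTrivyIgnore` continue past the end of this hunk.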
From: Mariyan Dimitrov Date: Wed, 1 Nov 2023 16:16:31 +0200 Subject: [PATCH 09/16] fix(cves): Use other pr action --- .github/workflows/build_rocks.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index b0fba1f37..1e4dba164 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -252,16 +252,15 @@ jobs: TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ROCK_IMAGE: ${{ env.IMAGE_REF }} - name: Create pull request - uses: canonical/create-pull-request@main + uses: peter-evans/create-pull-request@v5 with: - github-token: ${{ secrets.GITHUB_TOKEN }} commit-message: "chore: auto-remove ignored CVEs" - branch-name: "chore/autoremove-cves" - title: Auto-remote ignored CVEs + branch: "chore/remove-ignored-cves" + delete-branch: true + base: main + title: Auto-remove ignored CVEs body: | Automated action to remove ignored CVEs that are fixed. The branch of this PR will be wiped during the next check. Unless you really know what you're doing, you most likely don't want to push any commits to this branch. - upsert: true - ignore-no-changes: true From fc3570780f785a14ab8be2078463195a687223fc Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Wed, 1 Nov 2023 18:17:04 +0200 Subject: [PATCH 10/16] fix(cves): Use canonical action with base --- .github/workflows/build_rocks.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 1e4dba164..9f9c8fa38 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml 
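Review bot: `base: main` hard-codes the target branch of the generated PR; if this workflow is reused by repositories whose default branch is not `main` (the file's trigger is outside this hunk, so that is inferred), the step fails or targets the wrong branch, whereas `base: ${{ github.event.repository.default_branch }}` follows the calling repository. `peter-evans/create-pull-request@v5` is a floating major tag that runs with the repository-scoped `GITHUB_TOKEN` and pushes a branch; pin it to the commit SHA of the release rather than the tag. The `base: main` value is carried forward unchanged into PATCH 10.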
@@ -252,11 +252,11 @@ jobs: TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ROCK_IMAGE: ${{ env.IMAGE_REF }} - name: Create pull request - uses: peter-evans/create-pull-request@v5 + uses: canonical/create-pull-request@main with: + github-token: ${{ secrets.GITHUB_TOKEN }} commit-message: "chore: auto-remove ignored CVEs" - branch: "chore/remove-ignored-cves" - delete-branch: true + branch-name: "chore/remove-ignored-cves" base: main title: Auto-remove ignored CVEs body: | @@ -264,3 +264,4 @@ jobs: The branch of this PR will be wiped during the next check. Unless you really know what you're doing, you most likely don't want to push any commits to this branch. + ignore-no-changes: true From ae018bcd36eace7c5caacb7be70a156db310b533 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Wed, 1 Nov 2023 18:34:27 +0200 Subject: [PATCH 11/16] fix(cves): Get all the refs --- .github/workflows/build_rocks.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 9f9c8fa38..29088cdb8 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -89,6 +89,8 @@ jobs: path: ${{ fromJSON(needs.get-rocks.outputs.rock-paths) }} steps: - uses: actions/checkout@v4.1.1 + with: + fetch-depth: 0 - name: Extract rock information run: | IMAGE_NAME=$(yq '.name' "${{ matrix.path }}/rockcraft.yaml") From 9e54312c1b295c56f01876ab87ee5cd088e21f75 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Thu, 2 Nov 2023 12:23:06 +0200 Subject: [PATCH 12/16] feat(cves): Use suggestion instead of PR --- .github/workflows/build_rocks.yaml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 29088cdb8..1f7f62996 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml 
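Review bot: `upsert: true` from the original workflow in PATCH 01 is not restored alongside `ignore-no-changes: true` when the step moves back to `canonical/create-pull-request@main`; if the action's default is to fail when `chore/remove-ignored-cves` or its PR already exists (I cannot confirm the action's semantics from here), the first run after an unmerged PR will error, so confirm and add `upsert: true` back if needed. The `@main` reference is again a mutable ref driven by `github-token: ${{ secrets.GITHUB_TOKEN }}`; the pinning point raised on PATCH 01 applies here. In PATCH 11, `fetch-depth: 0` fetches the full history for every matrix entry; if the only need is the base ref for the PR action, fetching that ref alone (`git fetch origin main` in the step that needs it) is cheaper, which is a cost rather than a correctness concern.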
@@ -253,17 +253,16 @@ jobs: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ROCK_IMAGE: ${{ env.IMAGE_REF }} - - name: Create pull request - uses: canonical/create-pull-request@main + - name: Set up Node.js + uses: actions/setup-node@v1 with: - github-token: ${{ secrets.GITHUB_TOKEN }} - commit-message: "chore: auto-remove ignored CVEs" - branch-name: "chore/remove-ignored-cves" - base: main - title: Auto-remove ignored CVEs - body: | - Automated action to remove ignored CVEs that are fixed. - The branch of this PR will be wiped during the next check. - Unless you really know what you're doing, you most likely don't want - to push any commits to this branch. - ignore-no-changes: true + node-version: 12 + - name: Checkout + uses: actions/checkout@v2 + - name: Install suggestion bot + run: yarn add suggestion-bot --dev + - name: Create suggestions + if: ${{ github.event_name == 'pull_request' }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: yarn suggestion-bot "$(git diff)" From b5a728420acd4138235e4ffa5eaec87943e8d8e3 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Thu, 2 Nov 2023 13:55:39 +0200 Subject: [PATCH 13/16] feat(cves): Bump node to v18 --- .github/workflows/build_rocks.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 1f7f62996..c1ce6f3f8 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -254,11 +254,9 @@ jobs: TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ROCK_IMAGE: ${{ env.IMAGE_REF }} - name: Set up Node.js - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: - node-version: 12 - - name: Checkout - uses: actions/checkout@v2 + node-version: 18 - name: Install suggestion bot run: yarn add suggestion-bot --dev - name: Create suggestions From 1e7d82917f4e59c714fe10ab48ef8a1a6c287905 Mon Sep 17 00:00:00 2001 
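Review bot: `yarn add suggestion-bot --dev` installs an unpinned package from the npm registry at run time, and the next step executes it with `GITHUB_TOKEN` in its environment, so whatever version the registry serves on that day receives a write-capable token. Pin the version (`yarn add suggestion-bot@<pinned version> --dev`, placeholder) or, better, install from a committed lockfile so integrity hashes are checked; the same applies after PATCH 13 swaps the Node setup. The `if: ${{ github.event_name == 'pull_request' }}` guard also lets the step run on pull requests from forks, where `GITHUB_TOKEN` is read-only and posting suggestions will fail; if fork PRs are expected, add `github.event.pull_request.head.repo.full_name == github.repository` to the condition.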
From: Mariyan Dimitrov Date: Thu, 2 Nov 2023 15:01:36 +0200 Subject: [PATCH 14/16] feat(cves): Use annotations --- .github/workflows/build_rocks.yaml | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index c1ce6f3f8..33e08c836 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -232,35 +232,17 @@ jobs: if [ -f ".trivyignore" ] then output=$(trivy image $ROCK_IMAGE --severity HIGH,CRITICAL -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") - newTrivyIgnore=() - for CVE in $(sed '/^#/d' .trivyignore) + line=0 + while read CVE; do - if [[ "$output" != *"$CVE"* ]] + line=$(( line + 1 )) + if [[ "$output" != *"$CVE"* ]] && [[ ! "$CVE" =~ ^#.* ]] then - echo "$CVE not present anymore, moving out of trivyignore file" - newTrivyIgnore+=( $CVE ) - else - echo "$CVE still present" + echo "::notice file=.trivyignore,line=${line}::$CVE not present anymore, can be safely removed." fi done - echo "Removing entries from trivyignore" - for IgnoredCVE in ${newTrivyIgnore[@]} - do - sed -i "/$IgnoredCVE/d" .trivyignore - done fi env: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ROCK_IMAGE: ${{ env.IMAGE_REF }} - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - - name: Install suggestion bot - run: yarn add suggestion-bot --dev - - name: Create suggestions - if: ${{ github.event_name == 'pull_request' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: yarn suggestion-bot "$(git diff)" From 4b6dc49791803890e1d3a021dd48544cc37057c0 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Thu, 2 Nov 2023 15:43:34 +0200 Subject: [PATCH 15/16] fix(cves): Feed in trivyignore --- .github/workflows/build_rocks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
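Review bot: `while read CVE; do` compares the whole line with `$output`, so an entry that carries anything after the id (an inline comment or an expiry token) never matches and is annotated as "not present anymore, can be safely removed" although the scan still reports it; `read` without `-r` also mangles backslashes, and a final line without a trailing newline is skipped by `read` entirely, so it gets no annotation and is not counted in `line`. `while read -r CVE _ || [ -n "$CVE" ]; do` takes only the first field and still processes an unterminated last line. In this commit the loop reads from the step's stdin (the `< .trivyignore` redirect arrives in PATCH 15), and the point above still applies once that redirect is in place.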
diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml index 33e08c836..40c3fe9cc 100644 --- a/.github/workflows/build_rocks.yaml +++ b/.github/workflows/build_rocks.yaml @@ -240,7 +240,7 @@ jobs: then echo "::notice file=.trivyignore,line=${line}::$CVE not present anymore, can be safely removed." fi - done + done < .trivyignore fi env: TRIVY_USERNAME: ${{ github.actor }} From 3bb7f414586d67611ccf9216b47b36ac0f6bc375 Mon Sep 17 00:00:00 2001 From: Mariyan Dimitrov Date: Wed, 15 Nov 2023 14:57:53 +0200 Subject: [PATCH 16/16] fix(trivy): Remove job --- .github/workflows/autoremove_trivyignore.yaml | 57 ------------------- 1 file changed, 57 deletions(-) delete mode 100644 .github/workflows/autoremove_trivyignore.yaml diff --git a/.github/workflows/autoremove_trivyignore.yaml b/.github/workflows/autoremove_trivyignore.yaml deleted file mode 100644 index 8658fc063..000000000 --- a/.github/workflows/autoremove_trivyignore.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -# Copyright 2023 Canonical Ltd. -# See LICENSE file for licensing details. - -name: Auto-remove ignored CVEs -on: - workflow_call: - -jobs: - update-lib: - permissions: - id-token: write # Enable OIDC - pull-requests: write - contents: write - name: Autoremove ignored CVEs - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@v4.1.1 - with: - fetch-depth: 0 - - name: Check trivyignore - run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 - if [ -f ".trivyignore" ] - then - output=$(trivy fs . -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found") - newTrivyIgnore=() - for CVE in $(cat .trivyignore) - do - if [[ "$output" != *"$CVE"* ]] - then - echo "$CVE not present anymore, moving out of trivyignore file" - newTrivyIgnore+=( $CVE ) - else - echo "$CVE still present" - fi - done - echo "Removing entries from trivyignore" - for IgnoredCVE in ${newTrivyIgnore[@]} - do - sed -i "/$IgnoredCVE/d" .trivyignore - done - fi - - name: Create pull request - uses: canonical/create-pull-request@main - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - commit-message: "chore: auto-remove ignored CVEs" - branch-name: "chore/autoremove-cves" - title: Auto-remote ignored CVEs - body: | - Automated action to remove ignored CVEs that are fixed. - The branch of this PR will be wiped during the next check. - Unless you really know what you're doing, you most likely don't want - to push any commits to this branch. - upsert: true - ignore-no-changes: true