diff --git a/IaC_scan_output.json b/IaC_scan_output.json
new file mode 100644
index 00000000000..f1fe0b4f65f
--- /dev/null
+++ b/IaC_scan_output.json
@@ -0,0 +1,20809 @@ +[ + { + "check_type": "terraform_plan", + "results": { + "passed_checks": [], + "failed_checks": [], + "skipped_checks": [], + "parsing_errors": [ + "/tmp/ws-scm/h2o-opensips/lib/json/Makefile.json" + ] + }, + "summary": { + "passed": 0, + "failed": 0, + "skipped": 0, + "parsing_errors": 1, + "resource_count": 0, + "checkov_version": "3.2.174" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" + }, + { + "check_type": "github_actions", + "results": { + "passed_checks": [ + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + }, + { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + }, + { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + ], + "__startline__": 5, + "__endline__": 26 + } + }, + "code_block": [ + [ + 5, + " runs-on: ubuntu-latest\n" + ], + [ + 6, + " steps:\n" + ], + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + 
[ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 5, + 27 + ], + "resource": "jobs(Fuzzing)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "Fuzzing": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + 
"oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + }, + { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + }, + { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + ], + "__startline__": 5, + "__endline__": 26 + }, + "__startline__": 4, + "__endline__": 26 + } + }, + "code_block": [ + [ + 4, + " Fuzzing:\n" + ], + [ + 5, + " runs-on: ubuntu-latest\n" + ], + [ + 6, + " steps:\n" + ], + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": 
"/.github/workflows/cifuzz.yml", + "file_line_range": [ + 4, + 27 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "Fuzzing": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + }, + { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + }, + { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + ], + "__startline__": 5, + "__endline__": 26 + }, + "__startline__": 4, + "__endline__": 26 + } + }, + "code_block": [ + [ + 4, + " Fuzzing:\n" + ], + 
[ + 5, + " runs-on: ubuntu-latest\n" + ], + [ + 6, + " steps:\n" + ], + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 4, + 27 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + 
"steps": [ + { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + }, + { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + }, + { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + ], + "__startline__": 5, + "__endline__": 26 + } + }, + "code_block": [ + [ + 5, + " runs-on: ubuntu-latest\n" + ], + [ + 6, + " steps:\n" + ], + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": 
"/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 5, + 27 + ], + "resource": "jobs(Fuzzing)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + }, + { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + }, + { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + ], + "__startline__": 5, + "__endline__": 26 + } + }, + "code_block": [ + [ + 5, + " runs-on: 
ubuntu-latest\n" + ], + [ + 6, + " steps:\n" + ], + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 5, + 27 + ], + "resource": "jobs(Fuzzing)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ 
+ { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + }, + { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + }, + { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + ], + "__startline__": 5, + "__endline__": 26 + } + }, + "code_block": [ + [ + 5, + " runs-on: ubuntu-latest\n" + ], + [ + 6, + " steps:\n" + ], + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": 
"/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 5, + 27 + ], + "resource": "jobs(Fuzzing)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": 
"jobs(Fuzzing).steps[1](Build Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + } + }, + "code_block": [ + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 14, + 21 + ], + "resource": "jobs(Fuzzing).steps[2](Run Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + }, + "code_block": [ + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 20, + 27 + ], + "resource": "jobs(Fuzzing).steps[3](Upload Crash)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + 
"check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": "jobs(Fuzzing).steps[1](Build Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_4", + 
"bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + } + }, + "code_block": [ + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 14, + 21 + ], + "resource": "jobs(Fuzzing).steps[2](Run Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && 
steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + }, + "code_block": [ + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 20, + 27 + ], + "resource": "jobs(Fuzzing).steps[3](Upload Crash)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: 
google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": "jobs(Fuzzing).steps[1](Build Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + } + }, + "code_block": [ + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: 
false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 14, + 21 + ], + "resource": "jobs(Fuzzing).steps[2](Run Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + }, + "code_block": [ + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 20, + 27 + ], + 
"resource": "jobs(Fuzzing).steps[3](Upload Crash)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build Fuzzers", + "id": "build", + "uses": "google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "dry-run": false, + "language": "c", + "__startline__": 11, + "__endline__": 14 + }, + "__startline__": 7, + "__endline__": 14 + } + }, + "code_block": [ + [ + 7, + " - name: Build Fuzzers\n" + ], + [ + 8, + " id: build\n" + ], + [ + 9, + " uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master\n" + ], + [ + 10, + " with:\n" + ], + [ + 11, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 12, + " dry-run: false\n" + ], + [ + 13, + " language: c\n" + ], + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 7, + 15 + ], + "resource": "jobs(Fuzzing).steps[1](Build Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + 
"entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run Fuzzers", + "uses": "google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master", + "with": { + "oss-fuzz-project-name": "opensips", + "fuzz-seconds": 600, + "dry-run": false, + "__startline__": 17, + "__endline__": 20 + }, + "__startline__": 14, + "__endline__": 20 + } + }, + "code_block": [ + [ + 14, + " - name: Run Fuzzers\n" + ], + [ + 15, + " uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master\n" + ], + [ + 16, + " with:\n" + ], + [ + 17, + " oss-fuzz-project-name: 'opensips'\n" + ], + [ + 18, + " fuzz-seconds: 600\n" + ], + [ + 19, + " dry-run: false\n" + ], + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 14, + 21 + ], + "resource": "jobs(Fuzzing).steps[2](Run Fuzzers)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": 
null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Upload Crash", + "uses": "actions/upload-artifact@v1", + "if": "failure() && steps.build.outcome == 'success'", + "with": { + "name": "artifacts", + "path": "./out/artifacts", + "__startline__": 24, + "__endline__": 26 + }, + "__startline__": 20, + "__endline__": 26 + } + }, + "code_block": [ + [ + 20, + " - name: Upload Crash\n" + ], + [ + 21, + " uses: actions/upload-artifact@v1\n" + ], + [ + 22, + " if: failure() && steps.build.outcome == 'success'\n" + ], + [ + 23, + " with:\n" + ], + [ + 24, + " name: artifacts\n" + ], + [ + 25, + " path: ./out/artifacts\n" + ] + ], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 20, + 27 + ], + "resource": "jobs(Fuzzing).steps[3](Upload Crash)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "Fuzzing" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment 
variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "os": [ + "ubuntu-20.04" + ], + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "include": [ + { + "os": "ubuntu-22.04", + "compiler": "gcc", + "__startline__": 29, + "__endline__": 31 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang", + "__startline__": 31, + "__endline__": 33 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-11", + "__startline__": 33, + "__endline__": 35 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-12", + "__startline__": 35, + "__endline__": 37 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-11", + "__startline__": 37, + "__endline__": 39 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-12", + "__startline__": 39, + "__endline__": 41 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-13", + "__startline__": 41, + "__endline__": 43 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-14", + "__startline__": 43, + "__endline__": 45 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-15", + "__startline__": 45, + "__endline__": 49 + } + ], + "__startline__": 26, + "__endline__": 49 + }, + "__startline__": 25, + "__endline__": 49 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 
'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + ], + "__startline__": 19, + "__endline__": 72 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " os: [ubuntu-20.04]\n" + ], + [ + 27, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - os: ubuntu-22.04\n" + ], + [ + 30, + " compiler: 'gcc'\n" + ], + [ + 31, + " - os: ubuntu-22.04\n" + ], + [ + 32, + " compiler: 'clang'\n" + ], + [ + 33, + " - os: ubuntu-22.04\n" + ], + [ + 34, + " compiler: 'gcc-11'\n" + ], + [ + 35, + " - os: ubuntu-22.04\n" + ], + [ + 36, + " compiler: 'gcc-12'\n" + ], + [ + 37, + " - os: ubuntu-22.04\n" + ], + [ + 38, + " compiler: 'clang-11'\n" + ], + [ + 39, + " - os: ubuntu-22.04\n" + ], + [ + 40, + " compiler: 'clang-12'\n" + ], + [ + 41, + " - os: ubuntu-22.04\n" + ], + [ + 42, + " compiler: 'clang-13'\n" + ], + [ + 43, + " - os: ubuntu-22.04\n" + ], + [ + 44, + " compiler: 'clang-14'\n" + ], + [ + 45, + " - os: ubuntu-22.04\n" + ], + [ + 46, + " compiler: 'clang-15'\n" + ], + [ + 47, + "\n" + ], + [ + 48, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 49, + " steps:\n" + ], + [ + 50, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + 
"\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 19, + 73 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler 
}}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "os": [ + "ubuntu-20.04" + ], + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "include": [ + { + "os": "ubuntu-22.04", + "compiler": "gcc", + "__startline__": 29, + "__endline__": 31 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang", + "__startline__": 31, + "__endline__": 33 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-11", + "__startline__": 33, + "__endline__": 35 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-12", + "__startline__": 35, + "__endline__": 37 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-11", + "__startline__": 37, + "__endline__": 39 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-12", + "__startline__": 39, + "__endline__": 41 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-13", + "__startline__": 41, + "__endline__": 43 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-14", + "__startline__": 43, + "__endline__": 45 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-15", + "__startline__": 45, + "__endline__": 49 + } + ], + "__startline__": 26, + "__endline__": 49 + }, + "__startline__": 25, + "__endline__": 49 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": 
"voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + ], + "__startline__": 19, + "__endline__": 72 + }, + "__startline__": 17, + "__endline__": 72 + } + }, + "code_block": [ + [ + 17, + " build:\n" + ], + [ + 18, + " # The type of runner that the job will run on\n" + ], + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " os: [ubuntu-20.04]\n" + ], + [ + 27, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - os: ubuntu-22.04\n" + ], + [ + 30, + " compiler: 'gcc'\n" + ], + [ + 31, + " - os: ubuntu-22.04\n" + ], + [ + 32, + " compiler: 'clang'\n" + ], + [ + 33, + " - os: ubuntu-22.04\n" + ], + [ + 34, + " compiler: 'gcc-11'\n" + ], + [ + 35, + " - os: ubuntu-22.04\n" + ], + [ + 36, + " compiler: 'gcc-12'\n" + ], + [ + 37, + " - os: ubuntu-22.04\n" + ], + [ + 38, + " compiler: 'clang-11'\n" + ], + [ + 39, + " - os: ubuntu-22.04\n" + ], + [ + 40, + " compiler: 'clang-12'\n" + ], + [ + 41, + " - os: ubuntu-22.04\n" + ], + [ + 42, + " compiler: 'clang-13'\n" + ], + [ + 43, + " - os: ubuntu-22.04\n" + ], + [ + 44, + " compiler: 'clang-14'\n" + ], + [ + 45, + " - os: ubuntu-22.04\n" + ], + [ + 46, + " compiler: 'clang-15'\n" + ], + [ + 47, + "\n" + ], + [ + 48, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 49, + " steps:\n" + ], + [ + 50, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + 
"\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 17, + 73 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + 
"BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "os": [ + "ubuntu-20.04" + ], + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "include": [ + { + "os": "ubuntu-22.04", + "compiler": "gcc", + "__startline__": 29, + "__endline__": 31 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang", + "__startline__": 31, + "__endline__": 33 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-11", + "__startline__": 33, + "__endline__": 35 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-12", + "__startline__": 35, + "__endline__": 37 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-11", + "__startline__": 37, + "__endline__": 39 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-12", + "__startline__": 39, + "__endline__": 41 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-13", + "__startline__": 41, + "__endline__": 43 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-14", + "__startline__": 43, + "__endline__": 45 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-15", + "__startline__": 45, + "__endline__": 49 + } + ], + "__startline__": 26, + "__endline__": 49 + }, + "__startline__": 25, + "__endline__": 49 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": 
"voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + ], + "__startline__": 19, + "__endline__": 72 + }, + "__startline__": 17, + "__endline__": 72 + } + }, + "code_block": [ + [ + 17, + " build:\n" + ], + [ + 18, + " # The type of runner that the job will run on\n" + ], + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " os: [ubuntu-20.04]\n" + ], + [ + 27, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - os: ubuntu-22.04\n" + ], + [ + 30, + " compiler: 'gcc'\n" + ], + [ + 31, + " - os: ubuntu-22.04\n" + ], + [ + 32, + " compiler: 'clang'\n" + ], + [ + 33, + " - os: ubuntu-22.04\n" + ], + [ + 34, + " compiler: 'gcc-11'\n" + ], + [ + 35, + " - os: ubuntu-22.04\n" + ], + [ + 36, + " compiler: 'gcc-12'\n" + ], + [ + 37, + " - os: ubuntu-22.04\n" + ], + [ + 38, + " compiler: 'clang-11'\n" + ], + [ + 39, + " - os: ubuntu-22.04\n" + ], + [ + 40, + " compiler: 'clang-12'\n" + ], + [ + 41, + " - os: ubuntu-22.04\n" + ], + [ + 42, + " compiler: 'clang-13'\n" + ], + [ + 43, + " - os: ubuntu-22.04\n" + ], + [ + 44, + " compiler: 'clang-14'\n" + ], + [ + 45, + " - os: ubuntu-22.04\n" + ], + [ + 46, + " compiler: 'clang-15'\n" + ], + [ + 47, + "\n" + ], + [ + 48, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 49, + " steps:\n" + ], + [ + 50, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + 
"\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 17, + 73 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + 
"__endline__": 24 + }, + "strategy": { + "matrix": { + "os": [ + "ubuntu-20.04" + ], + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "include": [ + { + "os": "ubuntu-22.04", + "compiler": "gcc", + "__startline__": 29, + "__endline__": 31 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang", + "__startline__": 31, + "__endline__": 33 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-11", + "__startline__": 33, + "__endline__": 35 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-12", + "__startline__": 35, + "__endline__": 37 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-11", + "__startline__": 37, + "__endline__": 39 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-12", + "__startline__": 39, + "__endline__": 41 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-13", + "__startline__": 41, + "__endline__": 43 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-14", + "__startline__": 43, + "__endline__": 45 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-15", + "__startline__": 45, + "__endline__": 49 + } + ], + "__startline__": 26, + "__endline__": 49 + }, + "__startline__": 25, + "__endline__": 49 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": 
"FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + ], + "__startline__": 19, + "__endline__": 72 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " os: [ubuntu-20.04]\n" + ], + [ + 27, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - os: ubuntu-22.04\n" + ], + [ + 30, + " compiler: 'gcc'\n" + ], + [ + 31, + " - os: ubuntu-22.04\n" + ], + [ + 32, + " compiler: 'clang'\n" + ], + [ + 33, + " - os: ubuntu-22.04\n" + ], + [ + 34, + " compiler: 'gcc-11'\n" + ], + [ + 35, + " - os: ubuntu-22.04\n" + ], + [ + 36, + " compiler: 'gcc-12'\n" + ], + [ + 37, + " - os: ubuntu-22.04\n" + ], + [ + 38, + " compiler: 'clang-11'\n" + ], + [ + 39, + " - os: ubuntu-22.04\n" + ], + [ + 40, + " compiler: 'clang-12'\n" + ], + [ + 41, + " - os: ubuntu-22.04\n" + ], + [ + 42, + " compiler: 'clang-13'\n" + ], + [ + 43, + " - os: ubuntu-22.04\n" + ], + [ + 44, + " compiler: 'clang-14'\n" + ], + [ + 45, + " - os: ubuntu-22.04\n" + ], + [ + 46, + " compiler: 'clang-15'\n" + ], + [ + 47, + "\n" + ], + [ + 48, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 49, + " steps:\n" + ], + [ + 50, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + "\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 
60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 19, + 73 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "os": [ + "ubuntu-20.04" + ], + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "include": [ + { + "os": 
"ubuntu-22.04", + "compiler": "gcc", + "__startline__": 29, + "__endline__": 31 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang", + "__startline__": 31, + "__endline__": 33 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-11", + "__startline__": 33, + "__endline__": 35 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-12", + "__startline__": 35, + "__endline__": 37 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-11", + "__startline__": 37, + "__endline__": 39 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-12", + "__startline__": 39, + "__endline__": 41 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-13", + "__startline__": 41, + "__endline__": 43 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-14", + "__startline__": 43, + "__endline__": 45 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-15", + "__startline__": 45, + "__endline__": 49 + } + ], + "__startline__": 26, + "__endline__": 49 + }, + "__startline__": 25, + "__endline__": 49 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + ], + "__startline__": 19, + "__endline__": 72 + } + }, + "code_block": [ + [ + 
19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " os: [ubuntu-20.04]\n" + ], + [ + 27, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - os: ubuntu-22.04\n" + ], + [ + 30, + " compiler: 'gcc'\n" + ], + [ + 31, + " - os: ubuntu-22.04\n" + ], + [ + 32, + " compiler: 'clang'\n" + ], + [ + 33, + " - os: ubuntu-22.04\n" + ], + [ + 34, + " compiler: 'gcc-11'\n" + ], + [ + 35, + " - os: ubuntu-22.04\n" + ], + [ + 36, + " compiler: 'gcc-12'\n" + ], + [ + 37, + " - os: ubuntu-22.04\n" + ], + [ + 38, + " compiler: 'clang-11'\n" + ], + [ + 39, + " - os: ubuntu-22.04\n" + ], + [ + 40, + " compiler: 'clang-12'\n" + ], + [ + 41, + " - os: ubuntu-22.04\n" + ], + [ + 42, + " compiler: 'clang-13'\n" + ], + [ + 43, + " - os: ubuntu-22.04\n" + ], + [ + 44, + " compiler: 'clang-14'\n" + ], + [ + 45, + " - os: ubuntu-22.04\n" + ], + [ + 46, + " compiler: 'clang-15'\n" + ], + [ + 47, + "\n" + ], + [ + 48, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 49, + " steps:\n" + ], + [ + 50, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + "\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository 
== 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 19, + 73 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "os": [ + "ubuntu-20.04" + ], + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "include": [ + { + "os": "ubuntu-22.04", + "compiler": "gcc", + "__startline__": 29, + "__endline__": 31 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang", + "__startline__": 31, + "__endline__": 33 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-11", + 
"__startline__": 33, + "__endline__": 35 + }, + { + "os": "ubuntu-22.04", + "compiler": "gcc-12", + "__startline__": 35, + "__endline__": 37 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-11", + "__startline__": 37, + "__endline__": 39 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-12", + "__startline__": 39, + "__endline__": 41 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-13", + "__startline__": 41, + "__endline__": 43 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-14", + "__startline__": 43, + "__endline__": 45 + }, + { + "os": "ubuntu-22.04", + "compiler": "clang-15", + "__startline__": 45, + "__endline__": 49 + } + ], + "__startline__": 26, + "__endline__": 49 + }, + "__startline__": 25, + "__endline__": 49 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + ], + "__startline__": 19, + "__endline__": 72 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + 
" matrix:\n" + ], + [ + 26, + " os: [ubuntu-20.04]\n" + ], + [ + 27, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - os: ubuntu-22.04\n" + ], + [ + 30, + " compiler: 'gcc'\n" + ], + [ + 31, + " - os: ubuntu-22.04\n" + ], + [ + 32, + " compiler: 'clang'\n" + ], + [ + 33, + " - os: ubuntu-22.04\n" + ], + [ + 34, + " compiler: 'gcc-11'\n" + ], + [ + 35, + " - os: ubuntu-22.04\n" + ], + [ + 36, + " compiler: 'gcc-12'\n" + ], + [ + 37, + " - os: ubuntu-22.04\n" + ], + [ + 38, + " compiler: 'clang-11'\n" + ], + [ + 39, + " - os: ubuntu-22.04\n" + ], + [ + 40, + " compiler: 'clang-12'\n" + ], + [ + 41, + " - os: ubuntu-22.04\n" + ], + [ + 42, + " compiler: 'clang-13'\n" + ], + [ + 43, + " - os: ubuntu-22.04\n" + ], + [ + 44, + " compiler: 'clang-14'\n" + ], + [ + 45, + " - os: ubuntu-22.04\n" + ], + [ + 46, + " compiler: 'clang-15'\n" + ], + [ + 47, + "\n" + ], + [ + 48, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 49, + " steps:\n" + ], + [ + 50, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + "\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + 
" channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 19, + 73 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
", + "check_result": { + "result": "PASSED", + "results_configuration": { + "push": null, + "pull_request": null, + "workflow_dispatch": null, + "__startline__": 8, + "__endline__": 15 + } + }, + "code_block": [ + [ + 8, + " push:\n" + ], + [ + 9, + " pull_request:\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " # Allows you to run this workflow manually from the Actions tab\n" + ], + [ + 12, + " workflow_dispatch:\n" + ], + [ + 13, + "\n" + ], + [ + 14, + "# A workflow run is made up of one or more jobs that can run sequentially or in parallel\n" + ], + [ + 15, + "jobs:\n" + ], + [ + 16, + " # This workflow contains a single job called \"build\"\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 8, + 16 + ], + "resource": "on(Main CI)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + } + }, + "code_block": [ + [ + 51, + " - uses: 
actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + "\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 51, + 56 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + } + }, + "code_block": [ + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": 
"/.github/workflows/main.yml", + "file_line_range": [ + 55, + 61 + ], + "resource": "jobs(build).steps[2](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + } + }, + "code_block": [ + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 60, + 64 + ], + "resource": "jobs(build).steps[3](Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build).steps[4](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": 
null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + } + }, + "code_block": [ + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + "\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 51, + 56 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + 
"check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + } + }, + "code_block": [ + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 55, + 61 + ], + "resource": "jobs(build).steps[2](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + } + }, + "code_block": [ + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, 
+ " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 60, + 64 + ], + "resource": "jobs(build).steps[3](Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 
70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build).steps[4](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + } + }, + "code_block": [ + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + "\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 51, + 56 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": 
null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + } + }, + "code_block": [ + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 55, + 61 + ], + "resource": "jobs(build).steps[2](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": 
null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + } + }, + "code_block": [ + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 60, + 64 + ], + "resource": "jobs(build).steps[3](Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + 
"__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build).steps[4](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 53, + "__endline__": 55 + }, + "__startline__": 51, + "__endline__": 55 + 
} + }, + "code_block": [ + [ + 51, + " - uses: actions/checkout@v3\n" + ], + [ + 52, + " with:\n" + ], + [ + 53, + " submodules: recursive\n" + ], + [ + 54, + "\n" + ], + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 51, + 56 + ], + "resource": "jobs(build).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 55, + "__endline__": 60 + } + }, + "code_block": [ + [ + 55, + " - name: Install dependencies\n" + ], + [ + 56, + " run: |\n" + ], + [ + 57, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 58, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": 
"/.github/workflows/main.yml", + "file_line_range": [ + 55, + 61 + ], + "resource": "jobs(build).steps[2](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 60, + "__endline__": 63 + } + }, + "code_block": [ + [ + 60, + " - name: Build\n" + ], + [ + 61, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 60, + 64 + ], + "resource": "jobs(build).steps[3](Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + 
"connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 66, + "__endline__": 67 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 69, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Notify slack fail\n" + ], + [ + 64, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 65, + " env:\n" + ], + [ + 66, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 67, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 68, + " with:\n" + ], + [ + 69, + " channel: devel\n" + ], + [ + 70, + " status: FAILED\n" + ], + [ + 71, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build).steps[4](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, 
+ "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc-i386-cross", + "clang-i386-cross", + "gcc-mips64-cross", + "gcc-arm32-cross", + "gcc-arm64-cross", + "gcc-arm32-qemu-cross", + "gcc-arm64-qemu-cross", + "clang-arm32-qemu-cross", + "clang-arm64-qemu-cross" + ], + "os": [ + "ubuntu-22.04" + ], + "__startline__": 26, + "__endline__": 30 + }, + "__startline__": 25, + "__endline__": 30 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + }, + { + "name": "Zero out compiler cache stats", 
+ "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + ], + "__startline__": 19, + "__endline__": 73 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc-i386-cross', 'clang-i386-cross', 'gcc-mips64-cross', 'gcc-arm32-cross', 'gcc-arm64-cross', 'gcc-arm32-qemu-cross', 'gcc-arm64-qemu-cross', 'clang-arm32-qemu-cross', 'clang-arm64-qemu-cross']\n" + ], + [ + 27, + " os: [ubuntu-22.04]\n" + ], + [ + 28, + "\n" + ], + [ + 29, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 30, + " steps:\n" + ], + [ + 31, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler 
cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 19, + 74 + ], + "resource": "jobs(build_multiarch)", + 
"evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build_multiarch": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc-i386-cross", + "clang-i386-cross", + "gcc-mips64-cross", + "gcc-arm32-cross", + "gcc-arm64-cross", + "gcc-arm32-qemu-cross", + "gcc-arm64-qemu-cross", + "clang-arm32-qemu-cross", + "clang-arm64-qemu-cross" + ], + "os": [ + "ubuntu-22.04" + ], + "__startline__": 26, + "__endline__": 30 + }, + "__startline__": 25, + "__endline__": 30 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, 
+ "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + ], + "__startline__": 19, + "__endline__": 73 + }, + "__startline__": 17, + "__endline__": 73 + } + }, + "code_block": [ + [ + 17, + " build_multiarch:\n" + ], + [ + 18, + " # The type of runner that the job will run on\n" + ], + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc-i386-cross', 'clang-i386-cross', 'gcc-mips64-cross', 'gcc-arm32-cross', 'gcc-arm64-cross', 'gcc-arm32-qemu-cross', 
'gcc-arm64-qemu-cross', 'clang-arm32-qemu-cross', 'clang-arm64-qemu-cross']\n" + ], + [ + 27, + " os: [ubuntu-22.04]\n" + ], + [ + 28, + "\n" + ], + [ + 29, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 30, + " steps:\n" + ], + [ + 31, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && 
github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 17, + 74 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build_multiarch": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc-i386-cross", + "clang-i386-cross", + "gcc-mips64-cross", + "gcc-arm32-cross", + "gcc-arm64-cross", + "gcc-arm32-qemu-cross", + "gcc-arm64-qemu-cross", + "clang-arm32-qemu-cross", + "clang-arm64-qemu-cross" + ], + "os": [ + "ubuntu-22.04" + ], + 
"__startline__": 26, + "__endline__": 30 + }, + "__startline__": 25, + "__endline__": 30 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + ], + "__startline__": 19, + "__endline__": 73 
+ }, + "__startline__": 17, + "__endline__": 73 + } + }, + "code_block": [ + [ + 17, + " build_multiarch:\n" + ], + [ + 18, + " # The type of runner that the job will run on\n" + ], + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc-i386-cross', 'clang-i386-cross', 'gcc-mips64-cross', 'gcc-arm32-cross', 'gcc-arm64-cross', 'gcc-arm32-qemu-cross', 'gcc-arm64-qemu-cross', 'clang-arm32-qemu-cross', 'clang-arm64-qemu-cross']\n" + ], + [ + 27, + " os: [ubuntu-22.04]\n" + ], + [ + 28, + "\n" + ], + [ + 29, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 30, + " steps:\n" + ], + [ + 31, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler 
cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 17, + 74 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": 
"PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc-i386-cross", + "clang-i386-cross", + "gcc-mips64-cross", + "gcc-arm32-cross", + "gcc-arm64-cross", + "gcc-arm32-qemu-cross", + "gcc-arm64-qemu-cross", + "clang-arm32-qemu-cross", + "clang-arm64-qemu-cross" + ], + "os": [ + "ubuntu-22.04" + ], + "__startline__": 26, + "__endline__": 30 + }, + "__startline__": 25, + "__endline__": 30 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + 
"__endline__": 64 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + ], + "__startline__": 19, + "__endline__": 73 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc-i386-cross', 'clang-i386-cross', 'gcc-mips64-cross', 'gcc-arm32-cross', 'gcc-arm64-cross', 'gcc-arm32-qemu-cross', 'gcc-arm64-qemu-cross', 'clang-arm32-qemu-cross', 'clang-arm64-qemu-cross']\n" + ], + [ + 27, + " os: [ubuntu-22.04]\n" + ], + [ + 28, + "\n" + ], + [ + 29, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 30, + " steps:\n" + ], + [ + 31, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: 
Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 19, + 74 + ], + "resource": "jobs(build_multiarch)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + 
"details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc-i386-cross", + "clang-i386-cross", + "gcc-mips64-cross", + "gcc-arm32-cross", + "gcc-arm64-cross", + "gcc-arm32-qemu-cross", + "gcc-arm64-qemu-cross", + "clang-arm32-qemu-cross", + "clang-arm64-qemu-cross" + ], + "os": [ + "ubuntu-22.04" + ], + "__startline__": 26, + "__endline__": 30 + }, + "__startline__": 25, + "__endline__": 30 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, 
'-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + ], + "__startline__": 19, + "__endline__": 73 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc-i386-cross', 'clang-i386-cross', 'gcc-mips64-cross', 'gcc-arm32-cross', 'gcc-arm64-cross', 'gcc-arm32-qemu-cross', 'gcc-arm64-qemu-cross', 'clang-arm32-qemu-cross', 'clang-arm64-qemu-cross']\n" + ], + [ + 27, + " os: [ubuntu-22.04]\n" + ], + [ + 28, + "\n" + ], + [ + 29, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 30, + " steps:\n" + ], + [ + 31, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: 
actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 19, + 74 + ], + "resource": "jobs(build_multiarch)", + "evaluations": null, + 
"check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc-i386-cross", + "clang-i386-cross", + "gcc-mips64-cross", + "gcc-arm32-cross", + "gcc-arm64-cross", + "gcc-arm32-qemu-cross", + "gcc-arm64-qemu-cross", + "clang-arm32-qemu-cross", + "clang-arm64-qemu-cross" + ], + "os": [ + "ubuntu-22.04" + ], + "__startline__": 26, + "__endline__": 30 + }, + "__startline__": 25, + "__endline__": 30 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + }, + { + "name": "Start 
Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + }, + { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + ], + "__startline__": 19, + "__endline__": 73 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc-i386-cross', 'clang-i386-cross', 'gcc-mips64-cross', 'gcc-arm32-cross', 'gcc-arm64-cross', 'gcc-arm32-qemu-cross', 'gcc-arm64-qemu-cross', 'clang-arm32-qemu-cross', 'clang-arm64-qemu-cross']\n" + ], + [ + 27, + " os: [ubuntu-22.04]\n" + ], + [ + 28, + "\n" + ], + [ + 29, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 30, + " 
steps:\n" + ], + [ + 31, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: 
devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 19, + 74 + ], + "resource": "jobs(build_multiarch)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
", + "check_result": { + "result": "PASSED", + "results_configuration": { + "push": null, + "pull_request": null, + "workflow_dispatch": null, + "__startline__": 8, + "__endline__": 15 + } + }, + "code_block": [ + [ + 8, + " push:\n" + ], + [ + 9, + " pull_request:\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " # Allows you to run this workflow manually from the Actions tab\n" + ], + [ + 12, + " workflow_dispatch:\n" + ], + [ + 13, + "\n" + ], + [ + 14, + "# A workflow run is made up of one or more jobs that can run sequentially or in parallel\n" + ], + [ + 15, + "jobs:\n" + ], + [ + 16, + " # This workflow contains a single job called \"build\"\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 8, + 16 + ], + "resource": "on(Multi-Architecture Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + } + }, + 
"code_block": [ + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 32, + 38 + ], + "resource": "jobs(build_multiarch).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + } + }, + "code_block": [ + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: 
actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 37, + 47 + ], + "resource": "jobs(build_multiarch).steps[2](Cache the compiler cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + } + }, + "code_block": [ + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: 
endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 46, + 51 + ], + "resource": "jobs(build_multiarch).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + } + }, + "code_block": [ + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": 
"/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 50, + 54 + ], + "resource": "jobs(build_multiarch).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + } + }, + "code_block": [ + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 53, + 58 + ], + "resource": "jobs(build_multiarch).steps[5](Zero out compiler cache stats)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + } + }, + "code_block": [ + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 57, + 61 + ], + "resource": "jobs(build_multiarch).steps[6](Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": 
null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + } + }, + "code_block": [ + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 60, + 65 + ], + "resource": "jobs(build_multiarch).steps[7](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", 
+ "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + }, + "code_block": [ + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 64, + 74 + ], + "resource": "jobs(build_multiarch).steps[8](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + 
"build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + } + }, + "code_block": [ + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 32, + 38 + ], + "resource": "jobs(build_multiarch).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, 
'-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + } + }, + "code_block": [ + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 37, + 47 + ], + "resource": "jobs(build_multiarch).steps[2](Cache the compiler cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": 
{ + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + } + }, + "code_block": [ + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 46, + 51 + ], + "resource": "jobs(build_multiarch).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + } + }, + "code_block": [ + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x 
scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 50, + 54 + ], + "resource": "jobs(build_multiarch).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + } + }, + "code_block": [ + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": 
"/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 53, + 58 + ], + "resource": "jobs(build_multiarch).steps[5](Zero out compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + } + }, + "code_block": [ + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 57, + 61 + ], + "resource": "jobs(build_multiarch).steps[6](Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + 
"severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + } + }, + "code_block": [ + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 60, + 65 + ], + "resource": "jobs(build_multiarch).steps[7](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + 
"triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + }, + "code_block": [ + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 64, + 74 + ], + "resource": "jobs(build_multiarch).steps[8](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + 
"check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + } + }, + "code_block": [ + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 32, + 38 + ], + "resource": "jobs(build_multiarch).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + 
"check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + } + }, + "code_block": [ + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 37, + 47 + ], + "resource": "jobs(build_multiarch).steps[2](Cache the compiler cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + 
"workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + } + }, + "code_block": [ + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 46, + 51 + ], + "resource": "jobs(build_multiarch).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh 
-x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + } + }, + "code_block": [ + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 50, + 54 + ], + "resource": "jobs(build_multiarch).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + } + }, + "code_block": [ + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: 
Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 53, + 58 + ], + "resource": "jobs(build_multiarch).steps[5](Zero out compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + } + }, + "code_block": [ + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 57, + 61 + ], + "resource": "jobs(build_multiarch).steps[6](Build)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + } + }, + "code_block": [ + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 60, + 65 + ], + "resource": "jobs(build_multiarch).steps[7](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + 
"description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + }, + "code_block": [ + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 64, + 74 + ], + "resource": "jobs(build_multiarch).steps[8](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": 
null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 34, + "__endline__": 37 + }, + "__startline__": 32, + "__endline__": 37 + } + }, + "code_block": [ + [ + 32, + " - uses: actions/checkout@v3\n" + ], + [ + 33, + " with:\n" + ], + [ + 34, + " submodules: recursive\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " # Cache the compiler cache\n" + ], + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 32, + 38 + ], + "resource": "jobs(build_multiarch).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + 
"build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 41, + "__endline__": 46 + }, + "__startline__": 37, + "__endline__": 46 + } + }, + "code_block": [ + [ + 37, + " - name: Cache the compiler cache\n" + ], + [ + 38, + " uses: actions/cache@v3\n" + ], + [ + 39, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 40, + " with:\n" + ], + [ + 41, + " path: ccache\n" + ], + [ + 42, + " key: ccache-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 43, + " restore-keys: |\n" + ], + [ + 44, + " ccache-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 37, + 47 + ], + "resource": "jobs(build_multiarch).steps[2](Cache the compiler cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + 
"check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 46, + "__endline__": 50 + } + }, + "code_block": [ + [ + 46, + " - name: Start Docker container\n" + ], + [ + 47, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 48, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 49, + "\n" + ], + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 46, + 51 + ], + "resource": "jobs(build_multiarch).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of 
curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/install_depends.sh", + "__startline__": 50, + "__endline__": 53 + } + }, + "code_block": [ + [ + 50, + " - name: Install dependencies\n" + ], + [ + 51, + " run: sh -x scripts/build/install_depends.sh\n" + ], + [ + 52, + "\n" + ], + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 50, + 54 + ], + "resource": "jobs(build_multiarch).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 53, + "__endline__": 57 + } + }, + "code_block": [ + [ + 53, + " - name: Zero out compiler cache stats\n" + ], + [ + 54, + " if: endsWith(matrix.compiler, 
'-qemu-cross')\n" + ], + [ + 55, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 56, + "\n" + ], + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 53, + 58 + ], + "resource": "jobs(build_multiarch).steps[5](Zero out compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build", + "run": "sh -x scripts/build/do_build.sh", + "__startline__": 57, + "__endline__": 60 + } + }, + "code_block": [ + [ + 57, + " - name: Build\n" + ], + [ + 58, + " run: sh -x scripts/build/do_build.sh\n" + ], + [ + 59, + "\n" + ], + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 57, + 61 + ], + "resource": 
"jobs(build_multiarch).steps[6](Build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 60, + "__endline__": 64 + } + }, + "code_block": [ + [ + 60, + " - name: Print compiler cache stats\n" + ], + [ + 61, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 62, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 63, + "\n" + ], + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 60, + 65 + ], + "resource": "jobs(build_multiarch).steps[7](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + 
"severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 67, + "__endline__": 68 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 70, + "__endline__": 73 + }, + "__startline__": 64, + "__endline__": 73 + } + }, + "code_block": [ + [ + 64, + " - name: Notify slack fail\n" + ], + [ + 65, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 66, + " env:\n" + ], + [ + 67, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 68, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 69, + " with:\n" + ], + [ + 70, + " channel: devel\n" + ], + [ + 71, + " status: FAILED\n" + ], + [ + 72, + " color: danger\n" + ] + ], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 64, + 74 + ], + "resource": "jobs(build_multiarch).steps[8](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_multiarch" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "permissions": { + "issues": "write", + "pull-requests": "write", + "__startline__": 12, + "__endline__": 15 + }, + "steps": [ + { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? 
No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + ], + "__startline__": 10, + "__endline__": 28 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " permissions:\n" + ], + [ + 12, + " issues: write\n" + ], + [ + 13, + " pull-requests: write\n" + ], + [ + 14, + "\n" + ], + [ + 15, + " steps:\n" + ], + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 10, + 29 + ], + "resource": "jobs(stale)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "stale": { + "runs-on": "ubuntu-latest", + "permissions": { + "issues": "write", + "pull-requests": "write", + "__startline__": 12, + "__endline__": 15 + }, + "steps": [ + { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. 
If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + ], + "__startline__": 10, + "__endline__": 28 + }, + "__startline__": 8, + "__endline__": 28 + } + }, + "code_block": [ + [ + 8, + " stale:\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " permissions:\n" + ], + [ + 12, + " issues: write\n" + ], + [ + 13, + " pull-requests: write\n" + ], + [ + 14, + "\n" + ], + [ + 15, + " steps:\n" + ], + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 8, + 29 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "stale": { + "runs-on": "ubuntu-latest", + "permissions": { + "issues": "write", + "pull-requests": "write", + "__startline__": 12, + "__endline__": 15 + }, + "steps": [ + { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. 
If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + ], + "__startline__": 10, + "__endline__": 28 + }, + "__startline__": 8, + "__endline__": 28 + } + }, + "code_block": [ + [ + 8, + " stale:\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " permissions:\n" + ], + [ + 12, + " issues: write\n" + ], + [ + 13, + " pull-requests: write\n" + ], + [ + 14, + "\n" + ], + [ + 15, + " steps:\n" + ], + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 8, + 29 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "permissions": { + "issues": "write", + "pull-requests": "write", + "__startline__": 12, + "__endline__": 15 + }, + "steps": [ + { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. 
If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + ], + "__startline__": 10, + "__endline__": 28 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " permissions:\n" + ], + [ + 12, + " issues: write\n" + ], + [ + 13, + " pull-requests: write\n" + ], + [ + 14, + "\n" + ], + [ + 15, + " steps:\n" + ], + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 10, + 29 + ], + "resource": "jobs(stale)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "permissions": { + "issues": "write", + "pull-requests": "write", + "__startline__": 12, + "__endline__": 15 + }, + "steps": [ + { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. 
If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + ], + "__startline__": 10, + "__endline__": 28 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " permissions:\n" + ], + [ + 12, + " issues: write\n" + ], + [ + 13, + " pull-requests: write\n" + ], + [ + 14, + "\n" + ], + [ + 15, + " steps:\n" + ], + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 10, + 29 + ], + "resource": "jobs(stale)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "permissions": { + "issues": "write", + "pull-requests": "write", + "__startline__": 12, + "__endline__": 15 + }, + "steps": [ + { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. 
If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + ], + "__startline__": 10, + "__endline__": 28 + } + }, + "code_block": [ + [ + 10, + " runs-on: ubuntu-latest\n" + ], + [ + 11, + " permissions:\n" + ], + [ + 12, + " issues: write\n" + ], + [ + 13, + " pull-requests: write\n" + ], + [ + 14, + "\n" + ], + [ + 15, + " steps:\n" + ], + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 10, + 29 + ], + "resource": "jobs(stale)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
", + "check_result": { + "result": "PASSED", + "results_configuration": { + "schedule": [ + { + "cron": "27 6 * * *", + "__startline__": 5, + "__endline__": 7 + } + ], + "__startline__": 4, + "__endline__": 7 + } + }, + "code_block": [ + [ + 4, + " schedule:\n" + ], + [ + 5, + " - cron: '27 6 * * *'\n" + ], + [ + 6, + "\n" + ], + [ + 7, + "jobs:\n" + ], + [ + 8, + " stale:\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 4, + 8 + ], + "resource": "on(Mark stale issues and pull requests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. 
If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + }, + "code_block": [ + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 16, + 29 + ], + "resource": "jobs(stale).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? 
No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + }, + "code_block": [ + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 16, + 29 + ], + "resource": "jobs(stale).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? 
No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + }, + "code_block": [ + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 16, + 29 + ], + "resource": "jobs(stale).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/stale@v4", + "with": { + "repo-token": "${{ secrets.GITHUB_TOKEN }}", + "stale-issue-message": "Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.", + "close-issue-message": "Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.", + "exempt-issue-labels": "fixed,improvement,low-priority,high-priority,feature request", + "stale-issue-label": "stale", + "days-before-issue-stale": 15, + "days-before-issue-close": 30, + "stale-pr-message": "Any updates here? 
No progress has been made in the last 30 days, marking as stale.", + "days-before-pr-stale": 30, + "exempt-all-pr-assignees": true, + "__startline__": 18, + "__endline__": 28 + }, + "__startline__": 16, + "__endline__": 28 + } + }, + "code_block": [ + [ + 16, + " - uses: actions/stale@v4\n" + ], + [ + 17, + " with:\n" + ], + [ + 18, + " repo-token: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 19, + " stale-issue-message: 'Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.'\n" + ], + [ + 20, + " close-issue-message: 'Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.'\n" + ], + [ + 21, + " exempt-issue-labels: 'fixed,improvement,low-priority,high-priority,feature request'\n" + ], + [ + 22, + " stale-issue-label: 'stale'\n" + ], + [ + 23, + " days-before-issue-stale: 15\n" + ], + [ + 24, + " days-before-issue-close: 30\n" + ], + [ + 25, + " stale-pr-message: 'Any updates here? 
No progress has been made in the last 30 days, marking as stale.'\n" + ], + [ + 26, + " days-before-pr-stale: 30\n" + ], + [ + 27, + " exempt-all-pr-assignees: true\n" + ] + ], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 16, + 29 + ], + "resource": "jobs(stale).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "stale" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "os": [ + "ubuntu-20.04" + ], + "include": [ + { + "compiler": "gcc", + "os": "ubuntu-22.04", + "__startline__": 29, + "__endline__": 31 + }, + { + "compiler": "clang", + "os": "ubuntu-22.04", + "__startline__": 31, + "__endline__": 33 + }, + { + "compiler": "gcc-11", + "os": "ubuntu-22.04", + "__startline__": 33, + "__endline__": 35 + }, + { + "compiler": "gcc-12", + "os": "ubuntu-22.04", + "__startline__": 35, + 
"__endline__": 37 + }, + { + "compiler": "clang-11", + "os": "ubuntu-22.04", + "__startline__": 37, + "__endline__": 39 + }, + { + "compiler": "clang-12", + "os": "ubuntu-22.04", + "__startline__": 39, + "__endline__": 41 + }, + { + "compiler": "clang-13", + "os": "ubuntu-22.04", + "__startline__": 41, + "__endline__": 43 + }, + { + "compiler": "clang-14", + "os": "ubuntu-22.04", + "__startline__": 43, + "__endline__": 45 + }, + { + "compiler": "clang-15", + "os": "ubuntu-22.04", + "__startline__": 45, + "__endline__": 47 + }, + { + "compiler": "gcc-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 47, + "__endline__": 49 + }, + { + "compiler": "gcc-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 49, + "__endline__": 51 + }, + { + "compiler": "clang-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 51, + "__endline__": 53 + }, + { + "compiler": "clang-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 53, + "__endline__": 57 + } + ], + "__startline__": 26, + "__endline__": 57 + }, + "__startline__": 25, + "__endline__": 57 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x 
scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + }, + { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + }, + { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + }, + { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + }, + { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + }, + { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + ], + "__startline__": 19, + "__endline__": 119 + } + }, + "code_block": [ + [ + 
19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 27, + " os: [ubuntu-20.04]\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - compiler: 'gcc'\n" + ], + [ + 30, + " os: ubuntu-22.04\n" + ], + [ + 31, + " - compiler: 'clang'\n" + ], + [ + 32, + " os: ubuntu-22.04\n" + ], + [ + 33, + " - compiler: 'gcc-11'\n" + ], + [ + 34, + " os: ubuntu-22.04\n" + ], + [ + 35, + " - compiler: 'gcc-12'\n" + ], + [ + 36, + " os: ubuntu-22.04\n" + ], + [ + 37, + " - compiler: 'clang-11'\n" + ], + [ + 38, + " os: ubuntu-22.04\n" + ], + [ + 39, + " - compiler: 'clang-12'\n" + ], + [ + 40, + " os: ubuntu-22.04\n" + ], + [ + 41, + " - compiler: 'clang-13'\n" + ], + [ + 42, + " os: ubuntu-22.04\n" + ], + [ + 43, + " - compiler: 'clang-14'\n" + ], + [ + 44, + " os: ubuntu-22.04\n" + ], + [ + 45, + " - compiler: 'clang-15'\n" + ], + [ + 46, + " os: ubuntu-22.04\n" + ], + [ + 47, + " - compiler: 'gcc-arm64-qemu-cross'\n" + ], + [ + 48, + " os: ubuntu-22.04\n" + ], + [ + 49, + " - compiler: 'gcc-arm32-qemu-cross'\n" + ], + [ + 50, + " os: ubuntu-22.04\n" + ], + [ + 51, + " - compiler: 'clang-arm64-qemu-cross'\n" + ], + [ + 52, + " os: ubuntu-22.04\n" + ], + [ + 53, + " - compiler: 'clang-arm32-qemu-cross'\n" + ], + [ + 54, + " os: ubuntu-22.04\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 57, + " steps:\n" + ], + [ + 58, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" 
+ ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack 
fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 19, + 120 + ], + "resource": "jobs(build_and_test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build_and_test": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": 
"${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "os": [ + "ubuntu-20.04" + ], + "include": [ + { + "compiler": "gcc", + "os": "ubuntu-22.04", + "__startline__": 29, + "__endline__": 31 + }, + { + "compiler": "clang", + "os": "ubuntu-22.04", + "__startline__": 31, + "__endline__": 33 + }, + { + "compiler": "gcc-11", + "os": "ubuntu-22.04", + "__startline__": 33, + "__endline__": 35 + }, + { + "compiler": "gcc-12", + "os": "ubuntu-22.04", + "__startline__": 35, + "__endline__": 37 + }, + { + "compiler": "clang-11", + "os": "ubuntu-22.04", + "__startline__": 37, + "__endline__": 39 + }, + { + "compiler": "clang-12", + "os": "ubuntu-22.04", + "__startline__": 39, + "__endline__": 41 + }, + { + "compiler": "clang-13", + "os": "ubuntu-22.04", + "__startline__": 41, + "__endline__": 43 + }, + { + "compiler": "clang-14", + "os": "ubuntu-22.04", + "__startline__": 43, + "__endline__": 45 + }, + { + "compiler": "clang-15", + "os": "ubuntu-22.04", + "__startline__": 45, + "__endline__": 47 + }, + { + "compiler": "gcc-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 47, + "__endline__": 49 + }, + { + "compiler": "gcc-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 49, + "__endline__": 51 + }, + { + "compiler": "clang-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 51, + "__endline__": 53 + }, + { + "compiler": "clang-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 53, + "__endline__": 57 + } + ], + "__startline__": 26, + "__endline__": 57 + }, + "__startline__": 25, + "__endline__": 57 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, 
'-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + }, + { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + }, + { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + }, + { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + }, + { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": 
"voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + }, + { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + ], + "__startline__": 19, + "__endline__": 119 + }, + "__startline__": 17, + "__endline__": 119 + } + }, + "code_block": [ + [ + 17, + " build_and_test:\n" + ], + [ + 18, + " # The type of runner that the job will run on\n" + ], + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 27, + " os: [ubuntu-20.04]\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - compiler: 'gcc'\n" + ], + [ + 30, + " os: ubuntu-22.04\n" + ], + [ + 31, + " - compiler: 'clang'\n" + ], + [ + 32, + " os: ubuntu-22.04\n" + ], + [ + 33, + " - compiler: 'gcc-11'\n" + ], + [ + 34, + " os: ubuntu-22.04\n" + ], + [ + 35, + " - compiler: 'gcc-12'\n" + ], + [ + 36, + " os: ubuntu-22.04\n" + ], + [ + 37, + " - compiler: 'clang-11'\n" + ], + [ + 38, + " os: ubuntu-22.04\n" + ], + [ + 39, + " - compiler: 'clang-12'\n" + ], + [ + 40, + " os: ubuntu-22.04\n" + ], + [ + 41, + " - compiler: 'clang-13'\n" + ], + [ + 42, + " os: ubuntu-22.04\n" + ], + [ + 43, + " - compiler: 'clang-14'\n" + ], + [ + 44, + " os: ubuntu-22.04\n" + ], + [ + 45, + " - compiler: 'clang-15'\n" + ], + [ + 46, + " os: ubuntu-22.04\n" + ], + [ + 47, + " - compiler: 'gcc-arm64-qemu-cross'\n" + ], + [ + 48, + " os: 
ubuntu-22.04\n" + ], + [ + 49, + " - compiler: 'gcc-arm32-qemu-cross'\n" + ], + [ + 50, + " os: ubuntu-22.04\n" + ], + [ + 51, + " - compiler: 'clang-arm64-qemu-cross'\n" + ], + [ + 52, + " os: ubuntu-22.04\n" + ], + [ + 53, + " - compiler: 'clang-arm32-qemu-cross'\n" + ], + [ + 54, + " os: ubuntu-22.04\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 57, + " steps:\n" + ], + [ + 58, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], 
+ [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 17, + 120 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": 
null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build_and_test": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "os": [ + "ubuntu-20.04" + ], + "include": [ + { + "compiler": "gcc", + "os": "ubuntu-22.04", + "__startline__": 29, + "__endline__": 31 + }, + { + "compiler": "clang", + "os": "ubuntu-22.04", + "__startline__": 31, + "__endline__": 33 + }, + { + "compiler": "gcc-11", + "os": "ubuntu-22.04", + "__startline__": 33, + "__endline__": 35 + }, + { + "compiler": "gcc-12", + "os": "ubuntu-22.04", + "__startline__": 35, + "__endline__": 37 + }, + { + "compiler": "clang-11", + "os": "ubuntu-22.04", + "__startline__": 37, + "__endline__": 39 + }, + { + "compiler": "clang-12", + "os": "ubuntu-22.04", + "__startline__": 39, + "__endline__": 41 + }, + { + "compiler": "clang-13", + "os": "ubuntu-22.04", + "__startline__": 41, + "__endline__": 43 + }, + { + "compiler": "clang-14", + "os": "ubuntu-22.04", + "__startline__": 43, + "__endline__": 45 + }, + { + "compiler": "clang-15", + "os": "ubuntu-22.04", + "__startline__": 45, + "__endline__": 47 + }, + { + "compiler": "gcc-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 47, + "__endline__": 49 + }, + { + 
"compiler": "gcc-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 49, + "__endline__": 51 + }, + { + "compiler": "clang-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 51, + "__endline__": 53 + }, + { + "compiler": "clang-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 53, + "__endline__": 57 + } + ], + "__startline__": 26, + "__endline__": 57 + }, + "__startline__": 25, + "__endline__": 57 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + }, + { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + }, + { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + }, + { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, 
+ "__endline__": 94 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + }, + { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + }, + { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + ], + "__startline__": 19, + "__endline__": 119 + }, + "__startline__": 17, + "__endline__": 119 + } + }, + "code_block": [ + [ + 17, + " build_and_test:\n" + ], + [ + 18, + " # The type of runner that the job will run on\n" + ], + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 27, + " os: [ubuntu-20.04]\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - compiler: 'gcc'\n" + ], + [ + 30, + " os: ubuntu-22.04\n" + ], + [ + 31, + " - compiler: 
'clang'\n" + ], + [ + 32, + " os: ubuntu-22.04\n" + ], + [ + 33, + " - compiler: 'gcc-11'\n" + ], + [ + 34, + " os: ubuntu-22.04\n" + ], + [ + 35, + " - compiler: 'gcc-12'\n" + ], + [ + 36, + " os: ubuntu-22.04\n" + ], + [ + 37, + " - compiler: 'clang-11'\n" + ], + [ + 38, + " os: ubuntu-22.04\n" + ], + [ + 39, + " - compiler: 'clang-12'\n" + ], + [ + 40, + " os: ubuntu-22.04\n" + ], + [ + 41, + " - compiler: 'clang-13'\n" + ], + [ + 42, + " os: ubuntu-22.04\n" + ], + [ + 43, + " - compiler: 'clang-14'\n" + ], + [ + 44, + " os: ubuntu-22.04\n" + ], + [ + 45, + " - compiler: 'clang-15'\n" + ], + [ + 46, + " os: ubuntu-22.04\n" + ], + [ + 47, + " - compiler: 'gcc-arm64-qemu-cross'\n" + ], + [ + 48, + " os: ubuntu-22.04\n" + ], + [ + 49, + " - compiler: 'gcc-arm32-qemu-cross'\n" + ], + [ + 50, + " os: ubuntu-22.04\n" + ], + [ + 51, + " - compiler: 'clang-arm64-qemu-cross'\n" + ], + [ + 52, + " os: ubuntu-22.04\n" + ], + [ + 53, + " - compiler: 'clang-arm32-qemu-cross'\n" + ], + [ + 54, + " os: ubuntu-22.04\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 57, + " steps:\n" + ], + [ + 58, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], 
+ [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: 
actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 17, + 120 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "os": [ + "ubuntu-20.04" + ], + "include": [ + { + "compiler": "gcc", + "os": "ubuntu-22.04", + "__startline__": 29, + "__endline__": 31 + }, + { + "compiler": "clang", + "os": "ubuntu-22.04", + "__startline__": 31, + "__endline__": 33 + }, + { + "compiler": "gcc-11", + "os": "ubuntu-22.04", + "__startline__": 33, + "__endline__": 35 + }, + { + "compiler": "gcc-12", + "os": "ubuntu-22.04", + 
"__startline__": 35, + "__endline__": 37 + }, + { + "compiler": "clang-11", + "os": "ubuntu-22.04", + "__startline__": 37, + "__endline__": 39 + }, + { + "compiler": "clang-12", + "os": "ubuntu-22.04", + "__startline__": 39, + "__endline__": 41 + }, + { + "compiler": "clang-13", + "os": "ubuntu-22.04", + "__startline__": 41, + "__endline__": 43 + }, + { + "compiler": "clang-14", + "os": "ubuntu-22.04", + "__startline__": 43, + "__endline__": 45 + }, + { + "compiler": "clang-15", + "os": "ubuntu-22.04", + "__startline__": 45, + "__endline__": 47 + }, + { + "compiler": "gcc-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 47, + "__endline__": 49 + }, + { + "compiler": "gcc-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 49, + "__endline__": 51 + }, + { + "compiler": "clang-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 51, + "__endline__": 53 + }, + { + "compiler": "clang-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 53, + "__endline__": 57 + } + ], + "__startline__": 26, + "__endline__": 57 + }, + "__startline__": 25, + "__endline__": 57 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x 
scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + }, + { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + }, + { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + }, + { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + }, + { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + }, + { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + ], + "__startline__": 19, + "__endline__": 119 + } + }, + "code_block": [ + [ + 
19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 27, + " os: [ubuntu-20.04]\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - compiler: 'gcc'\n" + ], + [ + 30, + " os: ubuntu-22.04\n" + ], + [ + 31, + " - compiler: 'clang'\n" + ], + [ + 32, + " os: ubuntu-22.04\n" + ], + [ + 33, + " - compiler: 'gcc-11'\n" + ], + [ + 34, + " os: ubuntu-22.04\n" + ], + [ + 35, + " - compiler: 'gcc-12'\n" + ], + [ + 36, + " os: ubuntu-22.04\n" + ], + [ + 37, + " - compiler: 'clang-11'\n" + ], + [ + 38, + " os: ubuntu-22.04\n" + ], + [ + 39, + " - compiler: 'clang-12'\n" + ], + [ + 40, + " os: ubuntu-22.04\n" + ], + [ + 41, + " - compiler: 'clang-13'\n" + ], + [ + 42, + " os: ubuntu-22.04\n" + ], + [ + 43, + " - compiler: 'clang-14'\n" + ], + [ + 44, + " os: ubuntu-22.04\n" + ], + [ + 45, + " - compiler: 'clang-15'\n" + ], + [ + 46, + " os: ubuntu-22.04\n" + ], + [ + 47, + " - compiler: 'gcc-arm64-qemu-cross'\n" + ], + [ + 48, + " os: ubuntu-22.04\n" + ], + [ + 49, + " - compiler: 'gcc-arm32-qemu-cross'\n" + ], + [ + 50, + " os: ubuntu-22.04\n" + ], + [ + 51, + " - compiler: 'clang-arm64-qemu-cross'\n" + ], + [ + 52, + " os: ubuntu-22.04\n" + ], + [ + 53, + " - compiler: 'clang-arm32-qemu-cross'\n" + ], + [ + 54, + " os: ubuntu-22.04\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 57, + " steps:\n" + ], + [ + 58, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" 
+ ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack 
fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 19, + 120 + ], + "resource": "jobs(build_and_test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + 
"__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "os": [ + "ubuntu-20.04" + ], + "include": [ + { + "compiler": "gcc", + "os": "ubuntu-22.04", + "__startline__": 29, + "__endline__": 31 + }, + { + "compiler": "clang", + "os": "ubuntu-22.04", + "__startline__": 31, + "__endline__": 33 + }, + { + "compiler": "gcc-11", + "os": "ubuntu-22.04", + "__startline__": 33, + "__endline__": 35 + }, + { + "compiler": "gcc-12", + "os": "ubuntu-22.04", + "__startline__": 35, + "__endline__": 37 + }, + { + "compiler": "clang-11", + "os": "ubuntu-22.04", + "__startline__": 37, + "__endline__": 39 + }, + { + "compiler": "clang-12", + "os": "ubuntu-22.04", + "__startline__": 39, + "__endline__": 41 + }, + { + "compiler": "clang-13", + "os": "ubuntu-22.04", + "__startline__": 41, + "__endline__": 43 + }, + { + "compiler": "clang-14", + "os": "ubuntu-22.04", + "__startline__": 43, + "__endline__": 45 + }, + { + "compiler": "clang-15", + "os": "ubuntu-22.04", + "__startline__": 45, + "__endline__": 47 + }, + { + "compiler": "gcc-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 47, + "__endline__": 49 + }, + { + "compiler": "gcc-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 49, + "__endline__": 51 + }, + { + "compiler": "clang-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 51, + "__endline__": 53 + }, + { + "compiler": "clang-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 53, + "__endline__": 57 + } + ], + "__startline__": 26, + "__endline__": 57 + }, + "__startline__": 25, + "__endline__": 57 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", 
+ "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + }, + { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + }, + { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + }, + { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + }, + { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + 
"channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + }, + { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + ], + "__startline__": 19, + "__endline__": 119 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 27, + " os: [ubuntu-20.04]\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - compiler: 'gcc'\n" + ], + [ + 30, + " os: ubuntu-22.04\n" + ], + [ + 31, + " - compiler: 'clang'\n" + ], + [ + 32, + " os: ubuntu-22.04\n" + ], + [ + 33, + " - compiler: 'gcc-11'\n" + ], + [ + 34, + " os: ubuntu-22.04\n" + ], + [ + 35, + " - compiler: 'gcc-12'\n" + ], + [ + 36, + " os: ubuntu-22.04\n" + ], + [ + 37, + " - compiler: 'clang-11'\n" + ], + [ + 38, + " os: ubuntu-22.04\n" + ], + [ + 39, + " - compiler: 'clang-12'\n" + ], + [ + 40, + " os: ubuntu-22.04\n" + ], + [ + 41, + " - compiler: 'clang-13'\n" + ], + [ + 42, + " os: ubuntu-22.04\n" + ], + [ + 43, + " - compiler: 'clang-14'\n" + ], + [ + 44, + " os: ubuntu-22.04\n" + ], + [ + 45, + " - compiler: 'clang-15'\n" + ], + [ + 46, + " os: ubuntu-22.04\n" + ], + [ + 47, + " - compiler: 'gcc-arm64-qemu-cross'\n" + ], + [ + 48, + " os: ubuntu-22.04\n" + ], + [ + 49, + " - compiler: 'gcc-arm32-qemu-cross'\n" + ], + [ + 50, + " os: ubuntu-22.04\n" + ], + [ + 51, + " - compiler: 'clang-arm64-qemu-cross'\n" + ], + [ + 52, + " os: ubuntu-22.04\n" + ], + [ + 53, + " - 
compiler: 'clang-arm32-qemu-cross'\n" + ], + [ + 54, + " os: ubuntu-22.04\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 57, + " steps:\n" + ], + [ + 58, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 
93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 19, + 120 + ], + "resource": "jobs(build_and_test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "${{ matrix.os }}", + "env": { + "COMPILER": "${{ matrix.compiler }}", + "BUILD_OS": "${{ matrix.os }}", + "__startline__": 21, + "__endline__": 24 + }, + "strategy": { + "matrix": { + "compiler": [ + "gcc", + "clang", + "gcc-9", + "gcc-10", + "clang-9", + "clang-10" + ], + "os": [ + "ubuntu-20.04" + ], + "include": [ + { + "compiler": "gcc", + "os": "ubuntu-22.04", + "__startline__": 29, + "__endline__": 31 + }, + { + "compiler": "clang", + "os": "ubuntu-22.04", + "__startline__": 31, + "__endline__": 33 + }, + { + "compiler": "gcc-11", + "os": "ubuntu-22.04", + "__startline__": 33, + "__endline__": 35 + }, + { + "compiler": "gcc-12", + "os": "ubuntu-22.04", + "__startline__": 35, + "__endline__": 37 + }, + { + "compiler": "clang-11", + "os": "ubuntu-22.04", + "__startline__": 37, + "__endline__": 39 + }, + { + "compiler": "clang-12", + "os": "ubuntu-22.04", + "__startline__": 39, + "__endline__": 41 + }, + { + "compiler": "clang-13", + "os": "ubuntu-22.04", + "__startline__": 41, + "__endline__": 43 + }, + { + "compiler": "clang-14", + "os": "ubuntu-22.04", + "__startline__": 43, + "__endline__": 45 + }, + { + "compiler": "clang-15", + "os": "ubuntu-22.04", + "__startline__": 45, + "__endline__": 47 + }, + { + "compiler": "gcc-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 47, + "__endline__": 49 + }, + { + "compiler": "gcc-arm32-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 49, + "__endline__": 51 + }, + { + "compiler": "clang-arm64-qemu-cross", + "os": "ubuntu-22.04", + "__startline__": 51, + "__endline__": 53 + }, + { + "compiler": "clang-arm32-qemu-cross", + 
"os": "ubuntu-22.04", + "__startline__": 53, + "__endline__": 57 + } + ], + "__startline__": 26, + "__endline__": 57 + }, + "__startline__": 25, + "__endline__": 57 + }, + "steps": [ + { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + }, + { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + }, + { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + }, + { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + }, + { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + }, + { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + }, + { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + }, + { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + }, + { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + }, + { + "name": "Run tests", + "env": { + "MAKE_TGT": 
"test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + }, + { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + }, + { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + ], + "__startline__": 19, + "__endline__": 119 + } + }, + "code_block": [ + [ + 19, + " runs-on: ${{ matrix.os }}\n" + ], + [ + 20, + " env:\n" + ], + [ + 21, + " COMPILER: ${{ matrix.compiler }}\n" + ], + [ + 22, + " BUILD_OS: ${{ matrix.os }}\n" + ], + [ + 23, + "\n" + ], + [ + 24, + " strategy:\n" + ], + [ + 25, + " matrix:\n" + ], + [ + 26, + " compiler: ['gcc', 'clang', 'gcc-9', 'gcc-10', 'clang-9', 'clang-10']\n" + ], + [ + 27, + " os: [ubuntu-20.04]\n" + ], + [ + 28, + " include:\n" + ], + [ + 29, + " - compiler: 'gcc'\n" + ], + [ + 30, + " os: ubuntu-22.04\n" + ], + [ + 31, + " - compiler: 'clang'\n" + ], + [ + 32, + " os: ubuntu-22.04\n" + ], + [ + 33, + " - compiler: 'gcc-11'\n" + ], + [ + 34, + " os: ubuntu-22.04\n" + ], + [ + 35, + " - compiler: 'gcc-12'\n" + ], + [ + 36, + " os: ubuntu-22.04\n" + ], + [ + 37, + " - compiler: 'clang-11'\n" + ], + [ + 38, + " os: ubuntu-22.04\n" + ], + [ + 39, + " - compiler: 'clang-12'\n" + ], + [ + 40, + " os: ubuntu-22.04\n" + ], + [ + 41, + " - compiler: 'clang-13'\n" + 
], + [ + 42, + " os: ubuntu-22.04\n" + ], + [ + 43, + " - compiler: 'clang-14'\n" + ], + [ + 44, + " os: ubuntu-22.04\n" + ], + [ + 45, + " - compiler: 'clang-15'\n" + ], + [ + 46, + " os: ubuntu-22.04\n" + ], + [ + 47, + " - compiler: 'gcc-arm64-qemu-cross'\n" + ], + [ + 48, + " os: ubuntu-22.04\n" + ], + [ + 49, + " - compiler: 'gcc-arm32-qemu-cross'\n" + ], + [ + 50, + " os: ubuntu-22.04\n" + ], + [ + 51, + " - compiler: 'clang-arm64-qemu-cross'\n" + ], + [ + 52, + " os: ubuntu-22.04\n" + ], + [ + 53, + " - compiler: 'clang-arm32-qemu-cross'\n" + ], + [ + 54, + " os: ubuntu-22.04\n" + ], + [ + 55, + "\n" + ], + [ + 56, + " # Steps represent a sequence of tasks that will be executed as part of the job\n" + ], + [ + 57, + " steps:\n" + ], + [ + 58, + " # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it\n" + ], + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git 
lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 19, + 120 + 
], + "resource": "jobs(build_and_test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. ", + "check_result": { + "result": "PASSED", + "results_configuration": { + "push": null, + "pull_request": null, + "workflow_dispatch": null, + "__startline__": 8, + "__endline__": 15 + } + }, + "code_block": [ + [ + 8, + " push:\n" + ], + [ + 9, + " pull_request:\n" + ], + [ + 10, + "\n" + ], + [ + 11, + " # Allows you to run this workflow manually from the Actions tab\n" + ], + [ + 12, + " workflow_dispatch:\n" + ], + [ + 13, + "\n" + ], + [ + 14, + "# A workflow run is made up of one or more jobs that can run sequentially or in parallel\n" + ], + [ + 15, + "jobs:\n" + ], + [ + 16, + " # This workflow contains a single job called \"build\"\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 8, + 16 + ], + "resource": "on(Unit Tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, 
+ "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + } + }, + "code_block": [ + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 59, + 64 + ], + "resource": "jobs(build_and_test).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + 
"pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build_and_test).steps[2](Cache the compiler cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + } + }, + "code_block": [ + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 72, + 77 + ], + "resource": "jobs(build_and_test).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": 
"Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + } + }, + "code_block": [ + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 76, + 82 + ], + "resource": "jobs(build_and_test).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get libtap", + 
"run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + } + }, + "code_block": [ + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 81, + 85 + ], + "resource": "jobs(build_and_test).steps[5](Get libtap)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + } + }, + "code_block": [ + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 
87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 84, + 89 + ], + "resource": "jobs(build_and_test).steps[6](Zero out compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + } + }, + "code_block": [ + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 88, + 92 + ], + "resource": 
"jobs(build_and_test).steps[7](Build libtap)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + } + }, + "code_block": [ + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 91, + 95 + ], + "resource": "jobs(build_and_test).steps[8](Build test harness)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + 
"description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + } + }, + "code_block": [ + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 94, + 99 + ], + "resource": "jobs(build_and_test).steps[9](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + 
], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + } + }, + "code_block": [ + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 98, + 104 + ], + "resource": "jobs(build_and_test).steps[10](Run tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure 
ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + } + }, + "code_block": [ + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 103, + 114 + ], + "resource": "jobs(build_and_test).steps[11](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": 
null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + }, + "code_block": [ + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 113, + 120 + ], + "resource": "jobs(build_and_test).steps[12](Collect test logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + 
"check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + } + }, + "code_block": [ + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 59, + 64 + ], + "resource": "jobs(build_and_test).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + 
"__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build_and_test).steps[2](Cache the compiler cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + 
"__endline__": 76 + } + }, + "code_block": [ + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 72, + 77 + ], + "resource": "jobs(build_and_test).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + } + }, + "code_block": [ + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone 
https://github.com/zorgnax/libtap.git lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 76, + 82 + ], + "resource": "jobs(build_and_test).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + } + }, + "code_block": [ + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 81, + 85 + ], + "resource": "jobs(build_and_test).steps[5](Get libtap)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + } + }, + "code_block": [ + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 84, + 89 + ], + "resource": "jobs(build_and_test).steps[6](Zero out compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + 
"short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + } + }, + "code_block": [ + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 88, + 92 + ], + "resource": "jobs(build_and_test).steps[7](Build libtap)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with 
IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + } + }, + "code_block": [ + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 91, + 95 + ], + "resource": "jobs(build_and_test).steps[8](Build test harness)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + } + }, + "code_block": [ + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" 
+ ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 94, + 99 + ], + "resource": "jobs(build_and_test).steps[9](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + } + }, + "code_block": [ + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] 
+ ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 98, + 104 + ], + "resource": "jobs(build_and_test).steps[10](Run tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + } + }, + "code_block": [ + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: 
FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 103, + 114 + ], + "resource": "jobs(build_and_test).steps[11](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + }, + "code_block": [ + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": 
"/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 113, + 120 + ], + "resource": "jobs(build_and_test).steps[12](Collect test logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + } + }, + "code_block": [ + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 59, + 64 + ], + "resource": "jobs(build_and_test).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": 
null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + "__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build_and_test).steps[2](Cache the compiler cache)", + "evaluations": null, + 
"check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + "__endline__": 76 + } + }, + "code_block": [ + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 72, + 77 + ], + "resource": "jobs(build_and_test).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": 
null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + } + }, + "code_block": [ + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 76, + 82 + ], + "resource": "jobs(build_and_test).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + 
"check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + } + }, + "code_block": [ + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 81, + 85 + ], + "resource": "jobs(build_and_test).steps[5](Get libtap)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + } + }, + "code_block": [ + 
[ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 84, + 89 + ], + "resource": "jobs(build_and_test).steps[6](Zero out compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + } + }, + "code_block": [ + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": 
"/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 88, + 92 + ], + "resource": "jobs(build_and_test).steps[7](Build libtap)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + } + }, + "code_block": [ + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 91, + 95 + ], + "resource": "jobs(build_and_test).steps[8](Build test harness)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + } + }, + "code_block": [ + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 94, + 99 + ], + "resource": "jobs(build_and_test).steps[9](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": 
[ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + } + }, + "code_block": [ + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 98, + 104 + ], + "resource": "jobs(build_and_test).steps[10](Run tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": 
"CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + } + }, + "code_block": [ + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 103, + 114 + ], + "resource": "jobs(build_and_test).steps[11](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + }, + "code_block": [ + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 113, + 120 + ], + "resource": "jobs(build_and_test).steps[12](Collect test logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + 
"check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "actions/checkout@v3", + "with": { + "submodules": "recursive", + "__startline__": 61, + "__endline__": 63 + }, + "__startline__": 59, + "__endline__": 63 + } + }, + "code_block": [ + [ + 59, + " - uses: actions/checkout@v3\n" + ], + [ + 60, + " with:\n" + ], + [ + 61, + " submodules: recursive\n" + ], + [ + 62, + "\n" + ], + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 59, + 64 + ], + "resource": "jobs(build_and_test).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache the compiler cache", + "uses": "actions/cache@v3", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "with": { + "path": "ccache", + "key": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}", + "restore-keys": "ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n", + 
"__startline__": 67, + "__endline__": 72 + }, + "__startline__": 63, + "__endline__": 72 + } + }, + "code_block": [ + [ + 63, + " - name: Cache the compiler cache\n" + ], + [ + 64, + " uses: actions/cache@v3\n" + ], + [ + 65, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 66, + " with:\n" + ], + [ + 67, + " path: ccache\n" + ], + [ + 68, + " key: ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}-${{ github.run_id }}\n" + ], + [ + 69, + " restore-keys: |\n" + ], + [ + 70, + " ccache-ut-${{ matrix.os }}-${{ matrix.compiler }}\n" + ], + [ + 71, + "\n" + ], + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 63, + 73 + ], + "resource": "jobs(build_and_test).steps[2](Cache the compiler cache)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Start Docker container", + "if": "endsWith(matrix.compiler, '-cross')", + "run": "sh -x scripts/build/start_container.sh", + "__startline__": 72, + 
"__endline__": 76 + } + }, + "code_block": [ + [ + 72, + " - name: Start Docker container\n" + ], + [ + 73, + " if: endsWith(matrix.compiler, '-cross')\n" + ], + [ + 74, + " run: sh -x scripts/build/start_container.sh\n" + ], + [ + 75, + "\n" + ], + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 72, + 77 + ], + "resource": "jobs(build_and_test).steps[3](Start Docker container)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "sh -x scripts/build/reset_sources.sh\nsh -x scripts/build/install_depends.sh\n", + "__startline__": 76, + "__endline__": 81 + } + }, + "code_block": [ + [ + 76, + " - name: Install dependencies\n" + ], + [ + 77, + " run: |\n" + ], + [ + 78, + " sh -x scripts/build/reset_sources.sh\n" + ], + [ + 79, + " sh -x scripts/build/install_depends.sh\n" + ], + [ + 80, + "\n" + ], + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git 
lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 76, + 82 + ], + "resource": "jobs(build_and_test).steps[4](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get libtap", + "run": "git clone https://github.com/zorgnax/libtap.git lib/libtap", + "__startline__": 81, + "__endline__": 84 + } + }, + "code_block": [ + [ + 81, + " - name: Get libtap\n" + ], + [ + 82, + " run: git clone https://github.com/zorgnax/libtap.git lib/libtap\n" + ], + [ + 83, + "\n" + ], + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 81, + 85 + ], + "resource": "jobs(build_and_test).steps[5](Get libtap)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + 
"fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Zero out compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/zero_ccache_stats.sh", + "__startline__": 84, + "__endline__": 88 + } + }, + "code_block": [ + [ + 84, + " - name: Zero out compiler cache stats\n" + ], + [ + 85, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 86, + " run: scripts/build/zero_ccache_stats.sh\n" + ], + [ + 87, + "\n" + ], + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 84, + 89 + ], + "resource": "jobs(build_and_test).steps[6](Zero out compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": 
null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Build libtap", + "run": "sh -x scripts/build/build_libtap.sh lib/libtap", + "__startline__": 88, + "__endline__": 91 + } + }, + "code_block": [ + [ + 88, + " - name: Build libtap\n" + ], + [ + 89, + " run: sh -x scripts/build/build_libtap.sh lib/libtap\n" + ], + [ + 90, + "\n" + ], + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 88, + 92 + ], + "resource": "jobs(build_and_test).steps[7](Build libtap)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + 
"name": "Build test harness", + "run": "sh -x scripts/build/build_test_harness.sh lib/libtap", + "__startline__": 91, + "__endline__": 94 + } + }, + "code_block": [ + [ + 91, + " - name: Build test harness\n" + ], + [ + 92, + " run: sh -x scripts/build/build_test_harness.sh lib/libtap\n" + ], + [ + 93, + "\n" + ], + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 91, + 95 + ], + "resource": "jobs(build_and_test).steps[8](Build test harness)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Print compiler cache stats", + "if": "endsWith(matrix.compiler, '-qemu-cross')", + "run": "scripts/build/print_ccache_stats.sh", + "__startline__": 94, + "__endline__": 98 + } + }, + "code_block": [ + [ + 94, + " - name: Print compiler cache stats\n" + ], + [ + 95, + " if: endsWith(matrix.compiler, '-qemu-cross')\n" + ], + [ + 96, + " run: scripts/build/print_ccache_stats.sh\n" + ], + [ + 97, + "\n" + ], 
+ [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 94, + 99 + ], + "resource": "jobs(build_and_test).steps[9](Print compiler cache stats)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run tests", + "env": { + "MAKE_TGT": "test", + "__startline__": 100, + "__endline__": 101 + }, + "run": "script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'", + "__startline__": 98, + "__endline__": 103 + } + }, + "code_block": [ + [ + 98, + " - name: Run tests\n" + ], + [ + 99, + " env:\n" + ], + [ + 100, + " MAKE_TGT: 'test'\n" + ], + [ + 101, + " run: script -e unit_tests.log -c 'sh -x scripts/build/do_build.sh DEFS_EXTRA_OPTS=\"-DUNIT_TESTS -fPIE -fPIC\"'\n" + ], + [ + 102, + "\n" + ], + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": 
"/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 98, + 104 + ], + "resource": "jobs(build_and_test).steps[10](Run tests)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Notify slack fail", + "if": "failure() && github.repository == 'OpenSIPS/opensips'", + "env": { + "SLACK_BOT_TOKEN": "${{ secrets.SLACK_BOT_TOKEN }}", + "__startline__": 106, + "__endline__": 107 + }, + "uses": "voxmedia/github-action-slack-notify-build@v1", + "with": { + "channel": "devel", + "status": "FAILED", + "color": "danger", + "__startline__": 109, + "__endline__": 113 + }, + "__startline__": 103, + "__endline__": 113 + } + }, + "code_block": [ + [ + 103, + " - name: Notify slack fail\n" + ], + [ + 104, + " if: failure() && github.repository == 'OpenSIPS/opensips'\n" + ], + [ + 105, + " env:\n" + ], + [ + 106, + " SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n" + ], + [ + 107, + " uses: voxmedia/github-action-slack-notify-build@v1\n" + ], + [ + 108, + " with:\n" + ], + [ + 109, + " channel: devel\n" + ], + [ + 110, + " status: FAILED\n" + ], + [ + 111, + " color: danger\n" + ], + [ + 112, + "\n" + ], + [ 
+ 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 103, + 114 + ], + "resource": "jobs(build_and_test).steps[11](Notify slack fail)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Collect test logs", + "uses": "actions/upload-artifact@v3", + "with": { + "name": "unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}", + "path": "unit_tests.log\n", + "__startline__": 116, + "__endline__": 119 + }, + "__startline__": 113, + "__endline__": 119 + } + }, + "code_block": [ + [ + 113, + " - name: Collect test logs\n" + ], + [ + 114, + " uses: actions/upload-artifact@v3\n" + ], + [ + 115, + " with:\n" + ], + [ + 116, + " name: unit_tests-logs_${{ matrix.os }}_${{ matrix.compiler }}\n" + ], + [ + 117, + " path: |\n" + ], + [ + 118, + " unit_tests.log\n" + ] + ], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": 
"/.github/workflows/unittests.yml", + "file_line_range": [ + 113, + 120 + ], + "resource": "jobs(build_and_test).steps[12](Collect test logs)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "build_and_test" + ], + "workflow_name": "Unit Tests" + } + ], + "failed_checks": [ + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/cifuzz.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/cifuzz.yml", + "repo_file_path": "/.github/workflows/cifuzz.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(CIFuzz)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "" + ], + "workflow_name": "CIFuzz" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions 
are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/main.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/main.yml", + "repo_file_path": "/.github/workflows/main.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Main CI)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "" + ], + "workflow_name": "Main CI" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/multiarch.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/multiarch.yml", + "repo_file_path": "/.github/workflows/multiarch.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Multi-Architecture Build)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "" + ], + "workflow_name": "Multi-Architecture Build" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/stale.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/stale.yml", + "repo_file_path": "/.github/workflows/stale.yml", + "file_line_range": [ + 11, + 12 + ], + "resource": "on(Mark stale issues and pull requests)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "" + ], + "workflow_name": "Mark stale issues and pull requests" + }, + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/unittests.yml", + "file_abs_path": "/tmp/ws-scm/h2o-opensips/.github/workflows/unittests.yml", + "repo_file_path": "/.github/workflows/unittests.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Unit Tests)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "pull_request", + "push", + "workflow_dispatch" + ] + ], + "job": [ + "" + ], + "workflow_name": "Unit Tests" + } + ], + "skipped_checks": [], + "parsing_errors": [] + }, + "summary": { + "passed": 146, + "failed": 5, + "skipped": 0, + "parsing_errors": 0, + "resource_count": 0, + "checkov_version": "3.2.174" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" + } +]