From d799aba6e98d3b8aff1ca94f01138ab4ec283e1d Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 29 Dec 2025 13:16:09 +1100 Subject: [PATCH 01/17] ci: Add snapshot tests for changes in the API --- gcp/api/cloudbuild.yaml | 8 +++ gcp/api/run_apitester.py | 55 +++++++++++++++++++ gcp/api/run_tests_e2e.sh | 28 ++++++++++ tools/apitester/README.md | 3 +- .../__snapshots__/cassette_TestCommand.snap | 16 +++--- .../cassette_TestCommand_CallAnalysis.snap | 6 +- .../cassette_TestCommand_Transitive.snap | 4 +- .../__snapshots__/cassette_single_query.snap | 10 +++- tools/apitester/internal/vcr/interactions.go | 1 + 9 files changed, 114 insertions(+), 17 deletions(-) create mode 100644 gcp/api/run_apitester.py create mode 100755 gcp/api/run_tests_e2e.sh diff --git a/gcp/api/cloudbuild.yaml b/gcp/api/cloudbuild.yaml index 7190530a129..d27f2b9e47a 100644 --- a/gcp/api/cloudbuild.yaml +++ b/gcp/api/cloudbuild.yaml @@ -43,4 +43,12 @@ steps: - CLOUDBUILD=1 waitFor: ['init', 'sync'] +- name: 'gcr.io/oss-vdb/ci' + id: 'api-snapshot-tests' + dir: gcp/api + args: ['bash', '-ex', 'run_tests_e2e.sh', '/workspace/dummy.json'] + env: + - CLOUDBUILD=1 + waitFor: ['init', 'sync'] + timeout: 7200s diff --git a/gcp/api/run_apitester.py b/gcp/api/run_apitester.py new file mode 100644 index 00000000000..007803d34fc --- /dev/null +++ b/gcp/api/run_apitester.py 
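Review bot: The new step passes `/workspace/dummy.json` as the credential file, but nothing in this patch series creates it, so a reader cannot tell from this config which earlier step (presumably `init` or `sync`) produces it or whether it is a real key or a placeholder the test server tolerates. A comment on the `args:` line naming the producer, e.g. `# dummy.json is written by the 'init' step; the ESP test server only needs it to exist`, would make that dependency explicit (confirm the actual producer first). Note also that `timeout: 7200s` is a per-step budget and the build-level timeout, not visible here, must be at least as large or the step will be killed regardless.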
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+import os
+import sys
+import subprocess
+import time
+import test_server
+
+_PORT = 8080
+
+def main():
+ if len(sys.argv) < 2:
+ print(f'Usage: {sys.argv[0]} path/to/credential.json')
+ sys.exit(1)
+
+ credential_path = sys.argv[1]
+
+ # Ensure Docker image is pulled
+ subprocess.run(
+ ['docker', 'pull', 'gcr.io/endpoints-release/endpoints-runtime:2'],
+ check=True)
+
+ print("Starting test server...")
+ server = test_server.start(credential_path, port=_PORT)
+
+ # Wait for server to start up
+ time.sleep(10)
+
+ try:
+ # Determine API URL
+ if os.getenv('CLOUDBUILD'):
+ host = test_server.get_cloudbuild_esp_host()
+ else:
+ host = 'localhost'
+
+ api_base_url = f"{host}:{_PORT}"
+ print(f"Running Go tests against {api_base_url}")
+
+ env = os.environ.copy()
+ env['OSV_API_BASE_URL'] = api_base_url
+
+ # Go tests path
+ # Assuming this script is in gcp/api/
+ go_test_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../tools/apitester'))
+
+ cmd = ['go', 'test', './...']
+ print(f"Executing: {' '.join(cmd)} in {go_test_dir}")
+
+ subprocess.run(cmd, cwd=go_test_dir, env=env, check=True)
+
+ finally:
+ print("Stopping test server...")
+ server.stop()
+
+if __name__ == '__main__':
+ main()
diff --git a/gcp/api/run_tests_e2e.sh b/gcp/api/run_tests_e2e.sh
new file mode 100755
index 00000000000..0ebd0bd8bdf
--- /dev/null
+++ b/gcp/api/run_tests_e2e.sh
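Review bot: The `docker pull` on the new side fetches `gcr.io/endpoints-release/endpoints-runtime:2` by mutable tag, so each CI run fronts the test API (presumably via the container `test_server.start` launches) with whatever image that tag currently resolves to, while the repo's other images are pinned by digest (the gitter Dockerfile pins `alpine:3.23@sha256:…`). Pin the ESP image the same way, `'gcr.io/endpoints-release/endpoints-runtime:2@sha256:<digest>'`, so a snapshot regression can be attributed to the API rather than to a silent proxy update. The fixed `time.sleep(10)` after `test_server.start` is also only a guess at readiness; polling `host:_PORT` until it accepts a TCP connection, with a bounded number of attempts before failing, would make the step deterministic under CI load. Whether `test_server.start` already blocks until the proxy is serving is not visible here and should be confirmed before replacing the sleep.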
@@ -0,0 +1,28 @@ +#!/bin/bash -x +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ $# -lt 1 ]; then + echo "Usage: $0 /path/to/credential.json" + exit 1 +fi + +export GOOGLE_CLOUD_PROJECT=oss-vdb-test OSV_VULNERABILITIES_BUCKET=osv-test-vulnerabilities + +# Try to start docker if not running (mostly for CI) +service docker start || true + +set -e + +poetry run python run_apitester.py "$1" diff --git a/tools/apitester/README.md b/tools/apitester/README.md index 6b7d142f140..719ae68737a 100644 --- a/tools/apitester/README.md +++ b/tools/apitester/README.md @@ -46,4 +46,5 @@ Before the test suite is actually run, the cassettes will be "cleaned" so that - the `response` is property is not present, to reduce the size of each cassette By default, requests are made against the local instance of the API, but you can -use the `OSV_API_BASE_URL` to point it against other instances. +use the `OSV_API_BASE_URL` to point it against other instances. +E.g. `OSV_API_BASE_URL=api.test.osv.dev go test ./...` diff --git a/tools/apitester/__snapshots__/cassette_TestCommand.snap b/tools/apitester/__snapshots__/cassette_TestCommand.snap index 59066590159..cb8a161e484 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand.snap @@ -3141,11 +3141,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, 
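Review bot: The script checks only the argument count, so a missing or unreadable credential file is not caught until `test_server.start` fails deep inside `run_apitester.py`; add `[ -r "$1" ] || { echo "credential file not readable: $1" >&2; exit 1; }` right after the usage check so the failure is reported at the entry point. `#!/bin/bash -x` together with the `-ex` the Cloud Build step passes echoes every expanded command into the build log, which is harmless for a file path but worth a comment so nobody later passes credential material by value on the command line. `set -e` is deliberately placed after `service docker start || true`; a short comment such as `# set -e only from here: docker may already be running outside CI` would stop the next reader from moving it above that line.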
@@ -3189,11 +3189,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, @@ -3619,11 +3619,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, @@ -3667,11 +3667,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap b/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap index c7fa922010d..012857de860 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_CallAnalysis.snap @@ -6,7 +6,7 @@ "vulns": [ { "id": "GHSA-c3h9-896r-86jm", - "modified": "" + "modified": "" }, { "id": "GO-2021-0053", @@ -74,7 +74,7 @@ "vulns": [ { "id": "GHSA-c3h9-896r-86jm", - "modified": "" + "modified": "" }, { "id": "GO-2021-0053", @@ -94,7 +94,7 @@ "vulns": [ { "id": "GHSA-c3h9-896r-86jm", - "modified": "" + "modified": "" }, { "id": "GO-2021-0053", diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap index 66c1c427573..59adbdea6f7 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap @@ -634,11 +634,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, diff --git a/tools/apitester/__snapshots__/cassette_single_query.snap b/tools/apitester/__snapshots__/cassette_single_query.snap index 680b407c069..5181c5d1562 100755 --- a/tools/apitester/__snapshots__/cassette_single_query.snap +++ b/tools/apitester/__snapshots__/cassette_single_query.snap 
@@ -1467,7 +1467,6 @@ "related": [ "ALSA-2025:1671", "ALSA-2025:1673", - "CGA-962m-89hc-rmjq", "RLSA-2025:1673", "SUSE-SU-2024:2784-1", "SUSE-SU-2024:2930-1", @@ -1546,7 +1545,6 @@ "modified": "", "published": "2024-09-11T10:15:02.883Z", "related": [ - "CGA-g55g-qx76-5fjj", "SUSE-SU-2024:3202-1", "SUSE-SU-2024:3203-1", "SUSE-SU-2024:3204-1", @@ -1710,6 +1708,7 @@ "modified": "", "published": "2025-02-05T10:15:22.710Z", "related": [ + "CGA-gr5c-pjrp-3fmw", "MGASA-2025-0123", "SUSE-SU-2025:0369-1", "SUSE-SU-2025:0370-1", @@ -1768,7 +1767,11 @@ "aliases": ["CURL-CVE-2025-0665"], "modified": "", "published": "2025-02-05T10:15:22.857Z", - "related": ["MGASA-2025-0123", "openSUSE-SU-2025:14809-1"], + "related": [ + "CGA-h2f8-6v5h-2qcp", + "MGASA-2025-0123", + "openSUSE-SU-2025:14809-1" + ], "references": [ { "type": "ADVISORY", @@ -1830,6 +1833,7 @@ "modified": "", "published": "2025-02-05T10:15:22.980Z", "related": [ + "CGA-378j-cghq-mmhg", "MGASA-2025-0123", "SUSE-SU-2025:0369-1", "SUSE-SU-2025:0370-1", diff --git a/tools/apitester/internal/vcr/interactions.go b/tools/apitester/internal/vcr/interactions.go index b61b1bdbc6b..a5bd12ab00a 100644 --- a/tools/apitester/internal/vcr/interactions.go +++ b/tools/apitester/internal/vcr/interactions.go @@ -32,6 +32,7 @@ func Play(t *testing.T, interaction *cassette.Interaction) *http.Response { } req.URL.Host = fetchAPIBaseURL() + req.Host = req.URL.Host req.Header.Set("User-Agent", "osv.dev/apitester") req.ContentLength = -1 From dd78e5ba0d98be8e06ae5d9bddf1297fa26cba9e Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 29 Dec 2025 13:30:55 +1100 Subject: [PATCH 02/17] Format and lintttt --- gcp/api/run_apitester.py | 89 +++++++++++++++++++++------------------- 1 file changed, 46 insertions(+), 43 deletions(-) diff --git a/gcp/api/run_apitester.py b/gcp/api/run_apitester.py index 007803d34fc..f8f261094f2 100644 --- a/gcp/api/run_apitester.py +++ b/gcp/api/run_apitester.py 
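Review bot: The added `req.Host = req.URL.Host` carries no comment, and the reason the Host header must follow the rewritten URL is not obvious from the replay code alone. Presumably the cassettes were recorded against the public API hostname and the proxy in front of the test server routes or validates on Host, so without this line replayed requests would still present the recorded host; a one-line comment such as `// Keep the Host header in sync with the rewritten URL: the proxy in front of the test server routes on it, not on the recorded host.` would capture that, once the actual reason is confirmed. `Play` begins outside the hunk.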
@@ -7,49 +7,52 @@ _PORT = 8080 + def main(): - if len(sys.argv) < 2: - print(f'Usage: {sys.argv[0]} path/to/credential.json') - sys.exit(1) - - credential_path = sys.argv[1] - - # Ensure Docker image is pulled - subprocess.run( - ['docker', 'pull', 'gcr.io/endpoints-release/endpoints-runtime:2'], - check=True) - - print("Starting test server...") - server = test_server.start(credential_path, port=_PORT) - - # Wait for server to start up - time.sleep(10) - - try: - # Determine API URL - if os.getenv('CLOUDBUILD'): - host = test_server.get_cloudbuild_esp_host() - else: - host = 'localhost' - - api_base_url = f"{host}:{_PORT}" - print(f"Running Go tests against {api_base_url}") - - env = os.environ.copy() - env['OSV_API_BASE_URL'] = api_base_url - - # Go tests path - # Assuming this script is in gcp/api/ - go_test_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../tools/apitester')) - - cmd = ['go', 'test', './...'] - print(f"Executing: {' '.join(cmd)} in {go_test_dir}") - - subprocess.run(cmd, cwd=go_test_dir, env=env, check=True) - - finally: - print("Stopping test server...") - server.stop() + if len(sys.argv) < 2: + print(f'Usage: {sys.argv[0]} path/to/credential.json') + sys.exit(1) + + credential_path = sys.argv[1] + + # Ensure Docker image is pulled + subprocess.run( + ['docker', 'pull', 'gcr.io/endpoints-release/endpoints-runtime:2'], + check=True) + + print("Starting test server...") + server = test_server.start(credential_path, port=_PORT) + + # Wait for server to start up + time.sleep(10) + + try: + # Determine API URL + if os.getenv('CLOUDBUILD'): + host = test_server.get_cloudbuild_esp_host() + else: + host = 'localhost' + + api_base_url = f"{host}:{_PORT}" + print(f"Running Go tests against {api_base_url}") + + env = os.environ.copy() + env['OSV_API_BASE_URL'] = api_base_url + + # Go tests path + # Assuming this script is in gcp/api/ + go_test_dir = os.path.abspath( + os.path.join(os.path.dirname(__file__), '../../tools/apitester')) + + 
cmd = ['go', 'test', './...'] + print(f"Executing: {' '.join(cmd)} in {go_test_dir}") + + subprocess.run(cmd, cwd=go_test_dir, env=env, check=True) + + finally: + print("Stopping test server...") + server.stop() + if __name__ == '__main__': - main() + main() From d803086099b25256c3bc2694cb2726a86043a849 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 29 Dec 2025 14:30:24 +1100 Subject: [PATCH 03/17] Fix more lints --- gcp/api/run_apitester.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/gcp/api/run_apitester.py b/gcp/api/run_apitester.py index f8f261094f2..281063a320b 100644 --- a/gcp/api/run_apitester.py +++ b/gcp/api/run_apitester.py @@ -1,4 +1,18 @@ -#!/usr/bin/env python3 +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Run E2E golang cassette API tests.""" + import os import sys import subprocess From e9dfdb78e422575acc82491fc4c9ed76c31873fb Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 29 Dec 2025 14:50:41 +1100 Subject: [PATCH 04/17] Do we actually need cloudbuild esp url? --- gcp/api/run_apitester.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/gcp/api/run_apitester.py b/gcp/api/run_apitester.py index 281063a320b..8d9c996f0cf 100644 --- a/gcp/api/run_apitester.py +++ b/gcp/api/run_apitester.py 
@@ -42,10 +42,7 @@ def main(): try: # Determine API URL - if os.getenv('CLOUDBUILD'): - host = test_server.get_cloudbuild_esp_host() - else: - host = 'localhost' + host = 'localhost' api_base_url = f"{host}:{_PORT}" print(f"Running Go tests against {api_base_url}") From cf363328c83a8894fd359a699895fe01165d4095 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 29 Dec 2025 15:00:45 +1100 Subject: [PATCH 05/17] Ok maybe it was there for a reason --- gcp/api/run_apitester.py | 5 ++++- tools/apitester/internal/vcr/interactions.go | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/gcp/api/run_apitester.py b/gcp/api/run_apitester.py index 8d9c996f0cf..281063a320b 100644 --- a/gcp/api/run_apitester.py +++ b/gcp/api/run_apitester.py @@ -42,7 +42,10 @@ def main(): try: # Determine API URL - host = 'localhost' + if os.getenv('CLOUDBUILD'): + host = test_server.get_cloudbuild_esp_host() + else: + host = 'localhost' api_base_url = f"{host}:{_PORT}" print(f"Running Go tests against {api_base_url}") diff --git a/tools/apitester/internal/vcr/interactions.go b/tools/apitester/internal/vcr/interactions.go index a5bd12ab00a..c3d41e49961 100644 --- a/tools/apitester/internal/vcr/interactions.go +++ b/tools/apitester/internal/vcr/interactions.go @@ -3,6 +3,7 @@ package vcr import ( "net/http" "os" + "strings" "testing" "gopkg.in/dnaeon/go-vcr.v4/pkg/cassette" @@ -36,7 +37,7 @@ func Play(t *testing.T, interaction *cassette.Interaction) *http.Response { req.Header.Set("User-Agent", "osv.dev/apitester") req.ContentLength = -1 - if req.URL.Hostname() == "localhost" || req.URL.Hostname() == "127.0.0.1" { + if req.URL.Hostname() == "localhost" || req.URL.Hostname() == "127.0.0.1" || strings.HasPrefix(req.URL.Hostname(), "192.168.") { req.URL.Scheme = "http" } From 6e311ab173e01117a50c9af4cb3905c41b6ed4ef Mon Sep 17 00:00:00 2001 
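Review bot: The new `strings.HasPrefix(req.URL.Hostname(), "192.168.")` test decides whether a request is downgraded to plaintext HTTP by string prefix, so a hostname such as `192.168.example.com` would also be sent in the clear, while other private ranges a CI runner may hand out (10/8, 172.16/12) still get HTTPS and fail. Parse the host instead: `ip := net.ParseIP(req.URL.Hostname())` followed by `if h := req.URL.Hostname(); h == "localhost" || (ip != nil && (ip.IsLoopback() || ip.IsPrivate())) { req.URL.Scheme = "http" }`, importing `net`; `IsPrivate` needs Go 1.17+, which the module's go directive (not visible here) should confirm. A cleaner long-term fix is to let `OSV_API_BASE_URL` carry an explicit scheme so the harness never has to guess. `Play` begins outside the hunk.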
From: Rex P Date: Mon, 29 Dec 2025 15:09:51 +1100 Subject: [PATCH 06/17] Sequential run? --- gcp/api/cloudbuild.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gcp/api/cloudbuild.yaml b/gcp/api/cloudbuild.yaml index d27f2b9e47a..754459fbf7e 100644 --- a/gcp/api/cloudbuild.yaml +++ b/gcp/api/cloudbuild.yaml @@ -49,6 +49,7 @@ steps: args: ['bash', '-ex', 'run_tests_e2e.sh', '/workspace/dummy.json'] env: - CLOUDBUILD=1 - waitFor: ['init', 'sync'] + # Don't run at the same time as api-tests + waitFor: ['init', 'sync', 'api-tests'] timeout: 7200s From 854e49ec543b124bd32a21c3e32a116a5e976f21 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 12 Jan 2026 11:09:17 +1100 Subject: [PATCH 07/17] Update API tests again with the right service account --- deployment/terraform/environments/oss-vdb/unmanaged.md | 1 + gcp/api/cloudbuild.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/deployment/terraform/environments/oss-vdb/unmanaged.md b/deployment/terraform/environments/oss-vdb/unmanaged.md index cc37c133e3e..94a86781c71 100644 --- a/deployment/terraform/environments/oss-vdb/unmanaged.md +++ b/deployment/terraform/environments/oss-vdb/unmanaged.md @@ -42,6 +42,7 @@ Not everything here needs to be managed by Terraform, this is just for reference - `esp-test` - `osv-user` (unused?) - `terraform-plan` + - `api-e2e-tester` - `worker` (unused?) - A number of IAM permissions - `osv-vulnerabilities GCS bucket health` Monitoring Alert Policy diff --git a/gcp/api/cloudbuild.yaml b/gcp/api/cloudbuild.yaml index 754459fbf7e..871ede2bba0 100644 --- a/gcp/api/cloudbuild.yaml +++ b/gcp/api/cloudbuild.yaml @@ -53,3 +53,5 @@ steps: waitFor: ['init', 'sync', 'api-tests'] timeout: 7200s +serviceAccount: 'projects/oss-vdb/serviceAccounts/api-e2e-tester@oss-vdb.iam.gserviceaccount.com' + From d25f92d5d36d1060a4c2afd074d34c824a4c4351 Mon Sep 17 00:00:00 2001 
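Review bot: `serviceAccount:` is set at the build level, so `api-e2e-tester@oss-vdb.iam.gserviceaccount.com` now runs every step in this config (`init`, `sync`, `api-tests` and the new snapshot step), not only the one it was introduced for; the account therefore needs the union of all their permissions and becomes the single identity whose compromise exposes all of them. The unmanaged.md entry records only the name; add the IAM roles granted to it and the resources they cover (at least `oss-vdb-test` and `osv-test-vulnerabilities`, which `run_tests_e2e.sh` targets) so the grants can be reviewed for least privilege and later brought under Terraform. If a per-step scope is sufficient, consider narrowing to the new step rather than the whole build; whether the earlier steps still succeed under the new account is not visible here and should be confirmed.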
From: Rex P Date: Mon, 12 Jan 2026 11:31:48 +1100 Subject: [PATCH 08/17] Random change to test it out --- go/cmd/gitter/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/cmd/gitter/Dockerfile b/go/cmd/gitter/Dockerfile index 1c5447ae767..ca2158b6057 100644 --- a/go/cmd/gitter/Dockerfile +++ b/go/cmd/gitter/Dockerfile @@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 go build -o gitter ./cmd/gitter/ FROM alpine:3.23@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 # Need to install the full tar package, to not use the busybox version, which doesn't have --zstd support. -RUN apk add --no-cache git zstd tar +RUN apk add --no-cache git zstd tar openssh COPY --from=build /src/gitter / From f9d9b2d6b06a8e4f34e85629385d32150972758a Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 12 Jan 2026 11:38:30 +1100 Subject: [PATCH 09/17] Use option b! --- gcp/api/cloudbuild.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gcp/api/cloudbuild.yaml b/gcp/api/cloudbuild.yaml index 871ede2bba0..0bd3e83ceed 100644 --- a/gcp/api/cloudbuild.yaml +++ b/gcp/api/cloudbuild.yaml @@ -54,4 +54,6 @@ steps: timeout: 7200s serviceAccount: 'projects/oss-vdb/serviceAccounts/api-e2e-tester@oss-vdb.iam.gserviceaccount.com' +options: + defaultLogsBucketBehavior: REGIONAL_USER_OWNED_BUCKET From b272bc4915469dd4f473f93d1f31ae84a5fbb6c9 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 12 Jan 2026 11:46:01 +1100 Subject: [PATCH 10/17] No more buckets :( --- gcp/api/cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gcp/api/cloudbuild.yaml b/gcp/api/cloudbuild.yaml index 0bd3e83ceed..a9580e4cac6 100644 --- a/gcp/api/cloudbuild.yaml +++ b/gcp/api/cloudbuild.yaml @@ -55,5 +55,5 @@ steps: timeout: 7200s serviceAccount: 'projects/oss-vdb/serviceAccounts/api-e2e-tester@oss-vdb.iam.gserviceaccount.com' options: - defaultLogsBucketBehavior: REGIONAL_USER_OWNED_BUCKET + logging: CLOUD_LOGGING_ONLY 
From c03faa2e26528dcd499ccfdd7107c6d21dc77b14 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 12 Jan 2026 11:55:25 +1100 Subject: [PATCH 11/17] Revert change to trigger build --- go/cmd/gitter/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/cmd/gitter/Dockerfile b/go/cmd/gitter/Dockerfile index ca2158b6057..1c5447ae767 100644 --- a/go/cmd/gitter/Dockerfile +++ b/go/cmd/gitter/Dockerfile @@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 go build -o gitter ./cmd/gitter/ FROM alpine:3.23@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 # Need to install the full tar package, to not use the busybox version, which doesn't have --zstd support. -RUN apk add --no-cache git zstd tar openssh +RUN apk add --no-cache git zstd tar COPY --from=build /src/gitter / From 3c6e836525a95df943352afd33e1dbce265ef0b5 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 12 Jan 2026 12:31:40 +1100 Subject: [PATCH 12/17] Revert "Revert change to trigger build" This reverts commit c03faa2e26528dcd499ccfdd7107c6d21dc77b14. --- go/cmd/gitter/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/cmd/gitter/Dockerfile b/go/cmd/gitter/Dockerfile index 1c5447ae767..ca2158b6057 100644 --- a/go/cmd/gitter/Dockerfile +++ b/go/cmd/gitter/Dockerfile @@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 go build -o gitter ./cmd/gitter/ FROM alpine:3.23@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 # Need to install the full tar package, to not use the busybox version, which doesn't have --zstd support. -RUN apk add --no-cache git zstd tar +RUN apk add --no-cache git zstd tar openssh COPY --from=build /src/gitter / From 484c324ed810c18b3c0b31cdcf2ab1a78d28a839 Mon Sep 17 00:00:00 2001 
From: Rex P Date: Mon, 12 Jan 2026 12:44:51 +1100 Subject: [PATCH 13/17] Update all the snapshots --- go/cmd/gitter/Dockerfile | 2 +- .../__snapshots__/cassette_TestCommand.snap | 334 +++++++++-------- .../cassette_TestCommand_MoreLockfiles.snap | 2 +- .../cassette_TestCommand_Transitive.snap | 70 ++-- .../__snapshots__/cassette_single_query.snap | 352 +++++++++++++++--- 5 files changed, 534 insertions(+), 226 deletions(-) diff --git a/go/cmd/gitter/Dockerfile b/go/cmd/gitter/Dockerfile index ca2158b6057..1c5447ae767 100644 --- a/go/cmd/gitter/Dockerfile +++ b/go/cmd/gitter/Dockerfile @@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 go build -o gitter ./cmd/gitter/ FROM alpine:3.23@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 # Need to install the full tar package, to not use the busybox version, which doesn't have --zstd support. -RUN apk add --no-cache git zstd tar openssh +RUN apk add --no-cache git zstd tar COPY --from=build /src/gitter / diff --git a/tools/apitester/__snapshots__/cassette_TestCommand.snap b/tools/apitester/__snapshots__/cassette_TestCommand.snap index cb8a161e484..45e25faf249 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand.snap @@ -117,7 +117,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", 
@@ -133,51 +133,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -257,7 +257,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", @@ -273,51 +273,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -389,7 +389,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", 
@@ -405,51 +405,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -529,7 +529,7 @@ }, { "id": "GO-2025-3447", - "modified": "" + "modified": "" }, { "id": "GO-2025-3563", @@ -545,51 +545,51 @@ }, { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -1307,6 +1307,10 @@ "id": "DEBIAN-CVE-2024-12133", "modified": "" }, + { + "id": "DEBIAN-CVE-2025-13151", + "modified": "" + }, { "id": "DLA-3263-1", "modified": "" @@ -1529,7 +1533,7 @@ }, { "id": "DEBIAN-CVE-2025-9714", - "modified": "" + "modified": "" }, { "id": "DLA-3012-1", 
@@ -1815,7 +1819,7 @@ }, { "id": "DEBIAN-CVE-2024-13176", - "modified": "" + "modified": "" }, { "id": "DEBIAN-CVE-2024-2511", @@ -2359,51 +2363,51 @@ "vulns": [ { "id": "GO-2025-3849", - "modified": "" + "modified": "" }, { "id": "GO-2025-3956", - "modified": "" + "modified": "" }, { "id": "GO-2025-4006", - "modified": "" + "modified": "" }, { "id": "GO-2025-4007", - "modified": "" + "modified": "" }, { "id": "GO-2025-4008", - "modified": "" + "modified": "" }, { "id": "GO-2025-4009", - "modified": "" + "modified": "" }, { "id": "GO-2025-4010", - "modified": "" + "modified": "" }, { "id": "GO-2025-4011", - "modified": "" + "modified": "" }, { "id": "GO-2025-4012", - "modified": "" + "modified": "" }, { "id": "GO-2025-4013", - "modified": "" + "modified": "" }, { "id": "GO-2025-4014", - "modified": "" + "modified": "" }, { "id": "GO-2025-4015", - "modified": "" + "modified": "" }, { "id": "GO-2025-4155", @@ -2419,7 +2423,7 @@ "vulns": [ { "id": "GO-2025-3828", - "modified": "" + "modified": "" } ] } @@ -2928,11 +2932,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -2940,11 +2944,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -2952,11 +2956,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -2964,11 +2968,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3012,11 +3016,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, 
@@ -3024,11 +3028,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -3062,19 +3066,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -3082,19 +3086,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -3105,27 +3109,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -3141,11 +3149,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, @@ -3153,27 +3161,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", 
@@ -3189,35 +3201,47 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] } @@ -3406,11 +3430,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3418,11 +3442,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3430,11 +3454,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3442,11 +3466,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -3490,11 +3514,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -3502,11 +3526,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -3540,19 +3564,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, 
@@ -3560,19 +3584,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -3583,27 +3607,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -3619,11 +3647,11 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, @@ -3631,27 +3659,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", 
@@ -3667,35 +3699,47 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] } diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap b/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap index bc802edcf12..e1aad04a757 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap @@ -137,7 +137,7 @@ "vulns": [ { "id": "GHSA-8qvm-5x2c-j2w7", - "modified": "" + "modified": "" } ] } diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap index 59adbdea6f7..31d87aa9714 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap @@ -51,11 +51,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -63,19 +63,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] } @@ -91,11 +91,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, 
@@ -288,11 +288,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -301,19 +301,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] } @@ -550,11 +550,11 @@ "vulns": [ { "id": "GHSA-m2qf-hxjv-5gpq", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-62", - "modified": "" + "modified": "" } ] }, @@ -562,11 +562,11 @@ "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", - "modified": "" + "modified": "" }, { "id": "PYSEC-2024-60", - "modified": "" + "modified": "" } ] }, @@ -578,19 +578,19 @@ "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", - "modified": "" + "modified": "" }, { "id": "GHSA-9wx4-h78v-vm56", - "modified": "" + "modified": "" }, { "id": "GHSA-j8r2-6x86-q33q", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-74", - "modified": "" + "modified": "" } ] }, @@ -598,27 +598,31 @@ "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", - "modified": "" + "modified": "" }, { "id": "GHSA-34jh-p97f-mpxf", - "modified": "" + "modified": "" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "" }, { "id": "GHSA-g4mx-q9vg-27p4", - "modified": "" + "modified": "" }, { "id": "GHSA-gm62-xv2j-4w53", - "modified": "" + "modified": "" }, { "id": "GHSA-pq67-6m6q-mj2v", - "modified": "" + "modified": "" }, { "id": "GHSA-v845-jxx5-vc9f", - "modified": "" + "modified": "" }, { "id": "GHSA-wqvq-5m8c-6g24", @@ -634,19 +638,23 @@ }, { "id": "PYSEC-2023-192", - "modified": "" + "modified": "" }, { "id": "PYSEC-2023-212", - "modified": "" + "modified": "" } ] }, { "vulns": [ + { + "id": "GHSA-87hc-h4r5-73f7", + "modified": "" + }, { "id": "GHSA-hgf8-39gv-g3f2", - "modified": "" + "modified": "" } ] } 
diff --git a/tools/apitester/__snapshots__/cassette_single_query.snap b/tools/apitester/__snapshots__/cassette_single_query.snap index 5181c5d1562..cd31c4584ce 100755 --- a/tools/apitester/__snapshots__/cassette_single_query.snap +++ b/tools/apitester/__snapshots__/cassette_single_query.snap @@ -82,7 +82,8 @@ { "id": "CVE-2022-33068", "details": "An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.", - "modified": "", + "aliases": ["ROOT-OS-DEBIAN-bullseye-CVE-2022-33068"], + "modified": "", "published": "2022-06-23T17:15:14.350Z", "related": [ "ALSA-2022:8384", @@ -163,7 +164,11 @@ { "id": "CVE-2023-25193", "details": "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.", - "modified": "", + "aliases": [ + "ROOT-OS-DEBIAN-bookworm-CVE-2023-25193", + "ROOT-OS-DEBIAN-bullseye-CVE-2023-25193" + ], + "modified": "", "published": "2023-02-04T20:15:08.027Z", "related": [ "ALSA-2023:4158", 
@@ -264,6 +269,50 @@ } ] }, + { + "id": "CVE-2026-22693", + "details": "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.", + "aliases": ["GHSA-xvjr-f2r9-c7ww"], + "modified": "", + "published": "2026-01-10T06:15:52.063Z", + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww" + }, + { + "type": "FIX", + "url": "https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae" + } + ], + "affected": [ + { + "ranges": [ + { + "type": "GIT", + "repo": "https://github.com/harfbuzz/harfbuzz", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1265ff8d990284f04d8768f35b0e20ae5f60daae" + } + ] + } + ], + "versions": 207, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ] + }, { "id": "OSV-2020-484", "summary": "Heap-buffer-overflow in AAT::KerxSubTableFormat4\u003cAAT::KerxSubTableHeader\u003e::driver_context_t::transition", 
@@ -675,8 +724,8 @@ "id": "CURL-CVE-2024-9681", "summary": "HSTS subdomain overwrites parent cache entry", "details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", - "aliases": ["CVE-2024-9681"], - "modified": "", + "aliases": ["CVE-2024-9681", "ROOT-OS-DEBIAN-bullseye-CVE-2024-9681"], + "modified": "", "published": "2024-11-05T08:00:00Z", "database_specific": "", "affected": [ 
@@ -876,12 +925,12 @@ ] }, { - "id": "CURL-CVE-2025-5025", - "summary": "No QUIC certificate pinning with wolfSSL", - "details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing.", - "aliases": ["CVE-2025-5025"], - "modified": "", - "published": "2025-05-28T08:00:00Z", + "id": "CURL-CVE-2025-14017", + "summary": "broken TLS options for threaded LDAPS", + "details": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.", + "aliases": ["CVE-2025-14017"], + "modified": "", + "published": "2026-01-07T08:00:00Z", "database_specific": "", "affected": [ { @@ -890,10 +939,10 @@ "type": "SEMVER", "events": [ { - "introduced": "8.5.0" + "introduced": "7.17.0" }, { - "fixed": "8.14.0" + "fixed": "8.18.0" } ] }, 
@@ -902,37 +951,37 @@ "repo": "https://github.com/curl/curl.git", "events": [ { - "introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c" + "introduced": "ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34" }, { - "fixed": "e1f65937a96a451292e9231339672797da86ecc5" + "fixed": "39d1976b7f709a516e3243338ebc0443bdd8d56d" } ] } ], - "versions": 14, + "versions": 143, "database_specific": "" } ], "schema_version": "1.7.3", "credits": [ { - "name": "Hiroki Kurosawa", + "name": "Stanislav Fort (Aisle Research)", "type": "FINDER" }, { - "name": "Stefan Eissing", + "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ] }, { - "id": "CURL-CVE-2025-9086", - "summary": "Out of bounds read for cookie path", - "details": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\"/\"`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. 
A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.", - "aliases": ["CVE-2025-9086"], - "modified": "", - "published": "2025-09-10T08:00:00Z", + "id": "CURL-CVE-2025-14524", + "summary": "bearer token leak on cross-protocol redirect", + "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.", + "aliases": ["CVE-2025-14524"], + "modified": "", + "published": "2026-01-06T08:00:00Z", "database_specific": "", "affected": [ { @@ -941,10 +990,10 @@ "type": "SEMVER", "events": [ { - "introduced": "7.31.0" + "introduced": "7.33.0" }, { - "fixed": "8.16.0" + "fixed": "8.18.0" } ] }, @@ -953,10 +1002,10 @@ "repo": "https://github.com/curl/curl.git", "events": [ { - "introduced": "f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d" + "introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa" }, { - "fixed": "c6ae07c6a541e0e96d0040afb62b45dd37711300" + "fixed": "1a822275d333dc6da6043497160fd04c8fa48640" } ] } 
@@ -968,7 +1017,109 @@ "schema_version": "1.7.3", "credits": [ { - "name": "Google Big Sleep", + "name": "anonymous237 on hackerone", + "type": "FINDER" + }, + { + "name": "Daniel Stenberg", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-14819", + "summary": "OpenSSL partial chain store policy bypass", + "details": "When doing TLS related transfers with reused easy or multi handles and\naltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. This could make\nlibcurl find and accept a trust chain that it otherwise would not.", + "aliases": ["CVE-2025-14819"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.87.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "3c16697ebd796f799227be293e8689aec5f8190d" + }, + { + "fixed": "cd046f6c93b39d673a58c18648d8906e954c4f5d" + } + ] + } + ], + "versions": 31, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Stanislav Fort (Aisle Research)", + "type": "FINDER" + }, + { + "name": "Daniel Stenberg", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-15079", + "summary": "libssh global known_hosts override", + "details": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.", + "aliases": ["CVE-2025-15079"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ 
+ { + "introduced": "7.58.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a" + }, + { + "fixed": "adca486c125d9a6d9565b9607a19dce803a8b479" + } + ] + } + ], + "versions": 70, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Harry Sintonen", "type": "FINDER" }, { 
@@ -977,6 +1128,108 @@ } ] }, + { + "id": "CURL-CVE-2025-15224", + "summary": "libssh key passphrase bypass without agent set", + "details": "When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent.", + "aliases": ["CVE-2025-15224"], + "modified": "", + "published": "2026-01-07T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "7.58.0" + }, + { + "fixed": "8.18.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "c92d2e14cfb0db662f958effd2ac86f995cf1b5a" + }, + { + "fixed": "16d5f2a5660c61cc27bd5f1c7f512391d1c927aa" + } + ] + } + ], + "versions": 70, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Harry Sintonen", + "type": "FINDER" + }, + { + "name": "Harry Sintonen", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, + { + "id": "CURL-CVE-2025-5025", + "summary": "No QUIC certificate pinning with wolfSSL", + "details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. 
Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing.", + "aliases": ["CVE-2025-5025"], + "modified": "", + "published": "2025-05-28T08:00:00Z", + "database_specific": "", + "affected": [ + { + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.14.0" + } + ] + }, + { + "type": "GIT", + "repo": "https://github.com/curl/curl.git", + "events": [ + { + "introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c" + }, + { + "fixed": "e1f65937a96a451292e9231339672797da86ecc5" + } + ] + } + ], + "versions": 14, + "database_specific": "" + } + ], + "schema_version": "1.7.3", + "credits": [ + { + "name": "Hiroki Kurosawa", + "type": "FINDER" + }, + { + "name": "Stefan Eissing", + "type": "REMEDIATION_DEVELOPER" + } + ] + }, { "id": "CVE-2024-0853", "details": "curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.", 
@@ -1608,8 +1861,11 @@ { "id": "CVE-2024-9681", "details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", - "aliases": ["CURL-CVE-2024-9681"], - "modified": "", + "aliases": [ + "CURL-CVE-2024-9681", + "ROOT-OS-DEBIAN-bullseye-CVE-2024-9681" + ], + "modified": "", "published": "2024-11-06T08:15:03.740Z", "related": [ "MGASA-2024-0360", 
@@ -2251,8 +2507,8 @@ "id": "GHSA-cpwx-vrp4-4pq7", "summary": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method", "details": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.", - "aliases": ["CVE-2025-27516"], - "modified": "", + "aliases": ["CVE-2025-27516", "ROOT-APP-PYPI-CVE-2025-27516"], + "modified": "", "published": "2025-03-05T20:40:14Z", "related": [ "CGA-2h34-36gr-7wjw", @@ -2335,8 +2591,8 @@ "id": "GHSA-gmj6-6f8f-6699", "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", - "aliases": ["CVE-2024-56201"], - "modified": "", + "aliases": ["CVE-2024-56201", "ROOT-APP-PYPI-CVE-2024-56201"], + "modified": "", "published": "2024-12-23T17:54:12Z", "related": [ "CGA-2589-9xpr-fmp7", 
@@ -2424,8 +2680,8 @@ "id": "GHSA-q2x7-8rv6-6q7h", "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", - "aliases": ["CVE-2024-56326"], - "modified": "", + "aliases": ["CVE-2024-56326", "ROOT-APP-PYPI-CVE-2024-56326"], + "modified": "", "published": "2024-12-23T17:56:08Z", "related": [ "CGA-3cj4-2jg2-4qm3", 
@@ -2522,8 +2778,8 @@ "id": "GHSA-cpwx-vrp4-4pq7", "summary": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method", "details": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.", - "aliases": ["CVE-2025-27516"], - "modified": "", + "aliases": ["CVE-2025-27516", "ROOT-APP-PYPI-CVE-2025-27516"], + "modified": "", "published": "2025-03-05T20:40:14Z", "related": [ "CGA-2h34-36gr-7wjw", @@ -2606,8 +2862,8 @@ "id": "GHSA-gmj6-6f8f-6699", "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", - "aliases": ["CVE-2024-56201"], - "modified": "", + "aliases": ["CVE-2024-56201", "ROOT-APP-PYPI-CVE-2024-56201"], + "modified": "", "published": "2024-12-23T17:54:12Z", "related": [ "CGA-2589-9xpr-fmp7", 
@@ -2695,8 +2951,8 @@ "id": "GHSA-q2x7-8rv6-6q7h", "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", - "aliases": ["CVE-2024-56326"], - "modified": "", + "aliases": ["CVE-2024-56326", "ROOT-APP-PYPI-CVE-2024-56326"], + "modified": "", "published": "2024-12-23T17:56:08Z", "related": [ "CGA-3cj4-2jg2-4qm3", 
@@ -2793,8 +3049,8 @@ "id": "GHSA-cpwx-vrp4-4pq7", "summary": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method", "details": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.", - "aliases": ["CVE-2025-27516"], - "modified": "", + "aliases": ["CVE-2025-27516", "ROOT-APP-PYPI-CVE-2025-27516"], + "modified": "", "published": "2025-03-05T20:40:14Z", "related": [ "CGA-2h34-36gr-7wjw", @@ -2877,8 +3133,8 @@ "id": "GHSA-gmj6-6f8f-6699", "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", - "aliases": ["CVE-2024-56201"], - "modified": "", + "aliases": ["CVE-2024-56201", "ROOT-APP-PYPI-CVE-2024-56201"], + "modified": "", "published": "2024-12-23T17:54:12Z", "related": [ "CGA-2589-9xpr-fmp7", 
@@ -2966,8 +3222,8 @@ "id": "GHSA-q2x7-8rv6-6q7h", "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", - "aliases": ["CVE-2024-56326"], - "modified": "", + "aliases": ["CVE-2024-56326", "ROOT-APP-PYPI-CVE-2024-56326"], + "modified": "", "published": "2024-12-23T17:56:08Z", "related": [ "CGA-3cj4-2jg2-4qm3", From 9cc3bae1fb77f29e0d830dd80b4dfaadfd327875 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 12 Jan 2026 14:29:56 +1100 Subject: [PATCH 14/17] Update snaps and add makefile to make it easier --- Makefile | 6 +++++ gcp/api/run_tests_e2e.sh | 1 + .../__snapshots__/cassette_single_query.snap | 22 +++++++++++++++---- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index bfd4e43a4c6..17017e4d94e 100644 --- a/Makefile +++ b/Makefile 
@@ -47,6 +47,12 @@ api-server-tests: test -f $(HOME)/.config/gcloud/application_default_credentials.json || (echo "GCP Application Default Credentials not set, try 'gcloud auth login --update-adc'"; exit 1) cd gcp/api && docker build -f Dockerfile.esp -t osv/esp:latest . cd gcp/api && ./run_tests.sh $(HOME)/.config/gcloud/application_default_credentials.json + cd gcp/api && ./run_tests_e2e.sh $(HOME)/.config/gcloud/application_default_credentials.json + +update-api-snapshots: + test -f $(HOME)/.config/gcloud/application_default_credentials.json || (echo "GCP Application Default Credentials not set, try 'gcloud auth login --update-adc'"; exit 1) + cd gcp/api && docker build -f Dockerfile.esp -t osv/esp:latest . + cd gcp/api && UPDATE_SNAPS=true ./run_tests_e2e.sh $(HOME)/.config/gcloud/application_default_credentials.json lint: GOTOOLCHAIN=go1.25.5 $(run-cmd) tools/lint_and_format.sh diff --git a/gcp/api/run_tests_e2e.sh b/gcp/api/run_tests_e2e.sh index 0ebd0bd8bdf..a1681a885c5 100755 --- a/gcp/api/run_tests_e2e.sh +++ b/gcp/api/run_tests_e2e.sh @@ -25,4 +25,5 @@ service docker start || true set -e +poetry install poetry run python run_apitester.py "$1" diff --git a/tools/apitester/__snapshots__/cassette_single_query.snap b/tools/apitester/__snapshots__/cassette_single_query.snap index cd31c4584ce..789c057daf6 100755 --- a/tools/apitester/__snapshots__/cassette_single_query.snap +++ b/tools/apitester/__snapshots__/cassette_single_query.snap 
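Review bot: `update-api-snapshots` repeats the ADC existence check and the `docker build -f Dockerfile.esp -t osv/esp:latest .` line verbatim from `api-server-tests` (whose target line sits just above this hunk), so the two recipes will drift the first time either is edited; pulling both steps into prerequisite targets keeps one copy. The path `$(HOME)/.config/gcloud/application_default_credentials.json` also appears three times in the new target alone and reads better as a single variable, `ADC_FILE := $(HOME)/.config/gcloud/application_default_credentials.json`. Whether `UPDATE_SNAPS=true` is consumed by the Go tests is not visible in this hunk, and if the Makefile declares `.PHONY` the new targets belong there as well.
```makefile
ADC_FILE := $(HOME)/.config/gcloud/application_default_credentials.json

api-check-adc:
	test -f $(ADC_FILE) || (echo "GCP Application Default Credentials not set, try 'gcloud auth login --update-adc'"; exit 1)

api-esp-image: api-check-adc
	cd gcp/api && docker build -f Dockerfile.esp -t osv/esp:latest .

# … unchanged: api-server-tests target line (outside this hunk) …
api-server-tests: api-esp-image
	cd gcp/api && ./run_tests.sh $(ADC_FILE)
	cd gcp/api && ./run_tests_e2e.sh $(ADC_FILE)

update-api-snapshots: api-esp-image
	cd gcp/api && UPDATE_SNAPS=true ./run_tests_e2e.sh $(ADC_FILE)
```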
@@ -271,18 +271,32 @@ }, { "id": "CVE-2026-22693", + "summary": "Null Pointer Dereference in SubtableUnicodesCache::create leading to DoS", "details": "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.", "aliases": ["GHSA-xvjr-f2r9-c7ww"], "modified": "", - "published": "2026-01-10T06:15:52.063Z", + "published": "2026-01-10T05:53:21.019Z", + "database_specific": "", "references": [ + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/01/11/1" + }, { "type": "ADVISORY", - "url": "https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww" + "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22693.json" }, { "type": "FIX", "url": "https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae" + }, + { + "type": "ADVISORY", + "url": "https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22693" } ], "affected": [ @@ -296,12 +310,12 @@ "introduced": "0" }, { - "fixed": "1265ff8d990284f04d8768f35b0e20ae5f60daae" + "fixed": "b0af59229cc233a66106c696534ac39be56093d8" } ] } ], - "versions": 207, + "versions": 206, "database_specific": "" } ], From 56e6cba43642f48caf96b5d641fea0128da4366d Mon Sep 17 00:00:00 2001 
From: Rex P
Date: Mon, 12 Jan 2026 14:32:47 +1100
Subject: [PATCH 15/17] Add docs
---
CONTRIBUTING.md | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 14da6bd5ef1..e6efd4f909f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -142,6 +142,17 @@ gcloud auth login --update-adc
make run-api-server
```
+#### API E2E Snapshots
+
+If you have made any changes to the API, please update the API query snapshots with
+
+```shell
+gcloud auth login --update-adc
+make update-api-snapshots
+```
+
+and check the git diff to see if the API result changes are expected.
+
### Making commits
Please follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification for commit messages. This helps us to automate processes like changelog generation and ensures a clear and consistent commit history.
From 1a9e0b55023470581d38621ca5d49d562159186a Mon Sep 17 00:00:00 2001
From: Rex P
Date: Thu, 15 Jan 2026 15:40:12 +1100
Subject: [PATCH 16/17] Address PR comments
---
gcp/api/cloudbuild.yaml | 4 +---
gcp/api/run_tests_e2e.sh | 4 +++-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/gcp/api/cloudbuild.yaml b/gcp/api/cloudbuild.yaml
index f2f21a6f8ce..d7cad579243 100644
--- a/gcp/api/cloudbuild.yaml
+++ b/gcp/api/cloudbuild.yaml
@@ -45,9 +45,7 @@ steps:
id: 'api-snapshot-tests'
dir: gcp/api
args: ['bash', '-ex', 'run_tests_e2e.sh', '/workspace/dummy.json']
- env:
- - CLOUDBUILD=1
- # Don't run at the same time as api-tests
+ # Don't run at the same time as api-tests
waitFor: ['init', 'sync', 'api-tests']
timeout: 7200s
diff --git a/gcp/api/run_tests_e2e.sh b/gcp/api/run_tests_e2e.sh
index a1681a885c5..aebf45a5e02 100755
--- a/gcp/api/run_tests_e2e.sh
+++ b/gcp/api/run_tests_e2e.sh
@@ -25,5 +25,7 @@ service docker start || true
set -e
-poetry install
+if [ -z "$CLOUDBUILD" ]; then
+ poetry sync
+fi
poetry run python run_apitester.py "$1"
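Review bot: Removing `env: - CLOUDBUILD=1` from the `api-snapshot-tests` step takes away the only visible place that set the variable, while the `run_tests_e2e.sh` hunk in this same patch now branches on it (`if [ -z "$CLOUDBUILD" ]; then poetry sync; fi`), and whether `run_apitester.py`, which that script runs, reads it as well is outside these hunks. If the step's image or an earlier build step does not export `CLOUDBUILD`, the step silently takes the local-development path and runs `poetry sync` on every build, so a comment on the step stating where the variable now comes from would make the dependency explicit, e.g. `# CLOUDBUILD is expected from the build environment; run_tests_e2e.sh skips 'poetry sync' when it is set`. Note also that the shell test is on emptiness, so any non-empty value, including `0`, counts as set. The step's `- name:` line is above this hunk.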
From 6a1ba7ffcfa992b6beb258e89e1352c25b2ab6ec Mon Sep 17 00:00:00 2001
From: Rex P
Date: Fri, 16 Jan 2026 11:17:20 +1100
Subject: [PATCH 17/17] Update snapsohts
---
.../__snapshots__/cassette_TestCommand.snap | 80 ++++++++++---------
...cassette_TestCommand_JavareachArchive.snap | 16 ++--
.../__snapshots__/cassette_single_query.snap | 20 ++++-
3 files changed, 69 insertions(+), 47 deletions(-)
diff --git a/tools/apitester/__snapshots__/cassette_TestCommand.snap b/tools/apitester/__snapshots__/cassette_TestCommand.snap
index 45e25faf249..ff2efcb1020 100755
--- a/tools/apitester/__snapshots__/cassette_TestCommand.snap
+++ b/tools/apitester/__snapshots__/cassette_TestCommand.snap
@@ -61,35 +61,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963",
@@ -201,35 +201,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963",
@@ -333,35 +333,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963",
@@ -473,35 +473,35 @@ "vulns": [ { "id": "GO-2024-2598", - "modified": "" + "modified": "" }, { "id": "GO-2024-2599", - "modified": "" + "modified": "" }, { "id": "GO-2024-2600", - "modified": "" + "modified": "" }, { "id": "GO-2024-2609", - "modified": "" + "modified": "" }, { "id": "GO-2024-2610", - "modified": "" + "modified": "" }, { "id": "GO-2024-2687", - "modified": "" + "modified": "" }, { "id": "GO-2024-2887", - "modified": "" + "modified": "" }, { "id": "GO-2024-2888", - "modified": "" + "modified": "" }, { "id": "GO-2024-2963",
@@ -1491,10 +1491,6 @@ "id": "DEBIAN-CVE-2024-56171", "modified": "" }, - { - "id": "DEBIAN-CVE-2025-12863", - "modified": "" - }, { "id": "DEBIAN-CVE-2025-24928", "modified": ""
@@ -1535,6 +1531,18 @@ "id": "DEBIAN-CVE-2025-9714", "modified": "" }, + { + "id": "DEBIAN-CVE-2026-0989", + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-0990", + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-0992", + "modified": "" + }, { "id": "DLA-3012-1", "modified": ""
diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap b/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap
index 194e20f8c60..783c963fe76 100755
--- a/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap
+++ b/tools/apitester/__snapshots__/cassette_TestCommand_JavareachArchive.snap
@@ -27,7 +27,7 @@ "vulns": [ { "id": "GHSA-288c-cq4h-88gq", - "modified": "" + "modified": "" }, { "id": "GHSA-4gq5-ch57-c2mg",
@@ -39,7 +39,7 @@ }, { "id": "GHSA-57j2-w4cx-62h2", - "modified": "" + "modified": "" }, { "id": "GHSA-5949-rw7g-wx7w",
@@ -151,7 +151,7 @@ }, { "id": "GHSA-jjjh-jjxp-wpff", - "modified": "" + "modified": "" }, { "id": "GHSA-m6x4-97wx-4q27",
@@ -195,7 +195,7 @@ }, { "id": "GHSA-rgv9-q543-rqg4", - "modified": "" + "modified": "" }, { "id": "GHSA-rpr3-cw39-3pxh",
@@ -316,7 +316,7 @@ "vulns": [ { "id": "GHSA-288c-cq4h-88gq", - "modified": "" + "modified": "" }, { "id": "GHSA-4gq5-ch57-c2mg",
@@ -328,7 +328,7 @@ }, { "id": "GHSA-57j2-w4cx-62h2", - "modified": "" + "modified": "" }, { "id": "GHSA-5949-rw7g-wx7w",
@@ -440,7 +440,7 @@ }, { "id": "GHSA-jjjh-jjxp-wpff", - "modified": "" + "modified": "" }, { "id": "GHSA-m6x4-97wx-4q27",
@@ -484,7 +484,7 @@ }, { "id": "GHSA-rgv9-q543-rqg4", - "modified": "" + "modified": "" }, { "id": "GHSA-rpr3-cw39-3pxh",
diff --git a/tools/apitester/__snapshots__/cassette_single_query.snap b/tools/apitester/__snapshots__/cassette_single_query.snap
index 789c057daf6..c2b16c15bc6 100755
--- a/tools/apitester/__snapshots__/cassette_single_query.snap
+++ b/tools/apitester/__snapshots__/cassette_single_query.snap
@@ -82,7 +82,10 @@ { "id": "CVE-2022-33068", "details": "An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.", - "aliases": ["ROOT-OS-DEBIAN-bullseye-CVE-2022-33068"], + "aliases": [ + "ROOT-OS-DEBIAN-11-CVE-2022-33068", + "ROOT-OS-DEBIAN-bullseye-CVE-2022-33068" + ], "modified": "", "published": "2022-06-23T17:15:14.350Z", "related": [
@@ -165,6 +168,8 @@ "id": "CVE-2023-25193", "details": "hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.", "aliases": [ + "ROOT-OS-DEBIAN-11-CVE-2023-25193", + "ROOT-OS-DEBIAN-12-CVE-2023-25193", "ROOT-OS-DEBIAN-bookworm-CVE-2023-25193", "ROOT-OS-DEBIAN-bullseye-CVE-2023-25193" ], @@ -273,7 +278,7 @@ "id": "CVE-2026-22693", "summary": "Null Pointer Dereference in SubtableUnicodesCache::create leading to DoS", "details": "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.", - "aliases": ["GHSA-xvjr-f2r9-c7ww"], + "aliases": ["GHSA-xvjr-f2r9-c7ww", "ROOT-OS-DEBIAN-13-CVE-2026-22693"], "modified": "", "published": "2026-01-10T05:53:21.019Z", "database_specific": "", @@ -282,6 +287,10 @@ "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2026/01/11/1" }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/01/12/1" + }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22693.json" 
@@ -738,7 +747,11 @@ "id": "CURL-CVE-2024-9681", "summary": "HSTS subdomain overwrites parent cache entry", "details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", - "aliases": ["CVE-2024-9681", "ROOT-OS-DEBIAN-bullseye-CVE-2024-9681"], + "aliases": [ + "CVE-2024-9681", + "ROOT-OS-DEBIAN-11-CVE-2024-9681", + "ROOT-OS-DEBIAN-bullseye-CVE-2024-9681" + ], "modified": "", "published": "2024-11-05T08:00:00Z", "database_specific": "", 
@@ -1877,6 +1890,7 @@ "details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "aliases": [ "CURL-CVE-2024-9681", + "ROOT-OS-DEBIAN-11-CVE-2024-9681", "ROOT-OS-DEBIAN-bullseye-CVE-2024-9681" ], "modified": "",