cyberark · dependabot · Dec 12, 2023 · Dec 6, 2023 · Dec 15, 2023 · Dec 14, 2023
diff --git a/.dockerignore b/.dockerignore
@@ -12,6 +12,7 @@ cucumber
 
 *.deb
 .git
+.idea
 engines/conjur_audit/spec/dummy/log
 coverage
 demo

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,10 +1,12 @@
-* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
+* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team @conjur-enterprise/conjur-core @conjur-enterprise/community-and-integrations @conjur-enterprise/transition-tech
 
 # Changes to .trivyignore require Security Architect approval
-.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects  @conjur-enterprise/conjur-security
 
 # Changes to .codeclimate.yml require Quality Architect approval
-.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects @conjur-enterprise/conjur-quality
+
+*.md @conjur-enterprise/r-d-developers @conjur-enterprise/transition-tech
 
 # Changes to SECURITY.md require Security Architect approval
-SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects @conjur-enterprise/conjur-security
diff --git a/.gitignore b/.gitignore
@@ -48,7 +48,8 @@ api.html
 
 brakeman-output.*
 .idea
-.vscode
+.vscode/*
+!.vscode/launch.json
 TEMP_NOTES.txt
 awstest
 
@@ -74,3 +75,4 @@ conjur_git_commit
 dev/policies/authenticators/authn-oidc/identity-users.yml
 
 VERSION
+key.txt
diff --git a/.simplecov b/.simplecov
@@ -1,3 +1,5 @@
+require 'socket'
+
 SimpleCov.start('rails') do
   command_name "SimpleCov #{rand(1000000)}"
   coverage_dir File.join(ENV['REPORT_ROOT'] || __dir__, 'coverage')
@@ -7,6 +9,9 @@ SimpleCov.start('rails') do
   primary_coverage :branch
 end
 
+# Generate coverage report on exit, this is not going to interfere with the socket server approach and is meant for a
+# different use case. This will generate the report when the process exits and there is no need to keep process running
+# to keep the pod alive until the report can be gathered by the CI.
 SimpleCov.at_exit do
   puts "Formatting SimpleCov coverage report"
   SimpleCov.result.format!
@@ -15,3 +20,25 @@ SimpleCov.at_exit do
     sleep
   end
 end
+
+# We open a UNIX socket server to listen for requests to generate the report. The coverage data is gathered from the
+# service process and integration tests are executed in a separate process. This allows us to generate the report
+# after the integration tests are executed in a synchronous way. This will prevent from attempt go gather the report
+# before it is fully generated since the socket communication will block the request until the report is generated.
+# The socket server will listen for a request to generate the report and will return a message when the report is
+# generated. Intentionally this will support only a single request to generate the report, subsequent requests should
+# be treated as an error.
+server = UNIXServer.new("/tmp/simplecov.sock")
+
+Thread.new do
+  session = server.accept
+  request = session.gets
+
+  if request&.strip == "generate_report"
+    SimpleCov.result.format!
+    session.puts "Report generated"
+  else
+    session.puts "Unknown command"
+  end
+  session.close
+end
diff --git a/.trivyignore b/.trivyignore
@@ -1,93 +0,0 @@
-# OpenSSL CVEs
-#
-# Because of the way OpenSSL 1.0.2 has moved to premium support and our Ubuntu
-# base image, trivy flags a number of OpenSSL issues in Conjur because the fix
-# for most Ubuntu users is to move to 1.1.1 instead of having the continued support
-# in the 1.0.2 line. Additionally, trivy flages 1.0.2zf as vulnerable to issues that
-# only affect 1.1.x. As of the time of this writing, we use 1.0.2zf which either
-# has the fix or is unaffected by these issues.
-CVE-2022-2097
-CVE-2022-2068
-CVE-2022-1292
-CVE-2022-0778
-CVE-2021-23841
-CVE-2021-23840
-CVE-2021-3712
-CVE-2019-1563
-CVE-2019-1551
-CVE-2019-1549
-CVE-2019-1547
-CVE-2018-0735
-CVE-2018-0734
-
-# NULL pointer deref. OpenSSL 1.0.2 is not impacted
-CVE-2021-3449
-
-# We already use a later version than the ones listed as impacted by this
-# CVE, so we believe this is just a scanner issue.
-CVE-2014-7819
-
-# Rake vulnerability for versions < 12.3.3. The version of Rake used by Conjur
-# has been updated to 13.0.1. Some of the Conjur dependencies still declare a
-# vulnerable version of Rake in their development dependencies, but do not pose
-# a risk to Conjur.
-CVE-2020-8130
-
-# Applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake
-# may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert"
-# TLS extension. this issue was fixed in OpenSSL 1.1.1g
-#
-# In order to support fips with openssl we are required to downgrading openssl version to 1.0.2 until openssl will
-# support fips module in newer versions
-# This vulnerability this is not relevant to us as
-# 1. The installed version (1.0.2u) does not support 1.3
-# 2. Trivy detect the usage of openssl 1.0.2 (can be reproduced with
-#    docker run -v /var/run/docker.sock:/var/run/docker.sock
-#   -v $(PWD):/workspace --rm aquasec/trivy -f json -o /workspace/scan_results-conjur-unfixed.json --no-progress
-#   --ignorefile .trivyignore registry.tld/ruby-fips-base-image-phusion:1.0.0)
-#
-# Performed by @yahalomk approved by @shaharglazner
-CVE-2020-1967
-
-# CVE-2020-1971
-# The X.509 GeneralName type is a generic type for representing different types
-# of names. One of those name types is known as EDIPartyName. OpenSSL provides a
-# function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
-# to see if they are equal or not. This function behaves incorrectly when both
-# GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
-# may occur leading to a possible denial of service attack.
-# OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
-#
-# 1) Comparing CRL distribution point names between an available CRL and a CRL
-#    distribution point embedded in an X509 certificate.
-#
-# 2) When verifying that a timestamp response token signer matches the timestamp
-#    authority name (exposed via the API functions TS_RESP_verify_response and
-#    TS_RESP_verify_token) If an attacker can control both items being compared
-#    then that attacker could trigger a crash.
-#
-# All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Fixed in OpenSSL
-# 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
-#
-# In order to support FIPS with OpenSSL we are required to use OpenSSL version
-# 1.0.2 until OpenSSL supports the FIPS module in newer versions. The latest
-# available version to us is 1.0.2u, which does not include this fix.
-#
-# We've determined that we are not impacted by this vulnerability because:
-# - we do not directly perform CRL checks in the Conjur or DAP software
-# - we do not enable automatic CRL checks in openssl tools
-# - we do not call any of the impacted OpenSSL APIs or any of the APIs that expose
-#   impacted behavior.
-#
-# Performed by @micahlee, approved by @andytinkham
-CVE-2020-1971
-
-# CVE-2021-3711
-# The vulnerability is not affected Conjur's version of OpenSSL 1.0.2u (https://www.openssl.org/news/secadv/20210824.txt)
-# Conjur does not use SM2 algorithm (https://www.openssl.org/docs/manmaster/man7/SM2.html)
-CVE-2021-3711
-
-# We have the fix for CVE-2023-0286 in openssl 1.0.2zg, but because OpenSSL 1.0.2 
-# is only available in premium support, trivy thinks we should use something in the 1.1.1
-# line. We can't, due to FIPS compliance, so need to continue to ignore this issue.
-CVE-2023-0286

diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -0,0 +1,15 @@
+{
+    // See CONTRIBUTING.md for more details on debugging Conjur in VSCode
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "type": "rdbg",
+            "request": "attach",
+            "name": "Attach with rdbg (tcp 12345)",
+            "debugPort": "127.0.0.1:12345",
+            "localfsMap": "/src/conjur-server:${workspaceFolder}"
+            // In the conjur container, run:
+            // bundle exec rdbg --open --port=12345 --host=0.0.0.0 -c -- rails server -b 0.0.0.0 -u webrick
+        },
+    ]
+}
diff --git a/API_VERSION b/API_VERSION
@@ -1 +1 @@
-5.3.0
+5.3.1
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,7 @@ cucumber @@
     *.deb
     .git
+    .idea
     engines/conjur_audit/spec/dummy/log
     coverage
     demo
@@ Expand Down @@