mirror of
https://github.com/Mintplex-Labs/anything-llm.git
synced 2024-11-19 12:40:09 +01:00
Merge branch 'master' of github.com:Mintplex-Labs/anything-llm into render
This commit is contained in:
commit
f30e80d109
37
.github/workflows/build-and-push-image.yaml
vendored
37
.github/workflows/build-and-push-image.yaml
vendored
@ -22,7 +22,6 @@ on:
|
|||||||
- '.github/ISSUE_TEMPLATE/**/*'
|
- '.github/ISSUE_TEMPLATE/**/*'
|
||||||
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
|
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
|
||||||
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
|
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
|
||||||
- 'docker/vex/*' # CVE exceptions we know are not in risk
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
push_multi_platform_to_registries:
|
push_multi_platform_to_registries:
|
||||||
@ -95,3 +94,39 @@ jobs:
|
|||||||
labels: ${{ steps.meta.outputs.labels }}
|
labels: ${{ steps.meta.outputs.labels }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
|
|
||||||
|
# For Docker scout there are some intermediary reported CVEs which exists outside
|
||||||
|
# of execution content or are unreachable by an attacker but exist in image.
|
||||||
|
# We create VEX files for these so they don't show in scout summary.
|
||||||
|
- name: Collect known and verified CVE exceptions
|
||||||
|
id: cve-list
|
||||||
|
run: |
|
||||||
|
# Collect CVEs from filenames in vex folder
|
||||||
|
CVE_NAMES=""
|
||||||
|
for file in ./docker/vex/*.vex.json; do
|
||||||
|
[ -e "$file" ] || continue
|
||||||
|
filename=$(basename "$file")
|
||||||
|
stripped_filename=${filename%.vex.json}
|
||||||
|
CVE_NAMES+=" $stripped_filename"
|
||||||
|
done
|
||||||
|
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
|
||||||
|
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
|
||||||
|
- name: Add VEX attestations
|
||||||
|
env:
|
||||||
|
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
|
||||||
|
run: |
|
||||||
|
echo $CVE_EXCEPTIONS
|
||||||
|
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
|
||||||
|
for cve in $CVE_EXCEPTIONS; do
|
||||||
|
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
|
||||||
|
echo "Attaching VEX exception $cve to $tag"
|
||||||
|
docker scout attestation add \
|
||||||
|
--file "./docker/vex/$cve.vex.json" \
|
||||||
|
--predicate-type https://openvex.dev/ns/v0.2.0 \
|
||||||
|
$tag
|
||||||
|
done
|
||||||
|
done
|
||||||
|
shell: bash
|
||||||
|
43
.github/workflows/dev-build.yaml
vendored
43
.github/workflows/dev-build.yaml
vendored
@ -1,4 +1,4 @@
|
|||||||
name: Publish AnythingLLM Development Docker image (amd64)
|
name: AnythingLLM Development Docker image (amd64)
|
||||||
|
|
||||||
concurrency:
|
concurrency:
|
||||||
group: build-${{ github.ref }}
|
group: build-${{ github.ref }}
|
||||||
@ -6,7 +6,7 @@ concurrency:
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: ['jwt-bump'] # put your current branch to create a build. Core team only.
|
branches: ['vex'] # put your current branch to create a build. Core team only.
|
||||||
paths-ignore:
|
paths-ignore:
|
||||||
- '**.md'
|
- '**.md'
|
||||||
- 'cloud-deployments/*'
|
- 'cloud-deployments/*'
|
||||||
@ -16,7 +16,6 @@ on:
|
|||||||
- '.github/ISSUE_TEMPLATE/**/*'
|
- '.github/ISSUE_TEMPLATE/**/*'
|
||||||
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
|
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
|
||||||
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
|
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
|
||||||
- 'docker/vex/*' # CVE exceptions we know are not in risk
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
push_multi_platform_to_registries:
|
push_multi_platform_to_registries:
|
||||||
@ -75,3 +74,41 @@ jobs:
|
|||||||
labels: ${{ steps.meta.outputs.labels }}
|
labels: ${{ steps.meta.outputs.labels }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
|
|
||||||
|
# For Docker scout there are some intermediary reported CVEs which exists outside
|
||||||
|
# of execution content or are unreachable by an attacker but exist in image.
|
||||||
|
# We create VEX files for these so they don't show in scout summary.
|
||||||
|
- name: Collect known and verified CVE exceptions
|
||||||
|
id: cve-list
|
||||||
|
run: |
|
||||||
|
# Collect CVEs from filenames in vex folder
|
||||||
|
CVE_NAMES=""
|
||||||
|
for file in ./docker/vex/*.vex.json; do
|
||||||
|
[ -e "$file" ] || continue
|
||||||
|
filename=$(basename "$file")
|
||||||
|
stripped_filename=${filename%.vex.json}
|
||||||
|
CVE_NAMES+=" $stripped_filename"
|
||||||
|
done
|
||||||
|
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
|
||||||
|
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
|
||||||
|
- name: Add VEX attestations
|
||||||
|
env:
|
||||||
|
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
|
||||||
|
run: |
|
||||||
|
echo $CVE_EXCEPTIONS
|
||||||
|
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
|
||||||
|
for cve in $CVE_EXCEPTIONS; do
|
||||||
|
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
|
||||||
|
echo "Attaching VEX exception $cve to $tag"
|
||||||
|
docker scout attestation add \
|
||||||
|
--file "./docker/vex/$cve.vex.json" \
|
||||||
|
--predicate-type https://openvex.dev/ns/v0.2.0 \
|
||||||
|
$tag
|
||||||
|
done
|
||||||
|
done
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
|
@ -11,41 +11,12 @@
|
|||||||
},
|
},
|
||||||
"timestamp": "2024-07-22T13:49:12.883678-07:00",
|
"timestamp": "2024-07-22T13:49:12.883678-07:00",
|
||||||
"products": [
|
"products": [
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@render",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
{
|
||||||
"@id": "pkg:npm/taffydb@2.6.2"
|
"@id": "pkg:npm/taffydb@2.6.2"
|
||||||
}
|
}
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@railway",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
|
||||||
"@id": "pkg:npm/taffydb@2.6.2"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@latest",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
|
||||||
"@id": "pkg:npm/taffydb@2.6.2"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@master",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
|
||||||
"@id": "pkg:npm/taffydb@2.6.2"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
],
|
],
|
||||||
"status": "not_affected",
|
"status": "not_affected",
|
||||||
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
|
"justification": "vulnerable_code_not_in_execute_path"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
22
docker/vex/CVE-2024-29415.vex.json
Normal file
22
docker/vex/CVE-2024-29415.vex.json
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
{
|
||||||
|
"@context": "https://openvex.dev/ns/v0.2.0",
|
||||||
|
"@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
|
||||||
|
"author": "tim@mintplexlabs.com",
|
||||||
|
"timestamp": "2024-07-19T16:08:47.147169-07:00",
|
||||||
|
"version": 1,
|
||||||
|
"statements": [
|
||||||
|
{
|
||||||
|
"vulnerability": {
|
||||||
|
"name": "CVE-2024-29415"
|
||||||
|
},
|
||||||
|
"timestamp": "2024-07-19T16:08:47.147172-07:00",
|
||||||
|
"products": [
|
||||||
|
{
|
||||||
|
"@id": "pkg:npm/ip@2.0.0"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"status": "not_affected",
|
||||||
|
"justification": "vulnerable_code_not_present"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
@ -11,41 +11,12 @@
|
|||||||
},
|
},
|
||||||
"timestamp": "2024-07-19T16:08:47.147172-07:00",
|
"timestamp": "2024-07-19T16:08:47.147172-07:00",
|
||||||
"products": [
|
"products": [
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@render",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
{
|
||||||
"@id": "pkg:npm/ws@8.14.2"
|
"@id": "pkg:npm/ws@8.14.2"
|
||||||
}
|
}
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@railway",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
|
||||||
"@id": "pkg:npm/ws@8.14.2"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@latest",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
|
||||||
"@id": "pkg:npm/ws@8.14.2"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"@id": "pkg:docker/mintplexlabs/anythingllm@master",
|
|
||||||
"subcomponents": [
|
|
||||||
{
|
|
||||||
"@id": "pkg:npm/ws@8.14.2"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
],
|
],
|
||||||
"status": "not_affected",
|
"status": "not_affected",
|
||||||
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
|
"justification": "vulnerable_code_not_in_execute_path"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
22
docker/vex/CVE-2024-4068.vex.json
Normal file
22
docker/vex/CVE-2024-4068.vex.json
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
{
|
||||||
|
"@context": "https://openvex.dev/ns/v0.2.0",
|
||||||
|
"@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
|
||||||
|
"author": "tim@mintplexlabs.com",
|
||||||
|
"timestamp": "2024-07-19T16:08:47.147169-07:00",
|
||||||
|
"version": 1,
|
||||||
|
"statements": [
|
||||||
|
{
|
||||||
|
"vulnerability": {
|
||||||
|
"name": "CVE-2024-4068"
|
||||||
|
},
|
||||||
|
"timestamp": "2024-07-19T16:08:47.147172-07:00",
|
||||||
|
"products": [
|
||||||
|
{
|
||||||
|
"@id": "pkg:npm/braces@3.0.2"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"status": "not_affected",
|
||||||
|
"justification": "vulnerable_code_not_present"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user