WORKSPACE.yaml
# this file makes this a leeway workspace
defaultTarget: components:all
defaultArgs:
  imageRepoBase: "eu.gcr.io/gitpod-dev-artifact/build"
  coreYarnLockBase: ../..
  npmPublishTrigger: false
  publishToNPM: false
  publishToJBMarketplace: false
  localAppVersion: unknown
  codeCommit: ad8e28e2ea7b21673c6ade4f2fbde7ddfa23dc98
  codeVersion: 1.111.0
  codeQuality: stable
  codeWebExtensionCommit: 3953e8160fffa97dd4a4509542b4bf7ff9b704cd
  xtermCommit: d547d4ff4590b66c3ea24342fc62e3afcf6b77bc
  noVerifyJBPlugin: false
  intellijDownloadUrl: "https://download.jetbrains.com/idea/ideaIU-2025.1.1.1.tar.gz"
  golandDownloadUrl: "https://download.jetbrains.com/go/goland-2025.1.1.tar.gz"
  pycharmDownloadUrl: "https://download.jetbrains.com/python/pycharm-2025.1.1.1.tar.gz"
  phpstormDownloadUrl: "https://download.jetbrains.com/webide/PhpStorm-2025.1.1.tar.gz"
  rubymineDownloadUrl: "https://download.jetbrains.com/ruby/RubyMine-2025.1.1.tar.gz"
  webstormDownloadUrl: "https://download.jetbrains.com/webstorm/WebStorm-2025.1.1.tar.gz"
  riderDownloadUrl: "https://download.jetbrains.com/rider/JetBrains.Rider-2024.1.4.tar.gz"
  clionDownloadUrl: "https://download.jetbrains.com/cpp/CLion-2025.1.1.tar.gz"
  rustroverDownloadUrl: "https://download.jetbrains.com/rustrover/RustRover-2025.1.2.tar.gz"
  jbBackendVersion: "latest"
  dockerVersion: "27.5.1"
  dockerComposeVersion: "2.40.3"
  ipfsKuboVersion: "v0.18.0"
  ipfsClusterVersion: "v1.0.8"
  schedulerExtenderVersion: "c1925d8"
provenance:
  enabled: true
  slsa: true
sbom:
  enabled: true
  ignoreVulnerabilities:
    - vulnerability: GHSA-fx4w-v43j-vc45
      reason: |
        TypeORM's findOne / findOneOrFail functions can improperly interpret a crafted JSON object
        and concatenate it into raw SQL, potentially allowing SQL injection attacks.
        In Gitpod's usage, TypeORM is not exposed to arbitrary user input. For example, DB migrations run preset queries;
        the server/bridge code does not hand raw JSON from external sources to findOne. Therefore, there is no path for
        injecting malicious JSON into a query, rendering the vulnerability non-exploitable.
    - vulnerability: GHSA-2jcg-qqmg-46q6
      reason: |
        This is a false positive. See https://github.com/browserify/resolve/issues/303
    - vulnerability: GHSA-p77j-4mvh-x3m3
      reason: |
        The only remaining instance is in the cloud_sql_proxy binary (v1.37.14, grpc v1.79.2)
        bundled in gitpod-db. This component is no longer deployed in any environment.
        No upstream cloud_sql_proxy v1.x release includes the fix (grpc v1.79.3).
environmentManifest:
  - name: "go"
    command: ["sh", "-c", "go version | sed s/arm/amd/"]
  - name: "arch"
    command: ["sh", "-c", "echo amd64"]
defaultVariant:
  env:
    - GOARCH=amd64
    - DOCKER_DEFAULT_PLATFORM=linux/amd64
    - NODE_OPTIONS=--max_old_space_size=8192
    - LEEWAY_BUILD=true
  srcs:
    exclude:
      # Make sure we don't include node_modules/**/*.ts by accident
      - "**/node_modules/**"
  config:
    go:
      lintCommand:
        [
          "sh",
          "-c",
          "golangci-lint run --disable govet,errcheck,staticcheck --allow-parallel-runners --timeout 15m",
        ]