Skip to content

ci: add dry-run execution of semantic-release for validation purposes#321

Merged
Djaytan merged 1 commit into
mainfrom
ci/semantic-release-dry-run
Aug 10, 2025
Merged

ci: add dry-run execution of semantic-release for validation purposes#321
Djaytan merged 1 commit into
mainfrom
ci/semantic-release-dry-run

Conversation

@Djaytan

@Djaytan Djaytan commented Aug 10, 2025

Copy link
Copy Markdown
Owner

No description provided.

@Djaytan
Djaytan force-pushed the ci/semantic-release-dry-run branch from a3dad76 to 340d523 Compare August 10, 2025 11:49
@sonarqubecloud

Copy link
Copy Markdown

@github-actions

github-actions Bot commented Aug 10, 2025

Copy link
Copy Markdown

Overview

Image reference djaytan/papermc-server:1.21.4 djaytan/papermc-server:test
- digest cb4f787f0dc9 31f0592ee5e1
- tag 1.21.4 test
- stream latest
- provenance d623615
- vulnerabilities critical: 0 high: 5 medium: 5 low: 0 critical: 0 high: 5 medium: 5 low: 0
- platform linux/amd64 linux/amd64
- size 133 MB 144 MB (+10 MB)
- packages 170 177 (+7)
Base Image alpine:3.22.0
also known as:
3
3.22
latest
alpine:3
also known as:
3.22
latest
- vulnerabilities critical: 0 high: 0 medium: 1 low: 0 critical: 0 high: 0 medium: 1 low: 0
Policies (1 improved, 1 worsened, 3 missing data)
Policy Name djaytan/papermc-server:1.21.4 djaytan/papermc-server:test Change Standing
No unapproved base images ❓ No data
Default non-root user No Change
No AGPL v3 licenses No Change
No fixable critical or high vulnerabilities ⚠️ 6 ⚠️ 5 -1 Improved
No high-profile vulnerabilities No Change
No outdated base images ❓ No data
SonarQube quality gates passed ❓ No data ❓ No data
Supply chain attestations ⚠️ 2 +2 Worsened
Packages and Vulnerabilities (9 package changes and 0 vulnerability changes)
  • ➕ 8 packages added
  • ➖ 1 packages removed
  • 165 packages unchanged
Changes for packages of type apk (7 changes)
Package Version
djaytan/papermc-server:1.21.4
Version
djaytan/papermc-server:test
alpine-base 3.22.0-r0
ca-certificates 20241121-r2
gcc 14.2.0-r6
ncurses 6.5_p20250503-r0
openssl 3.5.0-r0
critical: 0 high: 0 medium: 1 low: 0
Added vulnerabilities (1):
  • medium : CVE--2025--4575
pax-utils 1.3.8-r1
xz 5.8.1-r0
Changes for packages of type generic (2 changes)
Package Version
djaytan/papermc-server:1.21.4
Version
djaytan/papermc-server:test
openjdk 21.0.7
openjdk 21.0.7

@github-actions

github-actions Bot commented Aug 10, 2025

Copy link
Copy Markdown

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test
digestsha256:31f0592ee5e1de1930b20901f3f4ec4e9b3e0cbe8907b8381533e718752d478b
vulnerabilitiescritical: 0 high: 5 medium: 5 low: 0
platformlinux/amd64
size144 MB
packages177
📦 Base Image alpine:3
also known as
  • 3.22
  • 3.22.0
  • latest
digestsha256:08001109a7d679fe33b04fa51d681bd40b975d8f5cea8c3ef6c0eccb6a7338ce
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 1 low: 0 org.apache.commons/commons-compress 1.5 (maven)

pkg:maven/org.apache.commons/commons-compress@1.5

high 7.5: CVE--2021--36090 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.279%
EPSS Percentile51st percentile
Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

high 7.5: CVE--2021--35517 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.314%
EPSS Percentile54th percentile
Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

high 7.5: CVE--2021--35516 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.311%
EPSS Percentile54th percentile
Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

high 7.5: CVE--2021--35515 Excessive Iteration

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.120%
EPSS Percentile32nd percentile
Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

medium 5.9: CVE--2024--25710 Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range>=1.3
<1.26.0
Fixed version1.26.0
CVSS Score5.9
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score0.012%
EPSS Percentile1st percentile
Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

critical: 0 high: 1 medium: 0 low: 0 com.google.protobuf/protobuf-java 4.26.1 (maven)

pkg:maven/com.google.protobuf/protobuf-java@4.26.1

high 8.7: CVE--2024--7254 Improper Input Validation

Affected range>=4.0.0.rc.1
<4.27.5
Fixed version4.27.5
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score0.171%
EPSS Percentile39th percentile
Description

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

  • protobuf-java (3.25.5, 4.27.5, 4.28.2)
  • protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
  • com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
critical: 0 high: 0 medium: 2 low: 0 golang.org/x/net 0.34.0 (golang)

pkg:golang/golang.org/x/net@0.34.0

medium 5.3: CVE--2025--22872 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<0.38.0
Fixed version0.38.0
CVSS Score5.3
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS Score0.033%
EPSS Percentile8th percentile
Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

medium 4.4: CVE--2025--22870 Misinterpretation of Input

Affected range<0.36.0
Fixed version0.36.0
CVSS Score4.4
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Score0.012%
EPSS Percentile1st percentile
Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

critical: 0 high: 0 medium: 1 low: 0 commons-lang/commons-lang 2.6 (maven)

pkg:maven/commons-lang/commons-lang@2.6

medium 6.5: CVE--2025--48924 Uncontrolled Recursion

Affected range>=2.0
<=2.6
Fixed versionNot Fixed
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score0.277%
EPSS Percentile51st percentile
Description

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

critical: 0 high: 0 medium: 1 low: 0 openssl 3.5.0-r0 (apk)

pkg:apk/alpine/openssl@3.5.0-r0?os_name=alpine&os_version=3.22

medium : CVE--2025--4575

Affected range<3.5.1-r0
Fixed version3.5.1-r0
EPSS Score0.030%
EPSS Percentile7th percentile
Description

@Djaytan
Djaytan merged commit 3564903 into main Aug 10, 2025
7 checks passed
@Djaytan
Djaytan deleted the ci/semantic-release-dry-run branch August 10, 2025 11:56
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 3.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant