Release JavaScript Oracle KMS Storage v1.0.0 #873
stas-schaller wants to merge 17 commits into master from
Conversation
* Bump version
* fix: resolve DOM Clobbering CVE-2024-43788 (#689)
* fix: resolve DOM Clobbering CVE-2024-43788
* Upgrade JavaScript tests GHA to use Node 20
* fixed moduleResolution in tsconfig, updated all dependencies
* Added Oracle KMS support to KSM JavaScript SDK.
* fixed markdown syntax
* fixed encryption issue and exception handling for get key details functionality

---------

Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
Co-authored-by: satish_chandra <metron_satish@safebreach.com>
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/oracle | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
| cache-dependency-path: sdk/javascript/packages/oracle/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
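Review bot: the `test` job declares no `permissions:` block, so its GITHUB_TOKEN receives the repository default scope even though the steps only check out code and run `npm test`; add `permissions:` / `contents: read` at the workflow root so the token is read-only regardless of repository settings. In the same hunk, `actions/checkout@v4` and `actions/setup-node@v4` are mutable tag references; pin both to full commit SHAs so a retagged release upstream cannot change what this job executes.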
Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium, job test
Copilot Autofix (AI, 4 months ago):
To fix this problem, add a permissions: block either at the root of the workflow file (which will apply to all jobs) or at the jobs.test level if additional jobs are added in the future with different requirements. The minimal required permission for this workflow is likely contents: read, as the workflow only checks out code and runs tests. Add this block immediately after the workflow name: and before on: (for workflow-wide settings), or at the same indentation level as runs-on: inside the test job block.
No new methods, imports, or definitions are required.
| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - Oracle KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
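The CodeQL finding above (no `permissions:` block) and the mutable `@v3` / `@master` action references in the publish workflow on this page can both be caught before code scanning runs. The following is an added example, not code from this PR or from the Keeper Secrets Manager SDK: a dependency-free Node.js lint over workflow text. `auditWorkflow`, `isPinned` and the two sample workflow strings are constructed for this illustration; the first sample mirrors the test job shown on this page, and the 40-character SHA in the second sample is a placeholder, not a real commit of `actions/checkout`.

```javascript
'use strict';

// A reference that cannot move: a full 40-hex-character commit SHA.
const SHA_RE = /^[0-9a-f]{40}$/i;

function isPinned(ref) {
  return typeof ref === 'string' && SHA_RE.test(ref);
}

// Line-based scan of a workflow file. Returns findings sorted by line number:
//   { line, rule: 'missing-permissions' | 'unpinned-action', detail }
// Assumes the usual GitHub style (2-space indent, one key per line). It is not
// a YAML parser; the naive '#' stripping also cuts '#' inside quoted strings,
// which is acceptable for a pre-commit lint (assumption of this example).
function auditWorkflow(text) {
  const lines = text.split(/\r?\n/);
  let rootPermissions = false;   // top-level permissions: covers every job
  let inJobs = false;
  let jobsIndent = -1;           // indent of job names under jobs:
  let propIndent = -1;           // indent of a job's own keys (runs-on, steps, ...)
  let currentJob = null;
  const jobs = new Map();        // job name -> { line, hasPermissions }
  const unpinned = [];

  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].replace(/#.*$/, '').trimEnd();
    if (!line.trim()) continue;
    const body = line.trim();
    const indent = line.length - line.trimStart().length;

    if (indent === 0) {
      inJobs = body === 'jobs:';
      currentJob = null;
      if (body.startsWith('permissions:')) rootPermissions = true;
      continue;
    }

    if (inJobs) {
      if (jobsIndent < 0) jobsIndent = indent;
      if (indent === jobsIndent && body.endsWith(':')) {
        currentJob = body.slice(0, -1);
        propIndent = -1;
        jobs.set(currentJob, { line: i + 1, hasPermissions: false });
      } else if (currentJob && indent > jobsIndent) {
        if (propIndent < 0) propIndent = indent;
        if (indent === propIndent && body.startsWith('permissions:')) {
          jobs.get(currentJob).hasPermissions = true;
        }
      }
    }

    // "uses:" appears either as "- uses: x@ref" or on its own line after "- name:".
    const m = body.match(/^(?:-\s+)?uses:\s*(\S+)/);
    if (m) {
      const at = m[1].lastIndexOf('@');
      const action = at >= 0 ? m[1].slice(0, at) : m[1];
      const ref = at >= 0 ? m[1].slice(at + 1) : '';
      // Local actions (./path) and docker:// images are out of scope here.
      if (!action.startsWith('./') && !action.startsWith('docker://') && !isPinned(ref)) {
        unpinned.push({ line: i + 1, action, ref: ref || '(none)' });
      }
    }
  }

  const findings = [];
  for (const [name, info] of jobs) {
    if (!rootPermissions && !info.hasPermissions) {
      findings.push({ line: info.line, rule: 'missing-permissions',
        detail: `job "${name}" runs with the repository's default GITHUB_TOKEN scope` });
    }
  }
  for (const u of unpinned) {
    findings.push({ line: u.line, rule: 'unpinned-action',
      detail: `${u.action}@${u.ref} is a mutable ref, not a 40-hex commit SHA` });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample modelled on the test job in this PR; not the PR's file.
const SAMPLE_WORKFLOW = `name: Test JavaScript Storage - Oracle KMS
on:
  push:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js 20.x
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
      - name: Retrieve secrets from KSM
        uses: Keeper-Security/ksm-action@master
      - name: Run tests
        run: npm test
`;

// Hardened form: root-level read-only token and a SHA-pinned action.
// The SHA below is a constructed placeholder, not a real commit.
const PINNED_WORKFLOW = `name: Test JavaScript Storage - Oracle KMS
permissions:
  contents: read
on:
  push:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - run: npm test
`;

console.log(auditWorkflow(SAMPLE_WORKFLOW)); // 4 findings: lines 5, 9, 11, 15
console.log(auditWorkflow(PINNED_WORKFLOW)); // []
```

The lint deliberately treats every non-SHA ref as mutable, including semver tags, because a tag can be re-pointed by anyone with write access to the action's repository; the placement check accepts either a root-level `permissions:` or one on each job, matching the two placements the Copilot suggestion on this page describes.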
| needs: generate-sbom | ||
| if: ${{ github.event.inputs.publish == 'true' }} | ||
| environment: prod | ||
| runs-on: ubuntu-latest | ||
|
|
||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/oracle | ||
|
|
||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Retrieve secrets from KSM | ||
| id: ksmsecrets | ||
| uses: Keeper-Security/ksm-action@master | ||
| with: | ||
| keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} | ||
| secrets: | | ||
| NScQiZwrHJFCPv1gL8TX6Q/field/password > env:NPM_TOKEN | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install | ||
|
|
||
| - name: Build package | ||
| run: npm run build | ||
|
|
||
| - name: Publish package | ||
| run: npm publish |
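Review bot: `Keeper-Security/ksm-action@master`, the step that places `NPM_TOKEN` in the environment, runs whatever is currently on that branch, so a push to the action's `master` changes the code that handles the publishing credential; pin it to a release tag or, preferably, a full commit SHA. Smaller points in the same job: `actions/checkout@v3` is a major version behind the `@v4` used by the test workflow; `npm install` may rewrite `package-lock.json` during a publish build, whereas `npm ci` fails on a mismatch and installs exactly what the lockfile records; no `setup-node` step or `.npmrc` is visible in this job, so confirm how `NPM_TOKEN` actually reaches `npm publish`; and, as with the test workflow, the job has no `permissions:` block.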
Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to explicitly declare a permissions: block to restrict the default GITHUB_TOKEN permissions to the minimum required. For this workflow, the jobs only need to read repository contents (for actions/checkout) and do not appear to require any write scope to the GitHub API, so contents: read is sufficient.
The best fix with no functional change is to add a single permissions: block at the workflow root (right under name: or on:) so that it applies to all jobs. This avoids repetition and ensures both generate-sbom and publish-npm run with a read-only token. You only need to modify .github/workflows/publish.npm.storage.oracle.kms.yml, adding:
permissions:
  contents: read
near the top. No additional imports, methods, or other definitions are required.
| @@ -8,6 +8,9 @@ | ||
| default: true | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| generate-sbom: | ||
| runs-on: ubuntu-latest |
…CVE-2025-13465
- Updates oci-keymanagement from 2.122.0 to 2.124.0
- Updates jws from 3.2.2 to 3.2.3 (via jsonwebtoken)
- Updates lodash from 4.17.21 to 4.17.23 (via jsonwebtoken)
- Resolves HIGH severity CVE-2025-65945 (CVSS 7.5) - jws HMAC signature bypass
- Resolves MEDIUM severity CVE-2025-13465 (CVSS 6.9) - lodash prototype pollution
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20' | ||
|
|
||
| - name: Install package dependencies | ||
| run: npm install | ||
| working-directory: ./sdk/javascript/packages/oracle | ||
|
|
||
| - name: Install Syft | ||
| run: | | ||
| echo "Installing Syft v1.18.1..." | ||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp/bin v1.18.1 | ||
| echo "/tmp/bin" >> $GITHUB_PATH | ||
|
|
||
| - name: Install Manifest CLI | ||
| run: | | ||
| echo "Installing Manifest CLI v0.18.3..." | ||
| curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sh -s -- -b /tmp/bin v0.18.3 | ||
|
|
||
| - name: Create Syft configuration | ||
| run: | | ||
| cat > syft-config.yaml << 'EOF' | ||
| package: | ||
| search: | ||
| scope: all-layers | ||
| cataloger: | ||
| enabled: true | ||
| java: | ||
| enabled: false | ||
| python: | ||
| enabled: false | ||
| nodejs: | ||
| enabled: true | ||
| EOF | ||
|
|
||
| - name: Generate and upload SBOM | ||
| env: | ||
| MANIFEST_API_KEY: ${{ secrets.MANIFEST_TOKEN }} | ||
| run: | | ||
| JAVASCRIPT_SDK_DIR="./sdk/javascript" | ||
|
|
||
| # Get version from package.json | ||
| echo "Detecting Oracle Storage version..." | ||
| if [ -f "${JAVASCRIPT_SDK_DIR}/packages/oracle/package.json" ]; then | ||
| VERSION=$(grep -o '"version": "[^"]*"' "${JAVASCRIPT_SDK_DIR}/packages/oracle/package.json" | cut -d'"' -f4) | ||
| echo "Detected version: ${VERSION}" | ||
| else | ||
| VERSION="1.0.0" | ||
| echo "Could not detect version, using default: ${VERSION}" | ||
| fi | ||
|
|
||
| echo "Generating SBOM with Manifest CLI..." | ||
| /tmp/bin/manifest sbom "${JAVASCRIPT_SDK_DIR}/packages/oracle" \ | ||
| --generator=syft \ | ||
| --name=keeper-secrets-manager-javascript-storage-oracle-kms \ | ||
| --version=${VERSION} \ | ||
| --output=spdx-json \ | ||
| --file=oracle-storage-sbom.json \ | ||
| --api-key=${MANIFEST_API_KEY} \ | ||
| --publish=true \ | ||
| --asset-label=application,sbom-generated,nodejs,oracle-storage \ | ||
| --generator-config=syft-config.yaml | ||
|
|
||
| echo "SBOM generated and uploaded successfully: oracle-storage-sbom.json" | ||
| echo "---------- SBOM Preview (first 20 lines) ----------" | ||
| head -n 20 oracle-storage-sbom.json | ||
|
|
||
| publish-npm: |
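Review bot: the Syft and Manifest CLI install steps fetch `install.sh` from the `main` branch of each upstream repository and pipe it straight to `sh`; the binaries are version-pinned (`v1.18.1`, `v0.18.3`) but the installer script that downloads them is not, so pin the script to a commit and verify its checksum before executing it. Also in this hunk: `--api-key=${MANIFEST_API_KEY}` places the token on the command line, where it shows up in the runner's process list and in any `set -x` trace, while the same value is already exported as `MANIFEST_API_KEY` in `env:`, so check whether the CLI reads it from the environment and drop the flag if it does; the `grep`-based version detection silently falls back to `1.0.0`, which uploads a mislabelled SBOM instead of failing the job, so prefer `node -p "require('./package.json').version"` and exit non-zero when it is empty; and `actions/checkout@v3`, `actions/setup-node@v3` and `npm install` carry the same pinning and lockfile concerns as the publish job.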
Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium
Copilot Autofix (AI, about 1 month ago):
In general, fix this by adding an explicit permissions: block to the workflow (either at the top level or per job) that grants the minimal required scopes, so the GITHUB_TOKEN cannot perform unintended write operations.
For this workflow, there is no evidence that any step needs write access to the repository or other GitHub resources. actions/checkout works with contents: read. None of the steps create or modify issues, pull requests, or releases. Therefore, the best minimal, non‑breaking change is to add a root‑level permissions: block directly under name:/on: that applies to both generate-sbom and publish-npm, setting contents: read. This documents intent and ensures the token remains read‑only even if repo defaults change. No imports or additional methods are needed.
Concretely, edit .github/workflows/publish.npm.storage.oracle.kms.yml to insert:
permissions:
  contents: read
after the on: block (or directly after name: if you prefer), keeping indentation consistent.
| @@ -8,6 +8,9 @@ | ||
| default: true | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| generate-sbom: | ||
| runs-on: ubuntu-latest |
Fixes GHSA-7h2j-956f-4vf2 (CVE-2026-25547) DoS vulnerability
Adds existsSync and readFileSync mocks to fix Oracle SDK configuration loading
Release of @keeper-security/secrets-manager-oracle-kv v1.0.0
Oracle Cloud Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Closes https://keeper.atlassian.net/browse/KSM-705