This is an automated email from the ASF dual-hosted git repository.

jsinovassinnaik pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/unomi.git


The following commit(s) were added to refs/heads/master by this push:
     new 694d671e5 UNOMI-858: Fix CodeQL Java Error + Fix code scanning alert 
no. 11: Insecure randomness (#701)
694d671e5 is described below

commit 694d671e516a0d4ecda1a723ed636d4cc35a6fa0
Author: jsinovassin <[email protected]>
AuthorDate: Mon Oct 14 15:44:30 2024 +0100

    UNOMI-858: Fix CodeQL Java Error + Fix code scanning alert no. 11: Insecure 
randomness (#701)
    
    * Fix code scanning alert no. 11: Insecure randomness
    
    Co-authored-by: Copilot Autofix powered by AI 
<62310815+github-advanced-security[bot]@users.noreply.github.com>
    
    * Fix code scanning alert no. 12: Insecure randomness
    
    Co-authored-by: Copilot Autofix powered by AI 
<62310815+github-advanced-security[bot]@users.noreply.github.com>
    
    * Update index.html
    
    * UNOMI-858: upgrade java version + fix codeQL workflow
    
    ---------
    
    Co-authored-by: Copilot Autofix powered by AI 
<62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/codeql-analysis-java.yml                    | 11 ++++++++---
 .github/workflows/codeql-analysis-javascript.yml              |  2 +-
 .github/workflows/unomi-ci-build-tests.yml                    |  4 ++--
 .github/workflows/unomi-ci-docs-deploy.yml                    |  4 ++--
 .../src/main/webapp/javascript/login-example.js               |  6 +++---
 samples/tweet-button-plugin/src/main/webapp/index.html        |  9 +++------
 6 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/codeql-analysis-java.yml 
b/.github/workflows/codeql-analysis-java.yml
index 7e46387bf..61eff2659 100644
--- a/.github/workflows/codeql-analysis-java.yml
+++ b/.github/workflows/codeql-analysis-java.yml
@@ -26,11 +26,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         config-file: ./.github/codeql/codeql-config.yml
         languages: java
@@ -39,9 +39,14 @@ jobs:
         # Prefix the list here with "+" to use these queries and those in the 
config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
+    - name: Set up JDK 11
+      uses: actions/setup-java@v1
+      with:
+        java-version: 11
+        cache: maven
     - run: mvn -U -ntp -e clean install -DskipTests
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         upload: false
diff --git a/.github/workflows/codeql-analysis-javascript.yml 
b/.github/workflows/codeql-analysis-javascript.yml
index ce6239fd0..94b361d47 100644
--- a/.github/workflows/codeql-analysis-javascript.yml
+++ b/.github/workflows/codeql-analysis-javascript.yml
@@ -35,7 +35,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
diff --git a/.github/workflows/unomi-ci-build-tests.yml 
b/.github/workflows/unomi-ci-build-tests.yml
index 1c3d95b92..37d040c2d 100644
--- a/.github/workflows/unomi-ci-build-tests.yml
+++ b/.github/workflows/unomi-ci-build-tests.yml
@@ -14,7 +14,7 @@ jobs:
     name: Execute unit tests
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up JDK 11
       uses: actions/setup-java@v1
       with:
@@ -27,7 +27,7 @@ jobs:
     name: Execute integration tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up JDK 11
         uses: actions/setup-java@v1
         with:
diff --git a/.github/workflows/unomi-ci-docs-deploy.yml 
b/.github/workflows/unomi-ci-docs-deploy.yml
index 081b68006..856750220 100644
--- a/.github/workflows/unomi-ci-docs-deploy.yml
+++ b/.github/workflows/unomi-ci-docs-deploy.yml
@@ -12,7 +12,7 @@ jobs:
     name: Publish Javadoc and snapshots
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up JDK 11
         uses: actions/setup-java@v1
         with:
@@ -32,7 +32,7 @@ jobs:
     name: Push Docker image snapshot
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up JDK 11
         uses: actions/setup-java@v1
         with:
diff --git 
a/samples/login-integration/src/main/webapp/javascript/login-example.js 
b/samples/login-integration/src/main/webapp/javascript/login-example.js
index 0ccdcc300..c4c80d88d 100644
--- a/samples/login-integration/src/main/webapp/javascript/login-example.js
+++ b/samples/login-integration/src/main/webapp/javascript/login-example.js
@@ -20,9 +20,9 @@
     // We use this method to generate unique sessions IDs
     function generateGuid() {
         function s4() {
-            return Math.floor((1 + Math.random()) * 0x10000)
-                .toString(16)
-                .substring(1);
+            var array = new Uint16Array(1);
+            window.crypto.getRandomValues(array);
+            return array[0].toString(16).padStart(4, '0');
         }
 
         return s4() + s4() + '-' + s4() + '-' + s4() + '-' +
diff --git a/samples/tweet-button-plugin/src/main/webapp/index.html 
b/samples/tweet-button-plugin/src/main/webapp/index.html
index 244ae438f..7e04c997a 100644
--- a/samples/tweet-button-plugin/src/main/webapp/index.html
+++ b/samples/tweet-button-plugin/src/main/webapp/index.html
@@ -61,12 +61,9 @@
                     if (window.performance && typeof window.performance.now 
=== "function") {
                         d += performance.now();  //use high-precision timer if 
available
                     }
-                    var uuid = 
'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
-                        var r = (d + Math.random() * 16) % 16 | 0;
-                        d = Math.floor(d / 16);
-                        return (c == 'x' ? r : (r & 0x3 | 0x8)).toString(16);
-                    });
-                    return uuid;
+                    return 
"10000000-1000-4000-8000-100000000000".replace(/[018]/g, c =>
+                      (+c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 
>> +c / 4).toString(16)
+                    );
                 }
 
                 function contextRequest(successCallback, errorCallback, 
payload) {

Reply via email to