This is an automated email from the ASF dual-hosted git repository.
jsinovassinnaik pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/unomi.git
The following commit(s) were added to refs/heads/master by this push:
new 694d671e5 UNOMI-858: Fix CodeQL Java Error + Fix code scanning alert
no. 11: Insecure randomness (#701)
694d671e5 is described below
commit 694d671e516a0d4ecda1a723ed636d4cc35a6fa0
Author: jsinovassin <[email protected]>
AuthorDate: Mon Oct 14 15:44:30 2024 +0100
UNOMI-858: Fix CodeQL Java Error + Fix code scanning alert no. 11: Insecure
randomness (#701)
* Fix code scanning alert no. 11: Insecure randomness
Co-authored-by: Copilot Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fix code scanning alert no. 12: Insecure randomness
Co-authored-by: Copilot Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>
* Update index.html
* UNOMI-858: upgrade java version + fix codeQL workflow
---------
Co-authored-by: Copilot Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>
---
.github/workflows/codeql-analysis-java.yml | 11 ++++++++---
.github/workflows/codeql-analysis-javascript.yml | 2 +-
.github/workflows/unomi-ci-build-tests.yml | 4 ++--
.github/workflows/unomi-ci-docs-deploy.yml | 4 ++--
.../src/main/webapp/javascript/login-example.js | 6 +++---
samples/tweet-button-plugin/src/main/webapp/index.html | 9 +++------
6 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/codeql-analysis-java.yml
b/.github/workflows/codeql-analysis-java.yml
index 7e46387bf..61eff2659 100644
--- a/.github/workflows/codeql-analysis-java.yml
+++ b/.github/workflows/codeql-analysis-java.yml
@@ -26,11 +26,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
with:
config-file: ./.github/codeql/codeql-config.yml
languages: java
@@ -39,9 +39,14 @@ jobs:
# Prefix the list here with "+" to use these queries and those in the
config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
+ - name: Set up JDK 11
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ cache: maven
- run: mvn -U -ntp -e clean install -DskipTests
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@v3
with:
upload: false
diff --git a/.github/workflows/codeql-analysis-javascript.yml
b/.github/workflows/codeql-analysis-javascript.yml
index ce6239fd0..94b361d47 100644
--- a/.github/workflows/codeql-analysis-javascript.yml
+++ b/.github/workflows/codeql-analysis-javascript.yml
@@ -35,7 +35,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
diff --git a/.github/workflows/unomi-ci-build-tests.yml
b/.github/workflows/unomi-ci-build-tests.yml
index 1c3d95b92..37d040c2d 100644
--- a/.github/workflows/unomi-ci-build-tests.yml
+++ b/.github/workflows/unomi-ci-build-tests.yml
@@ -14,7 +14,7 @@ jobs:
name: Execute unit tests
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
@@ -27,7 +27,7 @@ jobs:
name: Execute integration tests
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
diff --git a/.github/workflows/unomi-ci-docs-deploy.yml
b/.github/workflows/unomi-ci-docs-deploy.yml
index 081b68006..856750220 100644
--- a/.github/workflows/unomi-ci-docs-deploy.yml
+++ b/.github/workflows/unomi-ci-docs-deploy.yml
@@ -12,7 +12,7 @@ jobs:
name: Publish Javadoc and snapshots
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
@@ -32,7 +32,7 @@ jobs:
name: Push Docker image snapshot
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
diff --git
a/samples/login-integration/src/main/webapp/javascript/login-example.js
b/samples/login-integration/src/main/webapp/javascript/login-example.js
index 0ccdcc300..c4c80d88d 100644
--- a/samples/login-integration/src/main/webapp/javascript/login-example.js
+++ b/samples/login-integration/src/main/webapp/javascript/login-example.js
@@ -20,9 +20,9 @@
// We use this method to generate unique sessions IDs
function generateGuid() {
function s4() {
- return Math.floor((1 + Math.random()) * 0x10000)
- .toString(16)
- .substring(1);
+ var array = new Uint16Array(1);
+ window.crypto.getRandomValues(array);
+ return array[0].toString(16).padStart(4, '0');
}
return s4() + s4() + '-' + s4() + '-' + s4() + '-' +
diff --git a/samples/tweet-button-plugin/src/main/webapp/index.html
b/samples/tweet-button-plugin/src/main/webapp/index.html
index 244ae438f..7e04c997a 100644
--- a/samples/tweet-button-plugin/src/main/webapp/index.html
+++ b/samples/tweet-button-plugin/src/main/webapp/index.html
@@ -61,12 +61,9 @@
if (window.performance && typeof window.performance.now
=== "function") {
d += performance.now(); //use high-precision timer if
available
}
- var uuid =
'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
- var r = (d + Math.random() * 16) % 16 | 0;
- d = Math.floor(d / 16);
- return (c == 'x' ? r : (r & 0x3 | 0x8)).toString(16);
- });
- return uuid;
+ return
"10000000-1000-4000-8000-100000000000".replace(/[018]/g, c =>
+ (+c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15
>> +c / 4).toString(16)
+ );
}
function contextRequest(successCallback, errorCallback,
payload) {