carverauto/serviceradar

Fork 0

adding actionlint and fixing kong stuff #2432

Merged

mfreeman451 merged 1 commit from refs/pull/2432/head into main

2025-11-20 04:21:08 +00:00

mfreeman451 commented

2025-11-20 04:15:15 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1964
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1964
Original created: 2025-11-20T04:15:15Z
Original updated: 2025-11-20T04:21:24Z
Original head: carverauto/serviceradar:chore/fix_release_kong
Original base: main
Original merged: 2025-11-20T04:21:08Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement, Other

Description

Add bazelisk version extraction from Kong Makefile
Implement fallback bazelisk installation without make dependency
Support direct binary download for aarch64 and x86_64 architectures
Configure actionlint for self-hosted GitHub Actions runners
Fix GitHub Actions output formatting in release workflow

Diagram Walkthrough

flowchart LR
  A["Kong Build Script"] -->|Extract Version| B["bazelisk_version_from_kong"]
  B -->|Default Version| C["DEFAULT_BAZELISK_VERSION"]
  A -->|Check Make| D{Make Available?}
  D -->|Yes| E["Use make check-bazel"]
  D -->|No| F["Download Binary"]
  F -->|Detect OS/Arch| G["Direct Installation"]
  H["GitHub Actions Config"] -->|Self-hosted| I["actionlint.yaml"]
  J["Release Workflow"] -->|Format Output| K["Grouped GITHUB_OUTPUT"]

File Walkthrough

Relevant files

Enhancement

build-kong-vendor.sh

Add bazelisk fallback installation without make

scripts/build-kong-vendor.sh

Add DEFAULT_BAZELISK_VERSION constant for fallback version
Introduce bazelisk_version_from_kong() function to extract version
from Kong Makefile
Refactor ensure_bazel() to support direct binary download when make is
unavailable
Add OS and architecture detection (aarch64/arm64, x86_64/amd64
mapping)
Download bazelisk binary from GitHub releases as fallback mechanism

+27/-5

Configuration changes

actionlint.yaml

Add actionlint self-hosted runner configuration

.github/actionlint.yaml

Create new actionlint configuration file for GitHub Actions
Configure self-hosted runner with arc-runner-set label

+4/-0

Formatting

release.yml

Fix GitHub Actions output formatting

.github/workflows/release.yml

Refactor GITHUB_OUTPUT writes to use grouped command syntax
Replace individual echo statements with single grouped block
Improves readability and follows GitHub Actions best practices

+9/-7

Imported from GitHub pull request. Original GitHub pull request: #1964 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1964 Original created: 2025-11-20T04:15:15Z Original updated: 2025-11-20T04:21:24Z Original head: carverauto/serviceradar:chore/fix_release_kong Original base: main Original merged: 2025-11-20T04:21:08Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement, Other ___ ### **Description** - Add bazelisk version extraction from Kong Makefile - Implement fallback bazelisk installation without make dependency - Support direct binary download for aarch64 and x86_64 architectures - Configure actionlint for self-hosted GitHub Actions runners - Fix GitHub Actions output formatting in release workflow ___ ### Diagram Walkthrough ```mermaid flowchart LR A["Kong Build Script"] -->|Extract Version| B["bazelisk_version_from_kong"] B -->|Default Version| C["DEFAULT_BAZELISK_VERSION"] A -->|Check Make| D{Make Available?} D -->|Yes| E["Use make check-bazel"] D -->|No| F["Download Binary"] F -->|Detect OS/Arch| G["Direct Installation"] H["GitHub Actions Config"] -->|Self-hosted| I["actionlint.yaml"] J["Release Workflow"] -->|Format Output| K["Grouped GITHUB_OUTPUT"] ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Enhancement</td><td><table> <tr> <td> <details> <summary>build-kong-vendor.sh<dd><code>Add bazelisk fallback installation without make</code>                    </dd></summary> <hr> scripts/build-kong-vendor.sh <ul><li>Add <code>DEFAULT_BAZELISK_VERSION</code> constant for fallback version <li> Introduce <code>bazelisk_version_from_kong()</code> function to extract version from Kong Makefile <li> Refactor <code>ensure_bazel()</code> to support direct binary download when make is unavailable <li> Add OS and architecture detection (aarch64/arm64, x86_64/amd64 mapping) <li> Download bazelisk binary from GitHub releases as fallback mechanism</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24">+27/-5</a>    </td> </tr> </table></td></tr><tr><td>Configuration changes</td><td><table> <tr> <td> <details> <summary>actionlint.yaml<dd><code>Add actionlint self-hosted runner configuration</code>                    </dd></summary> <hr> .github/actionlint.yaml <ul><li>Create new actionlint configuration file for GitHub Actions <li> Configure self-hosted runner with arc-runner-set label</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1964/files#diff-2f3192c2d25d2b15166a77ea94cd49e18cd97a7862b6e3d67ff5062c097bacb4">+4/-0</a>      </td> </tr> </table></td></tr><tr><td>Formatting</td><td><table> <tr> <td> <details> <summary>release.yml<dd><code>Fix GitHub Actions output formatting</code>                                          </dd></summary> <hr> .github/workflows/release.yml <ul><li>Refactor <code>GITHUB_OUTPUT</code> writes to use grouped command syntax <li> Replace individual echo statements with single grouped block <li> Improves readability and follows GitHub Actions best practices</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1964/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34">+9/-7</a>      </td> </tr> </table></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-11-20 04:15:41 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1964#issuecomment-3555687139
Original created: 2025-11-20T04:15:41Z

PR Compliance Guide 🔍

(Compliance updated until commit `github.com/carverauto/serviceradar@ad689f2fc8`)

Below is a summary of compliance checks for this PR:

Security Compliance
🔴	Unverified binary download Description: The fallback Bazelisk download constructs a URL from `uname` outputs without validating or pinning the binary (no checksum/signature verification), enabling potential supply-chain or MITM attacks and arbitrary binary execution. build-kong-vendor.sh [96-107] Referred Code `os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}"`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Action logging: The new installation paths and decisions (make vs direct download) are not logged as audit events beyond brief info messages, which may be insufficient for reconstructing critical actions on build systems. Referred Code if command -v make >/dev/null 2>&1; then info "Installing bazelisk wrapper via make check-bazel" >&2 (cd "${KONG_CLONE_DIR}" && make check-bazel >/dev/null) else local os machine version url os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Edge cases: Direct bazelisk download lacks checks for unsupported OS/arch, HTTP errors, or empty version resulting in a 404, and does not validate the downloaded binary beyond chmod. Referred Code `local os machine version url os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Download validation: The script downloads an external binary over HTTPS without checksum or signature verification and executes it, lacking integrity validation and architecture whitelist enforcement. Referred Code `local os machine version url os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi` Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Previous compliance checks

Compliance check up to commit ad689f2

Security Compliance
⚪	Unverified binary download Description: The fallback path downloads and executes a remote bazelisk binary over HTTPS without verifying its integrity or signature (no checksum/GPG verification), enabling a supply-chain attack if the download is tampered with or the GitHub release URL is compromised. build-kong-vendor.sh [95-107] Referred Code `local os machine version url os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}"`
	Insufficient input validation Description: OS/arch is derived from uname and directly interpolated into the download URL without strict allow-listing or validation, which could enable unexpected URLs or wrong binaries on uncommon architectures leading to execution of unintended binaries. build-kong-vendor.sh [96-103] Referred Code `os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}"`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Action Logging: The script performs network downloads and tool installation without adding any audit/log entries beyond brief info messages, which may be insufficient for reconstructing critical actions. Referred Code if command -v make >/dev/null 2>&1; then info "Installing bazelisk wrapper via make check-bazel" >&2 (cd "${KONG_CLONE_DIR}" && make check-bazel >/dev/null) else local os machine version url os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Curl Failure Handling: The fallback download path uses curl without explicit retries or checksum verification and may not surface actionable error context if the download is corrupt or mismatched for OS/arch. Referred Code `local os machine version url os=$(uname \| tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Binary Integrity: The script downloads a bazelisk binary over HTTPS but does not verify checksums or signatures, leaving potential supply-chain risk unmitigated. Referred Code `version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}"` Learn more about managing compliance generic rules or creating your own custom rules

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1964#issuecomment-3555687139 Original created: 2025-11-20T04:15:41Z --- ## PR Compliance Guide 🔍  #### (Compliance updated until commit https://github.com/carverauto/serviceradar/commit/ad689f2fc89b889716012541d6f11a5f56e6f5be) Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=1>🔴</td> <td><details><summary>Unverified binary download </summary> Description: The fallback Bazelisk download constructs a URL from <code>uname</code> outputs without validating or pinning the binary (no checksum/signature verification), enabling potential supply-chain or MITM attacks and arbitrary binary execution. <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R96-R107'>build-kong-vendor.sh [96-107]</a> <details open><summary>Referred Code</summary> ```shell os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=3>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=3>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R91-R108'>Action logging</a>: The new installation paths and decisions (make vs direct download) are not logged as audit events beyond brief info messages, which may be insufficient for reconstructing critical actions on build systems. <details open><summary>Referred Code</summary> ```shell if command -v make >/dev/null 2>&1; then info "Installing bazelisk wrapper via make check-bazel" >&2 (cd "${KONG_CLONE_DIR}" && make check-bazel >/dev/null) else local os machine version url os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R95-R108'>Edge cases</a>: Direct bazelisk download lacks checks for unsupported OS/arch, HTTP errors, or empty version resulting in a 404, and does not validate the downloaded binary beyond chmod. <details open><summary>Referred Code</summary> ```shell local os machine version url os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R95-R108'>Download validation</a>: The script downloads an external binary over HTTPS without checksum or signature verification and executes it, lacking integrity validation and architecture whitelist enforcement. <details open><summary>Referred Code</summary> ```shell local os machine version url os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2">   </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details> ___ #### Previous compliance checks <details> <summary>Compliance check up to commit <a href='https://github.com/carverauto/serviceradar/commit/ad689f2fc89b889716012541d6f11a5f56e6f5be'>ad689f2</a></summary> <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=2>⚪</td> <td><details><summary>Unverified binary download </summary> Description: The fallback path downloads and executes a remote bazelisk binary over HTTPS without verifying its integrity or signature (no checksum/GPG verification), enabling a supply-chain attack if the download is tampered with or the GitHub release URL is compromised. <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R95-R107'>build-kong-vendor.sh [95-107]</a> <details open><summary>Referred Code</summary> ```shell local os machine version url os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" ``` </details></details></td></tr> <tr><td><details><summary>Insufficient input validation </summary> Description: OS/arch is derived from uname and directly interpolated into the download URL without strict allow-listing or validation, which could enable unexpected URLs or wrong binaries on uncommon architectures leading to execution of unintended binaries. <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R96-R103'>build-kong-vendor.sh [96-103]</a> <details open><summary>Referred Code</summary> ```shell os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=3>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=3>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R91-R108'>Action Logging</a>: The script performs network downloads and tool installation without adding any audit/log entries beyond brief info messages, which may be insufficient for reconstructing critical actions. <details open><summary>Referred Code</summary> ```shell if command -v make >/dev/null 2>&1; then info "Installing bazelisk wrapper via make check-bazel" >&2 (cd "${KONG_CLONE_DIR}" && make check-bazel >/dev/null) else local os machine version url os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R95-R108'>Curl Failure Handling</a>: The fallback download path uses curl without explicit retries or checksum verification and may not surface actionable error context if the download is corrupt or mismatched for OS/arch. <details open><summary>Referred Code</summary> ```shell local os machine version url os=$(uname | tr '[:upper:]' '[:lower:]') machine=$(uname -m) case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; esac version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" fi ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R102-R107'>Binary Integrity</a>: The script downloads a bazelisk binary over HTTPS but does not verify checksums or signatures, leaving potential supply-chain risk unmitigated. <details open><summary>Referred Code</summary> ```shell version=$(bazelisk_version_from_kong) url="https://github.com/bazelbuild/bazelisk/releases/download/v${version}/bazelisk-${os}-${machine}" info "Installing bazelisk v${version} for ${os}/${machine} (make not available)" >&2 mkdir -p "$(dirname "${bazel_bin}")" curl -sSfL "${url}" -o "${bazel_bin}" chmod +x "${bazel_bin}" ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2">   </td></tr></tbody></table> </details>

qodo-code-review[bot] commented

2025-11-20 04:16:38 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1964#issuecomment-3555688552
Original created: 2025-11-20T04:16:38Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Add explicit unsupported architecture handling Add a default case to the architecture `case` statement to handle unsupported architectures by printing an error and exiting. scripts/build-kong-vendor.sh [98-101] `case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; + ) + echo "[kong] Unsupported machine architecture: ${machine}" >&2 + exit 1 + ;; esac` Apply / Chat* Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies that the script doesn't handle unsupported architectures and proposes adding a default case to exit with a clear error message, which improves robustness and debuggability.	Low
More

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1964#issuecomment-3555688552 Original created: 2025-11-20T04:16:38Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Add explicit unsupported architecture handling</summary> ___ **Add a default case to the architecture <code>case</code> statement to handle unsupported architectures by printing an error and exiting.** [scripts/build-kong-vendor.sh [98-101]](https://github.com/carverauto/serviceradar/pull/1964/files#diff-60c9831d4f024788268c9fa56e16e212061b7b55939899f04579d8445036df24R98-R101) ```diff case "$machine" in aarch64) machine="arm64" ;; x86_64) machine="amd64" ;; + *) + echo "[kong] Unsupported machine architecture: ${machine}" >&2 + exit 1 + ;; esac ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 6</summary> __ Why: The suggestion correctly identifies that the script doesn't handle unsupported architectures and proposes adding a default case to exit with a clear error message, which improves robustness and debuggability. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] More  </td><td></td></tr></tbody></table>