Artifactory Binary Repository
RTFACT-26481

Artifactory should follow Helm semver strictly


    Details

    • Type: Improvement
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Helm
    • Labels:
      None
    • Location:
      External

      Description

      Feature description:
      Since Helm CLI version 3.5.2, Helm logs warnings about any chart in the index whose version does not comply with the semver (https://semver.org) standard. Helm's documentation is explicit that charts which do not comply with this versioning scheme are invalid and cannot be used with the system. See the GitHub issue where this is discussed, https://github.com/helm/helm/issues/9356, and the advisory https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx.

      Snippet from above link:

      Since Helm 2 was released, a well-documented aspect of Helm is that the Helm chart's version number MUST follow the SemVer2 specification. In the past, Helm would not permit charts with malformed versions. At some point, a patch was merged that changed this: On a version parse error, the version number was simply passed along as-is. This provided a vector for malicious data to be injected into Helm and potentially used in various ways.

      ...

      Further, during evaluation, the Helm maintainers discovered a few other fields that were not properly sanitized when read out of repository index files. This fix remedies all such cases, and once again enforces SemVer2 policies on version fields.

      What is the expected behavior?
      Artifactory should refuse to index these charts and log warnings, and potentially offer a mechanism (Xray?) to notify publishers that their chart was not indexed, or at the very least offer the option not to index these charts.
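      As an added example (not Artifactory or Helm code), the following Python checks the chart versions in a parsed Helm repository index.yaml against the SemVer 2.0.0 grammar from semver.org and drops the non-compliant entries, which is the behaviour the issue asks for. It assumes a strict reading of the specification (a leading "v" or a two-part version is rejected), which may be stricter than Helm's own version parser; the sample index is constructed here.

```python
import re

# Anchored SemVer 2.0.0 grammar, transcribed from the semver.org specification.
SEMVER2_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)

def is_semver2(version):
    return isinstance(version, str) and SEMVER2_RE.match(version) is not None

def audit_index(index):
    """Return (chart, version, reason) for each entry of a parsed index.yaml
    ({"entries": {name: [{"version": ...}, ...]}}) that is not valid SemVer2."""
    findings = []
    for chart, releases in index.get("entries", {}).items():
        for release in releases:
            version = release.get("version")
            if not isinstance(version, str):
                # Missing field, or YAML turned an unquoted 1.0 into a float.
                findings.append((chart, version, "version missing or not a string"))
            elif not is_semver2(version):
                findings.append((chart, version, "not SemVer2"))
    return findings

def filter_index(index):
    """Copy of the index with non-compliant entries dropped, i.e. not indexed."""
    bad = {(chart, version) for chart, version, _ in audit_index(index)}
    return {**index, "entries": {
        chart: [r for r in releases if (chart, r.get("version")) not in bad]
        for chart, releases in index.get("entries", {}).items()
    }}

# Constructed sample index (not a real repository), already parsed from YAML.
SAMPLE_INDEX = {
    "entries": {
        "web": [
            {"name": "web", "version": "1.2.3"},
            {"name": "web", "version": "1.2.3-rc.1+build.5"},
            {"name": "web", "version": "v1.2.3"},   # leading "v" is not SemVer2
        ],
        "db": [
            {"name": "db", "version": "1.02.0"},    # leading zero in minor
            {"name": "db", "version": "1.2"},       # patch component missing
            {"name": "db", "version": 1.0},         # unquoted YAML scalar -> float
        ],
    },
}
```

Running `audit_index(SAMPLE_INDEX)` reports the four malformed entries and `filter_index` returns an index containing only the two compliant "web" releases.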

    People

    • Assignee: Unassigned
    • Reporter: gmartinez Giancarlo Martinez
    • Votes: 1
    • Watchers: 2

    Dates

    • Created:
    • Updated:

    Sync Status

    • Connection: RTFACT Sync
    • RTMID-26492 - SYNCHRONIZED
    • Last Sync Date: