Dependency lookup blocked by IP safelisting for bridgecrewio/checkov-action

[patheard]

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

If you're self-hosting Renovate, select which platform you are using.

No response

If you're self-hosting Renovate, tell us what version of the platform you run.

No response

Was this something which used to work for you, and then stopped?

It used to work, and then stopped

Describe the bug

We're getting a dependency lookup failure for the bridgecrewio/checkov-action GitHub Action that used to work. From what we can see, IP safelisting is causing the problem and blocking the Renovate lookup:

"response": {
    "statusCode": 403,
    "statusMessage": "Forbidden",
    "body": {
        "message": "Although you appear to have the correct authorization credentials, the `bridgecrewio` organization has an IP allow list enabled, and 18.237.254.32 is not permitted to access this resource.",
    }
    // etc.
}

The full log output can be seen in this job log:

• github/cds-snc/scan-files/814142718

I'm assuming all we can do is add this dependency to our ignoreDeps config if we don't want to see the warning on PRs and in our dependency dashboard.

Relevant debug logs

Logs

DEBUG: Unknown GitHub error
{
  "err": {
    "name": "HTTPError",
    "code": "ERR_NON_2XX_3XX_RESPONSE",
    "timings": {
      "start": 1663274118042,
      "socket": 1663274118042,
      "lookup": 1663274118242,
      "connect": 1663274118242,
      "secureConnect": 1663274118260,
      "upload": 1663274118260,
      "response": 1663274118425,
      "end": 1663274118434,
      "phases": {
        "wait": 0,
        "dns": 200,
        "tcp": 0,
        "tls": 18,
        "request": 0,
        "firstByte": 165,
        "download": 9,
        "total": 392
      }
    },
    "message": "Response code 403 (Forbidden)",
    "stack": "HTTPError: Response code 403 (Forbidden)\n    at Request.<anonymous> (/home/ubuntu/renovateapp/node_modules/got/dist/source/as-promise/index.js:118:42)\n    at runMicrotasks (<anonymous>)\n    at processTicksAndRejections (node:internal/process/task_queues:96:5)",
    "options": {
      "headers": {
        "user-agent": "Renovate Bot (GitHub App 2740)",
        "accept": "application/vnd.github.machine-man-preview+json",
        "authorization": "***********",
        "accept-encoding": "gzip, deflate, br"
      },
      "url": "https://api.github.com/repos/bridgecrewio/checkov-action/tags?per_page=100",
      "hostType": "github-tags",
      "username": "",
      "password": "",
      "method": "GET",
      "http2": false
    },
    "response": {
      "statusCode": 403,
      "statusMessage": "Forbidden",
      "body": {
        "message": "Although you appear to have the correct authorization credentials, the `bridgecrewio` organization has an IP allow list enabled, and 18.237.254.32 is not permitted to access this resource.",
        "documentation_url": "https://docs.github.com/rest/reference/repos#list-repository-tags"
      },
      "headers": {
        "server": "GitHub.com",
        "date": "Thu, 15 Sep 2022 20:35:18 GMT",
        "content-type": "application/json; charset=utf-8",
        "transfer-encoding": "chunked",
        "x-github-media-type": "github.v3; param=machine-man-preview; format=json",
        "x-ratelimit-limit": "15000",
        "x-ratelimit-remaining": "14907",
        "x-ratelimit-reset": "1663277402",
        "x-ratelimit-used": "93",
        "x-ratelimit-resource": "core",
        "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
        "access-control-allow-origin": "*",
        "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
        "x-frame-options": "deny",
        "x-content-type-options": "nosniff",
        "x-xss-protection": "0",
        "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
        "content-security-policy": "default-src 'none'",
        "vary": "Accept-Encoding, Accept, X-Requested-With",
        "content-encoding": "gzip",
        "x-github-request-id": "A34A:775E:6A6414:6D548F:63238C86",
        "connection": "close"
      },
      "httpVersion": "1.1"
    }
  }
}
DEBUG: Datasource unauthorized
{
  "datasource": "github-tags",
  "packageName": "bridgecrewio/checkov-action",
  "url": "https://api.github.com/repos/bridgecrewio/checkov-action/tags?per_page=100"
}
DEBUG: Failed to look up dependency bridgecrewio/checkov-action (bridgecrewio/checkov-action)(packageFile=".github/workflows/terraform-security-scan.yml", dependency="bridgecrewio/checkov-action")

Have you created a minimal reproduction repository?

I have linked to a minimal reproduction repository in the bug description

[viceice]

This isn't a renovate bug. It's a github restriction and renovate can't skip this.

Also renovate app worker don't have fixed IP's (they will wandomly changed on worker updates), so they can't be whitelisted in any way.

[rarkins]

Bridgecrew are going to need to remove this restriction or separate their open source/ closed source into different orgs

[morremeyer]

Unauthenticated requests for the public resources (in this case tags) for the repository are definitely not affected by this. Is there any way we could disable auth completely for requests to this repository?

I checked the hostRules documentation and don't think there is a way to do this right now. Any other ideas?

[rarkins]

Renovate uses GraphQL to fetch tags and release so it must be authenticated to succeed

[morremeyer]

Quick reproduction script in Python.

You need jwt and requests installed in e.g. a virtualenv for this to work.

Change the config in the Set config in the following block section with the values for your setup

Script

#!/usr/bin/env python3

import jwt
import requests
import time
import json

class graphQL:

    # Authorization is set in __init__
	headers = {}

	def __init__(self, token):
		super(graphQL, self).__init__()
		self.headers["Authorization"] = f"token {token}"

	def run_query(self, query, variables): # A simple function to use requests.post to make the API call. Note the json= section.
		request = requests.post('https://api.github.com/graphql', json={'query': query, 'variables': variables}, headers=self.headers)
		if request.status_code == 200:
			return request.json()
		else:
			raise Exception("Query failed to run by returning code of {}. Message {}".format(request.status_code, request.text))

	def getTags(self, variables):
		listOfNames = []
		query = '''
			    query($owner: String!, $name: String!, $cursor: String, $count: Int!) {
                    repository(owner: $owner, name: $name) {
                        isRepoPrivate: isPrivate
                        payload:
                            refs(
                                first: $count
                                after: $cursor
                                orderBy: {field: TAG_COMMIT_DATE, direction: DESC}
                                refPrefix: \"refs/tags/\"
                            ) {
                                pageInfo {
                                    hasNextPage
                                    endCursor
                                }
                                nodes {
                                    version: name
                                    target {
                                        type: __typename
                                        ... on Commit {
                                        oid
                                        releaseTimestamp: committedDate
                                        }
                                        ... on Tag {
                                            target {
                                                ... on Commit {
                                                oid
                                                }
                                            }
                                            tagger {
                                                releaseTimestamp: date
                                            }
                                        }
                                    }
                                }
                            }
                    }
                }
        '''

		result = self.run_query(query, variables) #execute query
		print(json.dumps(result))

def get_jwt(pem, app_id):
    # Open PEM
    with open(pem, 'rb') as pem_file:
        signing_key = jwt.jwk_from_pem(pem_file.read())

    payload = {
        # Issued at time
        'iat': int(time.time()),
        # JWT expiration time (10 minutes maximum)
        'exp': int(time.time()) + 600,
        # GitHub App's identifier
        'iss': app_id
    }

    # Create JWT
    jwt_instance = jwt.JWT()
    encoded_jwt = jwt_instance.encode(payload, signing_key, alg='RS256')

    return encoded_jwt

########################################
# Set config in the following block
########################################

pem = "key.pem" # Path to the private key of the app
app_id = 123456 # ID of your app
installation_id = 123456 # ID of your app installation

variables = {
    "owner": "bridgecrewio",
    "name": "checkov-action",
    "count": 5,
}
########################################

jwt = get_jwt(pem, app_id)

request = requests.post(f"https://api.github.com/app/installations/{installation_id}/access_tokens", headers={
    "Accept": "application/vnd.github+json",
    "Authorization": f"Bearer {jwt}",
    "X-GitHub-Api-Version": "2022-11-28"
})

token = ""
if request.status_code == 201:
	token = request.json()["token"]
else:
    raise Exception("Query failed to run by returning code of {}. Message {}".format(request.status_code, request.text))

query = graphQL(token)
query.getTags(variables)

[aalvarezaph]

@morremeyer were you able to get a solution from Github?

[morremeyer]

Still talking to them, the issue is known to the responsible engineering team. No solution or ETA for one yet.

[morremeyer]

While I still have an open issue with the GitHub support (see #17826 (reply in thread)), I've been annoyed enough to look for a workaround.

I found one: Using a host rule that uses a PAT (since these are not affected by this bug)

{
  "hostRules": [
    {
      "matchHost": "https://api.github.com/repos/bridgecrewio",
      "token": "FINE_GRAINED_PAT_WITH_PUBLIC_READ_ONLY"
    }
  ]
}

[rarkins]

Does anyone know if GitHub resolved this problem on their own? This repo seems to work and we haven't turned on fixed IPs in the app yet: nabeelsaabnaTests/pdmp-static-ip-test#3

[morremeyer]

They did not resolve the problem. It works for the repo you mentioned because that's a personal repo. The combination that is broken is "org repo" + "GitHub app"

[rarkins]

Thanks! So any org repo fails, any personal repo succeeds?

[morremeyer]

Yup, that’s the current state of my understanding. If we find any where this differs, it might help the GitHub engineers to debug this issues, but it also seems to be very low on their priority list.

[flokoe]

As of today, it seems that the problem is still not solved.

We encountered odd behavior of Renovate opening and auto-closing updates for bridgecrewio/checkov-action with the following error message:

DEBUG: Datasource unknown error
{
  "datasource": "github-tags"
  "packageName": "bridgecrewio/checkov-action"
  "err": {
    "message": "Although you appear to have the correct authorization credentials, the `bridgecrewio` organization has an IP allow list enabled, and your IP address is not permitted to access this resource.",
    "stack": "Error: Although you appear to have the correct authorization credentials, the `bridgecrewio` organization has an IP allow list enabled, and your IP address is not permitted to access this resource.\n    at GithubGraphqlDatasourceFetcher.doRawQuery (/usr/local/renovate/lib/util/github/graphql/datasource-fetcher.ts:135:21)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at GithubGraphqlDatasourceFetcher.doShrinkableQuery (/usr/local/renovate/lib/util/github/graphql/datasource-fetcher.ts:200:20)\n    at GithubGraphqlDatasourceFetcher.doPaginatedFetch (/usr/local/renovate/lib/util/github/graphql/datasource-fetcher.ts:244:27)\n    at GithubGraphqlDatasourceFetcher.doCachedQuery (/usr/local/renovate/lib/util/github/graphql/datasource-fetcher.ts:284:7)\n    at GithubGraphqlDatasourceFetcher.getItems (/usr/local/renovate/lib/util/github/graphql/datasource-fetcher.ts:322:17)\n    at Function.query (/usr/local/renovate/lib/util/github/graphql/datasource-fetcher.ts:59:19)\n    at queryTags (/usr/local/renovate/lib/util/github/graphql/index.ts:15:15)\n    at GithubTagsDatasource.getReleases (/usr/local/renovate/lib/modules/datasource/github-tags/index.ts:78:24)\n    at getRegistryReleases (/usr/local/renovate/lib/modules/datasource/index.ts:77:15)\n    at huntRegistries (/usr/local/renovate/lib/modules/datasource/index.ts:118:13)\n    at fetchReleases (/usr/local/renovate/lib/modules/datasource/index.ts:291:15)\n    at lookupUpdates (/usr/local/renovate/lib/workers/repository/process/lookup/index.ts:134:56)\n    at Function.wrap (/usr/local/renovate/lib/util/stats.ts:38:20)\n    at fetchDepUpdates (/usr/local/renovate/lib/workers/repository/process/fetch.ts:58:42)\n    at /usr/local/renovate/lib/workers/repository/process/fetch.ts:104:23\n    at /usr/local/renovate/node_modules/.pnpm/[email protected]/node_modules/p-map/index.js:57:22"
  }
}

[morremeyer]

Yup, I'm still poking the GitHub support every now and then, this is just very low on their priority list.