neo4j-operations go source included in helm chart release #368

Open
peefourtee opened this issue Jan 4, 2025 · 0 comments

Is your feature request related to a problem? Please describe.

I'm unable to use the neo4j helm chart repository in my environment. I have downloaded the helm charts from https://neo4j.com/deployment-center/#tools-tab and extracted them into my ci/cd pipeline.

My CI/CD pipeline has recently been flagged by my dependency scanner as having a critical vulnerability in a dependency, specifically CVE-2024-45337.

Inside the helm charts release, it appears there's a Go app, neo4j-operations, that's included in the neo4j helm chart folder. There's an indirect dependency on golang.org/x/crypto in this app's Go modules. It doesn't appear this source is used with the helm chart. I see references in the neo4j chart's values:

```yaml
# (Clustering only feature)
# Neo4j operations allows you to enable servers (part of cluster) which are added outside the minimumClusterSize
# When the enableServer flag is set to true, an operations pod is created which performs the following functions
# fetch neo4j creds from the k8s secret (provided by user or created via helm chart)
# Use the cluster ip created as part of the respective release to connect to Neo4j via Go Driver
# Execute the ENABLE SERVER query and enable the server
# The operations pod ends successfully if the server is enabled, or it was already enabled
operations:
  enableServer: false
  image: "neo4j/helm-charts-operations:5.26.0"
  # protocol can be "neo4j" or "neo4j+ssc" or "neo4j+s". Default set to neo4j
  # Note: Do not specify bolt protocol here...it will FAIL.
  protocol: "neo4j"
  labels: {}
```

I'm not configuring this in my helm chart, and it appears to be referencing a public image anyway.

Can this be removed from the helm charts release?

Describe the solution you'd like

Exclude the source code neo4j/neo4j-operations from the helm charts release.

Describe alternatives you've considered

I'm deleting the folder after downloading the helm chart release.

Additional context
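
The workaround described in this issue, auditing the extracted chart for the vendored Go source and dropping that directory before the chart is used in CI, as an added shell example that is not part of the issue or of the neo4j-helm-charts project. The chart layout, module path and dependency versions in the sample it builds are constructed for the example; the one external fact it relies on is that golang.org/x/crypto v0.31.0 is the release that fixes CVE-2024-45337. It reports, for every go.mod found under the chart directory, which golang.org/x/crypto version is pinned and whether it is at or above the fix release, so the scanner finding can be confirmed before the unused source tree is removed.

```shell
#!/bin/sh
# Added example (not from the issue or the neo4j-helm-charts project).
# Audits an extracted helm chart directory for vendored Go sources, reports the
# golang.org/x/crypto version each go.mod pins, and removes the neo4j-operations
# tree from the copy used in CI, so the scanner stops flagging a dependency the
# chart never deploys (the chart only references the prebuilt operations image).
set -eu

# Release of golang.org/x/crypto that fixes CVE-2024-45337.
XCRYPTO_FIX_VERSION="v0.31.0"

# Print "<go.mod path> <golang.org/x/crypto version or none>" for every go.mod under $1.
list_xcrypto_versions() {
  chart_dir="$1"
  find "$chart_dir" -type f -name go.mod | sort | while read -r mod; do
    # Match both go.mod forms: a line inside a "require ( ... )" block and a
    # single-line "require golang.org/x/crypto vX.Y.Z" directive.
    ver=$(awk '
      $1 == "golang.org/x/crypto" { print $2; exit }
      $1 == "require" && $2 == "golang.org/x/crypto" { print $3; exit }
    ' "$mod")
    printf '%s %s\n' "$mod" "${ver:-none}"
  done
}

# Succeed (exit 0) when a Go module version "vMAJOR.MINOR.PATCH[-suffix]" is at or
# above XCRYPTO_FIX_VERSION. Only major and minor are compared; the patch and any
# pseudo-version suffix are ignored, which is enough for a fix on a minor boundary.
xcrypto_is_fixed() {
  case "$1" in
    v[0-9]*) ;;          # plausible Go module version
    *) return 1 ;;       # "none" or anything malformed: not verified as fixed
  esac
  printf '%s\n' "$1" | awk -F'[v.]' -v fix="$XCRYPTO_FIX_VERSION" '
    BEGIN { split(fix, f, /[v.]/) }
    { ok = ($2 + 0 > f[2] + 0) || ($2 + 0 == f[2] + 0 && $3 + 0 >= f[3] + 0) }
    END { if (ok) exit 0; exit 1 }
  '
}

# Remove the vendored Go source from the chart copy used in CI.
strip_operations_source() {
  rm -rf "$1/neo4j-operations"
}

# Build a constructed chart layout so the audit can be exercised offline.
# The module path and versions below are made up for this example.
make_sample_chart() {
  dir=$(mktemp -d)
  mkdir -p "$dir/templates" "$dir/neo4j-operations"
  printf 'apiVersion: v2\nname: neo4j\nversion: 0.0.0-constructed\n' > "$dir/Chart.yaml"
  cat > "$dir/neo4j-operations/go.mod" <<'EOF'
module example.com/constructed/neo4j-operations

go 1.22

require (
    github.com/example/constructed-driver v0.0.1
    golang.org/x/crypto v0.28.0 // indirect
)
EOF
  printf '%s\n' "$dir"
}

# Audit a chart directory (one status line per go.mod found), then strip the source.
audit_chart() {
  chart_dir="$1"
  list_xcrypto_versions "$chart_dir" | while read -r mod ver; do
    if [ "$ver" = none ]; then
      status="no golang.org/x/crypto dependency"
    elif xcrypto_is_fixed "$ver"; then
      status="at or above $XCRYPTO_FIX_VERSION, CVE-2024-45337 fixed"
    else
      status="below $XCRYPTO_FIX_VERSION, CVE-2024-45337 applies"
    fi
    printf '%s: %s (%s)\n' "$mod" "$ver" "$status"
  done
  strip_operations_source "$chart_dir"
}

# Usage: sh audit_chart.sh <extracted-chart-dir>; with no argument, run on the sample.
if [ -n "${1:-}" ]; then
  audit_chart "$1"
else
  sample=$(make_sample_chart)
  audit_chart "$sample"
  rm -rf "$sample"
fi
```

Run it against the directory produced by extracting the downloaded chart tarball. The audit step is what makes the workaround defensible in a pipeline review: it records which version was actually vendored and why the directory was removed, rather than silently deleting files the scanner complained about.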
