Backlog/fix/false positive tags #2177 (Closed)

AlexSanchez-bit wants to merge 18 commits into v11 from backlog/fix/false_positive_tags

Conversation

@AlexSanchez-bit (Contributor)

Ignored false positive tagged alerts on automatic review schedule

Kbayero and others added 18 commits May 19, 2026 11:50
* refactor(filters): update macOS filter configuration

* chore(rules): remove Office365 brute force detection rule

* chore(rules): remove PowerShell Empire detection rule

* chore(rules): remove RDP brute force attacks rule
#2087)

* fix[frontend](soar/create-rule): added fixed create/edit rule undefined id error

* chore[](): updated go packages

* fix[frontend](environment):environments on gitignore and removed the actual local dev environment

* chore[](): updated go packages
#2090)

* feat[backed](elasticSearchService): added batch processing of requests and auto rebuild on IO errors

* chore[backend](): updated go dependencies

* fix[backend](elastic-service): sanitized csv before exportation and changed error messages
…es on region map visualizations (#2098)

Co-authored-by: Osmany Montero <osmontero@icloud.com>
* fix[frontend](socai): added default template for empty previous socai config (#2092)

* fix[frontend](socai): added default template for empty previous socai configuration

* fix[frontend](socai): setted customHeaders as password key type

* fix[frontend](socai): dont let empty description on modules

* fix[backend](socai): generate the modulegroup with new keys if no other exists on db

* fix[backend](changeset): added customHeader entries as password type
Remediate 22 known CVEs including CVE-2026-42945 (actively exploited in the wild for RCE). nginx:1.19.5 (Oct 2020) was affected by buffer overflows, memory disclosure, HTTP/2 injection, SSL session reuse, and multiple other vulnerabilities patched in the 1.30.1 stable release.
* fix[backend](socai): changed socai default module keys

* fix[backend](modules): added default keys on module creation response

* fix[frontend](socai): handled empty (disabled) module configuration
* fix[frontend](rules): improved post event count validation

* fix[frontend](tag_rules): added events related fields on tag rule creation

---------

Co-authored-by: Osmany Montero <osmontero@icloud.com>
…st filtering reinforcement (#2107)

* fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement

* chore[](): updated go packages
…medium) (#2103)

- google.golang.org/grpc: 1.78.0 -> 1.79.3 (GHSA-p77j-4mvh-x3m3, critical)
- github.com/jackc/pgx/v5: 5.8.0 -> 5.9.2 (GHSA-9jj7-4m8r-rfcm critical, GHSA-j88v-2chj-qfwx low)
- go.opentelemetry.io/otel: 1.39.0 -> 1.41.0 (GHSA-mh2q-q3fh-2475, high)
- com.itextpdf:itext7-core: 7.1.7 -> 7.2.0 (GHSA-hhh6-cm2m-3fhc, GHSA-8c9h-4q7g-fp7h, GHSA-c32g-2mgr-cfq7, medium x3)
- org.postgresql:postgresql: 42.7.2 -> 42.7.11 (GHSA-98qh-xjc8-98pq, high)

Signed-off-by: Osmany Montero <osmontero@icloud.com>
@AlexSanchez-bit AlexSanchez-bit requested a review from a team June 8, 2026 16:36
github-actions Bot commented Jun 8, 2026

❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.23
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.22
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.1
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.41.12
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.23
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.22
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.1
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

❌ Please update dependencies before merging.

github-actions Bot commented Jun 8, 2026

🛑 AI review — Engineer review required

This PR touches critical paths or introduces changes the model cannot judge with sufficient confidence. @Kbayero @osmontero please review.

🛑 architecture (gemini-3-flash-lite) — Tier 3 — engineer review required

Summary: PR includes significant structural changes to Elasticsearch client handling, CSV export streaming, and CI/CD infrastructure.

  • high backend/src/main/java/com/park/utmstack/service/elasticsearch/OpensearchClientBuilder.java:34 — Introduces a volatile singleton client with a rebuild/retry mechanism. This is a critical path change for DB connectivity that requires careful review to ensure thread safety and avoid connection leaks during rebuilds.
  • medium backend/src/main/java/com/park/utmstack/service/elasticsearch/ElasticsearchService.java:361 — New searchStream method implements manual search_after pagination. This is a complex, stateful operation that should be verified for correctness against the existing SearchUtil/ElasticsearchService patterns.
  • high .github/workflows/pr-checks.yml:1 — Major overhaul of CI/CD infrastructure. Introduces a new tiered approval model, custom AI-based review scripts, and a complex 'approver' job that manages PR state, sticky comments, and auto-merge logic.
  • medium backend/src/main/java/com/park/utmstack/util/UtilCsv.java:115 — New CSV streaming implementation. While it improves memory usage, it introduces custom CSV sanitization logic that must be verified against potential CSV injection vulnerabilities.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Potential resource leak in CSV export and missing error handling in CSV stream.

  • medium backend/src/main/java/com/park/utmstack/web/rest/elasticsearch/ElasticsearchResource.java:200 — The searchToCsv method is truncated in the diff, but the implementation of CSV export in ElasticsearchResource.java lacks a try-with-resources block for the CSVPrinter. This will cause a resource leak if an exception occurs during streaming.
  • medium backend/src/main/java/com/park/utmstack/util/UtilCsv.java:75 — In UtilCsv.java, the prepareToDownload method does not handle potential IOExceptions from the response writer, which could leave the connection in an inconsistent state.

🛑 security (gemini-3-flash-lite) — Tier 3 — engineer review required

Summary: The PR introduces significant changes to the CI/CD pipeline, including a new automated approver system and AI-based review logic, which are security-critical paths.

  • medium .github/workflows/README.md:165 — The documentation contains internal GitHub handles ('Kbayero', 'osmontero') and internal team names ('utmstack/administrators', 'utmstack/core-developers'). These should be removed to prevent internal information disclosure.
  • high .github/scripts/approver.sh:250 — The script performs team membership checks using an API_SECRET. If this secret is compromised or misconfigured, it could lead to unauthorized PR approvals and auto-merges. Ensure the PAT has the minimum required scope (read:org) and is rotated regularly.
  • medium .github/scripts/ai-review.sh:105 — The script uses curl to send PR diffs to an external AI endpoint. Ensure that the THREATWINDS_BASE_URL and the API keys are handled securely and that the AI provider's privacy policy complies with internal data handling requirements.
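
The bugs and architecture findings above both concern the backend CSV export: closing the CSVPrinter so that a failure mid-stream cannot leak it, and neutralising cells that a spreadsheet would evaluate as formulas. The following is an added example, not the project's UtilCsv or ElasticsearchResource code; it assumes Apache Commons CSV, and the names sanitizeCell, streamCsv and CsvExportExample are hypothetical.

```java
import java.io.IOException;
import java.io.Writer;
import java.util.List;
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVPrinter;

public final class CsvExportExample {
    // Leading characters that make spreadsheet applications evaluate a cell as a formula.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    /**
     * Formula-injection mitigation: a cell whose first non-blank character is a
     * formula trigger gets a leading apostrophe, which forces text interpretation.
     * Plain numbers (e.g. "-5") are left alone so negative values are not mangled.
     * Commas and quotes are escaped by CSVFormat itself; this only covers formula triggers.
     */
    static String sanitizeCell(Object value) {
        if (value == null) return "";
        String s = value.toString();
        if (s.matches("-?\\d+(\\.\\d+)?")) return s;
        int i = 0;
        while (i < s.length() && Character.isWhitespace(s.charAt(i))) i++;
        if (i < s.length() && FORMULA_TRIGGERS.indexOf(s.charAt(i)) >= 0) {
            return "'" + s;
        }
        return s;
    }

    /**
     * Streams rows to the response writer. The printer lives in try-with-resources,
     * so an IOException thrown while iterating still closes it instead of leaking it.
     */
    static void streamCsv(Writer out, List<String> header, Iterable<List<Object>> rows) throws IOException {
        CSVFormat format = CSVFormat.DEFAULT.builder()
                .setHeader(header.toArray(new String[0]))
                .build();
        try (CSVPrinter printer = new CSVPrinter(out, format)) {
            for (List<Object> row : rows) {
                Object[] cells = new Object[row.size()];
                for (int c = 0; c < cells.length; c++) {
                    cells[c] = sanitizeCell(row.get(c));
                }
                printer.printRecord(cells);
            }
            printer.flush();
        }
    }
}
```

With this layout a constructed cell such as "=HYPERLINK(...)" is written as "'=HYPERLINK(...)", while a caller that fails halfway through the rows still leaves the printer closed.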

utmstackprapprover Bot left a comment

Changes requested — see approver comments above.
