background-checks's People

Contributors

flossypurse avatar robholland avatar smittyweygant avatar tsurdilo avatar


background-checks's Issues

[Bug] 'CandidateEmail' not supported for standard visibility

What are you really trying to do?

I would like to explore the sample app and verify that list filters work, but get an internal server error instead.

Describe the bug

Cannot execute a filter expression because standard visibility is not enabled.

Minimal Reproduction

$ cd background-checks
$ ./start
$ ./run-cli bgc-company list --email [email protected]
2023/08/17 13:59:37 request error: Internal Server Error: invalid query: unable to convert filter expression: unable to convert left side of "CandidateEmail = '[email protected]'": filter by 'CandidateEmail' not supported for standard visibility

Environment/Versions

MacOs Ventura 13.5
Intel i9

Using the default docker compose project included in the repo.

Additional context

[Bug] Empty Search Attributes

What are you really trying to do?

I would like to view the status of all current workflow executions, but the status is empty.

Describe the bug

I started a new workflow and then listed the running workflows, but the status and email are empty.

Minimal Reproduction

$ cd background-checks
$ ./start
$ ./run-cli bgc-company --email [email protected]
Created check
$ ./run-cli bgc-company list
Background Checks:
ID: <RUN_ID> Email:  Status: 

Environment/Versions

MacOS 13.5 Ventura
Intel i9
commit: 0425e40

Candidate Details not provided during Start or Accept activities

Currently, the only Candidate Details that are entered by the Company or Candidate are the Candidate's email address.

To enable background checks for a set of sample Candidates, we also need to be able to accept:

  • Candidate Full Name
  • Candidate Employer
  • Candidate SSN

Proposed solution is for Full Name, Employer and SSN to be entered by Candidate during Accept step.

github.com/prometheus/client_golang-v1.11.0: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/prometheus/client_golang-v1.11.0

Prometheus instrumentation library for Go applications

Vulnerabilities

CVE             Severity  CVSS  Dependency                                   Type    Fixed in  Remediation Available
CVE-2022-21698  High      7.5   github.com/prometheus/client_golang-v1.11.0  Direct  v1.11.1

Details

CVE-2022-21698

Vulnerable Library - github.com/prometheus/client_golang-v1.11.0

Prometheus instrumentation library for Go applications

Dependency Hierarchy:

  • github.com/prometheus/client_golang-v1.11.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
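The workaround the advisory lists last but one, a middleware placed in front of the instrumented handler that refuses unknown request methods, is shown below as an added example; it is not code from this repository or from client_golang. To keep it stand-alone it replaces the promhttp metric with an in-memory counter keyed by method (one map key per label value stands in for one time series), and the set of accepted methods is an assumption for a service that only serves the usual verbs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Methods this service actually serves (assumption for the example).
// Anything else is answered before the instrumented handler runs.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodDelete: true, http.MethodOptions: true,
}

// MethodCounter stands in for a promhttp counter with a "method" label:
// one map key per distinct method string. Without a guard, every junk
// method a client sends becomes a new key, which is the unbounded
// cardinality the advisory describes.
type MethodCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewMethodCounter() *MethodCounter {
	return &MethodCounter{counts: map[string]int{}}
}

func (c *MethodCounter) Inc(method string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[method]++
}

// Series returns how many distinct label values the counter holds.
func (c *MethodCounter) Series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// Instrumented records the request method and then serves the request,
// the way an InstrumentHandler* middleware with a method label would.
func Instrumented(c *MethodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.Inc(r.Method)
		next.ServeHTTP(w, r)
	})
}

// RejectUnknownMethods is the sanitizing middleware. It must wrap the
// instrumented handler (sit in front of it) so that an unknown method is
// answered with 405 before any metric label is created.
func RejectUnknownMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			w.Header().Set("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Simulate sends one request per method through h and returns the number
// of label values the counter ended up with plus the response codes.
func Simulate(h http.Handler, c *MethodCounter, methods []string) (int, []int) {
	var statuses []int
	for _, m := range methods {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(m, "/healthz", nil)
		h.ServeHTTP(rec, req)
		statuses = append(statuses, rec.Code)
	}
	return c.Series(), statuses
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	// Constructed sample traffic: two real methods and three junk ones.
	methods := []string{"GET", "POST", "FOO", "BAR", "BAZ"}

	unguarded := NewMethodCounter()
	n, _ := Simulate(Instrumented(unguarded, ok), unguarded, methods)
	fmt.Println("unguarded series:", n) // 5: each junk method is a new label value

	guarded := NewMethodCounter()
	n, statuses := Simulate(RejectUnknownMethods(Instrumented(guarded, ok)), guarded, methods)
	fmt.Println("guarded series:", n, "statuses:", statuses) // 2 [200 200 405 405 405]
}
```

The order of wrapping is the whole point: `Instrumented(RejectUnknownMethods(...))` would still count the junk methods before rejecting them, so the guard has to be the outermost layer, exactly where a reverse proxy or WAF method allowlist (the advisory's other workaround) would sit.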

Publish Date: 2022-02-15

URL: CVE-2022-21698

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1

github.com/stretchr/testify-v1.7.0: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/stretchr/testify-v1.7.0

Vulnerabilities

CVE             Severity  CVSS  Dependency                                                         Type        Fixed in  Remediation Available
CVE-2022-28948  High      7.5   github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc  Transitive  N/A

Details

CVE-2022-28948

Vulnerable Library - github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/stretchr/testify-v1.7.0 (Root Library)
    • github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-hp87-p4gw-j4gq

Release Date: 2022-05-19

Fix Resolution: 3.0.0

github.com/prometheus/Client_golang-v1.11.0: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/prometheus/Client_golang-v1.11.0

Library home page: https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.11.0.zip

Same finding as the CVE-2022-21698 report above, opened again for the library name with different casing; vulnerability details, CVSS 3 metrics (7.5), origin GHSA-cg3q-j54f-5p7p and fix resolution v1.11.1 are identical.

github.com/prometheus/client_goLang-v1.11.0: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/prometheus/client_goLang-v1.11.0

Library home page: https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.11.0.zip

Same finding as the CVE-2022-21698 report above, opened again for the library name with different casing; vulnerability details, CVSS 3 metrics (7.5), origin GHSA-cg3q-j54f-5p7p and fix resolution v1.11.1 are identical.

[Bug] search attribute CandidateEmail is not defined

What are you really trying to do?

I follow the instructions and it fails on step: ./run-cli bgc-company start --email [email protected] --package full

Describe the bug

When starting workflow, I get an error message: Internal Server Error: search attribute CandidateEmail is not defined

Minimal Reproduction

Clone repo:

git clone [email protected]:temporalio/background-checks.git
cd background-checks
./start

and try to run:

./run-cli bgc-company start --email [email protected] --package full

Environment/Versions

Latest code from main branch, commit ref f06ca38

  • OS and processor: Linux on amd64
  • Temporal Version: [e.g. 1.14.0?] and/or SDK version
  • using Docker

Additional context

Bug: Failure to verify an SSN should be recorded

Currently our code does not allow an SSN trace to come back as invalid. We should expect this to be possible and cleanly handle this as part of the report. This will be similar to the case when a check was declined, just one step further on.

Refactor: Employment verification state

EmploymentVerified should move to EmploymentVerificationWorkflowResult alongside EmploymentVerificationCompleted rather than living in (a duplicated copy of) CandidateDetails.
