Zhen Chen created CALCITE-7469:
----------------------------------
Summary: Read-all and Write-all permissions should not be used
Key: CALCITE-7469
URL: https://issues.apache.org/jira/browse/CALCITE-7469
Project: Calcite
Issue Type: Wish
Reporter: Zhen Chen
```
[.github/workflows/{*}stale.yml{*}:34|https://github.com/apache/calcite/blob/5bf40d5dc64cbb2d875737d1e1ebcc699ad73abc/.github/workflows/stale.yml#L34-L34]
|default: 30|
|type: number|
||
|permissions: read-all|
| Warning
Read-all and Write-all permissions should not be used
Replace "read-all" with specific permissions (e.g., "contents: read"). See more
on [SonarQube Cloud|https://sonarcloud.io/project/issues?id=apache_calcite&issues=AZtI5cnztI5KoMOh1yoM&open=AZtI5cnztI5KoMOh1yoM]
SonarCloud|
|jobs:|
|stale:|
|runs-on: ubuntu-latest|
h2. Rule
h3. Tool
SonarCloud
h3. Rule ID
githubactions:S8234
h3. Description
Using {{permissions: read-all}} or {{permissions: write-all}} grants all read
or write permissions to a job, violating the principle of least privilege. Jobs
should only have the specific permissions they need.
h2. Activity
First detected in commit last week
CALCITE-6300 Function MAP_VALUES/MAP_KEYS gives exception when mapV…
([ac81f75|https://github.com/apache/calcite/commit/ac81f758da2de2023713bbae594b1deea83a9e1d])
.github/workflows/stale.yml:34 on branch main
Appeared in branch main last week
Commit
[ac81f758|https://github.com/apache/calcite/commit/ac81f758da2de2023713bbae594b1deea83a9e1d]
```
Link is here: https://github.com/apache/calcite/security/code-scanning/173
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
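
A line-based check for the shorthand grants described in the rule above, as an added example that is not part of the original issue or of Calcite's code. The function name and the sample workflow are constructed for illustration, and the scan is a text match, not a full YAML parse.

```python
import re

# "permissions: read-all" or "permissions: write-all" on one line, optionally
# quoted and followed by a comment. Commented-out lines do not match.
BROAD = re.compile(
    r"""^(?P<indent>\s*)permissions\s*:\s*["']?(?P<value>read-all|write-all)["']?\s*(?:#.*)?$"""
)

# Constructed sample workflow (not the Calcite stale.yml).
SAMPLE = """\
name: stale
on:
  schedule:
    - cron: "0 0 * * *"
permissions: read-all
jobs:
  stale:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - run: echo "constructed step"
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
"""


def find_broad_permissions(workflow_text):
    """Return (line_number, scope, value) for every shorthand grant found."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = BROAD.match(line)
        if match:
            # No indentation means the workflow-level default for all jobs.
            scope = "job" if match.group("indent") else "workflow"
            findings.append((lineno, scope, match.group("value")))
    return findings


if __name__ == "__main__":
    for lineno, scope, value in find_broad_permissions(SAMPLE):
        print(f'line {lineno}: {scope}-level "permissions: {value}"; '
              'replace with specific permissions (e.g., "contents: read")')
```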