[
https://issues.apache.org/jira/browse/CALCITE-7469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Zhen Chen updated CALCITE-7469:
-------------------------------
Summary: Read-all and Write-all permissions should not be used (was:
ead-all and Write-all permissions should not be used)
> Read-all and Write-all permissions should not be used
> -----------------------------------------------------
>
> Key: CALCITE-7469
> URL: https://issues.apache.org/jira/browse/CALCITE-7469
> Project: Calcite
> Issue Type: Wish
> Reporter: Zhen Chen
> Priority: Minor
>
> ```
> [.github/workflows/stale.yml:34|https://github.com/apache/calcite/blob/5bf40d5dc64cbb2d875737d1e1ebcc699ad73abc/.github/workflows/stale.yml#L34-L34]
>
>
> |default: 30|
> |type: number|
> ||
> |permissions: read-all|
> | Warning
> Read-all and Write-all permissions should not be used
> Replace "read-all" with specific permissions (e.g., "contents: read"). See
> more on [SonarQube
> Cloud|https://sonarcloud.io/project/issues?id=apache_calcite&issues=AZtI5cnztI5KoMOh1yoM&open=AZtI5cnztI5KoMOh1yoM]
> SonarCloud|
> |jobs:|
> |stale:|
> |runs-on: ubuntu-latest|
> h2. Rule
> h3. Tool
> SonarCloud
> h3. Rule ID
> githubactions:S8234
> h3. Description
> Using {{permissions: read-all}} or {{permissions: write-all}} grants all read
> or write permissions to a job, violating the principle of least privilege.
> Jobs should only have the specific permissions they need.
>
> h2. Activity
>
> First detected in commit last week
>
> [CALCITE-6300 Function MAP_VALUES/MAP_KEYS gives exception when mapV…|https://github.com/apache/calcite/commit/ac81f758da2de2023713bbae594b1deea83a9e1d]
>
> {{[ac81f75|https://github.com/apache/calcite/commit/ac81f758da2de2023713bbae594b1deea83a9e1d]}} .github/workflows/stale.yml:34 on branch main
>
> Appeared in branch main last week
> Commit
> [ac81f758|https://github.com/apache/calcite/commit/ac81f758da2de2023713bbae594b1deea83a9e1d]
> ```
>
>
> Link is here: https://github.com/apache/calcite/security/code-scanning/173
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
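The check described in the issue above can be approximated locally before a scanner runs. The following is an added example, not code from Calcite or SonarCloud: a line-based scan (no YAML parser) that reports `read-all` / `write-all` grants and whether they sit at workflow or job scope. The function name and the sample workflow are constructed for illustration.

```python
import re

# "permissions: read-all" / "permissions: write-all", optionally quoted or commented.
BROAD = re.compile(
    r"^(\s*)permissions:\s*['\"]?(read-all|write-all)['\"]?\s*(#.*)?$")
KEY = re.compile(r"^(\s*)([A-Za-z0-9_-]+):")


def find_broad_permissions(workflow_text):
    """Return (line_no, scope, value) for every blanket permissions grant."""
    findings = []
    in_jobs, job_indent, job = False, None, None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = KEY.match(line)
        if key:
            indent = len(key.group(1))
            if indent == 0:
                # A new top-level key ends (or starts) the jobs: block.
                in_jobs = key.group(2) == "jobs"
                job_indent, job = None, None
            elif in_jobs and (job_indent is None or indent == job_indent):
                # First indentation level under jobs: holds the job names.
                job_indent, job = indent, key.group(2)
        hit = BROAD.match(line)
        if hit:
            scope = "workflow" if not hit.group(1) else f"job:{job}"
            findings.append((no, scope, hit.group(2)))
    return findings


# Constructed sample workflow (not the real stale.yml).
SAMPLE = """\
on:
  workflow_dispatch:
permissions: read-all
jobs:
  stale:
    runs-on: ubuntu-latest
  publish:
    permissions: write-all
    runs-on: ubuntu-latest
  lint:
    permissions:
      contents: read
"""

if __name__ == "__main__":
    for no, scope, value in find_broad_permissions(SAMPLE):
        print(f"line {no}: {scope} uses permissions: {value}")
```

A workflow-level finding applies to every job that does not declare its own `permissions` block, so it is the one to narrow first.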