
[Snyk] OWSLib Vulnerability #4231

Closed

nickumia-reisys opened this issue Mar 9, 2023 · 7 comments

Labels: bug (Software defect or bug), compliance (Relating to security compliance or documentation)
Milestone: March 2023

Comments


nickumia-reisys commented Mar 9, 2023

Please keep any sensitive details in Google Drive.

Date of report: 03/09/2023
Severity: High
Due date: 04/09/2023

Due date is based on severity and described in RA-5: 15 days for Critical, 30 days for High, and 90 days for Moderate and lower.

  • Analysis has been performed and an issue has been linked to address other occurrences for this class of vulnerability* (link)

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Brief description

From our automated Snyk scans, the above vulnerability in the owslib package was highlighted. After an investigation of our GitHub Action tests, it seems like it is breaking the CSW harvest jobs.

@nickumia-reisys nickumia-reisys added compliance Relating to security compliance or documentation bug Software defect or bug labels Mar 9, 2023
@hkdctol hkdctol added this to the March 2023 milestone Mar 9, 2023
@hkdctol hkdctol moved this to 📔 Product Backlog in data.gov team board Mar 9, 2023

hkdctol commented Mar 9, 2023

For one thing, check on the need for the existing CSW harvest sources. Perhaps not use the CSW harvest source at all but get a single harvest record.

@hkdctol hkdctol self-assigned this Mar 9, 2023

hkdctol commented Mar 9, 2023

We might fix on our own. Also XML from trusted sources.

@hkdctol hkdctol moved this from 📔 Product Backlog to 📟 Sprint Backlog [7] in data.gov team board Mar 23, 2023
@hkdctol hkdctol moved this from 📟 Sprint Backlog [7] to 📔 Product Backlog in data.gov team board Mar 23, 2023
@hkdctol hkdctol moved this from 📔 Product Backlog to 📟 Sprint Backlog [7] in data.gov team board Mar 30, 2023
@btylerburton btylerburton self-assigned this Apr 4, 2023
@btylerburton btylerburton moved this from 📟 Sprint Backlog [7] to 🏗 In Progress [8] in data.gov team board Apr 4, 2023
@github-project-automation github-project-automation bot moved this from 🏗 In Progress [8] to ✔ Done in data.gov team board Apr 7, 2023
@btylerburton btylerburton reopened this Apr 7, 2023
@github-project-automation github-project-automation bot moved this from ✔ Done to 📟 Sprint Backlog [7] in data.gov team board Apr 7, 2023
@btylerburton btylerburton moved this from 📟 Sprint Backlog [7] to 🏗 In Progress [8] in data.gov team board Apr 7, 2023
nickumia-reisys (author) commented

@btylerburton It seems like the CSW Harvest source is failing on main with the older version of owslib now... so... it might be unrelated now?

000_harvest.cy.js.mp4

nickumia-reisys added a commit to GSA/catalog.data.gov that referenced this issue Apr 11, 2023
We are still working on the solution... GSA/data.gov#4231
nickumia-reisys added a commit to GSA/catalog.data.gov that referenced this issue Apr 11, 2023
This is an ongoing issue and it is unnecessarily holding up our pipeline... GSA/data.gov#4231
btylerburton commented

The upgrades to owslib broke the CSW service in deep and unidentifiable ways. After some consideration, since CSW is deprecated as a data source, the team has decided to remove support for the CSW format. Closing this.

@github-project-automation github-project-automation bot moved this from 🏗 In Progress [8] to ✔ Done in data.gov team board Apr 12, 2023
@btylerburton btylerburton reopened this Apr 12, 2023
@github-project-automation github-project-automation bot moved this from ✔ Done to 📟 Sprint Backlog [7] in data.gov team board Apr 12, 2023
btylerburton commented

Leaving open as the vulnerability will still need to be addressed. Moving to blocked until we do that.

@btylerburton btylerburton moved this from 📟 Sprint Backlog [7] to 📡 Blocked in data.gov team board Apr 12, 2023
btylerburton commented

Fixed in GSA/catalog.data.gov#921

@github-project-automation github-project-automation bot moved this from 📡 Blocked to ✔ Done in data.gov team board Apr 13, 2023
nickumia-reisys (author) commented

For full transparency, I believe this is the starting point for why/when/how we stopped supporting CSW Harvesting.
