[BP V6] Bug #12827: Fix cas access-log buffering #1860

lgheribi · 2024-05-15T08:08:54Z

Description

Désactivation du buffering des access-logs de CAS + fix du pattern de log (backport v6.x)

Contributeur

VAS (Vitam Accessible en Service)

vitam-devops · 2024-05-15T08:24:22Z

Checkmarx One – Scan Summary & Details – 7360de80-7ac9-4665-b938-9785a13b119e

New Issues

Issue	Source File / Package	Checkmarx Insight
CVE-2015-4852	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-6420	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-7501	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2016-2170	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2019-15599	Npm-tree-kill-1.2.1	Vulnerable Package
CVE-2020-13936	Maven-org.apache.velocity:velocity-1.7	Vulnerable Package
CVE-2020-28491	Maven-com.fasterxml.jackson.dataformat:jackson-dataformat-cbor-2.6.7	Vulnerable Package
CVE-2020-28502	Npm-xmlhttprequest-ssl-1.5.5	Vulnerable Package
CVE-2020-36048	Npm-engine.io-3.2.1	Vulnerable Package
CVE-2020-36049	Npm-socket.io-parser-3.2.0	Vulnerable Package
CVE-2020-7660	Npm-serialize-javascript-1.9.1	Vulnerable Package
CVE-2020-7788	Npm-ini-1.3.5	Vulnerable Package
CVE-2021-31597	Npm-xmlhttprequest-ssl-1.5.5	Vulnerable Package
CVE-2021-33813	Maven-org.jdom:jdom2-2.0.6	Vulnerable Package
CVE-2021-37136	Maven-io.netty:netty-codec-4.1.65.Final	Vulnerable Package
CVE-2021-37137	Maven-io.netty:netty-codec-4.1.65.Final	Vulnerable Package
CVE-2021-40690	Maven-org.apache.santuario:xmlsec-2.1.6	Vulnerable Package
CVE-2021-43466	Maven-org.thymeleaf:thymeleaf-spring5-3.0.12.RELEASE	Vulnerable Package
CVE-2022-0265	Maven-com.hazelcast:hazelcast-4.2.2	Vulnerable Package
CVE-2022-2421	Npm-socket.io-parser-3.2.0	Vulnerable Package
CVE-2022-25857	Maven-org.yaml:snakeyaml-1.29	Vulnerable Package
CVE-2022-25857	Maven-org.yaml:snakeyaml-1.28	Vulnerable Package
CVE-2022-28366	Maven-net.sourceforge.htmlunit:neko-htmlunit-2.24	Vulnerable Package
CVE-2022-36437	Maven-com.hazelcast:hazelcast-4.2.2	Vulnerable Package
CVE-2022-42252	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63	Vulnerable Package
CVE-2022-45143	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63	Vulnerable Package
CVE-2023-24998	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-classic-1.2.9	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-core-1.2.9	Vulnerable Package
CVE-2023-6481	Maven-ch.qos.logback:logback-core-1.2.9	Vulnerable Package
Client_DOM_XSS	/cas/cas-server/src/main/resources/static/js/duo/Duo-Web-v2.min.js: 136	Attack Vector
Cxb3498186-093f	Maven-org.freemarker:freemarker-2.3.29	Vulnerable Package
Cxb3498186-093f	Maven-org.freemarker:freemarker-2.3.20	Vulnerable Package
Passwords And Secrets - Generic Password	/vitamui_vars.yml: 298	Query to find passwords and secrets in infrastructure code.
Reflected_XSS_All_Clients	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118	Attack Vector
Reflected_XSS_All_Clients	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118	Attack Vector
Absolute_Path_Traversal	/api/api-referential/referential-internal/src/main/java/fr/gouv/vitamui/referential/internal/server/rest/OntologyInternalController.java: 186	Attack Vector
Absolute_Path_Traversal	/ui/ui-pastis/src/main/java/fr/gouv/vitamui/pastis/rest/ProfileController.java: 245	Attack Vector
Absolute_Path_Traversal	/ui/ui-referential/src/main/java/fr/gouv/vitamui/referential/rest/RuleController.java: 219	Attack Vector
Absolute_Path_Traversal	/ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/rest/RuleController.java: 211	Attack Vector
Absolute_Path_Traversal	/ui/ui-pastis/src/main/java/fr/gouv/vitamui/pastis/rest/ArchivalProfileUnitController.java: 211	Attack Vector
Absolute_Path_Traversal	/ui/ui-pastis/src/main/java/fr/gouv/vitamui/pastis/rest/PastisController.java: 99	Attack Vector
Absolute_Path_Traversal	/api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/ProfileExternalController.java: 209	Attack Vector
Absolute_Path_Traversal	/api/api-referential/referential-internal/src/main/java/fr/gouv/vitamui/referential/internal/server/rest/ProfileInternalController.java: 199	Attack Vector
Absolute_Path_Traversal	/api/api-referential/referential-internal/src/main/java/fr/gouv/vitamui/referential/internal/server/rest/FileFormatInternalController.java: 193	Attack Vector
Absolute_Path_Traversal	/api/api-referential/referential-internal/src/main/java/fr/gouv/vitamui/referential/internal/server/rest/ArchivalProfileUnitInternalController.java: 153	Attack Vector
Absolute_Path_Traversal	/api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/ProfileExternalController.java: 150	Attack Vector
CVE-2016-10735	Npm-bootstrap-3.3.6	Vulnerable Package
CVE-2018-14040	Npm-bootstrap-3.3.6	Vulnerable Package
CVE-2018-14042	Npm-bootstrap-3.3.6	Vulnerable Package
CVE-2018-20676	Npm-bootstrap-3.3.6	Vulnerable Package
CVE-2018-20677	Npm-bootstrap-3.3.6	Vulnerable Package
CVE-2019-16769	Npm-serialize-javascript-1.9.1	Vulnerable Package
CVE-2019-8331	Npm-bootstrap-3.3.6	Vulnerable Package
CVE-2020-15366	Npm-ajv-6.10.0	Vulnerable Package
CVE-2020-15366	Npm-ajv-5.5.2	Vulnerable Package
CVE-2020-28481	Npm-socket.io-2.1.1	Vulnerable Package
CVE-2020-7693	Npm-sockjs-0.3.19	Vulnerable Package
CVE-2021-23364	Npm-browserslist-4.5.5	Vulnerable Package
CVE-2022-21704	Npm-log4js-4.5.1	Vulnerable Package
CVE-2022-24823	Maven-io.netty:netty-common-4.1.65.Final	Vulnerable Package
CVE-2022-38749	Maven-org.yaml:snakeyaml-1.28	Vulnerable Package
CVE-2022-38749	Maven-org.yaml:snakeyaml-1.29	Vulnerable Package
CVE-2022-38750	Maven-org.yaml:snakeyaml-1.28	Vulnerable Package
CVE-2022-38750	Maven-org.yaml:snakeyaml-1.29	Vulnerable Package
CVE-2022-38751	Maven-org.yaml:snakeyaml-1.28	Vulnerable Package
CVE-2022-38751	Maven-org.yaml:snakeyaml-1.29	Vulnerable Package
CVE-2022-38752	Maven-org.yaml:snakeyaml-1.29	Vulnerable Package
CVE-2022-38752	Maven-org.yaml:snakeyaml-1.28	Vulnerable Package
CVE-2022-41854	Maven-org.yaml:snakeyaml-1.29	Vulnerable Package
CVE-2022-41854	Maven-org.yaml:snakeyaml-1.28	Vulnerable Package
CVE-2022-41940	Npm-engine.io-3.2.1	Vulnerable Package
CVE-2023-28708	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63	Vulnerable Package
CVE-2024-25710	Maven-org.apache.commons:commons-compress-1.21	Vulnerable Package
CVE-2024-26308	Maven-org.apache.commons:commons-compress-1.21	Vulnerable Package
Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 153	Attack Vector
Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 169	Attack Vector
Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 166	Attack Vector
Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/user/service/UserEmailInternalService.java: 99	Attack Vector
Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 79	Attack Vector
Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/provider/ExternalApiAuthenticationProvider.java: 88	Attack Vector
Client_Privacy_Violation	/cas/cas-server/src/main/resources/static/js/passwordMeter.js: 23	Attack Vector
Container Traffic Not Bound To Host Interface	/mongo_cluster.yml: 58	Incoming container traffic should be bound to a specific host interface
Container Traffic Not Bound To Host Interface	/mongo_cluster.yml: 37	Incoming container traffic should be bound to a specific host interface
Container Traffic Not Bound To Host Interface	/mongo_cluster.yml: 15	Incoming container traffic should be bound to a specific host interface
Cxf0b588a3-5c6f	Npm-jquery-2.2.4	Vulnerable Package
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 3286	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 3300	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 3300	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/doas.py: 118	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 3286	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 809	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 809	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 809	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 3283	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 3300	Attack Vector
Filtering_Sensitive_Logs	/deployment/lib/mitogen-0.2.9/mitogen/core.py: 3300	Attack Vector
Healthcheck Not Set	/mongo_cluster.yml: 26	Check containers periodically to see if they are running properly.
Healthcheck Not Set	/mongo_cluster.yml: 47	Check containers periodically to see if they are running properly.
HttpOnlyCookies	/ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/security/CookieClearingLogoutHandler.java: 64	Attack Vector
Memory Not Limited	/mongo_cluster.yml: 26	Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t...
Memory Not Limited	/mongo_cluster.yml: 47	Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t...
Object_Access_Violation	/deployment/lib/mitogen-0.2.9/mitogen/utils.py: 125	Attack Vector
Path_Traversal	/deployment/lib/mitogen-0.2.9/mitogen/compat/tokenize.py: 451	Attack Vector
Privacy_Violation	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118	Attack Vector
Privacy_Violation	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118	Attack Vector
Privacy_Violation	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 110	Attack Vector
Privacy_Violation	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118	Attack Vector
Privacy_Violation	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118	Attack Vector
Privacy_Violation	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 110	Attack Vector
Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 183	Attack Vector
Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 183	Attack Vector
Privacy_Violation	/api/api-iam/iam-internal-client/src/main/java/fr/gouv/vitamui/iam/internal/client/UserInternalRestClient.java: 84	Attack Vector
Privacy_Violation	/ui/ui-identity/src/main/java/fr/gouv/vitamui/identity/service/ProviderService.java: 214	Attack Vector
Privacy_Violation	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 111	Attack Vector
Privacy_Violation	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 110	Attack Vector
Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/idp/converter/IdentityProviderConverter.java: 155	Attack Vector
Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 185	Attack Vector
Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 135	Attack Vector
Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 183	Attack Vector
Privacy_Violation	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 100

More results are available on AST platform

GiooDev · 2024-09-19T16:21:24Z

On merge ? :)

lgheribi added 2 commits May 15, 2024 10:04

Bug #12827: Fix CAS accesslog pattern

2582fc0

Bug #12827: Fix cas access-log buffering

956bf26

lgheribi added the OPS REVIEW Mandatory if deployment/ directory is modified. label May 15, 2024

lgheribi added this to the IT 135 milestone May 15, 2024

lgheribi self-assigned this May 15, 2024

lgheribi changed the base branch from develop to master_6.x May 15, 2024 09:02

GiooDev approved these changes May 15, 2024

View reviewed changes

bbenaissa approved these changes May 15, 2024

View reviewed changes

ebernard approved these changes May 15, 2024

View reviewed changes

GiooDev modified the milestones: IT 135, IT 136 May 17, 2024

GiooDev modified the milestones: IT 136, IT 137 Jun 12, 2024

GiooDev modified the milestones: IT 137, IT 143 Oct 28, 2024

GiooDev merged commit f6b459a into master_6.x Oct 29, 2024
1 check passed

GiooDev deleted the bug_12827_6.x branch October 29, 2024 08:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BP V6] Bug #12827: Fix cas access-log buffering #1860

[BP V6] Bug #12827: Fix cas access-log buffering #1860

lgheribi commented May 15, 2024

vitam-devops commented May 15, 2024

GiooDev commented Sep 19, 2024

[BP V6] Bug #12827: Fix cas access-log buffering #1860

[BP V6] Bug #12827: Fix cas access-log buffering #1860

Conversation

lgheribi commented May 15, 2024

Description

Contributeur

vitam-devops commented May 15, 2024

New Issues

GiooDev commented Sep 19, 2024