
fix(cactus-example-supply-chain-app): mitigate CVE-2022-24434 and CVE-2022-24999 #2242

Merged

Conversation

aldousalvarez (Contributor)

Fixes #2041

Signed-off-by: aldousalvarez aldousss.alvarez@gmail.com

aldousalvarez (Contributor, Author) commented Dec 23, 2022

Hello @petermetz, most of the vulnerabilities are now fixed in cactus-example-supply-chain-app, but there are still some that are not yet fixed, as you can see here. The only vulnerability (CVE-2022-2421) is still a vulnerability because the latest version of the package that is being used is still the affected version. The changes committed on this PR will fix 3 out of the 4 remaining vulnerabilities (CVE-2022-24434, CVE-2022-24999, and CVE-2022-24999) once the changes are applied, the new version is released, and the packages are updated, just like the v1.1 release.

Review thread on .github/containerscan/allowedlist.yaml (outdated, resolved)
@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2041 branch from c5cd121 to 025e788 Compare January 3, 2023 08:37
izuru0 (Contributor) left a comment

LGTM

@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2041 branch from 025e788 to 90d8e8a Compare January 5, 2023 06:11
@aldousalvarez aldousalvarez requested review from petermetz and removed request for sandeepnRES, jagpreetsinghsasan and takeutak January 11, 2023 04:46
@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2041 branch from 90d8e8a to 5ea5f51 Compare February 2, 2023 07:05
petermetz (Contributor) left a comment

@aldousalvarez LGTM, thank you!

petermetz (Contributor) left a comment

@aldousalvarez Sorry, my bad, I do need to ask that you put CVE IDs in the commit subject so that it's unique across the commit log. Other than that, we are good to go.

gitguardian bot commented Mar 29, 2023

✅ There are no secrets present in this pull request anymore.

If these secrets were true positives and are still valid, we highly recommend that you revoke them.
Once a secret has been leaked into a git repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.


@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2041 branch from 2d5cd84 to 9caa028 Compare March 29, 2023 03:28
@aldousalvarez aldousalvarez changed the title fix(security): vulnerabilities found in cactus-example-supply-chain-app fix(cactus-example-supply-chain-app): mitigate CVE-2022-24434 and CVE-2022-24999 Mar 29, 2023
aldousalvarez (Contributor, Author) commented

Hello @petermetz, I also updated the commit subject and PR title as per your requested changes on this one. Thank you.

petermetz (Contributor) left a comment

@aldousalvarez Great, thank you for the updates, LGTM!

…-2022-24999

Fixes hyperledger-cacti#2041

These changes will fix the following
vulnerabilities with their CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz force-pushed the aldousalvarez/issue2041 branch from 9caa028 to d28d5e8 Compare April 2, 2023 17:25
@petermetz petermetz merged commit d28d5e8 into hyperledger-cacti:main Apr 2, 2023
@petermetz petermetz deleted the aldousalvarez/issue2041 branch April 2, 2023 23:18
Successfully merging this pull request may close these issues.

fix(security): vulnerabilities found in cactus-example-supply-chain-app
3 participants