
fix(security): vulnerabilities found in cactus-example-supply-chain-app #2041

Closed
zondervancalvez opened this issue May 24, 2022 · 7 comments · Fixed by #2242
Labels: documentation (Improvements or additions to documentation), P3 (Priority 3: Medium), Security (Related to existing or potential security vulnerabilities), Tests (Anything related to tests, be that automatic or manual, integration or unit, etc.)

Comments

@zondervancalvez (Contributor)

List of vulnerabilities found in cactus-example-supply-chain-app image during Azure Container scan.

| VULNERABILITY ID | PACKAGE NAME | SEVERITY |
|---|---|---|
| CVE-2021-3807 | ansi-regex | HIGH |
| CVE-2021-3807 | ansi-regex | HIGH |
| CVE-2021-43138 | async | HIGH |
| CVE-2022-22143 | convict | HIGH |
| CVE-2020-8203 | lodash | HIGH |
| CVE-2021-23337 | lodash | HIGH |
| CVE-2022-24771 | node-forge | HIGH |
| CVE-2022-24772 | node-forge | HIGH |
| CVE-2021-23358 | underscore | HIGH |

@aldousalvarez (Contributor)

Hi @petermetz Can you assign me on this one? thank you!

@aldousalvarez (Contributor) commented May 30, 2022

Hello @petermetz
While examining each vulnerability, I found that both CVE-2021-23337 and CVE-2021-23358 were already fixed by PRs #1816 and #1820. Upon investigation, the package @hyperledger/cactus-plugin-ledger-connector-besu@1.0.0 at examples/cactus-example-supply-chain-backend is still using web3-eea in its latest version on NPM (https://www.npmjs.com/package/@hyperledger/cactus-plugin-ledger-connector-besu). What is the update frequency for @hyperledger/cactus-plugin-ledger-connector-besu@1.0.0? Updating the said version from the cactus base code will fix the said vulnerabilities above.

Here are the screenshots of my current issue/blocker:

  1. Lodash [screenshot: lodash supply chain app]
  2. Underscore [screenshot: UNDERSCORE Vulnerabilities issue]

@petermetz petermetz added documentation Improvements or additions to documentation Security Related to existing or potential security vulnerabilities Tests Anything related to tests be that automatic or manual, integration or unit, etc. P3 Priority 3: Medium labels May 31, 2022
@petermetz (Contributor)

> Hi @petermetz Can you assign me on this one? thank you!

@aldousalvarez Done, thank you!

@petermetz (Contributor)

> Hello @petermetz While examining each vulnerability, I found that both CVE-2021-23337 and CVE-2021-23358 were already fixed by PRs #1816 and #1820. Upon investigation, the package @hyperledger/cactus-plugin-ledger-connector-besu@1.0.0 at examples/cactus-example-supply-chain-backend is still using web3-eea in its latest version on NPM (https://www.npmjs.com/package/@hyperledger/cactus-plugin-ledger-connector-besu). What is the update frequency for @hyperledger/cactus-plugin-ledger-connector-besu@1.0.0? Updating the said version from the cactus base code will fix the said vulnerabilities above.
>
> Here are the screenshots of my current issue/blocker:
>
>   1. Lodash [screenshot: lodash supply chain app]
>   2. Underscore [screenshot: UNDERSCORE Vulnerabilities issue]

@aldousalvarez Oh, that's great, thank you for investigating! We will issue a 1.1 release soon, which will then propagate the fixes to the containers as well. I assigned the task to you, but at this point it's a no-op except for you having to make sure that this is closed with the issuance of release 1.1.
So your responsibilities here are:

  1. Wait for the 1.1.0 release and, when it happens, close this issue stating what happened and why (referring to your description above will help a lot).
  2. Mark this issue dependent on that other issue we have for releasing v1.1.0 that I'll create in a second.

@petermetz (Contributor)

Depends on #2054

@petermetz (Contributor)

Also marked this as P3 because the vulnerabilities are on a test or example container that does not get used in production at all.

@aldousalvarez (Contributor) commented Jun 2, 2022

Hello @petermetz, after examining the remaining vulnerabilities, below is the table of the proposed solutions for the remaining vulnerabilities in the supply-chain-app.

| CVE ID | Package | Solution (version) | Affected versions | Status / proposed solution |
|---|---|---|---|---|
| CVE-2021-3807 | ansi-regex | 6.0.1, 5.0.1, 4.1.1, 3.0.1 | >= 6.0.0, < 6.0.1; >= 5.0.0, < 5.0.1; >= 4.0.0, < 4.1.1; >= 3.0.0, < 3.0.1 | already the solution (version) |
| CVE-2021-3807 | ansi-regex | 6.0.1, 5.0.1, 4.1.1, 3.0.1 | >= 6.0.0, < 6.0.1; >= 5.0.0, < 5.0.1; >= 4.0.0, < 4.1.1; >= 3.0.0, < 3.0.1 | can be fixed by angular supply chain ticket #2020 |
| CVE-2021-43138 | async | 3.2.2 / 2.6.4 | >= 3.0.0, < 3.2.2; < 2.6.4 | after the latest scan, the vulnerability is already fixed and no packages are using the affected version |
| CVE-2022-22143 | convict | 6.2.3 | < 6.2.3 | already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/cactus-cmd-api-server@1.1.0) |
| CVE-2020-8203 | lodash | 4.17.20 | < 4.17.20 | already done (need to release @hyperledger/cactus-plugin-ledger-connector-besu@1.1.0 version of the package) |
| CVE-2021-23337 | lodash | 4.17.21 | < 4.17.21 | already done (need to release @hyperledger/cactus-plugin-ledger-connector-besu@1.1.0 version of the package) |
| CVE-2022-24771 | node-forge | 1.3.0 | < 1.3.0 | already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/cactus-cmd-api-server@1.1.0) |
| CVE-2022-24772 | node-forge | 1.3.0 | < 1.3.0 | can be fixed by angular supply chain ticket #2020 |
| CVE-2021-23358 | underscore | 1.12.1 | >= 1.3.2, < 1.12.1 | already done (need to release @hyperledger/cactus-plugin-ledger-connector-besu@1.1.0 version of the package) |
| **Additional vulnerabilities detected in the latest scan** | | | | |
| CVE-2022-24434 | dicer | None | <= 0.3.1 | can be fixed by upgrading express-openapi-validator to v4.13.8 at packages/cactus-core/package.json |
| CVE-2021-3918 | json-schema | 0.4.0 | < 0.4.0 | already the solution (version); no packages are using the affected version |
| CVE-2022-21190 | convict | 6.2.3 | < 6.2.3 | already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/cactus-cmd-api-server@1.1.0) |
| CVE-2022-25898 | jsrsasign | 10.5.25 | >= 4.8.0, < 10.5.25 | already the correct version based on package.json of cactus-plugin-ledger-connector-fabric (need to release @hyperledger/cactus-plugin-ledger-connector-fabric@1.1.0) |
| CVE-2022-29244 | npm | 8.11.0 | >= 7.9.0, < 8.11.0 | can be fixed by ticket #2136 |

  1. ansi-regex [screenshot: ansi regex cmd api server]
  2. ansi-regex (tested and applied the angular upgrade in the supply chain changes) [screenshot: ansi-regex after upgrade of angular]
  3. async [screenshot]
  4. convict [screenshot]
  5. node-forge [screenshot]
  6. node-forge (tested and applied the angular upgrade in the supply chain changes) [screenshot: node forge after upgrade angular supply chain]
  7. dicer: after upgrading express-openapi-validator to 4.13.8, the package that uses dicer, which is busboy, removes dicer as one of its dependencies in its latest version. Before upgrade: [screenshot: npm ls dicer at cactus core]. After upgrade: [screenshot: npm ls dicer at cactus core after upgrade]
  8. json-schema [screenshot: npm ls json-schema]
  9. convict: same solution as the first issue on convict, which fixes the vulnerability [screenshot: npm ls convict latest]
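
The comment above verifies each finding by hand with `npm ls <package>`. As an added example (not code from the cacti project or from anyone in this thread), the script below automates that check: it takes the affected-version ranges from the table above, walks a dependency tree shaped like the output of `npm ls --all --json` (name / version / dependencies), and reports every installed copy that still falls in an affected range together with the path that pulls it in, which is what you need to decide whether a direct bump or an upstream release (as with the besu connector above) is the fix. The tree in the script is constructed for illustration and `some-connector` is a hypothetical package; nothing in it is a real scan of the repository.

```javascript
// Added example: match npm-ls-style dependency trees against CVE version ranges.
// Not part of the cacti project. The SAMPLE_TREE below is constructed, not real output.

// Affected ranges copied from the table in the comment above (subset).
// A range is a space-separated conjunction of comparators, e.g. ">=3.0.0 <3.2.2".
const ADVISORIES = [
  { id: "CVE-2021-3807", pkg: "ansi-regex",
    affected: [">=6.0.0 <6.0.1", ">=5.0.0 <5.0.1", ">=4.0.0 <4.1.1", ">=3.0.0 <3.0.1"] },
  { id: "CVE-2021-43138", pkg: "async", affected: [">=3.0.0 <3.2.2", "<2.6.4"] },
  { id: "CVE-2022-22143", pkg: "convict", affected: ["<6.2.3"] },
  { id: "CVE-2021-23337", pkg: "lodash", affected: ["<4.17.21"] },
  { id: "CVE-2022-24771", pkg: "node-forge", affected: ["<1.3.0"] },
  { id: "CVE-2021-23358", pkg: "underscore", affected: [">=1.3.2 <1.12.1"] },
  { id: "CVE-2022-24434", pkg: "dicer", affected: ["<=0.3.1"] },
];

// Parse "1.2.3", "v1.2", "1.2.3-beta.1" into [major, minor, patch]; pre-release
// and build suffixes are dropped, which is a deliberate simplification.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`unparseable version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Every comparator in the range must hold for the version to be inside it.
function satisfiesRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(clause);
    const op = m[1] || "=";
    const cmp = compareVersions(version, m[2]);
    switch (op) {
      case ">=": return cmp >= 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case "<": return cmp < 0;
      default: return cmp === 0;
    }
  });
}

function isAffected(version, advisory) {
  return advisory.affected.some((r) => satisfiesRange(version, r));
}

// Depth-first walk of an `npm ls --all --json`-shaped tree. Nested copies matter:
// a patched top-level lodash does not help if a dependency bundles an old one.
function findVulnerable(tree, advisories) {
  const hits = [];
  const walk = (node, path) => {
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${depName}@${dep.version}`];
      for (const adv of advisories) {
        if (adv.pkg === depName && dep.version && isAffected(dep.version, adv)) {
          hits.push({ id: adv.id, pkg: depName, version: dep.version, path: here.join(" > ") });
        }
      }
      walk(dep, here);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample tree (NOT a real scan); "some-connector" is hypothetical.
const SAMPLE_TREE = {
  name: "sample-supply-chain-backend", version: "0.0.0",
  dependencies: {
    convict: { version: "6.2.3" },          // patched
    lodash: { version: "4.17.21" },         // patched at top level ...
    "some-connector": {
      version: "1.0.0",
      dependencies: {
        underscore: { version: "1.9.1" },   // still in the affected range
        lodash: { version: "4.17.19" },     // ... but a nested copy is not
      },
    },
    busboy: { version: "0.3.1", dependencies: { dicer: { version: "0.3.0" } } },
    async: { version: "3.2.4" },            // outside both affected ranges
  },
};

function report(tree = SAMPLE_TREE, advisories = ADVISORIES) {
  const hits = findVulnerable(tree, advisories);
  for (const h of hits) console.log(`${h.id}: ${h.pkg}@${h.version} via ${h.path}`);
  return hits;
}

if (typeof require !== "undefined" && require.main === module) report();
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of `npm ls --all --json` output; the path column tells you which direct dependency has to be bumped or re-released for the finding to disappear, and an empty result for a package is the same evidence the `npm ls` screenshots above provide.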

aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Dec 23, 2022
Fixes hyperledger-cacti#2041

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Dec 23, 2022
Fixes hyperledger-cacti#2041

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 3, 2023
Fixes hyperledger-cacti#2041

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 5, 2023
Fixes hyperledger-cacti#2041

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Feb 2, 2023
Fixes hyperledger-cacti#2041

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Mar 29, 2023
…-2022-24999

Fixes hyperledger-cacti#2041

These changes will fix the following
vulnerabilities with their CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this issue Apr 3, 2023
…-2022-24999

Fixes hyperledger-cacti#2041

These changes will fix the following
vulnerabilities with their CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>