Update to version v3.2.8 (#185)

CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.8] - 2024-04-15
+
+### Updated
+
+- Updated webpack-dev-middleware from 5.3.3 to 5.3.4 to resolve security vulnerability [CVE-2024-29180]
+- Updated express from 4.18.1 to 4.19.2 to resolve security vulnerability [CVE-2024-29041]
+- Updated follow-redirects from 1.15.4 to 1.15.6 to resolve security vulnerability [CVE-2024-28849]
+- Updated docker image to resolve security vulnerabilities
+
+### Fixed
+
+- Fixed issues pertaining to [https://github.com/aws-solutions/distributed-load-testing-on-aws/issues/170] 
+- Fixed issues pertaining the update stack problem from versions before DLT v3.2.6 to DLT versions after 3.2.6 
+
 ## [3.2.7] - 2024-03-11
 
 ### Fixed

VERSION.txt

@@ -1 +1 @@
-3.2.7
+3.2.8

deployment/ecr/distributed-load-testing-on-aws-load-tester/Dockerfile

@@ -20,16 +20,11 @@ RUN chmod 755 /bzt-configs/ecscontroller.py
 RUN chmod 755 /bzt-configs/jar_updater.py
 RUN python3 /bzt-configs/jar_updater.py
 
-# Fixing CVE-2023-22796
-WORKDIR /usr/local/rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/rbs-2.8.2/steep
-RUN sed -i 's/7.0.4/7.0.7.1/g' Gemfile.lock
-RUN gem install activesupport -v 7.0.7.1
+# Remove K6 as it is not supported in DLT by default
+RUN apt remove -y k6
 
-# Fixing CVE-2023-36617
-WORKDIR /usr/local/rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/specifications/default
-RUN sed -i 's/0.12.1/0.12.2.0/g' uri-0.12.1.gemspec
-RUN mv uri-0.12.1.gemspec uri-0.12.2.gemspec
-RUN gem install --default uri -v 0.12.2.0
+RUN /bin/bash -c "source /etc/profile.d/rbenv.sh && yes | rbenv uninstall $(cat /usr/local/rbenv/version)"
+RUN rm -rf /usr/local/rbenv
 
 # Replacing urllib3 with more stable Versions to resolve vulnerabilities
 RUN pip install urllib3==2.0.7
@@ -48,11 +43,17 @@ RUN cp -r /usr/local/lib/python3.10/dist-packages/cryptography* /root/.bzt/pytho
 
 # Replacing Pillow with more stable version resolve CVE-2023-50447	
 RUN rm -rf /root/.local/lib/python3.10/site-packages/Pillow*
-RUN pip install --upgrade pillow --target /root/.local/lib/python3.10/site-packages/
+RUN pip install pillow==10.3.0 
+RUN cp -r /usr/local/lib/python3.10/dist-packages/pillow* /root/.local/lib/python3.10/site-packages/
 
-# Replaing aiohttp with more stable version to resolve CVE-2024-23334
+# Replacing aiohttp with more stable version to resolve CVE-2024-23334
 RUN rm -rf /usr/local/lib/python3.10/dist-packages/aiohttp* 
 RUN  pip install --upgrade aiohttp
 
+# Replacing idna with more stable version to resolve CVE-2024-3651
+RUN pip install --upgrade idna
+RUN rm -rf /root/.bzt/python-packages/3.10.12/idna*
+RUN cp -r /usr/local/lib/python3.10/dist-packages/idna* /root/.bzt/python-packages/3.10.12/
+
 WORKDIR /bzt-configs/
 ENTRYPOINT ["./load-test.sh"]

deployment/ecr/distributed-load-testing-on-aws-load-tester/jar_updater.py

@@ -17,6 +17,7 @@
     * batik-transcoder v1.14 will be replaced with v1.17
     * lets-plot-batik v2.2.1 will be replaced with 4.2.0
     * commons-net v3.8.0 will be replaced with v3.9.0
+    * tika-core v1.28.3 will be replaced with v2.9.2
 
 Also jmeter plugins manager will be updated to v1.10 to address CVEs and cmdrunner will be updated to v2.3 to accomodate with plugins manager.
 """
@@ -31,7 +32,9 @@
     "batik-bridge": "org/apache/xmlgraphics/batik-bridge/1.17/batik-bridge-1.17.jar",
     "batik-transcoder": "org/apache/xmlgraphics/batik-transcoder/1.17/batik-transcoder-1.17.jar",
     "lets-plot-batik":  "org/jetbrains/lets-plot/lets-plot-batik/4.2.0/lets-plot-batik-4.2.0.jar",
-    "commons-net": "commons-net/commons-net/3.9.0/commons-net-3.9.0.jar"
+    "commons-net": "commons-net/commons-net/3.9.0/commons-net-3.9.0.jar",
+    "tika-core": "org/apache/tika/tika-core/2.9.2/tika-core-2.9.2.jar",
+
 }
 JMETER_VERSION = "5.5"
 JMETER_PLUGINS_MANAGER_VERSION = "1.10"

source/api-services/lib/scenarios/index.js

@@ -252,11 +252,11 @@ const scheduleTest = async (event, context) => {
 
     if (config.scheduleStep === "create") {
       const createRun = new Date(year, parseInt(month, 10) - 1, day, hour, minute);
-
       // Schedule for 1 min prior to account for time it takes to create rule
       // getMonth() returns Jan with index Zero that is why months need a +1
       // refrence https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/getMonth
-      const cronStart = `cron(${createRun.getMinutes() - 1} ${createRun.getHours()} ${createRun.getDate()} ${
+      createRun.setMinutes(createRun.getMinutes() - 1);
+      const cronStart = `cron(${createRun.getMinutes()} ${createRun.getHours()} ${createRun.getDate()} ${
         createRun.getMonth() + 1
       } ? ${createRun.getFullYear()})`;
       scheduleRecurrence = config.recurrence;

source/api-services/package.json

@@ -1,6 +1,6 @@
 {
   "name": "api-services",
-  "version": "3.2.7",
+  "version": "3.2.8",
   "description": "REST API micro services",
   "repository": {
     "type": "git",

source/console/package.json

@@ -1,6 +1,6 @@
 {
   "name": "distributed-load-testing-on-aws-ui",
-  "version": "3.2.7",
+  "version": "3.2.8",
   "private": true,
   "license": "Apache-2.0",
   "author": {