From f0107afc3872b765577cea6791bd90e4c3c98a16 Mon Sep 17 00:00:00 2001
From: aldousalvarez
Date: Tue, 26 Mar 2024 18:36:33 +0800
Subject: [PATCH] fix(security): vulnerabilities found in example-carbon-accounting

Primary Changes
----------------
1. Modified the Dockerfile to use the updated versions of the packages being used
2. Modified the supervisord.conf to use the correct path because it has changed after updating the versions
Fixes #2062
Signed-off-by: aldousalvarez
---
 .../package.json | 5 ++++-
 examples/carbon-accounting/Dockerfile | 14 ++++++++------
 examples/carbon-accounting/supervisord.conf | 2 +-
 yarn.lock | 17 +++++++++++++++++
 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json
index dc97b1975d7..fb03ba4d02c 100644
--- a/examples/cactus-example-carbon-accounting-backend/package.json
+++ b/examples/cactus-example-carbon-accounting-backend/package.json
@@ -77,12 +77,15 @@
 "@types/express": "4.17.19",
 "@types/fs-extra": "9.0.13",
 "@types/json-stable-stringify": "1.0.34",
+"@types/qs": "6.9.14",
 "@types/uuid": "9.0.8",
 "express-jwt": "8.4.1",
 "hardhat": "2.17.2",
+"http-cache-semantics": "4.1.1",
 "http-status-codes": "2.1.4",
 "jose": "4.15.5",
-"json-stable-stringify": "1.0.2"
+"json-stable-stringify": "1.0.2",
+"qs": "6.7.3"
 },
 "engines": {
 "node": ">=18",
diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile
index 89c203dbe59..bc26a92d4c0 100644
--- a/examples/carbon-accounting/Dockerfile
+++ b/examples/carbon-accounting/Dockerfile
@@ -1,4 +1,4 @@
-FROM cruizba/ubuntu-dind:19.03.11 as runner
+FROM cruizba/ubuntu-dind:20.10.18 as runner
 
 USER root
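Review bot: Pinning `qs` to the exact older release `"qs": "6.7.3"` as a direct dependency does not replace the copy the rest of the tree already uses — the yarn.lock hunk in this same patch still resolves `qs@npm:^6.11.0, qs@npm:^6.9.4` to `6.11.2` and only adds a second, older `qs@npm:6.7.3` entry, so the change installs a downgraded extra copy rather than upgrading anything. If the backend does not itself import `qs` or `http-cache-semantics` (nothing in the hunk shows that it does), these belong in a `resolutions` entry targeting the newest patched line, or nowhere if the transitive versions are already patched, rather than in `dependencies`; if it does import them, the pin should be the newest patched release, e.g. `"qs": "6.11.2"`. Separately, the manifest pins `"@types/qs": "6.9.14"` while the workspace entry in yarn.lock records `"@types/qs": "npm:^6"`, so lock and manifest disagree and an immutable install will presumably fail; regenerate the lockfile after settling on the exact range.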
@@ -33,12 +33,14 @@ WORKDIR ${APP}
 SHELL ["/bin/bash", "--login", "-i", "-c"]
 
 # Installing Node Version Manager (nvm)
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
 RUN source ~/.bashrc && \
- nvm install 16.15.1 && \
- npm install -g yarn && \
- yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
-
+ nvm install 20.11.1 && \
+ npm install --location=global yarn && \
+ yarn config set nodeLinker node-modules && \
+ yarn set version 4.1.0 && \
+ yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2
+
 
 SHELL ["/bin/bash", "--login", "-c"]
diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf
index f4349a038c4..e64e2f327a9 100644
--- a/examples/carbon-accounting/supervisord.conf
+++ b/examples/carbon-accounting/supervisord.conf
@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
 stdout_logfile=/usr/src/app/log/dockerd.out.log
 
 [program:carbon-accounting-app]
-command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
+command=/home/appuser/.nvm/versions/node/v20.11.1/bin/node /usr/src/app/node_modules/@hyperledger/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
 autostart=true
 autorestart=unexpected
 exitcodes=0
diff --git a/yarn.lock b/yarn.lock
index 9184dcbec3c..c0c8b8812a5 100644
--- a/yarn.lock
+++ b/yarn.lock
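Review bot: The bumped `RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash` still executes whatever the download returns with no integrity check, so for a commit whose stated purpose is closing vulnerability findings the installer should be fetched to a file, verified against a pinned SHA-256, and only then run; the tag pin alone does not protect against a moved tag or a tampered download. The node version `20.11.1` is also repeated verbatim in supervisord.conf's `command=` path, so hoisting it into an `ARG` that both places can be derived from avoids the two drifting apart again. Dropping `--production` and `--ignore-engines` from the rewritten `yarn add` is a behaviour change the commit message does not mention; a comment above the `RUN` saying why (presumably Yarn 4 no longer accepts them and Node 20 satisfies the engines constraint) would save the next reader a search.
```dockerfile
# … unchanged: SHELL ["/bin/bash", "--login", "-i", "-c"] …
ARG NVM_VERSION=v0.39.5
# SHA-256 of install.sh at the tag above; <FILL_IN_FROM_TAGGED_RELEASE> is a placeholder to replace
ARG NVM_INSTALL_SHA256=<FILL_IN_FROM_TAGGED_RELEASE>
ARG NODE_VERSION=20.11.1
RUN curl -fsSL -o /tmp/nvm-install.sh "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION}/install.sh" && \
    echo "${NVM_INSTALL_SHA256}  /tmp/nvm-install.sh" | sha256sum -c - && \
    bash /tmp/nvm-install.sh && \
    rm -f /tmp/nvm-install.sh
RUN source ~/.bashrc && \
    nvm install ${NODE_VERSION} && \
# … unchanged: npm install / yarn config / yarn set version / yarn add …
```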
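Review bot: The new `command=` hard-codes `/home/appuser/.nvm/versions/node/v20.11.1/bin/node`, which has to stay byte-for-byte in step with `nvm install 20.11.1` in the Dockerfile; the removed pair had apparently already drifted (`v16.3.0` here versus `16.15.1` there), and the same drift will recur on the next bump. Exposing one stable path from the Dockerfile, e.g. `RUN source ~/.bashrc && ln -s "$(nvm which 20.11.1)" /usr/local/bin/node`, and pointing this entry at `/usr/local/bin/node` removes the duplicated version string. No `user=` directive is visible in the `[program:carbon-accounting-app]` section within the hunk; if the section has none, the app runs as supervisord's own user, and a `user=appuser` line would match the home directory the path already assumes.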
@@ -7729,16 +7729,19 @@ __metadata: "@types/express": "npm:4.17.19" "@types/fs-extra": "npm:9.0.13" "@types/json-stable-stringify": "npm:1.0.34" + "@types/qs": "npm:^6" "@types/uuid": "npm:9.0.8" async-exit-hook: "npm:2.0.1" express-jwt: "npm:8.4.1" fabric-network: "npm:2.2.20" fs-extra: "npm:10.1.0" hardhat: "npm:2.17.2" + http-cache-semantics: "npm:4.1.1" http-status-codes: "npm:2.1.4" jose: "npm:4.15.5" json-stable-stringify: "npm:1.0.2" openapi-types: "npm:12.1.3" + qs: "npm:6.7.3" typescript-optional: "npm:2.0.1" uuid: "npm:9.0.1" web3-core: "npm:1.6.1" @@ -15440,6 +15443,13 @@ __metadata: languageName: node linkType: hard +"@types/qs@npm:^6": + version: 6.9.14 + resolution: "@types/qs@npm:6.9.14" + checksum: 10/d3b76021d36b86c0063ec4b7373e9fa470754914e486fbfe54b3a8866dad037800a2c2068ecbcaa9399ae3ed15772a26b07e67793ed2519cf2de199104014716 + languageName: node + linkType: hard + "@types/range-parser@npm:*": version: 1.2.4 resolution: "@types/range-parser@npm:1.2.4" @@ -42480,6 +42490,13 @@ __metadata: languageName: node linkType: hard +"qs@npm:6.7.3": + version: 6.7.3 + resolution: "qs@npm:6.7.3" + checksum: 10/b299d27f4ac4e47511dc15ff5650bd7a1c07cfbe514190a479b0b3a0d5b401198ff6910371b473e70fbde8e114f1bcba9c64ea52a147053e3b0b554aeb5a41ad + languageName: node + linkType: hard + "qs@npm:^6.11.0, qs@npm:^6.9.4": version: 6.11.2 resolution: "qs@npm:6.11.2"