
fix(cmd-api-server): address CVE-2022-25881 #2899

Merged

Conversation

@zondervancalvez (Contributor) commented Nov 20, 2023

Commit to be reviewed

fix(cmd-api-server): address GHSA-rc47-6667-2j5j

Primary Changes:
Updated the Dockerfile & http-cache-semantics inside the cmd-api-server package

Fixes: #2862

Signed-off-by: zondervancalvez [email protected]
Signed-off-by: Peter Somogyvari [email protected]

Pull Request Requirements

  • Rebased onto the upstream/main branch and squashed into a single commit to help maintainers review it more efficiently and to avoid spaghetti git commit graphs that obfuscate which commit made exactly what change, when, and why.
  • Have a git sign-off at the end of the commit message to avoid being marked red. You can add the -s flag when using the git commit command. You may refer to this link for more information.
  • Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

  • Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
  • Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must-read guide for beginners.

@zondervancalvez zondervancalvez force-pushed the zondervancalvez/issue2862 branch 3 times, most recently from 1c427ef to 721dda5 Compare November 30, 2023 06:26
@petermetz (Contributor) left a comment

@zondervancalvez http-cache-semantics is a transitive dependency. Making it (in addition to being a transitive dependency) a direct dependency of the cmd-api-server package would not have done anything to prevent the older version still being present in the sub-level node_modules dir (the transitive dependency).

With all that said, we've fixed this problem with the bulk CVE fix PR that was sent in a few months back where we added a forced resolution to the package.json in the root folder.

My guess is that the trivy scan was executed against an outdated version of the packages which still haven't had the forced resolution baked into it.

I'm pretty sure that this will be a duplicate based on the above but let's see with the latest release coming up soon and then you can confirm (or not) if it's a duplicate and close this one accordingly.

@petermetz (Contributor) commented

@zondervancalvez Are you still working on this?

@zondervancalvez zondervancalvez force-pushed the zondervancalvez/issue2862 branch 2 times, most recently from 07367da to 3d44bec Compare May 27, 2024 08:12
@zondervancalvez (Contributor, Author) commented May 27, 2024

@zondervancalvez Are you still working on this?

Hi @petermetz , I've just updated the PR and no more vulnerabilities were found. Thank you

@zondervancalvez zondervancalvez force-pushed the zondervancalvez/issue2862 branch 2 times, most recently from 6a0099b to ffd3933 Compare May 27, 2024 08:31
@zondervancalvez zondervancalvez requested a review from petermetz May 27, 2024 08:32
@petermetz (Contributor) left a comment

@zondervancalvez Alright, the fix with the hardcoded image version is good but the http-cache-semantics change is not doing anything to secure the container image build IMO. Let me quickly update that before we merge and then it's good to go from my side.

@petermetz petermetz force-pushed the zondervancalvez/issue2862 branch from ffd3933 to e8e85cb Compare May 29, 2024 16:19
@petermetz petermetz force-pushed the zondervancalvez/issue2862 branch from e8e85cb to 23d0bc5 Compare May 29, 2024 16:50
@petermetz petermetz enabled auto-merge (rebase) May 29, 2024 16:56
@petermetz petermetz changed the title tools(cmd-api-server): address CVE: CVE-2022-25881 fix(cmd-api-server): address CVE-2022-25881 May 29, 2024
@petermetz petermetz merged commit 81da333 into hyperledger-cacti:main May 29, 2024
144 of 153 checks passed
@petermetz petermetz deleted the zondervancalvez/issue2862 branch May 29, 2024 18:17
Linked issue closed by this pull request: tools(cmd-api-server): address CVE: CVE-2022-25881