fix(security): vulnerabilities found in cactus-connector-besu

[zondervancalvez]

List of vulnerabilities found in cactus-connector-besu image during Azure Container scan.

VULNERABILITY ID	PACKAGE NAME	SEVERITY
CVE-2022-24407	libsasl2-2	HIGH
CVE-2022-24407	libsasl2-modules	HIGH
CVE-2022-24407	libsasl2-modules-db	HIGH
CVE-2021-3711	libssl1.1	HIGH
CVE-2022-0778	libssl1.1	HIGH
CVE-2021-3711	openssl	HIGH
CVE-2022-0778	openssl	HIGH
CVE-2021-3807	ansi-regex	HIGH
CVE-2021-3807	ansi-regex	HIGH
CVE-2021-43138	async	HIGH
CVE-2021-3749	axios	HIGH
CVE-2022-22143	convict	HIGH
CVE-2022-21676	engine.io	HIGH
CVE-2020-8203	lodash	HIGH
CVE-2021-23337	lodash	HIGH
CVE-2022-24771	node-forge	HIGH
CVE-2022-24772	node-forge	HIGH
CVE-2021-32803	tar	HIGH
CVE-2021-32804	tar	HIGH
CVE-2021-37701	tar	HIGH
CVE-2021-37712	tar	HIGH
CVE-2021-37713	tar	HIGH
CVE-2021-23358	underscore	HIGH

[petermetz]

Depends on #2054

[aldousalvarez]

Hello @petermetz Can you assign me on this one? Thank you!

[aldousalvarez]

Hello @petermetz after examining the vulnerabilities, Below is the table of the proposed solution for vulnerabilities found in cactus-connector-besu

<style> </style>

VULNERABILITY ID	PACKAGE NAME	SOLUTION (version)	AFFECTED VERSION	PROPOSED SOLUTION
CVE-2022-24407	libsasl2-2			after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-24407	libsasl2-modules			after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-24407	libsasl2-modules-db			after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3711	libssl1.1			after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-0778	libssl1.1	300.0.5 111.18	Affected versions openssl-rc >= 300.0, < 300.0.5 < 111.18	after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3711	openssl			after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-0778	openssl	300.0.5 111.18	Affected versions openssl-rc >= 300.0, < 300.0.5 < 111.18	after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3807	ansi-regex	6.0.1 5.0.1 4.1.1 3.0.1	Affected versions >= 6.0.0, < 6.0.1 >= 5.0.0, < 5.0.1 >= 4.0.0, < 4.1.1 >= 3.0.0, < 3.0.1	already the Solution (version)
CVE-2021-3807	ansi-regex	6.0.1 5.0.1 4.1.1 3.0.1	Affected versions >= 6.0.0, < 6.0.1 >= 5.0.0, < 5.0.1 >= 4.0.0, < 4.1.1 >= 3.0.0, < 3.0.1	already the Solution(version)
CVE-2021-43138	async	3.2.2 2.6.4	Affected versions >= 3.0.0, < 3.2.2 >= 2.0.0, < 2.6.4	after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2021-3749	axios	0.21.2	Affected versions < 0.21.2	after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-22143	convict	6.2.3	Affected versions < 6.2.3	already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/[email protected])
CVE-2022-21676	engine.io	4.1.2 5.2.1 6.1.1	Affected versions >= 4.0.0, < 4.1.2 >= 5.0.0, < 5.2.1 >= 6.0.0, < 6.1.1	the version that is being used is more latest than the solution version
CVE-2020-8203	lodash	4.17.20	Affected versions < 4.17.20	already done (need to release @hyperledger/[email protected] version of the package)
CVE-2021-23337	lodash	4.17.21	Affected versions < 4.17.21	already done (need to release @hyperledger/[email protected] version of the package)
CVE-2022-24771	node-forge	1.3.0	Affected versions < 1.3.0	already the correct version used by cactus (need to release [email protected])
CVE-2022-24772	node-forge	1.3.0	Affected versions < 1.3.0	already the correct version used by cactus (need to release [email protected])
CVE-2021-32803	tar	3.2.3 4.4.15 5.0.7 6.1.2	Affected versions < 3.2.3 >= 4.0.0, < 4.4.15 >= 5.0.0, < 5.0.7 >= 6.0.0, < 6.1.2	This is already fixed in our current package version which is 4.4.19
CVE-2021-32804	tar	3.2.2 4.4.14 5.0.6 6.1.1	Affected versions < 3.2.2 >= 4.0.0, < 4.4.14 >= 5.0.0, < 5.0.6 >= 6.0.0, < 6.1.1	This is already fixed in our current package version which is 4.4.19
CVE-2021-37701	tar	4.4.16 5.0.8 6.1.7	Affected versions < 4.4.16 >= 5.0.0, < 5.0.8 >= 6.0.0, < 6.1.7	This is already fixed in our current package version which is 6.1.11
CVE-2021-37712	tar	4.4.18 5.0.10 6.1.9	Affected versions < 4.4.18 >= 5.0.0, < 5.0.10 >= 6.0.0, < 6.1.9	This is already fixed in our current package version which is 6.1.11
CVE-2021-37713	tar	4.4.18 5.0.10 6.1.9	Affected versions < 4.4.18 >= 5.0.0, < 5.0.10 >= 6.0.0, < 6.1.9	This is already fixed in our current package version which is 6.1.11
CVE-2021-23358	underscore	1.12.1	Affected versions >= 1.3.2, < 1.12.1	already done (need to release @hyperledger/[email protected] version of the package)
additional vulnerabilities detected after the latest scan
CVE-2022-24434	dicer	<= 0.3.1	None	can be fixed by upgrading the express-openapi-validator v 4.13.8 at packages/cactus-core/package.json
CVE-2021-3918	json-schema	<0.4.0	0.4.0	already the solution (version) no packages are using the affected version
CVE-2022-21190	convict	<6.2.3	6.2.3	already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/[email protected])
CVE-2022-25878	protobufjs	6.11.3	Affected versions < 6.11.3	This is already fixed in our current package version which is 6.11.3
CVE-2022-29244	npm	8.11.0	>= 7.9.0, < 8.11.0	needs updated cactus-cmd-api-server image with the fix of this new ticket #2136
CVE-2021-39135	"@npmcli/arborist"	2.8.2	<2.8.2	needs updated cactus-cmd-api-server image with the fix of this ticket #2136

[petermetz]

Fixed in another pull request, see the PR page for details.