fix(security): vulnerabilities found in cactus-example-supply-chain-app

[zondervancalvez]

List of vulnerabilities found in cactus-example-supply-chain-app image during Azure Container scan.

VULNERABILITY ID	PACKAGE NAME	SEVERITY
CVE-2021-3807	ansi-regex	HIGH
CVE-2021-3807	ansi-regex	HIGH
CVE-2021-43138	async	HIGH
CVE-2022-22143	convict	HIGH
CVE-2020-8203	lodash	HIGH
CVE-2021-23337	lodash	HIGH
CVE-2022-24771	node-forge	HIGH
CVE-2022-24772	node-forge	HIGH
CVE-2021-23358	underscore	HIGH

[aldousalvarez]

Hi @petermetz Can you assign me on this one? thank you!

[aldousalvarez]

Hello @petermetz
While examining each vulnerabilities, both CVE-2021-23337 and CVE-2021-23358 was already fixed by PR #1816 and #1820. Upon investigation package @hyperledger/[email protected] at examples/cactus-example-supply-chain-backend is still using the web3-eea on its latest version in NPM https://www.npmjs.com/package/@hyperledger/cactus-plugin-ledger-connector-besu . What is the frequency of update for @hyperledger/[email protected]? Update of the said version from the cactus base code will fix the said vulnerabilities above.

Here are the screenshots of my current issue/blocker

1. Lodash
   

2. Underscore
   

[petermetz]

Hi @petermetz Can you assign me on this one? thank you!

@aldousalvarez Done, thank you!

[petermetz]

Hello @petermetz While examining each vulnerabilities, both CVE-2021-23337 and CVE-2021-23358 was already fixed by PR #1816 and #1820. Upon investigation package @hyperledger/[email protected] at examples/cactus-example-supply-chain-backend is still using the web3-eea on its latest version in NPM https://www.npmjs.com/package/@hyperledger/cactus-plugin-ledger-connector-besu . What is the frequency of update for @hyperledger/[email protected]? Update of the said version from the cactus base code will fix the said vulnerabilities above.

Here are the screenshots of my current issue/blocker

1. Lodash
   
2. Underscore
   

@aldousalvarez Oh, that's great, thank you for investigating! We will issue a 1.1 release soon which will then propagate the fixes to the containers as well. I assigned the task to you but at this point it's a no-op except for you having to make sure that this is closed with the issuance of the release 1.1.
So your responsibilities here are:

1. Wait for the 1.1.0 release and when it happens close this issue stating what happened and why (referring to your description above will help a lot)
2. Mark this issue dependent on that other issue we have for releasing v1.1.0 that I'll create in a second.

[petermetz]

Depends on #2054

[petermetz]

Also marked this as P3 because the vulnerabilities are on a test or example container that does not get used in production at all.

[aldousalvarez]

Hello @petermetz After examining the remaining vulnerabilities. Below is the table of the proposed solution for the remaining vulnerabilities in the supply-chain-app

<style> </style>

CVE-2021-3807	ansi-regex	6.0.1, 5.0.1, 4.1.1, 3.0.1	Affected versions >= 6.0.0, < 6.0.1 >= 5.0.0, < 5.0.1 >= 4.0.0, < 4.1.1 >= 3.0.0, < 3.0.1	already the Solution (version)
CVE-2021-3807	ansi-regex	6.0.1, 5.0.1, 4.1.1, 3.0.1	Affected versions >= 6.0.0, < 6.0.1 >= 5.0.0, < 5.0.1 >= 4.0.0, < 4.1.1 >= 3.0.0, < 3.0.1	(can be fixed by angular supply chain ticket #2020 )
CVE-2021-43138	async	3.2.2 / 2.6.4	Affected versions >= 3.0.0, < 3.2.2 < 2.6.4	after the lastest scan, the vulnerability is already fixed and no packages are using the affected version.
CVE-2022-22143	convict	6.2.3	< 6.2.3	already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/[email protected])
CVE-2020-8203	lodash	4.17.20	< 4.17.20	already done (need to release @hyperledger/[email protected] version of the package)
CVE-2021-23337	lodash	4.17.21	< 4.17.21	already done (need to release @hyperledger/[email protected] version of the package)
CVE-2022-24771	node-forge	1.3.0	< 1.3.0	already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/[email protected])
CVE-2022-24772	node-forge	1.3.0	< 1.3.0	(can be fixed by angular supply chain ticket #2020 )
CVE-2021-23358	underscore	1.12.1	>= 1.3.2, < 1.12.1	already done (need to release @hyperledger/[email protected] version of the package)
additional vulnerabilities detected in the latest scan
CVE-2022-24434	dicer	None	<=0.3.1	can be fixed by upgrading the express-openapi-validator v 4.13.8 at packages/cactus-core/package.json
CVE-2021-3918	json-schema	0.4.0	<0.4.0	already the solution (version) no packages are using the affected version
CVE-2022-21190	convict	6.2.3	<6.2.3	already the correct version based on package.json of cactus-cmd-api-server (need to release @hyperledger/[email protected])
CVE-2022-25898	jsrsasign	10.5.25	>= 4.8.0, < 10.5.25	already the correct version based on package.json of cactus-plugin-ledger-connector-fabric (need to release @hyperledger/[email protected]
CVE-2022-29244	npm	8.11.0	>= 7.9.0, < 8.11.0	can be fixed by ticket #2136

1. ansi-regex
   

2. ansi-regex (tested and applied the upgrade angular in supply chain changes)
   

3. async
   

4. convict
   

5. node-forge
   

6. node-forge (tested and applied the upgrade angular in supply chain changes)
   

7. dicer

   • after upgrading express-openapi-validator to 4.13.8 the package that uses dicer which is busboy removes dicer as one of its dependencies in its latest version
     before upgrade
     
     after upgrade
     

8. json-schema
   

9. convict
   same solution with the first issue on convict that fixes the vulnerability