fix(cmd-api-server): address CVE-2022-25881 #2899
Conversation
zondervancalvez
requested review from
petermetz,
takeutak,
izuru0,
jagpreetsinghsasan,
VRamakrishna,
sandeepnRES and
outSH
as code owners
zondervancalvez
force-pushed
the
zondervancalvez/issue2862
branch
3 times, most recently
from
57f7751
to
1cd8a85
Compare
zondervancalvez
force-pushed
the
zondervancalvez/issue2862
branch
3 times, most recently
from
1c427ef
to
721dda5
Compare
There was a problem hiding this comment.
@zondervancalvez http-cache-semantics is a transitive dependency. Making it (in addition to being a transitive dependency) a direct dependency of the cmd-api-server package would not have done anything to prevent the older version still being present in the sub-level node_modules dir (the transitive dependency).
With all that said, we've fixed this problem with the bulk CVE fix PR that was sent in a few months back where we added a forced resolution to the package.json in the root folder.
My guess is that the trivy scan was executed against an outdated version of the packages which still haven't had the forced resolution baked into it.
I'm pretty sure that this will be a duplicate based on the above but let's see with the latest release coming up soon and then you can confirm (or not) if it's a duplicate and close this one accordingly.
|
@zondervancalvez Are you still working on this? |
zondervancalvez
force-pushed
the
zondervancalvez/issue2862
branch
2 times, most recently
from
07367da
to
3d44bec
Compare
Hi @petermetz , I've just updated the PR and no more vulnerabilities were found. Thank you |
zondervancalvez
force-pushed
the
zondervancalvez/issue2862
branch
2 times, most recently
from
6a0099b
to
ffd3933
Compare
There was a problem hiding this comment.
@zondervancalvez Alright, the fix with the hardcoded image version is good but the http-cache-semantics change is not doing anything to secure the container image build IMO. Let me quickly update that before we merge and then it's good to go from my side.
petermetz
force-pushed
the
zondervancalvez/issue2862
branch
from
ffd3933
to
e8e85cb
Compare
Primary Changes: Updated the Dockerfile & https-cache-semantics inside the cmd-api-server package Fixes: hyperledger-cacti#2862 Signed-off-by: zondervancalvez <[email protected]> Signed-off-by: Peter Somogyvari <[email protected]>
petermetz
force-pushed
the
zondervancalvez/issue2862
branch
from
e8e85cb
to
23d0bc5
Compare
petermetz
changed the title
Commit to be reviewed
fix(cmd-api-server): address GHSA-rc47-6667-2j5j
Primary Changes:
Updated the Dockerfile & https-cache-semantics inside the cmd-api-server package
Fixes: https://github.com/hyperledger/cacti/issues/2862
Signed-off-by: zondervancalvez [email protected]
Signed-off-by: Peter Somogyvari [email protected]
Pull Request Requirements
upstream/mainbranch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.-sflag when usinggit commitcommand. You may refer to this link for more information.Character Limit
A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.