[JavaToolInstallerV0] Update dependencies to get rid of vulnerabilities #15207

Closed
ghost opened this issue Aug 24, 2021 · 1 comment
Labels: Area: ABTT (Akvelon Build Tasks Team area of work), bug, Task: JavaToolInstaller


ghost commented Aug 24, 2021

Required Information

Entering this information will route you directly to the right team and expedite traction.

Question, Bug, or Feature?
Type: Bug

Enter Task Name: JavaToolInstallerV0

Issue Description

This task depends on "azure-pipelines-tasks-utility-common", which has a critical vulnerability in "azure-pipelines-tool-lib > typed-rest-client > underscore".


Please update this dependency to the latest version.
This vulnerability was fixed in PR.

These tasks depend on "azure-pipelines-tasks-azure-arm-rest-v2", which has a critical vulnerability in "typed-rest-client > underscore".


Please update this dependency to the latest version.
This vulnerability was fixed in PR.

Error logs


                       === npm audit security report ===

# Run  npm install [email protected]  to resolve 1 vulnerability

  High            Arbitrary Code Execution

  Package         underscore

  Dependency of   azure-pipelines-tasks-azure-arm-rest-v2

  Path            azure-pipelines-tasks-azure-arm-rest-v2 > typed-rest-client
                  > underscore

  More info       https://npmjs.com/advisories/1674



# Run  npm install [email protected]  to resolve 1 vulnerability

  High            Arbitrary Code Execution

  Package         underscore

  Dependency of   typed-rest-client

  Path            typed-rest-client > underscore

  More info       https://npmjs.com/advisories/1674



# Run  npm update azure-pipelines-tool-lib --depth 2  to resolve 1 vulnerability

  High            Arbitrary Code Execution

  Package         underscore

  Dependency of   azure-pipelines-tasks-utility-common

  Path            azure-pipelines-tasks-utility-common >
                  azure-pipelines-tool-lib > typed-rest-client > underscore

  More info       https://npmjs.com/advisories/1674



# Run  npm update typed-rest-client --depth 2  to resolve 1 vulnerability

  High            Arbitrary Code Execution

  Package         underscore

  Dependency of   azure-pipelines-tool-lib

  Path            azure-pipelines-tool-lib > typed-rest-client > underscore

  More info       https://npmjs.com/advisories/1674



# Run  npm update path-parse --depth 7  to resolve 7 vulnerabilities

  Moderate        Regular Expression Denial of Service in path-parse

  Package         path-parse

  Dependency of   azp-tasks-az-blobstorage-provider-v2

  Path            azp-tasks-az-blobstorage-provider-v2 > artifact-engine >
                  azure-pipelines-task-lib > shelljs > rechoir > resolve >
                  path-parse

  More info       https://npmjs.com/advisories/1773




  Moderate        Regular Expression Denial of Service in path-parse

  Package         path-parse

  Dependency of   azp-tasks-az-blobstorage-provider-v2

  Path            azp-tasks-az-blobstorage-provider-v2 >
                  azure-pipelines-task-lib > shelljs > rechoir > resolve >
                  path-parse

  More info       https://npmjs.com/advisories/1773




  Moderate        Regular Expression Denial of Service in path-parse

  Package         path-parse

  Dependency of   azure-pipelines-task-lib

  Path            azure-pipelines-task-lib > shelljs > rechoir > resolve >
                  path-parse

  More info       https://npmjs.com/advisories/1773




  Moderate        Regular Expression Denial of Service in path-parse

  Package         path-parse

  Dependency of   azure-pipelines-tasks-azure-arm-rest-v2

  Path            azure-pipelines-tasks-azure-arm-rest-v2 >
                  azure-pipelines-task-lib > shelljs > rechoir > resolve >
                  path-parse

  More info       https://npmjs.com/advisories/1773




  Moderate        Regular Expression Denial of Service in path-parse

  Package         path-parse

  Dependency of   azure-pipelines-tasks-utility-common

  Path            azure-pipelines-tasks-utility-common >
                  azure-pipelines-task-lib > shelljs > rechoir > resolve >
                  path-parse

  More info       https://npmjs.com/advisories/1773




  Moderate        Regular Expression Denial of Service in path-parse

  Package         path-parse

  Dependency of   azure-pipelines-tasks-utility-common

  Path            azure-pipelines-tasks-utility-common >
                  azure-pipelines-tool-lib > azure-pipelines-task-lib >
                  shelljs > rechoir > resolve > path-parse

  More info       https://npmjs.com/advisories/1773




  Moderate        Regular Expression Denial of Service in path-parse

  Package         path-parse

  Dependency of   azure-pipelines-tool-lib

  Path            azure-pipelines-tool-lib > azure-pipelines-task-lib >
                  shelljs > rechoir > resolve > path-parse

  More info       https://npmjs.com/advisories/1773




                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype Pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   azure-pipelines-tasks-azure-arm-rest-v2

  Path            azure-pipelines-tasks-azure-arm-rest-v2 > jsonwebtoken > joi
                  > hoek

  More info       https://npmjs.com/advisories/566


  Moderate        Prototype Pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   azure-pipelines-tasks-azure-arm-rest-v2

  Path            azure-pipelines-tasks-azure-arm-rest-v2 > jsonwebtoken > joi
                  > topo > hoek

  More info       https://npmjs.com/advisories/566

found 13 vulnerabilities (9 moderate, 4 high) in 217 scanned packages
  run `npm audit fix` to fix 11 of them.
  2 vulnerabilities require manual review. See the full report for details.
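As an added example (not code from the issue or from the azure-pipelines-tasks project), a small parser for the npm audit text report quoted above: it turns each finding into a record, joins wrapped dependency paths, groups the advisories by the direct dependency that pulls them in (the package the maintainer actually has to bump), and fails a policy gate on any High or Critical finding. The sample report is a constructed excerpt in the same layout as the issue's log.

```python
import re
from collections import Counter
# Constructed excerpt in the same layout as the npm audit report in the issue.
SAMPLE_REPORT = """
  High            Arbitrary Code Execution
  Package         underscore
  Dependency of   azure-pipelines-tasks-azure-arm-rest-v2
  Path            azure-pipelines-tasks-azure-arm-rest-v2 > typed-rest-client
                  > underscore
  More info       https://npmjs.com/advisories/1674
  Moderate        Regular Expression Denial of Service in path-parse
  Package         path-parse
  Dependency of   azure-pipelines-tasks-utility-common
  Path            azure-pipelines-tasks-utility-common >
                  azure-pipelines-task-lib > shelljs > rechoir > resolve >
                  path-parse
  More info       https://npmjs.com/advisories/1773
"""

SEVERITY_RE = re.compile(r"^  (Critical|High|Moderate|Low)\s{2,}(.+)$")
FIELD_RE = re.compile(r"^  (Package|Dependency of|Path|More info|Patched in)\s{2,}(.+)$")

def parse_audit(text):
    """Turn the text report into a list of dicts, one per finding."""
    findings, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SEVERITY_RE.match(line)
        if m:  # a new finding starts with its severity and title
            current = {"severity": m.group(1), "title": m.group(2).strip()}
            findings.append(current)
            last_key = None
        elif current is not None and (m := FIELD_RE.match(line)):
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key == "Path" and line.startswith("    "):
            current["Path"] += " " + line.strip()  # wrapped dependency chain
    return findings

def direct_deps_to_update(findings):
    """Advisories grouped by the direct dependency that pulls them in."""
    return {dep: {f["More info"] for f in findings if f["Dependency of"] == dep}
            for dep in {f["Dependency of"] for f in findings}}

def policy_gate(findings, fail_on=("Critical", "High")):
    """Return (passes, counts); any finding at or above the threshold fails the gate."""
    counts = Counter(f["severity"] for f in findings)
    return not any(counts[s] for s in fail_on), dict(counts)
```

Run the same functions over the full report above and the gate fails on the four underscore findings, while the grouping shows that only the three direct dependencies named in the issue need to be bumped.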
github-actions bot added the labels Area: ABTT (Akvelon Build Tasks Team area of work), bug, Task: JavaToolInstaller on Aug 24, 2021
@ghost ghost self-assigned this Aug 24, 2021

ghost commented Aug 25, 2021

Created PR: #15215

ghost added the "awaiting deployment" label (Related changes are waiting for deployment to be completed) on Aug 30, 2021
ghost removed the "awaiting deployment" label on Oct 13, 2021
@ghost ghost closed this as completed Oct 13, 2021