From 50027fc445712353faceb7181886ceb7a5729280 Mon Sep 17 00:00:00 2001 From: Antonio <34042064+Desvelao@users.noreply.github.com> Date: Mon, 23 Sep 2024 12:12:20 +0200 Subject: [PATCH] Merge 4.9.1 into 4.10.0 (#322) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Chantal Belén kelm <99441266+chantal-kelm@users.noreply.github.com> Co-authored-by: JuanGarriuz Co-authored-by: Federico Rodriguez Co-authored-by: Nicolas Agustin Guevara Pihen <42900763+Tostti@users.noreply.github.com> --- CHANGELOG.md | 23 +++++- SECURITY.md | 80 +++++++------------ dev-tools/build-packages/deb/debian/postinst | 2 +- .../build-packages/rpm/wazuh-dashboard.spec | 2 +- .../dashboard_listing.test.tsx.snap | 44 +++++++--- .../utils/get_no_items_message.tsx | 17 ++-- 6 files changed, 93 insertions(+), 75 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f21fc4839312..7af576faf1e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,8 +8,29 @@ All notable changes to the Wazuh app project will be documented in this file. - Removed the setting home:useNewHomePage from the advanced settings because the views are not finished. [#282](https://github.com/wazuh/wazuh-dashboard/pull/282) +## Wazuh dashboard v4.9.1 - OpenSearch Dashboards 2.13.0 - Revision 01 + +### Added + +- Support for Wazuh 4.9.1 + +### Changed + +- Changed link to sample data in the dashboards section and references to Opensearch Dashboards [#311](https://github.com/wazuh/wazuh-dashboard/pull/311) + +### Fixed + +- Fixed bug that caused the terminal to freeze on deb upgrades [#301](https://github.com/wazuh/wazuh-dashboard/pull/301) + ## Wazuh dashboard v4.9.0 - OpenSearch Dashboards 2.13.0 - Revision 07 +### Added + +- Support for Wazuh 4.9.0 + ### Changed -- Changed default value of useExpandedHeader to false. [#247](https://github.com/wazuh/wazuh-dashboard/pull/247) +- Changed default theme [#174](https://github.com/wazuh/wazuh-dashboard/pull/174) +- Changed default logos and main menu app categories [141](https://github.com/wazuh/wazuh-dashboard/pull/141) +- Changed default value of useExpandedHeader to false [#247](https://github.com/wazuh/wazuh-dashboard/pull/247) +- Changed build number to match the Wazuh standard [#284](https://github.com/wazuh/wazuh-dashboard/pull/284) diff --git a/SECURITY.md b/SECURITY.md index 22c3b51933e3..164723b5d872 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,67 +1,45 @@ -## Reporting a Vulnerability +# Wazuh Open Source Project Security Policy -If you discover a potential security issue in this project we ask that you notify OpenSearch Security directly via email to security@opensearch.org. Please do **not** create a public GitHub issue. +Version: 2023-06-12 -## Fixing a Vulnerability +## Introduction +This document outlines the Security Policy for Wazuh's open source projects. It emphasizes our commitment to maintain a secure environment for our users and contributors, and reflects our belief in the power of collaboration to identify and resolve security vulnerabilities. -- For direct dependencies (listed explicitly in `package.json`) - After identifying a version of the package that is both compatible with OpenSearch Dashboards and includes a fix for the vulnerability, update the dependency in `package.json` and run `yarn osd bootstrap` to build the project and update the `yarn.lock` file. +## Scope +This policy applies to all open source projects developed, maintained, or hosted by Wazuh. -- For nested dependencies (sub-dependencies) +## Reporting Security Vulnerabilities +If you believe you've discovered a potential security vulnerability in one of our open source projects, we strongly encourage you to report it to us responsibly. - - Check the package range in package.json: Open the `package.json` file and locate the dependency entry for the package you're interested in. The version range is specified after the package name, using a combination of version numbers and symbols. Examples of version ranges are ^1.0.0, ~1.0.0, or >=1.0.0 <2.0.0. Ensure that the desired version falls within the specified range. +Please submit your findings as security advisories under the "Security" tab in the relevant GitHub repository. Alternatively, you may send the details of your findings to [security@wazuh.com](mailto:security@wazuh.com). - - Check the desired version in `yarn.lock`: Open the `yarn.lock` file and search for the package name. If the package is listed, check the version number specified for the package. Compare this version number with the desired version. +## Vulnerability Disclosure Policy +Upon receiving a report of a potential vulnerability, our team will initiate an investigation. If the reported issue is confirmed as a vulnerability, we will take the following steps: - - If the package range is suitable but `yarn.lock` does not include the desired version, edit the `yarn.lock` file and remove the lines corresponding to the package. Then, run `yarn osd bootstrap` to have the latest version of the package, that satisfies the range from `package.json`, added to `yarn.lock`. +1. Acknowledgment: We will acknowledge the receipt of your vulnerability report and begin our investigation. +2. Validation: We will validate the issue and work on reproducing it in our environment. +3. Remediation: We will work on a fix and thoroughly test it +4. Release & Disclosure: After 90 days from the discovery of the vulnerability, or as soon as a fix is ready and thoroughly tested (whichever comes first), we will release a security update for the affected project. We will also publicly disclose the vulnerability by publishing a CVE (Common Vulnerabilities and Exposures) and acknowledging the discovering party. +5. Exceptions: In order to preserve the security of the Wazuh community at large, we might extend the disclosure period to allow users to patch their deployments. - - If the package range is not suitable and there is no resolutions or the package range in the resolutions is not correct, we can add or update version in the resolutions for all the package sub-deps or specific package sub-dep. For more on version updates please see [Why](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this) and [How](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-how-to-use-it) to upgrade. +This 90-day period allows for end-users to update their systems and minimizes the risk of widespread exploitation of the vulnerability. - ``` - Example: If foobar@1.x exists for subdeps in yarn.lock file. But foobar@1.y is the target version. +## Automatic Scanning +We leverage GitHub Actions to perform automated scans of our supply chain. These scans assist us in identifying vulnerabilities and outdated dependencies in a proactive and timely manner. - Step 1: remove the entry from lockfile and bootstrap; if a suitable version was installed, you can stop. - Step 2: use resolutions to require a specific range for the nested dependency in package.json: - 'resolutions': { "**/foobar": "^1.y", - "**/foo": "^2.x" , - "**/bar": "^3.k"} - Step 3: repeat step 1 +## Credit +We believe in giving credit where credit is due. If you report a security vulnerability to us, and we determine that it is a valid vulnerability, we will publicly credit you for the discovery when we disclose the vulnerability. If you wish to remain anonymous, please indicate so in your initial report. - ``` +We do appreciate and encourage feedback from our community, but currently we do not have a bounty program. We might start bounty programs in the future. - Please be aware of that fixing nested dependencies can be tricky. Sometimes, bumping a parent package of the nested dependency can upgrade several of the nested dependencies at once to solve multiple security vulnerabilities and provide a more maintainable code base. +## Compliance with this Policy +We consider the discovery and reporting of security vulnerabilities an important public service. We encourage responsible reporting of any vulnerabilities that may be found in our site or applications. -## Backport a Vulnerability Fix +Furthermore, we will not take legal action against or suspend or terminate access to the site or services of those who discover and report security vulnerabilities in accordance with this policy because of the fact. -To backport a CVE fix to previous versions of OpenSearch Dashboards, add the desired backport labels (e.g., backport 1.x) to the PR. Upon merging the PR, a workflow will attempt to backport it. If this process fails, the PR will be updated with a comment detailing the failure, and you'll need to follow the provided instructions to manually backport the changes in a new PR. Keep in mind that some CVEs may require distinct resolutions for each branch, such as a major version bump in the main branch, a minor version bump in the 2.x branch, and a specific resolution in the 1.x branch. Refer to the following steps for guidance: +We ask that all users and contributors respect this policy and the security of our community's users by disclosing vulnerabilities to us in accordance with this policy. -1. Identify the pull request you want to backport and the target backport version. -2. Create a new local branch from the target version. -3. Cherry-pick the changes from the pull request into the new branch. To do this, you can use the `git cherry-pick` command followed by the hash of the pull request commit. For example: `git cherry-pick 123456`. -4. Resolve any conflicts. This step may require some manual intervention. -5. Run `yarn osd bootstrap` in the root directory. This will update the dependencies, install the latest version of the package that satisfies the range from `package.json`, and add the updated package information to the `yarn.lock` file. -5. Test the changes thoroughly. -6. Push the new branch to the appropriate remote repository. -7. Submit a new pull request to the target version for the backported changes. +## Changes to this Security Policy +This policy may be revised from time to time. Each version of the policy will be identified at the top of the page by its effective date. -``` - Example: backport a pull request with hash 123 in main to 1.3 - - * Fetch the latest changes from upstream repo: - git pull upstream - - * Create a new local branch from the target version: - git checkout -b backport-cve upstream/1.3 - - * Cherry pick the changes: - git cherry-pick 123 - - * Resolve any conflicts. - - * Push to your origin forked repo: - git push -u origin backport-cve - - * Submit a new pull request to 1.3. - -``` - -It's worth noting that backporting a pull request can be a complex process and depending on the changes involved, additional steps might be required to resolve conflicts. It's important to carefully review and test the changes to ensure they are compatible with the version of OpenSearch Dashboards in the target branch and that the changes are applied correctly. +If you have any questions about this Security Policy, please contact us at [security@wazuh.com](mailto:security@wazuh.com) diff --git a/dev-tools/build-packages/deb/debian/postinst b/dev-tools/build-packages/deb/debian/postinst index 87f734aad01b..3c5f0e031b39 100644 --- a/dev-tools/build-packages/deb/debian/postinst +++ b/dev-tools/build-packages/deb/debian/postinst @@ -35,7 +35,7 @@ configure) service wazuh-dashboard restart >/dev/null 2>&1 fi fi - if [ ! -f "${INSTALLATION_DIR}"/config/opensearch_dashboards.keystore ]; then + if [ ! -f "${CONFIG_DIR}"/opensearch_dashboards.keystore ]; then runuser "${NAME}" --shell="/bin/bash" --command="${INSTALLATION_DIR}/bin/opensearch-dashboards-keystore create" >/dev/null 2>&1 runuser "${NAME}" --shell="/bin/bash" --command="echo kibanaserver | ${INSTALLATION_DIR}/bin/opensearch-dashboards-keystore add opensearch.username --stdin" >/dev/null 2>&1 runuser "${NAME}" --shell="/bin/bash" --command="echo kibanaserver | ${INSTALLATION_DIR}/bin/opensearch-dashboards-keystore add opensearch.password --stdin" >/dev/null 2>&1 diff --git a/dev-tools/build-packages/rpm/wazuh-dashboard.spec b/dev-tools/build-packages/rpm/wazuh-dashboard.spec index 2c9496aaa053..b6ca32c3c761 100644 --- a/dev-tools/build-packages/rpm/wazuh-dashboard.spec +++ b/dev-tools/build-packages/rpm/wazuh-dashboard.spec @@ -130,7 +130,7 @@ fi setcap 'cap_net_bind_service=+ep' %{INSTALL_DIR}/node/bin/node setcap 'cap_net_bind_service=+ep' %{INSTALL_DIR}/node/fallback/bin/node -if [ ! -f %{INSTALLATION_DIR}/config/opensearch_dashboards.keystore ]; then +if [ ! -f %{CONFIG_DIR}/opensearch_dashboards.keystore ]; then runuser %{USER} --shell="/bin/bash" --command="%{INSTALL_DIR}/bin/opensearch-dashboards-keystore create" > /dev/null 2>&1 runuser %{USER} --shell="/bin/bash" --command="echo kibanaserver | %{INSTALL_DIR}/bin/opensearch-dashboards-keystore add opensearch.username --stdin" > /dev/null 2>&1 runuser %{USER} --shell="/bin/bash" --command="echo kibanaserver | %{INSTALL_DIR}/bin/opensearch-dashboards-keystore add opensearch.password --stdin" > /dev/null 2>&1 diff --git a/src/plugins/dashboard/public/application/components/dashboard_listing/__snapshots__/dashboard_listing.test.tsx.snap b/src/plugins/dashboard/public/application/components/dashboard_listing/__snapshots__/dashboard_listing.test.tsx.snap index 4501759b3017..99bb2a78c79a 100644 --- a/src/plugins/dashboard/public/application/components/dashboard_listing/__snapshots__/dashboard_listing.test.tsx.snap +++ b/src/plugins/dashboard/public/application/components/dashboard_listing/__snapshots__/dashboard_listing.test.tsx.snap @@ -2334,17 +2334,22 @@ exports[`dashboard listing render table listing with initial filters from URL 1`

@@ -3589,17 +3594,22 @@ exports[`dashboard listing renders call to action when no dashboards exist 1`] =

@@ -4844,17 +4854,22 @@ exports[`dashboard listing renders table rows 1`] = `

@@ -6099,17 +6114,22 @@ exports[`dashboard listing renders warning when listingLimit is exceeded 1`] = `

diff --git a/src/plugins/dashboard/public/application/utils/get_no_items_message.tsx b/src/plugins/dashboard/public/application/utils/get_no_items_message.tsx index 460fbe9b877d..f51fbea13dec 100644 --- a/src/plugins/dashboard/public/application/utils/get_no_items_message.tsx +++ b/src/plugins/dashboard/public/application/utils/get_no_items_message.tsx @@ -8,6 +8,7 @@ import { FormattedMessage } from '@osd/i18n/react'; import { EuiSmallButton, EuiEmptyPrompt, EuiLink, EuiText } from '@elastic/eui'; import { ApplicationStart } from 'opensearch-dashboards/public'; +const appName = 'Wazuh dashboard'; export const getNoItemsMessage = ( hideWriteControls: boolean, createItem: () => void, @@ -49,22 +50,20 @@ export const getNoItemsMessage = (

- application.navigateToApp('home', { - path: '#/tutorial_directory/sampleData', - }) - } - > + application.navigateToApp('sample-data')}>