search

NASA-PDS / doi-ui

The web interface for the PDS DOI Service providing the ability management PDS archive DOIs. See the DOI Service for more details on the available capabilities. https://nasa-pds.github.io/doi-service/
Apache License 2.0
0 stars 4 forks source link

Remove vulnerabilities from the package per npm audit #130

Closed tloubrieu-jpl closed 1 year ago

tloubrieu-jpl commented 2 years ago

🐛 Describe the bug

Some critical/high vulnerabilities shows when one build the application.

📜 To Reproduce

Steps to reproduce the behavior:

Run npm install

See output:

% npm install

up to date, audited 2018 packages in 5s

143 packages are looking for funding
  run `npm fund` for details

32 vulnerabilities (1 low, 16 moderate, 12 high, 3 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

🕵️ Expected behavior

There should not be critical or high vulnerabilities.

📚 Version of Software Used

🩺 Test Data / Additional context

🏞Screenshots

🖥 System Info

🦄 Related requirements

⚙️ Engineering Details

eddiesarevalo commented 2 years ago

@tloubrieu-jpl Running npm audit fix will fix 6 moderate, 1 high and 1 critical All the left overs are caused by one react dependency: react-scripts@5.0.1, which is a breaking change. This one update will break react and all the remaining dependencies and the doi-ui. They need to be fixed by the dependency's developers.

Also just some more details about the vulnerabilities. The vulnerabilities are on the tool side. Not exactly on the built code side. So deployed versions would not have all these vulnerabilities exposed. However without reading into each individual dependency's code we wouldn’t be able to tell.

jordanpadams commented 2 years ago

🕐 Updated dependencies to remove most of the vulnerabilities

tloubrieu-jpl commented 1 year ago

Re-opened because of I&T of build 13.0

tloubrieu-jpl commented 1 year ago

These vulnerabilities are related to the build process but once the application is build these vulnerabilities are not in the online application.

We (dev team ) need to provide a better way to asses the security of the application for the I&T team to test.

miguelp1986 commented 1 year ago

@tloubrieu-jpl which Node/NPM version are we using for this repo?

tloubrieu-jpl commented 1 year ago

@eddiesarevalo can you answer Miguel ? Thanks

miguelp1986 commented 1 year ago

@eddiesarevalo answered my question in today's breakout: npm -v 8.19.3 node -v v19.1.0

miguelp1986 commented 1 year ago

@eddiesarevalo @tloubrieu-jpl running npm install yields 31 vulnerabilities (1 low, 1 moderate, 20 high, 9 critical):

node -v                                                                                                                                             ─╯
v19.1.0
npm -v                                                                                                                                              ─╯
8.19.3
npm install
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated rollup-plugin-terser@5.3.1: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated @material-ui/core@4.12.3: You can now upgrade to @mui/material. See the guide: https://mui.com/guides/migration-v4/
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated

added 2034 packages, and audited 2035 packages in 1m

187 packages are looking for funding
run npm fund for details

31 vulnerabilities (1 low, 1 moderate, 20 high, 9 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.
tloubrieu-jpl commented 1 year ago

thanks @miguelp1986 , @eddiesarevalo should we run npm audit fix so that the critical vulnerability occurring in the build phase (and which do not apply when the application is deployed) do not show anymore ?

eddiesarevalo commented 1 year ago

@tloubrieu-jpl Yes, you can run npm audit fix often and then do quick testing to see if it still runs and builds. The audit will apply fixes that are available but it won't fix anything if none are available.

miguelp1986 commented 1 year ago

@eddiesarevalo @tloubrieu-jpl npm audix fix didn't fix the issue:

npm audit fix                                                                                                                                                    

added 1 package, removed 3 packages, changed 4 packages, and audited 2035 packages in 4s

189 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  node_modules/@pmmmwh/react-refresh-webpack-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ejs
  @surma/rollup-plugin-off-main-thread  <=2.1.0
  Depends on vulnerable versions of ejs
  node_modules/@surma/rollup-plugin-off-main-thread
    workbox-build  5.0.0-alpha.0 - 6.3.0
    Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
    node_modules/workbox-build
      workbox-webpack-plugin  5.0.0-alpha.0 - 5.1.4 || 6.2.2 - 6.3.0
      Depends on vulnerable versions of workbox-build
      node_modules/workbox-webpack-plugin

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-c36v-fmgq-m8hx
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
fix available via `npm audit fix`
node_modules/react-dev-utils/node_modules/immer

loader-utils  2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
fix available via `npm audit fix`
node_modules/loader-utils

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/recursive-readdir/node_modules/minimatch
  recursive-readdir  1.2.0 - 2.2.2
  Depends on vulnerable versions of minimatch
  node_modules/recursive-readdir

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via `npm audit fix`
node_modules/shell-quote

xlsx  *
Severity: high
Prototype Pollution in sheetJS - https://github.com/advisories/GHSA-4r6h-8v6p-xvw6
No fix available
node_modules/xlsx

32 vulnerabilities (1 low, 1 moderate, 21 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

npm install                                                                                                                                                          ─╯

up to date, audited 2035 packages in 1s

189 packages are looking for funding
  run `npm fund` for details

32 vulnerabilities (1 low, 1 moderate, 21 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

npm start                                                                                                                                                            ─╯

> @nasa_pds/pds-doi-ui@1.0.0 start
> react-scripts start

ℹ 「wds」: Project is running at http://0.0.0.0:3000/
ℹ 「wds」: webpack output is served from
ℹ 「wds」: Content not from webpack is served from /Users/MPena/repositories/doi-ui/public
ℹ 「wds」: 404s will fallback to /
Starting the development server...

Browserslist: caniuse-lite is outdated. Please run:
  npx update-browserslist-db@latest
  Why you should do it regularly: https://github.com/browserslist/update-db#readme
/Users/MPena/repositories/doi-ui/node_modules/react-scripts/scripts/start.js:19
  throw err;
  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:71:19)
    at Object.createHash (node:crypto:140:10)
    at module.exports (/Users/MPena/repositories/doi-ui/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/Users/MPena/repositories/doi-ui/node_modules/webpack/lib/NormalModule.js:417:16)
    at /Users/MPena/repositories/doi-ui/node_modules/webpack/lib/NormalModule.js:452:10
    at /Users/MPena/repositories/doi-ui/node_modules/webpack/lib/NormalModule.js:323:13
    at /Users/MPena/repositories/doi-ui/node_modules/loader-runner/lib/LoaderRunner.js:367:11
    at /Users/MPena/repositories/doi-ui/node_modules/loader-runner/lib/LoaderRunner.js:233:18
    at context.callback (/Users/MPena/repositories/doi-ui/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /Users/MPena/repositories/doi-ui/node_modules/babel-loader/lib/index.js:59:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Node.js v19.1.0