NASA-PDS / doi-ui

The web interface for the PDS DOI Service, providing the ability to manage PDS archive DOIs. See the DOI Service for more details on the available capabilities. https://nasa-pds.github.io/doi-service/
Apache License 2.0

As a SA, I don't want security vulnerabilities in the public UI #35

Closed tloubrieu-jpl closed 3 years ago

tloubrieu-jpl commented 3 years ago

When we npm install the UI, we saw some warnings on vulnerabilities, see

$ npm install

core-js@2.6.11 postinstall /data/home/pds4/pds-doi-ui/node_modules/babel-runtime/node_modules/core-js node -e "try{require('./postinstall')}catch(e){}"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:

https://opencollective.com/core-js https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

core-js@3.6.5 postinstall /data/home/pds4/pds-doi-ui/node_modules/core-js node -e "try{require('./postinstall')}catch(e){}"

core-js-pure@3.6.5 postinstall /data/home/pds4/pds-doi-ui/node_modules/core-js-pure node -e "try{require('./postinstall')}catch(e){}"

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/webpack-dev-server/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 1691 packages from 810 contributors and audited 1699 packages in 32.942s

76 packages are looking for funding
  run `npm fund` for details

found 6 vulnerabilities (1 low, 2 moderate, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details

tloubrieu-jpl commented 3 years ago

When I run

% npm install
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN pds-doi-ui@0.1.0-dev No repository field.
npm WARN pds-doi-ui@0.1.0-dev No license field.

audited 1699 packages in 6.738s

76 packages are looking for funding
  run `npm fund` for details

found 4601 vulnerabilities (1 low, 163 moderate, 4437 high)

We need to know how critical these vulnerabilities are.

I think we will go straight to the SA on this question.

jordanpadams commented 3 years ago

@tloubrieu-jpl is there a report we could briefly review to identify what these vulnerabilities are? Some of them may be simple programming logic vulnerabilities we should address before going to the SAs?

tloubrieu-jpl commented 3 years ago

@jordanpadams @eddiesarevalo yes, maybe we should find a way to get which vulnerabilities come from our code and which come from dependencies.

eddiesarevalo commented 3 years ago

@jordanpadams @tloubrieu-jpl If you run the npm audit command you get the full list detailing the vulnerabilities. These all come from the dependencies, not from our code. We can try to do the npm audit fix command but not all of them will be fixed. There are at least 80 that require manual attention but might prove difficult to fix since it is from a third party. I wanted to post the full list but the report is long. Let me know if I should try sending it to you through email. If these are too serious to allow to deploy then we can consider using alternate less vulnerable technologies.

eddiesarevalo commented 3 years ago

A majority of the high risk vulnerabilities come from lodash, a React dependency, which from what I can tell is not actually used in our built code but in the React build process.

jordanpadams commented 3 years ago

@eddiesarevalo are there newer versions of our dependencies we could upgrade to that potentially remove these vulnerabilities?

eddiesarevalo commented 3 years ago

@jordanpadams Yes, that is probably the second thing I can try after the npm audit fix.

eddiesarevalo commented 3 years ago

@jordanpadams @tloubrieu-jpl Using npm audit fix and npm audit fix --force got rid of over 4000 vulnerabilities leaving all but 80. Updating all the dependency versions gives the same result. The final 80 need to be manually updated but they are all moderate. There are no high vulnerabilities remaining.
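To make the triage described in this thread repeatable, here is an added Python example (not part of the doi-ui project) that reads the JSON that `npm audit --json` writes (the npm 7+ `auditReportVersion` 2 shape, trimmed to the fields used) and sorts each vulnerable package by severity, by whether it is a direct dependency or pulled in through another package such as the build tooling, and by whether plain `npm audit fix`, `npm audit fix --force` (a semver-major bump of the dependent) or manual work is needed. The embedded report is constructed; package names other than lodash are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the npm 7+ "auditReportVersion": 2 JSON shape.
# Only the fields the triage uses are included; the placeholder packages
# and their advisories are invented for illustration.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {
            "name": "lodash", "severity": "high", "isDirect": False,
            "via": [{"title": "Prototype Pollution", "severity": "high"}],
            "effects": ["react-scripts"], "fixAvailable": True},
        "example-build-tool": {
            "name": "example-build-tool", "severity": "moderate", "isDirect": False,
            "via": [{"title": "Placeholder advisory", "severity": "moderate"}],
            "effects": ["react-scripts"],
            # a fix exists only via a semver-major bump of the dependent -> --force
            "fixAvailable": {"name": "react-scripts", "version": "4.0.0",
                             "isSemVerMajor": True}},
        "example-direct-dep": {
            "name": "example-direct-dep", "severity": "moderate", "isDirect": True,
            "via": [{"title": "Placeholder advisory", "severity": "moderate"}],
            "effects": [], "fixAvailable": False},
    },
})

FIX_BUCKETS = ("npm audit fix", "npm audit fix --force", "manual")


def fix_bucket(vuln):
    """Map npm's fixAvailable field (True / False / object) to the command needed."""
    fix = vuln.get("fixAvailable", False)
    if fix is True:
        return "npm audit fix"
    if isinstance(fix, dict):
        return "npm audit fix --force" if fix.get("isSemVerMajor") else "npm audit fix"
    return "manual"


def triage(report_json):
    """Return (Counter by severity, package names per fix bucket, per-package rows)."""
    report = json.loads(report_json)
    by_severity, rows = Counter(), []
    buckets = {b: [] for b in FIX_BUCKETS}
    for name, vuln in sorted(report["vulnerabilities"].items()):
        by_severity[vuln["severity"]] += 1
        buckets[fix_bucket(vuln)].append(name)
        # "effects" lists the packages that pull this vulnerable package in
        rows.append({"package": name, "severity": vuln["severity"],
                     "direct": vuln.get("isDirect", False),
                     "pulled_in_by": vuln.get("effects", []), "fix": fix_bucket(vuln)})
    return by_severity, buckets, rows
```

Run it on a real report with `npm audit --json > audit.json` and pass the file contents to `triage`; the `pulled_in_by` column shows which packages are reached only through build-time dependencies.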

jordanpadams commented 3 years ago

@eddiesarevalo per discussions today, feel free to create a PR for these updates, and we will deal with the other moderate vulnerabilities.

gxtchen commented 2 years ago

@jordanpadams @tloubrieu-jpl when I run npm install on my Mac, I am seeing these numbers: 58 vulnerabilities (16 moderate, 40 high, 2 critical) after running npm audit fix --force. What can I show in the testing report?

tloubrieu-jpl commented 2 years ago

@gxtchen yes, this is good feedback. We fixed that in the past but it came back. You should also create a specific ticket for this issue; @eddiesarevalo should be able to correct that.