artilleryio / artillery

The complete load testing platform. Everything you need for production-grade load tests. Serverless & distributed. Load test with Playwright. Load test HTTP APIs, GraphQL, WebSocket, and more. Use any Node.js module.
https://www.artillery.io
Mozilla Public License 2.0

Security Vulnerabilities #1971

Closed Kesavadas closed 7 months ago

Kesavadas commented 1 year ago

While trying to use the Docker image of artillery from Docker Hub, https://hub.docker.com/r/artilleryio/artillery/tags

docker image tag: 2.0.0-34 (docker pull artilleryio/artillery:2.0.0-34)

It has about 13 vulnerabilities, high and medium included, which prohibits us from pulling the image.

Could you please push a latest image with no vulnerabilities?

Below is the screenshot of the vulnerabilities.

[Screenshot of the image vulnerability scan, 2023-07-05]

hassy commented 1 year ago

Thanks @Kesavadas. Dependencies with high severity CVEs will be addressed in the next release.

Kesavadas commented 1 year ago

Thank you @hassy for the quick response. Much appreciated.

MatthewClark2 commented 1 year ago

I'd just like to share that there still seem to be some open security vulnerabilities in 2.0.0-35.

```
# npm audit report

dot-prop  <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/utils-is-little-endian/node_modules/dot-prop
  configstore  2.0.0 - 2.1.0 || 3.1.3
  Depends on vulnerable versions of dot-prop
  node_modules/utils-is-little-endian/node_modules/configstore
    update-notifier  0.2.0 - 5.1.0
    Depends on vulnerable versions of configstore
    Depends on vulnerable versions of latest-version
    node_modules/artillery-pro/node_modules/update-notifier
    node_modules/ava/node_modules/update-notifier
    node_modules/update-notifier
    node_modules/utils-is-little-endian/node_modules/update-notifier
      artillery  >=1.5.7-0
      Depends on vulnerable versions of artillery-pro
      Depends on vulnerable versions of ava
      Depends on vulnerable versions of sketches-js-hassy
      Depends on vulnerable versions of update-notifier
      node_modules/artillery
      ava  0.1.0 - 4.0.0-rc.1
      Depends on vulnerable versions of update-notifier
      node_modules/ava

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/ejs
  artillery-pro  *
  Depends on vulnerable versions of cfn
  Depends on vulnerable versions of dependency-tree
  Depends on vulnerable versions of ejs
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of update-notifier
  node_modules/artillery-pro

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/artillery-pro/node_modules/package-json/node_modules/got
node_modules/package-json/node_modules/got
node_modules/utils-is-little-endian/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/artillery-pro/node_modules/package-json
  node_modules/package-json
  node_modules/utils-is-little-endian/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/artillery-pro/node_modules/latest-version
    node_modules/latest-version
    node_modules/utils-is-little-endian/node_modules/latest-version

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/jsonwebtoken

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix`
node_modules/protobufjs
  sketches-js-hassy  *
  Depends on vulnerable versions of protobufjs
  node_modules/sketches-js-hassy

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/typescript-eslint-parser/node_modules/semver
  typescript-eslint-parser  3.0.0 - 18.0.0
  Depends on vulnerable versions of semver
  node_modules/typescript-eslint-parser
    detective-typescript  2.0.0 - 4.1.2
    Depends on vulnerable versions of typescript-eslint-parser
    node_modules/detective-typescript
      precinct  4.0.0 - 5.3.1
      Depends on vulnerable versions of detective-typescript
      node_modules/precinct
        dependency-tree  6.0.0 - 6.5.0
        Depends on vulnerable versions of precinct
        node_modules/dependency-tree

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    cfn  >=1.6.0
    Depends on vulnerable versions of meow
    node_modules/cfn

21 vulnerabilities (10 moderate, 8 high, 3 critical)
```

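One way to turn that audit output into a CI gate, as an added example that is not artillery's code: it reads the JSON form of `npm audit` (auditReportVersion 2) and separates findings that plain `npm audit fix` resolves from those, like dot-prop and ejs above, whose only fix is a breaking change (`--force` downgrading to artillery@1.7.9). The sample report is constructed to mirror four of the findings in the thread; the live branch assumes `npm` is on PATH.

```python
"""Triage `npm audit --json` output so a pipeline fails on the right findings."""
import json
import subprocess
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
# modelled on findings from the report quoted above. `fixAvailable` is True
# for a clean fix, or an object with isSemVerMajor when the fix is breaking.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "dot-prop": {"name": "dot-prop", "severity": "high", "range": "<4.2.1",
                     "fixAvailable": {"name": "artillery", "version": "1.7.9", "isSemVerMajor": True}},
        "ejs": {"name": "ejs", "severity": "critical", "range": "<3.1.7",
                "fixAvailable": {"name": "artillery", "version": "1.7.9", "isSemVerMajor": True}},
        "protobufjs": {"name": "protobufjs", "severity": "high", "range": "6.10.0 - 7.2.3",
                       "fixAvailable": True},
        "semver": {"name": "semver", "severity": "moderate", "range": "<5.7.2",
                   "fixAvailable": True},
    },
}


def triage(report, min_severity="high"):
    """Return (blocking, easy_fix, breaking_fix) package lists at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    blocking, easy, breaking = [], [], []
    for name, vuln in sorted(report.get("vulnerabilities", {}).items()):
        if SEVERITY_RANK.get(vuln.get("severity"), 0) < floor:
            continue
        blocking.append(name)
        fix = vuln.get("fixAvailable")
        if fix is True:
            easy.append(name)       # resolved by plain `npm audit fix`
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            breaking.append(name)   # needs `--force`, i.e. a major-version change
        # fix == False: no fix published yet; still blocking
    return blocking, easy, breaking


def main(argv):
    if len(argv) > 1 and argv[1] == "--sample":
        report = SAMPLE_REPORT
    else:
        # `npm audit` exits non-zero whenever it finds anything, so ignore the exit code.
        proc = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True)
        report = json.loads(proc.stdout or "{}")
    blocking, easy, breaking = triage(report)
    print(f"blocking: {blocking}\nfixable with npm audit fix: {easy}\nbreaking fix only: {breaking}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with `--sample` to see the split on the embedded report; without it the script audits the current project and exits 1 when anything high or critical remains.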
jcollum-nutrien commented 1 year ago

I'm still seeing two in 2.0.0-37

proxy: Improper Handling of Undefined Values

semver: Regular Expression Denial of Service (ReDoS)

bernardobridge commented 7 months ago

Should not be present in latest artillery releases. Please open a new issue if that is the case. Thank you!