Update bootstrap in the webapps

[ThorbenLindhauer]

This issue was imported from JIRA:

Field	Value
JIRA Link	CAM-14882
Reporter	@ThorbenLindhauer
Has restricted visibility comments	true

---

Acceptance Criteria (Required on creation):

• Bootstrap is updated to the latest version

Breakdown

Migrating to Bootstrap 4

Effort: S

• [ ] Replace the npm package angular-ui-bootstrap with ui-bootstrap4
• [ ] Bump the bootstrap npm package to version 4

Migrating to Bootstrap 5

Effort: M

• [ ] Merge the needed components of ui-bootstrap4 into our codebase
• [ ] Bump the bootstrap npm package to version 5
• [ ] Migrate the merged components of ui-bootstrap4 to bootstrap@5
• [ ] Understand, and decide which tests should be taken over and how they can be integrated into our CI
• [ ] Write internal documentation on how to work with the migrated components

Generic tasks

Effort: M

• [ ] Migrate custom LESS styles to SCSS, aka SASS
• [ ] [OPTIONAL] Make custom styles independent from Bootstrap to avoid breaking changes in the future (potentially when we need to migrate to bootstrap@6)
  • Remove/refactor Bootstrap references to functions / mixins / variables
• [ ] Adjust names of CSS classes in custom styles and template files (*.html)
  • Here is a list of renamed/removed classes for bootstrap@4: http://upgrade-bootstrap.bootply.com/
  • Search & replace might be acceptable unless the respective CSS class was removed or the DOM structure has changed
  • Review code produced via search & replace carefully
• [ ] Reintroduce the icon font "Glyphicon" since it has been removed with Bootstrap 4
• [ ] Review migration guides, understand the implications, take necessary actions
  • Migrating to v4
  • Migrating to v5
• [ ] Review the behavior and look & feel of all the views and apply changes as needed to fix problems and bring back the previous look & feel (pay attention to the style (size, position, and color) of UI elements as well as their behavior)
  • IMHO, it is not necessary to be nitpicking here; a little face-lift of the Webapps is acceptable, probably unavoidable, and lies in the nature of things; however, users should be able to recognize the Webapps after migrating it
• [ ] Work in small iterations, release often to get feedback early (i.e., merge code at an early stage, so it's included in alpha releases), and involve the QA team from the beginning

Hints (optional)

Screencast of Cockpit with Bootstrap 4 without further optimizations:

https://user-images.githubusercontent.com/3015690/202664590-a9b5927d-dd54-4edc-bb4a-942d6f521bd7.mov

Links

• is depended on by https://jira.camunda.com/browse/SEC-161
• WIP branches of the Bootstrap 4 update:
  • https://github.com/camunda/camunda-bpm-platform/tree/bootstrap4
  • https://github.com/camunda/camunda-bpm-platform-ee/tree/bootstrap4

[davidmstirn]

Any update on this? RetireJS via the OWASP Dependency Checker is reporting Bootstrap versions < 4.0.0 as EOL and flagging the Camunda Webapps for usage of Bootstrap version 3.4.1.

[davidmstirn]

Update: RetireJS via the OWASP Dependency Checker is reporting Bootstrap versions <= 3.4.1 as having a XSS vulnerability in the carousel component and flagging the Camunda Webapps for usage of Bootstrap version 3.4.1.

Any update as to when this library will be updated would be greatly appreciated @ThorbenLindhauer @tasso94

[tasso94]

Hi @davidmstirn,

Thank you for bringing this to our attention.

We are aware of the vulnerabilities, but we believe the Camunda 7 Web apps are not affected.

In our code, we don't use any of those plugins and attributes affected by the security vulnerabilities:

• Carousel component data-slide and data-slide-to attributes: CE
• Button plugin data--text attribute: [CE](https://github.com/search?q=repo%3Acamunda%2Fcamunda-bpm-platform+%2Fdata-%5B%5Cw%5D-text%2F&type=code)

On top of this, our default Content Security Policy configuration prevents XSS attacks: https://docs.camunda.org/manual/7.21/webapps/shared-options/header-security/#content-security-policy

If you are still concerned about the vulnerability scanner hits, we are exploring options for fixing these vulnerabilities nonetheless. We will post an update once we can share more information.

Best, Tassilo

[davidmstirn]

Thank you for the reply @tasso94 , that satisfies my concern regarding the scanner findings.