Open ThorbenLindhauer opened 1 year ago
Any update on this? RetireJS via the OWASP Dependency Checker is reporting Bootstrap versions < 4.0.0 as EOL and flagging the Camunda Webapps for usage of Bootstrap version 3.4.1.
Update: RetireJS via the OWASP Dependency Checker is reporting Bootstrap versions <= 3.4.1 as having an XSS vulnerability in the carousel component and flagging the Camunda Webapps for usage of Bootstrap version 3.4.1.
Any update as to when this library will be updated would be greatly appreciated @ThorbenLindhauer @tasso94
Hi @davidmstirn,
Thank you for bringing this to our attention.
We are aware of the vulnerabilities, but we believe the Camunda 7 Web apps are not affected.
In our code, we don't use any of those plugins and attributes affected by the security vulnerabilities:
On top of this, our default Content Security Policy configuration prevents XSS attacks: https://docs.camunda.org/manual/7.21/webapps/shared-options/header-security/#content-security-policy
If you are still concerned about the vulnerability scanner hits, we are exploring options for fixing these vulnerabilities nonetheless. We will post an update once we can share more information.
Best, Tassilo
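The reply above leans on the web apps' default Content Security Policy as the mitigation for the flagged Bootstrap finding. Whether a CSP actually blocks injected inline scripts depends on the effective script-src directive, so the added example below (not Camunda's code, and the sample header values are constructed rather than taken from the Camunda docs) parses a CSP header and reports the settings that would leave inline or arbitrary external scripts runnable. It goes slightly beyond the thread by also covering the CSP3 rules that nonces/hashes override 'unsafe-inline' and that 'strict-dynamic' overrides host and scheme sources.

```python
"""Parse a Content-Security-Policy header and report script-src settings that
would not stop an injected inline <script>. Added example; the sample header
strings are constructed for illustration and are not Camunda's defaults."""
from typing import Dict, List, Optional

# Constructed sample policies (hypothetical values, not from the Camunda docs).
STRICT_CSP = ("base-uri 'self'; script-src 'nonce-abc123' 'strict-dynamic' "
              "'unsafe-inline' https: http:")
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive, and a browser honours only the
    first occurrence of a directive, so later duplicates are dropped here too."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src applies if present; otherwise default-src is the fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def script_src_findings(policy: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for script sources that would let an
    injected inline script or an arbitrary external script execute.
    An empty list means the policy restricts script execution."""
    sources = effective_script_sources(policy)
    if sources is None:
        return ["no script-src or default-src: inline and external scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    findings: List[str] = []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    # CSP3: 'unsafe-inline' is ignored by browsers when a nonce or hash is present,
    # so it is only a finding without one.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without nonce/hash: injected inline scripts run")
    # CSP3: with 'strict-dynamic', host and scheme sources are ignored, so a
    # wildcard or bare scheme is harmless there; without it they are a finding.
    if "'strict-dynamic'" not in lowered:
        for s in lowered:
            if s == "*" or s in ("http:", "https:", "data:"):
                findings.append(f"{s} allows loading scripts from arbitrary origins")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' allows string-to-code execution")
    return findings


if __name__ == "__main__":
    for label, header in (("strict", STRICT_CSP), ("weak", WEAK_CSP)):
        print(label, script_src_findings(parse_csp(header)) or ["ok"])
```

To use this against a running deployment, fetch the Content-Security-Policy response header of the web app with any HTTP client and pass its value to parse_csp; an empty findings list is the condition under which the "CSP prevents XSS" argument holds for script injection.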
Thank you for the reply @tasso94 , that satisfies my concern regarding the scanner findings.
This issue was imported from JIRA:
Acceptance Criteria (Required on creation):
Breakdown

Migrating to Bootstrap 4 (Effort: S)
- angular-ui-bootstrap with ui-bootstrap4
- bootstrap npm package to version 4

Migrating to Bootstrap 5 (Effort: M)
- ui-bootstrap4 into our codebase
- bootstrap npm package to version 5
- ui-bootstrap4 to bootstrap@5

Generic tasks (Effort: M)
- bootstrap@6
- *.html
- bootstrap@4
- http://upgrade-bootstrap.bootply.com/

Hints (optional)
Screencast of Cockpit with Bootstrap 4 without further optimizations:
https://user-images.githubusercontent.com/3015690/202664590-a9b5927d-dd54-4edc-bb4a-942d6f521bd7.mov
Links