external-secrets / kubernetes-external-secrets

Integrate external secret management systems with Kubernetes
MIT License

security vulnerabilities #805

Closed betterltn closed 2 years ago

betterltn commented 3 years ago

Ran a grype (https://github.com/anchore/grype) scan against the latest release 8.2.2 and got the following results:

NAME         INSTALLED  FIXED-IN  VULNERABILITY        SEVERITY
base         0.11.2               CVE-2014-2980        Medium
base         0.11.2               CVE-2009-4590        Medium
base         0.11.2               CVE-2009-4591        High
base         0.11.2               CVE-2009-4592        High
cookie       0.4.0                CVE-2017-18589       High
dot-prop     4.2.1                CVE-2020-8116        High
editor       1.0.0                CVE-2015-0903        High
formidable   1.2.2                CVE-2019-15780       Critical
fresh        0.5.2                CVE-2013-1779        Low
ftp          0.3.10               CVE-1999-0082        High
ftp          0.3.10               CVE-1999-0201        Medium
glob-parent  3.1.0      5.1.2     GHSA-ww39-953v-wcq6  High
glob-parent  3.1.0                CVE-2020-28469       High
jose         1.28.1               CVE-2021-29444       Medium
jose         1.28.1               CVE-2021-29445       Medium
jose         1.28.1               CVE-2021-29446       Medium
path-parse   1.0.6                CVE-2021-23343       High
rc           1.2.8                CVE-2014-1936        High
rc           1.2.8                CVE-2020-17753       Medium
slash        2.0.0                CVE-2002-1647        Medium
slash        3.0.0                CVE-2002-1647        Medium
through      2.3.8                CVE-2021-29940       Critical

Can you please advise on all High and Critical severity vulnerabilities reported? I understand the ftp, rc, editor and cookie related ones are false positives.

Flydiverny commented 3 years ago

glob-parent is a transitive build time dependency in the implementation of the akeyless dependency used for akeyless backend.

❯ npm ls glob-parent
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ akeyless@2.4.2
│ └─┬ @babel/cli@7.14.3
│   └─┬ @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents
│     └── glob-parent@3.1.0
├─┬ eslint@7.12.1
│ └── glob-parent@5.1.2
└─┬ mocha@8.2.0
  └─┬ chokidar@3.4.3
    └── glob-parent@5.1.2 deduped

jose is unlikely to be updatable due to kubernetes-client, our direct dependency for interacting with kubernetes being stale for >1 year.

❯ npm ls jose
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ kubernetes-client@9.0.0
  └─┬ openid-client@3.15.10
    └── jose@1.28.1

dot-prop is a dev time dependency and also a false positive 🤔

kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ nodemon@2.0.6
│ └─┬ update-notifier@4.1.3
│   └─┬ configstore@5.0.1
│     └── dot-prop@5.3.0
└─┬ standard-version@9.2.0
  └─┬ conventional-changelog-conventionalcommits@4.5.0
    └─┬ compare-func@2.0.0
      └── dot-prop@5.3.0 deduped

path-parse is a transitive dev time dependency for code linting.

❯ npm ls path-parse
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ eslint-plugin-import@2.22.1
  └─┬ resolve@1.20.0
    └── path-parse@1.0.6

betterltn commented 3 years ago

Thanks!! Can you comment on the following as well?

through     2.3.8   CVE-2021-29940  Critical
formidable  1.2.2   CVE-2019-15780  Critical
base        0.11.2  CVE-2009-4591   High

Flydiverny commented 3 years ago

They all look like false positives.

formidable, CVE-2019-15780, is related to a WordPress plugin, so false positive. Otherwise formidable is used by superagent, which is for HTTP requests (used by the akeyless library, and by supertest, which KES uses for some unit test mocking).

❯ npm ls formidable
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ akeyless@2.5.3
│ └─┬ superagent@3.7.0
│   └── formidable@1.2.2
└─┬ supertest@6.0.1
  └─┬ superagent@6.1.0
    └── formidable@1.2.2 deduped

base, CVE-2009-4591, is related to the SQL Basic Analysis and Security Engine (BASE), so false positive. As opposed to https://github.com/node-base/base, which looks like a dev time dependency to me (in our dependency tree anyway).

❯ npm ls base
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ akeyless@2.5.3
  └─┬ @babel/cli@7.14.3
    └─┬ @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents
      └─┬ braces@2.3.2
        └─┬ snapdragon@0.8.2
          └── base@0.11.2

through, CVE-2021-29940, is related to a Rust library, so false positive. Colliding with the name of https://www.npmjs.com/package/through, which is used far down the dependency tree for our release script dependencies.

❯ npm ls through
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ standard-version@9.2.0
  ├─┬ conventional-changelog@3.1.24
  │ └─┬ conventional-changelog-core@4.2.2
  │   └─┬ conventional-changelog-writer@4.1.0
  │     └─┬ split@1.0.1
  │       └── through@2.3.8 deduped
  └─┬ conventional-recommended-bump@6.1.0
    └─┬ conventional-commits-parser@3.2.1
      └─┬ JSONStream@1.3.5
        └── through@2.3.8

@renanaAkeyless @OriMankali It would be great if the akeyless dependency could move @babel/cli from dependencies to dev dependencies. I don't see any reason for it to be listed as a dependency.
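
One way to do the dev-time versus runtime triage that the npm ls listings above do by hand, as an added example that is not from this issue or the project: the script reads the packages map of a package-lock.json (lockfile v2/v3 marks entries reachable only from devDependencies with "dev": true) and classifies each scanner finding. The lockfile excerpt and the findings list are constructed; note that the dev flag follows what each dependency's own package.json declares, so a build tool listed under dependencies, like @babel/cli in akeyless, still comes out as runtime.

```python
import json

# Constructed package-lock.json excerpt (lockfileVersion 2/3 layout), not the project's
# real lockfile. Copies reachable only from devDependencies carry "dev": true.
LOCKFILE = json.loads("""{
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"akeyless": "2.5.3", "kubernetes-client": "9.0.0"},
         "devDependencies": {"eslint": "7.12.1", "mocha": "8.2.0"}},
    "node_modules/akeyless": {"version": "2.5.3"},
    "node_modules/akeyless/node_modules/glob-parent": {"version": "3.1.0"},
    "node_modules/glob-parent": {"version": "5.1.2", "dev": true},
    "node_modules/jose": {"version": "1.28.1"},
    "node_modules/path-parse": {"version": "1.0.6", "dev": true},
    "node_modules/dot-prop": {"version": "5.3.0", "dev": true}
  }
}""")

# Constructed findings in the shape of the grype rows above: (name, installed, id).
FINDINGS = [
    ("glob-parent", "3.1.0", "CVE-2020-28469"),
    ("jose", "1.28.1", "CVE-2021-29444"),
    ("path-parse", "1.0.6", "CVE-2021-23343"),
    ("dot-prop", "4.2.1", "CVE-2020-8116"),
]


def installed_instances(lock, name):
    """Every copy of `name` in the lockfile as (path, version, dev_only); the
    suffix check also matches nested copies and scoped (@scope/pkg) names."""
    suffix = "node_modules/" + name
    return [(path, meta.get("version"), bool(meta.get("dev")))
            for path, meta in lock["packages"].items()
            if path == suffix or path.endswith("/" + suffix)]


def triage(lock, findings):
    """Map each finding to 'runtime' (some copy of that version ships without the
    dev flag), 'dev-only' (every copy is dev-only) or 'not-installed' (the scanner
    reported a version the lockfile does not contain; re-check the scan input)."""
    verdicts = {}
    for name, version, vuln_id in findings:
        copies = [c for c in installed_instances(lock, name) if c[1] == version]
        if not copies:
            verdict = "not-installed"
        elif all(dev for _, _, dev in copies):
            verdict = "dev-only"
        else:
            verdict = "runtime"
        verdicts[(name, version, vuln_id)] = verdict
    return verdicts
```

A "dev-only" verdict only says the package is not shipped in the runtime image; a name-collision false positive like the formidable or through entries still has to be checked against the advisory itself.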

renanaAkeyless commented 2 years ago

Hi, sure, I will take a look. Thanks, Renana


haf-tech commented 2 years ago

Still the same sec vuln issues with 8.3.0 - could you provide an updated version?

# npm audit report

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix`
node_modules/@nicolo-ribaudo/chokidar-2/node_modules/glob-parent
  @nicolo-ribaudo/chokidar-2  <=2.1.8-no-fsevents.2
  Depends on vulnerable versions of glob-parent
  node_modules/@nicolo-ribaudo/chokidar-2
    @babel/cli  >=7.12.7
    Depends on vulnerable versions of @nicolo-ribaudo/chokidar-2
    node_modules/@babel/cli

trim-newlines  <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix`
node_modules/get-pkg-repo/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/get-pkg-repo/node_modules/meow

5 vulnerabilities (3 moderate, 2 high)

To address all issues, run:
  npm audit fix

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] commented 2 years ago

This issue was closed because it has been stalled for 30 days with no activity.