fecgov / openFEC

The first RESTful API for the Federal Election Commission. We're aiming to make campaign finance more accessible for journalists, academics, developers, and other transparency seekers.
https://api.open.fec.gov/developers

Check logs sprint 8.5 week 1 #3655

Closed JonellaCulmer closed 5 years ago

JonellaCulmer commented 5 years ago

Log review needs to be completed for Sprint 8.5 (week 1) per the Security Event Review Checklist (https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist)

fec-jli commented 5 years ago

Vulnerabilities found this week:

OPENFEC: Total 2

  1. package.json: 0
  2. requirements.txt: 1 medium. Race Condition. Vulnerable module: webargs. Introduced through: webargs@0.18.0 and flask-apispec@0.7.0. https://github.com/fecgov/openFEC/issues/3642
  3. data/flyway/build.gradle: 1 HIGH. Details here: https://app.snyk.io/org/fecgov/project/e6c155e9-f0ac-4a49-98fa-83c24f5b74b3/ Added a new ticket here: https://github.com/fecgov/openFEC/issues/3654

FEC-EREGS: total 2

  1. package.json: 1 medium. (1) Denial of Service (DoS), MEDIUM SEVERITY. Vulnerable module: mem. Introduced through: npm@6.8.0. https://app.snyk.io/vuln/npm:mem:20180117 Created new issue: https://github.com/fecgov/fec-eregs/issues/437
  2. requirements.txt: 1 medium. Race Condition, medium. Vulnerable module: webargs. Introduced through: regcore@4.2.0 and webargs@1.8.1. https://github.com/fecgov/fec-eregs/issues/435

FEC-PATTERN-LIBRARY: Total 1

  1. package.json: 1 medium. Vulnerable module: jquery. Introduced through: datatables.net-responsive@2.0.1, typeahead.js@0.11.1 and others. https://app.snyk.io/vuln/SNYK-JS-JQUERY-174006 https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/?severity=high&severity=medium&severity=low&policy=open&fromGitHubAuth=true Created new issue: https://github.com/fecgov/fec-pattern-library/issues/133

FEC-CMS: Total 2

  1. package.json: 2 medium
     (1) Denial of Service (DoS), MEDIUM SEVERITY. Vulnerable module: mem. Introduced through: npm@6.8.0. https://app.snyk.io/vuln/npm:mem:20180117 (fecgov/fec-cms#2690)
     (2) Prototype Pollution, MEDIUM SEVERITY. Vulnerable module: jquery. Introduced through: datatables.net-responsive@2.0.1, typeahead.js@0.11.1 and others. https://app.snyk.io/vuln/SNYK-JS-JQUERY-174006 https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/?severity=high&severity=medium&severity=low&policy=open&fromGitHubAuth=true Created new issue: https://github.com/fecgov/fec-cms/issues/2792
  2. requirements.txt: 0 None

Account approvals: One open issue: Onboard Jason Upchurch https://github.com/fecgov/fec-accounts/issues/166

Search logs: one user added to the CMS image (for @rfultz to access Wagtail; refer to onboard ticket https://github.com/fecgov/fec-accounts/issues/155, which can be closed now).

Cloud.gov Dashboard: 9 deployer accounts, same as last week.

fec-jli commented 5 years ago

Check logs for sprint 8.5 week 1 done. Created three new tickets (one in each of FEC-CMS, FEC-PATTERN-LIBRARY, FEC-EREGS), so closing this issue.