Open turvas opened 10 months ago
@turvas There is no obligation to respond. If you're in a hurry, you should do it.
It is necessary to adapt from Vue 2 to 3, and it is not possible to adapt everything at once.
Library changes and program modifications should also occur. Recognition is not an easy task.
In some cases, it may be difficult to resolve because other modules specify a vulnerable version due to dependencies. So it's not easy.
investigating
"vue-native-websocket": "2.0.15" to "vue-native-websocket": "github:nsano-rururu/vue-native-websocket#master",
current
77 vulnerabilities (4 low, 22 moderate, 40 high, 11 critical)
fix
11 vulnerabilities (6 moderate, 4 high, 1 critical)
Since it's an OSS, it's natural that you won't receive any money by responding to this issue, but if they are not cooperative, we will lower the priority of responding to that issue. Because time is not infinite
We have released Docker image 1.8.17, which changes vue-native-websocket from 2.0.15 to github:nsano-rururu/vue-native-websocket#master.
https://hub.docker.com/r/praecoapp/praeco/tags
In 1.8.18, we plan to do the following: Vue3 support continues in a separate repository
https://github.com/johnsusek/praeco/milestone/18
1. Review and update the libraries you are using
2. Node version upgrade (16 → 18 or 20)
3. Change the docker image used in dockerfile
4. Migration from vue2 to vue3
I have done 2) and 3) from above list. If you are interested, I can share my Dockerfile, where High and Critical OS level vulns are removed.
@turvas Please share.
Dockerfile:

```dockerfile
FROM node:lts-hydrogen AS base
# Node 18 (hydrogen) base image; install nginx to serve the built frontend
RUN apt update && \
    export DEBIAN_FRONTEND=noninteractive && \
    apt install -y nginx
RUN mkdir -p /tmp/nginx/praeco
RUN mkdir -p /var/log/nginx
RUN mkdir -p /var/www/html
RUN chown www-data:www-data /var/www/html
WORKDIR /tmp/nginx/praeco
COPY package.json .
# Update the OS packages that trivy flags as vulnerable in the base image
# and remove the one that has no fixed version available
RUN apt install -y openssh-client curl postgresql-15 libde265-0
RUN apt remove -y aom-tools

FROM base AS dependencies
RUN npm install --legacy-peer-deps --loglevel error

FROM base AS release
COPY --from=dependencies /tmp/nginx/praeco/node_modules ./node_modules
COPY . .
RUN npm run build
RUN cp -r dist/* /var/www/html
EXPOSE 8080
ENTRYPOINT ["./entrypoint.sh"]
```
`RUN apt install -y openssh-client curl postgresql-15 libde265-0`
What is this used for? I feel like it's not necessary
node:lts-hydrogen contains 5 critical vulns, and those 2 lines update 4 vulnerable packages and uninstall the last one, which does not have a fix.
Thank you for your answer. We will use this as a reference when making the next release compatible with node18.
docker run aquasec/trivy image praecoapp/praeco:1.8.16
praecoapp/praeco:1.8.16 (debian 10.13)
======================================
Total: 3020 (UNKNOWN: 32, LOW: 1420, MEDIUM: 989, HIGH: 542, CRITICAL: 37)
~~~~~~~~~~~~~~~~~~~~~~~
Node.js (node-pkg)
==================
Total: 127 (UNKNOWN: 0, LOW: 6, MEDIUM: 46, HIGH: 57, CRITICAL: 18)
docker run aquasec/trivy image praecoapp/praeco:1.8.17
praecoapp/praeco:1.8.17 (debian 10.13)
======================================
Total: 3018 (UNKNOWN: 32, LOW: 1420, MEDIUM: 987, HIGH: 542, CRITICAL: 37)
~~~~~~~~~~~~~~~~~~~~~~~
Node.js (node-pkg)
==================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 0)
docker run aquasec/trivy image praecoapp/praeco:1.8.18
node 16 to 18
praecoapp/praeco:1.8.18 (debian 12.4)
=====================================
Total: 767 (UNKNOWN: 0, LOW: 491, MEDIUM: 223, HIGH: 51, CRITICAL: 2)
~~~~~~~~~~~~~~~~~~~~~~~
Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
docker run aquasec/trivy image praecoapp/elastalert-server:20231126
praecoapp/elastalert-server:20231126 (alpine 3.18.3)
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
2024-01-03T17:36:05.145Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Node.js (node-pkg)
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬─────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼─────────────────────────────────────────────────────┤
│ semver (package.json) │ CVE-2022-25883 │ MEDIUM │ fixed │ 7.3.7 │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25883 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴─────────────────────────────────────────────────────┘
Python (python-pkg)
===================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ cryptography (METADATA) │ CVE-2023-49083 │ MEDIUM │ fixed │ 41.0.5 │ 41.0.6 │ python-cryptography: NULL-dereference when loading PKCS7 │
│ │ │ │ │ │ │ certificates │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-49083 │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
Praeco
elastalert-server
thank you, great progress
docker run aquasec/trivy image praecoapp/elastalert-server:20240104
node 16 to 18
praecoapp/elastalert-server:20240104 (alpine 3.19.0)
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
/home/node/.local/lib/python3.11/site-packages/PyJWT-2.8.0.dist-info/METADATA (secrets)
=======================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
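The goal of this issue is that no High or Critical findings remain in a released image. As an added example (not part of the thread or the praeco project), the function below turns trivy's table report, as pasted above, into a release gate: it reads the report on stdin and fails when any target's HIGH or CRITICAL count exceeds the given limits. The sample report is constructed from the praeco 1.8.18 counts quoted in the thread; trivy's own `--severity` and `--exit-code` flags can enforce the same rule directly on a live scan.

```shell
#!/bin/sh
# Added example: release gate over a saved trivy table report.
# Live equivalent with trivy's own flags:
#   docker run aquasec/trivy image --severity HIGH,CRITICAL --exit-code 1 praecoapp/praeco:1.8.18

# usage: trivy_gate MAX_HIGH MAX_CRITICAL < report.txt   (limits default to 0 0)
# Prints each target (OS packages, node-pkg, python-pkg, secrets) over the
# limits and returns 1 if any target is, 0 otherwise.
trivy_gate() {
  max_high=${1:-0}; max_crit=${2:-0}
  failed=0; target='(unknown target)'
  while IFS= read -r line; do
    case $line in
      'Total: '*'(UNKNOWN:'*)        # summary line for the current target
        rest=${line##*HIGH: };     high=${rest%%,*}
        rest=${line##*CRITICAL: }; crit=${rest%%)*}
        if [ "$high" -gt "$max_high" ] || [ "$crit" -gt "$max_crit" ]; then
          printf 'FAIL %s: HIGH=%s CRITICAL=%s (limits %s/%s)\n' \
            "$target" "$high" "$crit" "$max_high" "$max_crit"
          failed=1
        fi ;;
      *' ('*')')                     # target heading, e.g. "praecoapp/praeco:1.8.18 (debian 12.4)"
        target=$line ;;
    esac
  done
  return $failed
}

# Constructed sample report in trivy's table layout, using the counts
# quoted in this thread for praecoapp/praeco:1.8.18.
sample_report() {
  cat <<'EOF'
praecoapp/praeco:1.8.18 (debian 12.4)
=====================================
Total: 767 (UNKNOWN: 0, LOW: 491, MEDIUM: 223, HIGH: 51, CRITICAL: 2)

Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
EOF
}

# With a zero-High/zero-Critical limit, both targets of 1.8.18 block the release.
sample_report | trivy_gate 0 0 || echo "gate: release blocked"
```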
🎉 Minimize vulnerabilities
So that no Critical and High severity vulnerabilities exist in released images.
💪 Currently praeco npm dependencies have more than 100 vulnerabilities, including 16 critical and 41 high severity ones, reported by Docker Scout.
It's important to eliminate High and Critical vulnerabilities ASAP.
📖 Reference (optional)
Below is the Docker Scout vulnerabilities view (first page of 7) at build step COPY:
📆 Schedule (optional)
TBD
📎 Tasks (optional)