[1.3] Dependencies in 1.3 branch that cannot be updated (CVE Related)

[RyanL1997]

Description

Let us use this issue as a placeholder to capture some of the transient dependencies in 1.3 branch.

Here are the transient dependencies in 1.3/1.x branches that cannot be update.

The following saml-related dependencies cannot be updated:

• ejs [1] from CVE-2022-29078
• xmldom [2] from CVE-2022-39353, CVE-2022-37616, CVE-2021-21366, and CVE-2021-32796
• node-forge [3], [4] from CVE-2022-24771, CVE-2022-24772, CVE-2022-0122, and CVE-2022-24773
• moment [5] from CVE-2022-31129 and CVE-2022-24785
• async [6] from CVE-2021-43138
• xmldom [7] from GMS-2022-6132
• hbs[8] - already on latest version (v4.2.0) from CVE-2021-32822

Here are some other transient dependencies

• semver [9] [10] from CVE-2022-25883

What is your host/environment? security-dashboards-plugin 1.3 Branch

Reference

[1] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L2778 [2] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L2753 [3] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L3414 [4] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L2766 [5] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L2763 [6] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L2762 [7] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L2731 [8] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L2727 [9] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L1160 [10] : https://github.com/opensearch-project/security-dashboards-plugin/blob/1.3/yarn.lock#L1950

[cwperks]

These are dev dependencies used for the SAML integration tests.

The problem is that 5.x of node-samlp requires node >= 12: https://www.npmjs.com/package/samlp

and saml-idp has not had a new version in 3 years: https://www.npmjs.com/package/saml-idp

The SAML integration tests have been causing many issues. I would like to see if there is a different IdP server that can be used.

[scrawfor99]

[Triage] One of the SAML packages has not been updated for years. @RyanL1997 would you be willing to look into alternative solutions? This can then lead to a swap of libraries once we have further test coverage. Thank you.

[scrawfor99]

Status update:

ejs: 2.5.5 xmldom: 0.7.9 from xml-crypto 2.0.0 and xml-crypto 2.1.3, 0.7.0 from xml-encryption 1.2.1, 0.3.0 from saml-idp 1.2.1, 0.7.4 from saml 1.0.0. Directly used as version 0.3.0, 0.7.0, 0.7.4, and 0.7.9 forge: 0.10.0 directly and 1.3.1 directly. 1 from self-signed 2.0.1, 0.10.1 from xml-encryption moment: 2.19.3 from saml 1.0 and directly. async: 0.2.9 from saml 1.0.0 hbs: On latest version already semver: Comes as version 5.3.0 from eslint-import-resolver-webpack@0.11.1 and version 5.6.0 from make-dir@2.0.0

This is the saml library that has all of the dependencies: https://github.com/cultureamp/local-saml-idp/tree/main.

Still cannot update it since we are on the newest version from 2021.