trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
https://trino.io
Apache License 2.0

Add frontend dependencies security audit #23437

Open glebcha opened 2 months ago

glebcha commented 2 months ago

The idea is to add a security analysis tool like auditjs to eliminate potential risks in the release flow.

This can be done both for the current and the new UI.

Output made with auditjs for the current frontend dependencies (it can also be exported as JSON or XML):

[1/1] - pkg:npm/lodash@4.17.14 - 3 vulnerabilities found!

  Vulnerability Title:  [CVE-2020-8203] CWE-471: Modification of Assumed-Immutable Data (MAID)
  ID:  CVE-2020-8203
  Description:  lodash - Prototype Pollution [ CVE-2020-8203 ] 

  The software does not properly protect an assumed-immutable element from being modified by an attacker.

  Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-8203 for details
  CVSS Score:  7.5
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  CVE:  CVE-2020-8203
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2020-8203?component-type=npm&component-name=lodash&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45

  Vulnerability Title:  [CVE-2021-23337] CWE-94: Improper Control of Generation of Code ('Code Injection')
  ID:  CVE-2021-23337
  Description:  Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
  CVSS Score:  7.2
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVE:  CVE-2021-23337
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2021-23337?component-type=npm&component-name=lodash&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45

  Vulnerability Title:  [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
  ID:  CVE-2020-28500
  Description:  Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

  Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-28500 for details
  CVSS Score:  5.3
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  CVE:  CVE-2020-28500
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2020-28500?component-type=npm&component-name=lodash&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45

I can make a PR if this proposal is approved by the maintainers.

wendigo commented 2 months ago

cc @mosabua @electrum

mosabua commented 1 month ago

I think this could be useful if we end up managing the alerts and making sure we upgrade. Not sure however if we are in a position to do that on the frontend codebase. I think it is worth a try. What do you think @martint @dain @electrum ..

Also @glebcha could we just run this locally for starters to test it out? Maybe an initial PR could just document how to do that manually, and we can talk about automation later

wendigo commented 1 month ago

Yeah let's add a script to package.json first and go from there

glebcha commented 1 month ago

> I think this could be useful if we end up managing the alerts and making sure we upgrade. Not sure however if we are in a position to do that on the frontend codebase. I think it is worth a try. What do you think @martint @dain @electrum ..
>
> Also @glebcha could we just run this locally for starters to test it out? Maybe an initial PR could just document how to do that manually, and we can talk about automation later

@mosabua, created a PR with scripts in package.json both for the current and the new UI. Also added instructions in the README.

glebcha commented 2 weeks ago

@mosabua Any chance for a quick review of PR?