wazuh / wazuh-api

Wazuh - RESTful API
https://wazuh.com
GNU General Public License v2.0

Update Wazuh API dependencies #427

Closed BraulioV closed 5 years ago

BraulioV commented 5 years ago

Hi team,

This is the vulnerability report of the NodeJS dependencies of the Wazuh API:

    [root@1b1488bb98b3 wazuh-api-3.9.3]# npm audit

    === npm audit security report ===

    # Run  npm install --save-dev mocha@6.2.0  to resolve 2 vulnerabilities
    SEMVER WARNING: Recommended action is a potentially breaking change

      Critical        Command Injection
      Package         growl
      Dependency of   mocha [dev]
      Path            mocha > growl
      More info       https://nodesecurity.io/advisories/146

      Low             Regular Expression Denial of Service
      Package         debug
      Dependency of   mocha [dev]
      Path            mocha > debug
      More info       https://nodesecurity.io/advisories/534

    Manual Review
    Some vulnerabilities require your attention to resolve
    Visit https://go.npm.me/audit-guide for additional guidance

      Low             Large gzip Denial of Service
      Package         superagent
      Patched in      >=3.7.0
      Dependency of   supertest [dev]
      Path            supertest > superagent
      More info       https://nodesecurity.io/advisories/479

    found 3 vulnerabilities (2 low, 1 critical) in 439 scanned packages
      2 vulnerabilities require semver-major dependency updates.
      1 vulnerability requires manual review. See the full report for details.

As you can see there's a critical vulnerability which requires a manual review and the other ones require an update.

Regards

druizz90 commented 5 years ago

Hi team,

I updated the versions of these dependencies (branch update-api-dev-dependencies-427) and there are no more vulnerabilities when we execute npm audit:

    # npm audit

    === npm audit security report ===

    found 0 vulnerabilities in 621 scanned packages

I ran the mocha tests after applying the changes and all is OK.

Best regards,

Demetrio.