#50499 The tracking issue for npm audit fix commits
Closed: wontfix 2 months ago by spichugi. Opened a year ago by spichugi.

Issue Description

New vulnerabilities can arise from time to time in npm audit reports and they should be addressed by running npm audit fix. Sometimes it can require manual intervention.

The PRs can be linked to this issue.


Metadata Update from @spichugi:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

a year ago

Metadata Update from @mreynolds:
- Issue set to the milestone: FUTURE

a year ago
NPM audit report JSON:
{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 1118,
          "path": "eslint>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "eslint-utils",
      "target": "1.4.2",
      "depth": 3
    }
  ],
  "advisories": {
    "1118": {
      "findings": [
        {
          "version": "1.3.1",
          "paths": [
            "eslint>eslint-utils",
            "eslint-plugin-node>eslint-plugin-es>eslint-utils",
            "eslint-plugin-node>eslint-utils"
          ]
        }
      ],
      "id": 1118,
      "created": "2019-08-20T15:17:53.538Z",
      "updated": "2019-08-22T18:54:18.136Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "reported_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "module_name": "eslint-utils",
      "cves": [],
      "vulnerable_versions": ">=1.2.0 <1.4.1",
      "patched_versions": ">=1.4.1",
      "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
      "recommendation": "Upgrade to version 1.4.1 or later.",
      "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
      "access": "public",
      "severity": "critical",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1118"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 3
    },
    "dependencies": 2883,
    "devDependencies": 7047,
    "optionalDependencies": 280,
    "totalDependencies": 10113
  },
  "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
}
Failed security audit due to critical vulnerabilities.
Exiting...
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! 389-console@1.0.0 audit-ci: `audit-ci --config audit-ci.json`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the 389-console@1.0.0 audit-ci script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log

Commit 2e85b4a relates to this ticket

Fixes npm "handlebar" audit alert

Commit 2e85b4a relates to this ticket

67d69bf..4f84db6 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

Commit 5202ad8 relates to this ticket

Fixes npm "handlebar" audit alert - again

1299143..5202ad8 master -> master
9c210f7..49c7044 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

Commit b1d67c1 relates to this ticket

Commit 9f47598 relates to this ticket

Commit 80e0ce2 relates to this ticket
a9fa0ad..d619905 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

Commit a66fe15 relates to this ticket

bf8b4af..a66fe15 master -> master
74046ab..1cda41b 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
610d2f5..88b5cd3 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

@spichugi, nightly build failed due to https://www.npmjs.com/advisories/1179

    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 126,
      "high": 0,
      "critical": 0
    },

Could you please take a look?

The build now works, since the vulnerability got a lower severity, but it still needs to be fixed.

    "vulnerabilities": {
      "info": 0,
      "low": 126,
      "moderate": 0,
      "high": 0,
      "critical": 0
    },

Fixed latest audit issues, updated existing npm packages, and removed unused packages...

https://pagure.io/389-ds-base/pull-request/51049

Commit 53e9d9f relates to this ticket

Nightly build failed due to npm audit ci:

    "vulnerabilities": {
      "info": 0,
      "low": 8,
      "moderate": 17,
      "high": 0,
      "critical": 0
    },

https://npmjs.com/advisories/1500
https://npmjs.com/advisories/1518

Commit 9afa669 relates to this ticket

Commit 9afa669 relates to this ticket

d3ae07a..d411837 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

703d857..14c7a3c 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

41e0f4b..62cc505 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3555

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

2 months ago

