
NO_ISSUE: Fix CVE-2022-48345 (@braintree/sanitize-url) & CVE-2022-25883(semver) #1907

Merged: 1 commit, Nov 1, 2023

Conversation

pefernan (Contributor)

CVE-2022-48345: @braintree/sanitize-url Cross-site Scripting vulnerability
CVE-2022-25883: semver vulnerable to Regular Expression Denial of Service

Many thanks for submitting your Pull Request ❤️!

Please make sure that your PR meets the following requirements:

  • You have read the contributors guide
  • Pull Request title is properly formatted: KOGITO-XYZ Subject
  • Pull Request title contains the target branch if not targeting main: [0.9.x] KOGITO-XYZ Subject
  • Pull Request contains link to the JIRA issue
  • Pull Request contains link to any dependent or related Pull Request
  • Pull Request contains description of the issue
  • Pull Request does not include fixes for issues other than the main ticket
How to replicate CI configuration locally?

The Build Chain tool does "simple" Maven build(s); the builds are just Maven commands, but because the repositories relate to and depend on each other, and any change in an API or class method could affect several of those repositories, the build-chain tool is needed to handle cross-repository builds and make sure that we always use the latest version of the code for each repository.

The build-chain tool is a build tool which can be used on the command line locally or in GitHub Actions workflow(s). In case you need to change multiple repositories and send multiple dependent pull requests related to a change, you can easily reproduce the same build by executing it in the GitHub-hosted environment or locally in your development environment. See the local execution details for more information.

How to retest this PR or trigger a specific build:
  • for pull request checks
    Please add comment: Jenkins retest this

  • for a specific pull request check
    Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] tests

  • for quarkus branch checks
    Run checks against Quarkus current used branch
    Please add comment: Jenkins run quarkus-branch

  • for a quarkus branch specific check
    Run checks against Quarkus current used branch
    Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] quarkus-branch

  • for quarkus main checks
    Run checks against Quarkus main branch
    Please add comment: Jenkins run quarkus-main

  • for a specific quarkus main check
    Run checks against Quarkus main branch
    Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] quarkus-main

  • for quarkus lts checks
    Run checks against Quarkus lts branch
    Please add comment: Jenkins run quarkus-lts

  • for a specific quarkus lts check
    Run checks against Quarkus lts branch
    Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] quarkus-lts

  • for native checks
    Run native checks
    Please add comment: Jenkins run native

  • for a specific native check
    Run native checks
    Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] native

  • for native lts checks
    Run native checks against quarkus lts branch
    Please add comment: Jenkins run native-lts

  • for a specific native lts check
    Run native checks against quarkus lts branch
    Please add comment: Jenkins (re)run [kogito-apps|kogito-examples] native-lts

How to backport a pull request to a different branch?

In order to automatically create a backporting pull request please add one or more labels having the following format backport-<branch-name>, where <branch-name> is the name of the branch where the pull request must be backported to (e.g., backport-7.67.x to backport the original PR to the 7.67.x branch).

NOTE: backporting is an action aiming to move a change (usually a commit) from a branch (usually the main one) to another one, which generally refers to a still-maintained release branch. Keeping it simple: it is about moving a specific change, or a set of them, from one branch to another.

Once the original pull request is successfully merged, the automated action will create one backporting pull request for each label (with the previous format) that has been added.

If something goes wrong, the author will be notified and at this point a manual backporting is needed.

NOTE: this automated backporting is triggered whenever a pull request on main branch is labeled or closed, but both conditions must be satisfied to get the new PR created.

Quarkus-3 PR check is failing... what to do?

The Quarkus 3 check is applying patches from `.ci/environments/quarkus-3/patches`.

The first patch, called 0001_before_sh.patch, is generated from the OpenRewrite .ci/environments/quarkus-3/quarkus3.yml recipe. The patch is created to speed up the check, but it may be that some changes in the PR broke this patch.
No panic, there is an easy way to regenerate it. You just need to comment on the PR:

jenkins rewrite quarkus-3

and it should, after some minutes (~20/30min) apply a commit on the PR with the patch regenerated.

Other patches were generated manually. If any of them fails, you will need to manually update it... and push your changes.

…ility

CVE-2022-25883: semver vulnerable to Regular Expression Denial of Service
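An added example, not part of this PR or the Kogito code base, of the lockfile check a reviewer can run to confirm both bumps actually landed everywhere (nested copies included): it walks an npm package-lock.json `packages` map (lockfileVersion 2/3) and flags entries below the advisories' fixed releases (6.0.1 for @braintree/sanitize-url; 5.7.2 / 6.3.1 / 7.5.2 per major line for semver). The sample lockfile and function names are constructed for the demo.

```javascript
// Added example (not from this PR or the Kogito code base): flag package-lock
// entries still below the fixed releases for the two advisories this PR bumps.
// Fixed versions are the advisory values: @braintree/sanitize-url 6.0.1
// (CVE-2022-48345); semver 5.7.2 / 6.3.1 / 7.5.2 per major line (CVE-2022-25883).
const ADVISORIES = [
  { name: "@braintree/sanitize-url", cve: "CVE-2022-48345", fixed: ["6.0.1"] },
  { name: "semver", cve: "CVE-2022-25883", fixed: ["5.7.2", "6.3.1", "7.5.2"] },
];
// Minimal dotted-version comparison so the check does not depend on semver itself.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}
// Vulnerable if below the fix for its own major line; majors with no listed fix
// (e.g. semver 4.x) are vulnerable when below the newest fixed release.
function isVulnerable(version, fixedList) {
  const major = parseVersion(version)[0];
  const sameLine = fixedList.find((f) => parseVersion(f)[0] === major);
  const threshold = sameLine || fixedList[fixedList.length - 1];
  return compareVersions(version, threshold) < 0;
}
// Walk the lockfile's "packages" map; the package name is whatever follows the
// last "node_modules/", which also catches nested (hoisting-blocked) copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    for (const adv of ADVISORIES) {
      if (name === adv.name && isVulnerable(entry.version, adv.fixed)) {
        findings.push({ path, version: entry.version, cve: adv.cve });
      }
    }
  }
  return findings;
}
// Constructed sample lockfile: top-level semver is patched, a nested copy and sanitize-url are not.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/semver": { version: "7.5.4" },
  "node_modules/@braintree/sanitize-url": { version: "6.0.0" },
  "node_modules/some-tool/node_modules/semver": { version: "5.7.1" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no copy of either package is below its fixed release.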
@pefernan pefernan requested a review from paulovmr as a code owner October 27, 2023 11:53

kie-ci3 commented Oct 30, 2023

PR job #2 was: UNSTABLE
Possible explanation: This should be test failures

Reproducer

build-chain build full_downstream -f 'https://raw.githubusercontent.com/${AUTHOR:apache}/incubator-kie-kogito-pipelines/${BRANCH:main}/.ci/buildchain-config-pr-cdb.yaml' -o 'bc' -p apache/incubator-kie-kogito-apps -u #1907 --skipParallelCheckout

NOTE: To install the build-chain tool, please refer to https://github.com/kiegroup/github-action-build-chain#local-execution

Please look here: https://ci-builds.apache.org/job/KIE/job/temporary/job/kogito-apps-1.40.x-pr/job/PR-1907/2/display/redirect
See console log:

[INFO] Execution summary for apache/incubator-kie-kogito-examples
# [BEFORE] [apache/incubator-kie-kogito-examples] export INTEGRATION_BRANCH=
[INFO] OK [Executed in 0.181219 ms]

# [BEFORE] [apache/incubator-kie-kogito-examples] bash -c "if [ ! -z '' ] && [ -f .ci/environments/update.sh ]; then .ci/environments/update.sh ; fi"
[INFO] OK [Executed in 15.475233 ms]

# [COMMANDS] [apache/incubator-kie-kogito-examples] mvn dependency:tree clean install -DskipTests -DskipITs -s /home/jenkins/jenkins-agent/workspace/ry_kogito-apps-1.40.x-pr_PR-1907/kogito-pipelines@tmp/config10731027822991881872tmp -Dmaven.wagon.http.ssl.insecure=true -Dmaven.test.failure.ignore=true -nsu -ntp -fae -e -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.retryHandler.count=3 -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn -B
[INFO] OK [Executed in 1788801.176936 ms]

[INFO] [AFTER] No commands were found for apache/incubator-kie-kogito-examples

# Uploading artifacts
[INFO] Will not upload any artifacts in CLI environment



kie-ci3 commented Oct 30, 2023

PR job #3 was: UNSTABLE
Possible explanation: This should be test failures

Reproducer

build-chain build full_downstream -f 'https://raw.githubusercontent.com/${AUTHOR:apache}/incubator-kie-kogito-pipelines/${BRANCH:main}/.ci/buildchain-config-pr-cdb.yaml' -o 'bc' -p apache/incubator-kie-kogito-apps -u #1907 --skipParallelCheckout

NOTE: To install the build-chain tool, please refer to https://github.com/kiegroup/github-action-build-chain#local-execution

Please look here: https://ci-builds.apache.org/job/KIE/job/temporary/job/kogito-apps-1.40.x-pr/job/PR-1907/3/display/redirect

Test results:

  • PASSED: 3099
  • FAILED: 1

Those are the test failures:

org.kie.kogito.index.infinispan.ProcessDataIndexInfinispanKafkaIT.testProcessInstanceEvents 1 expectation failed.
JSON path errors doesn't match.
Expected: null
Actual: <[{message=Exception while fetching data (/UserTaskInstanceCommentUpdate) : Index 0 out of bounds for length 0, locations=[{line=1, column=12}], path=[UserTaskInstanceCommentUpdate], extensions={classification=DataFetchingException}}]>

pefernan (Contributor, Author)

@paulovmr would you mind taking a look?

porcelli (Member) left a comment:

lgtm

@tiagobento tiagobento merged commit 56c9c32 into apache:1.40.x Nov 1, 2023
@pefernan pefernan deleted the CVEs_sanitize_semver_1.40.x branch March 7, 2024 10:05