merge security scan resolutions (#206)

* [service] security: update file-type dependency for cve https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36313 * [service] security: CVE-2020-28498 upgrade elliptical via pem2jwk * [web-app] change about page links to https * [service] security: use sha-256 for token hash * [service] log message typo * [service] improve log message * changelog * [service] upgrade geopackage dependency for transitive file-type library upgrade * [web-app] security: remove unused bootstrap vendor source to address cve * [web-app] add missing properties to mock observations for feed preview * [web-app] properly close directive tags which the latest angular.js 1.8/jquery 3.7.1 requires due to addressing XSS CVEs; white space consistency * [web-app] add provider for moment pipe so feed item component can inject it properly * fix express type def discrepancy in service and arcgis plugin * [plugins/arcgis] downgrade package-lock to v1 with npm v6 until angular upgrade * [web-app] use promises instead of deprecated success/error callbacks for https requests; remove some instances of $deferred and $q in favor of promises * [web-app] typo in route to event from layers page * [web-app] clean up some map symbology edit component code * [web-app] do not retain old search results for user search when a new search yields no results * [web-app] add angular route prefix to match default prefix of angular 1.8 using html5 mode for future upgrade * [web-app] upgrade jquery to 3.7.1; add missing @uirouter/core dependency * changelog * set version to 6.2.12-beta.1 * update plugin peer dependencies on core service
ngageoint · May 23, 2024 · 8102758 · 8102758
1 parent b4697c4
commit 8102758
Show file tree

Hide file tree

Showing 58 changed files with 10,882 additions and 32,893 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,29 @@ MAGE adheres to [Semantic Versioning](http://semver.org/).
 
 ##### Features
 
+## [6.2.12](https://github.com/ngageoint/mage-server/releases/tag/6.2.12)
+### Service
+#### Security
+* [CVE-2022-36313](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36313).
+  * Upgrade [`file-type`](https://www.npmjs.com/package/file-type).
+  * Upgrade [`@ngageoint/geopackage`](https://www.npmjs.com/package/@ngageoint/geopackage) dependency which upgrades `file-type`.
+* [CVE-2020-28498](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498)
+  * Upgrade [`elliptic`](https://npmjs.com/package/elliptic) via [`pem2jwk`](https://www.npmjs.com/package/pem2jwk).
+* Use SHA-256 for token hash.
+### Web App
+#### Bug Fixes
+* Use native promises instead deprecated callbacks for `$http` in AngularJS.
+* Replace some `$deferred` and `$q` calls with native promises in AngularJS.
+* Broken navigation to event from layer page.
+* The event form _Feed Configuration_ page had a null reference error when generating the preview.
+#### Security
+* Change _About_ page links to HTTPS.
+* Remove unused Bootstrap JS vendor source from web-app to address several CVE reports.
+* Upgrade jQuery to 3.7.1.
+* Replace null/self-closing directive tags with properly closed tags.
+
+
+
 ## [6.2.11](https://github.com/ngageoint/mage-server/releases/tag/6.2.11)
 #### Features
 * Core web app now shares `@angular/animations` to web plugins.

diff --git a/aws_amazon_linux_2023.md b/aws_amazon_linux_2023.md
@@ -0,0 +1,24 @@
+MAGE 6.2.x on Amazon Linux 2023
+
+1. Install docker
+```
+sudo yum install -y docker
+# get latest docker compose release from github - https://github.com/docker/compose/releases
+compose_version=v2.20.2
+curl -LO https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-linux-x86_64
+sudo mkdir -p /usr/local/lib/docker/cli-plugins
+cd /usr/local/lib/docker/cli-plugins
+sudo mv docker-compose-linux-x86_64 /usr/local/lib/docker/cli-plugins/docker-compose-${compose_version}-linux-x86_64
+cd /usr/local/lib/docker/cli-plugins
+sudo chmod +x ./docker-compose-${compose_version}-linux-x86_64
+ln -s docker-compose-${compose_version}-linux-x86_64 docker-compose
+```
+
+1. Install Node Version Manager (NVM)
+Install NVM from Github - https://github.com/nvm-sh/nvm#installing-and-updating.
+For example
+```
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.4/install.sh | bash
+```
+
+1. Install MongoDB
diff --git a/instance/package.json b/instance/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@ngageoint/mage.dev-instance",
-  "version": "6.2.11",
+  "version": "6.2.12-beta.1",
   "description": "Assemble a MAGE Server deployment from the core service, the web-app, and selected plugins.  This is primarily a development tool because the dependencies point to relative directories instead of production packages.  This can however serve as a starting point to create a production MAGE instance package.json.",
   "scripts": {
     "start": "npm run start:dev-env",

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
   "name": "@ngageoint/mage.project",
   "description": "This is the root package definition for the mage-server monorepo.",
   "private": true,
-  "version": "6.2.11",
+  "version": "6.2.12-beta.1",
   "files": [],
   "scripts": {
     "postinstall": "npm-run-all service:ci web-app:ci image.service:ci nga-msi:ci",