tools(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918 #2864

zondervancalvez · 2023-11-06T05:38:07Z

Description

Vulnerabilities were found during the container scan of connector-fabric image using Trivy.
See the list below:

LIBRARY	VULNERABILITY	INSTALLED VERSION	FIXED VERSION
libsasl2-2 libsasl2-modules libsasl2-modules-db	CVE-2022-24407	2.1.27+dfsg-2	2.1.27+dfsg-2ubuntu0.1
libssl1.1	CVE-2021-3711 CVE-2022-0778 CVE-2023-0286	1.1.1f-1ubuntu2.5	1.1.1f-1ubuntu2.8 1.1.1f-1ubuntu2.12 1.1.1f-1ubuntu2.17
openssl	CVE-2021-3711 CVE-2022-0778 CVE-2023-0286		1.1.1f-1ubuntu2.8 1.1.1f-1ubuntu2.12 1.1.1f-1ubuntu2.17
@npmcli/arborist (package.json)	CVE-2021-39134 CVE-2021-39135	2.6.4	2.8.2
ansi-regex (package.json)	CVE-2021-3807	3.0.0, 5.0.0	6.0.1, 5.0.1, 4.1.1, 3.0.1
axios (package.json)	CVE-2021-3749	0.21.1	0.21.2
convict (package.json)	CVE-2022-21190 CVE-2022-22143 CVE-2023-0163	6.0.0	6.2.3 6.2.3 6.2.4
engine.io (package.json)	CVE-2022-21676	5.0.0	4.1.2, 5.2.1, 6.1.1
http-cache-semantics (package.json)	CVE-2022-25881	4.1.0	4.1.1
json-schema (package.json)	CVE-2021-3918	0.2.3	0.4.0
minimatch (package.json)	CVE-2022-3517	3.0.4	3.0.5
node-forge (package.json)	CVE-2022-24771 CVE-2022-24772	0.10.0	1.3.0
npm (package.json)	CVE-2022-29244	7.19.1	8.11.0
qs (package.json)	CVE-2022-24999	6.5.2, 6.7.0	6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4
socket.io-parser (package.json)	CVE-2023-32695	4.0.5	4.2.3, 3.4.3
tar (package.json)	CVE-2021-32803 CVE-2021-32804 CVE-2021-37701 CVE-2021-37712 CVE-2021-37713	6.1.0	3.2.3, 4.4.15, 5.0.7, 6.1.2 3.2.2, 4.4.14, 5.0.6, 6.1.1 4.4.16, 5.0.8, 6.1.7 4.4.18, 5.0.10, 6.1.9

petermetz · 2023-11-06T20:26:21Z

@zondervancalvez Could you please make the issue title unique according to the guidelines we talked about previously?

petermetz · 2023-11-07T19:17:20Z

@zondervancalvez Please shorten it to adhere to the commit lint max length requirements. What I do in these situations is pick the top (most severe) 1 or 2 or 3 CVE IDs (depending on how many characters do you have left) and use only those.

zondervancalvez · 2023-11-08T08:29:45Z

@zondervancalvez Please shorten it to adhere to the commit lint max length requirements. What I do in these situations is pick the top (most severe) 1 or 2 or 3 CVE IDs (depending on how many characters do you have left) and use only those.

Hi @petermetz The title is now shortened and I've only indicated the Critical CVEs.

petermetz · 2023-11-10T04:29:23Z

@zondervancalvez Please shorten it to adhere to the commit lint max length requirements. What I do in these situations is pick the top (most severe) 1 or 2 or 3 CVE IDs (depending on how many characters do you have left) and use only those.

Hi @petermetz The title is now shortened and I've only indicated the Critical CVEs.

@zondervancalvez Thank you very much!

the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <[email protected]>

Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <[email protected]>

adrianbatuto · 2024-01-02T08:16:23Z

Can you assign this to me? @jagpreetsinghsasan

Fixes hyperledger-cacti#2864 Signed-off-by: adrianbatuto <[email protected]>

Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <[email protected]>

Fixes hyperledger-cacti#2864 Signed-off-by: adrianbatuto <[email protected]>

Fixes #2864 Signed-off-by: adrianbatuto <[email protected]>

Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <[email protected]>

zondervancalvez mentioned this issue Nov 10, 2023

ci: add container scanning to default checks #2870

Merged

5 tasks

jagpreetsinghsasan assigned adrianbatuto Jan 2, 2024

jagpreetsinghsasan added this to Cacti_Scrum_Project_v2_Release Jan 2, 2024

jagpreetsinghsasan moved this to In Progress in Cacti_Scrum_Project_v2_Release Jan 2, 2024

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Jan 3, 2024

tools(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918

df095a9

Fixes hyperledger-cacti#2864 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto mentioned this issue Jan 3, 2024

fix(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918 #2967

Merged

5 tasks

adrianbatuto moved this from In Progress to In review in Cacti_Scrum_Project_v2_Release Jan 11, 2024

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Jan 23, 2024

tools(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918

a5d2748

Fixes hyperledger-cacti#2864 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Jan 23, 2024

fix(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918

43a4433

Fixes hyperledger-cacti#2864 Signed-off-by: adrianbatuto <[email protected]>

petermetz pushed a commit to adrianbatuto/cacti that referenced this issue Jan 25, 2024

fix(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918

e6662f5

Fixes hyperledger-cacti#2864 Signed-off-by: adrianbatuto <[email protected]>

petermetz closed this as completed in #2967 Jan 25, 2024

petermetz pushed a commit that referenced this issue Jan 25, 2024

fix(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918

11e775d

Fixes #2864 Signed-off-by: adrianbatuto <[email protected]>

github-project-automation bot moved this from In review to Done in Cacti_Scrum_Project_v2_Release Jan 25, 2024

jagpreetsinghsasan removed this from Cacti_Scrum_Project_v2_Release Apr 15, 2024

petermetz mentioned this issue Jun 14, 2024

chore(release): publish v2.0.0-rc.1 #3324

Merged

5 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tools(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918 #2864

tools(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918 #2864

zondervancalvez commented Nov 6, 2023

petermetz commented Nov 6, 2023

petermetz commented Nov 7, 2023

zondervancalvez commented Nov 8, 2023

petermetz commented Nov 10, 2023

adrianbatuto commented Jan 2, 2024

tools(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918 #2864

tools(connector-fabric): address CVEs: CVE-2022-21190, CVE-2021-3918 #2864

Comments

zondervancalvez commented Nov 6, 2023

Description

petermetz commented Nov 6, 2023

petermetz commented Nov 7, 2023

zondervancalvez commented Nov 8, 2023

petermetz commented Nov 10, 2023

adrianbatuto commented Jan 2, 2024