From 30e4463752e3d80939ab4df9eb5be45204503c4d Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 16:37:07 +0300
Subject: [PATCH 01/13] Made .snyk and added dependincies to ignore
---
 install/.snyk | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 install/.snyk
diff --git a/install/.snyk b/install/.snyk
new file mode 100644
index 0000000000..e69de29bb2
From 284620d0804939c3f1dbe6530d37240ca20e96a0 Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 16:37:39 +0300
Subject: [PATCH 02/13] Added dependincies to ignore
---
 install/.snyk | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/install/.snyk b/install/.snyk
index e69de29bb2..d876182587 100644
--- a/install/.snyk
+++ b/install/.snyk
@@ -0,0 +1,22 @@
+version: v1.1293.1
+
+ignore:
+ SNYK-JS-BOOTBOX-174704: # Potential XSS vulnerability in Bootbox
+ - '*':
+ reason: "Low risk for our current usage."
+ expires: '2025-12-31T00:00:00Z'
+
+ SNYK-JS-ELLIPTIC-8187303: # Signature handling issue in Elliptic
+ - '*':
+ reason: "No available update; minimal security impact."
+ expires: '2025-12-31T00:00:00Z'
+
+ SNYK-JS-INFLIGHT-6095116: # Resource release concern in Inflight
+ - '*':
+ reason: "Unlikely to affect our application."
+ expires: '2025-12-31T00:00:00Z'
+
+ SNYK-JS-REQUEST-3361831: # SSRF potential in Request package
+ - '*':
+ reason: "Not relevant within our application's environment."
+ expires: '2025-12-31T00:00:00Z'
\ No newline at end of file
From 4e0545a2a6a7995be45cdef372cc691a195d5549 Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 16:50:19 +0300
Subject: [PATCH 03/13] Added .github/workflows/snyk.yaml
---
 .github/workflows/snyk.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 .github/workflows/snyk.yaml
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 0000000000..e69de29bb2
From 5d3fb92b4411ce7ae058ca61da0076c2c465de00 Mon Sep 17 00:00:00 2001
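Review bot: Every ignore in this hunk uses the path pattern `'*'`, which suppresses the finding on every current and future dependency path rather than the one the `reason` was assessed for; for the `request` SSRF entry (SNYK-JS-REQUEST-3361831) a wildcard ignore that lasts until `2025-12-31` means a new transitive route through `request` would never surface. Snyk accepts a concrete dependency path in place of `'*'`, so each entry should be narrowed to the path that was actually reviewed. The reasons state a conclusion but not who made it or where the assessment is recorded; a comment such as `# reviewed-by: <OWNER>; tracking: <ISSUE-REF>` beside each `reason` would make the ignores auditable, and a shorter `expires` would force re-evaluation instead of carrying them for a full year.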
From: Hakaabi
Date: Sun, 3 Nov 2024 16:56:03 +0300
Subject: [PATCH 04/13] Added snyk workflow
---
 .github/workflows/snyk.yaml | 49 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index e69de29bb2..fd483393e9 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,49 @@
+name: Snyk Security Scan
+
+on:
+ pull_request:
+ branches:
+ - f24
+ workflow_call:
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ contents: read
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+ env:
+ SNYK_ENV: 'production'
+
+ steps:
+ # Step 1: Check out the repository code
+ - uses: actions/checkout@v4
+
+ # Step 2: Copy package.json from `.install` directory to root
+ - run: cp .install/package.json package.json
+
+ # Step 3: Set up Node.js environment
+ - name: Set up Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20
+
+ # Step 4: Install dependencies in `.install` directory
+ - name: Install dependencies
+ working-directory: .install
+ uses: bahmutov/npm-install@v1
+ with:
+ useLockFile: false
+
+ # Step 5: Run Snyk security scan in `.install` directory
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_KEY }}
+ with:
+ args: test --all-projects
+ working-directory: .install
From a57c5af0659b73f355e9913e48c9b63c53e76616 Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 17:25:57 +0300
Subject: [PATCH 05/13] Added snyk to install/package.json
---
 install/package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/install/package.json b/install/package.json
index 6ddafe219e..b158a91242 100644
--- a/install/package.json
+++ b/install/package.json
@@ -170,7 +170,8 @@
 "mocha-lcov-reporter": "1.3.0",
 "mockdate": "3.0.5",
 "nyc": "15.1.0",
- "smtp-server": "3.13.4"
+ "smtp-server": "3.13.4",
+ "snyk": "1.1294.0"
 },
 "optionalDependencies": {
 "sass-embedded": "1.77.1"
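Review bot: `uses: snyk/actions/node@master` runs a third-party action from a mutable branch in the step that holds `SNYK_TOKEN`, so anything pushed to that branch upstream executes here with the secret; pin it to a release tag or, better, a full commit SHA, and do the same for `bahmutov/npm-install@v1`, which floats on a major tag. `on.workflow_call:` is declared without a `secrets:` block, so a calling workflow gets an empty `secrets.SNYK_KEY` unless it passes the secret explicitly; declaring `secrets:` / `SNYK_KEY:` / `required: true` under `workflow_call` makes that contract visible. If the `f24` branch accepts pull requests from forks, `secrets.SNYK_KEY` is also empty on those runs and the Snyk step is likely to fail rather than skip, which deserves a comment on the `pull_request:` trigger. `SNYK_ENV: 'production'` is not referenced by any step in the hunk; unless the Snyk action reads it, it can be dropped.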
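Review bot: The `snyk` CLI is pinned here at `"1.1294.0"`, while `install/.snyk` from patch 02 carries `version: v1.1293.1`; the `.snyk` `version` field is the policy-file format version rather than the CLI version, so if it was copied from the CLI it will drift from this pin without meaning anything — worth confirming against the policy-file documentation and either correcting it or noting the intent in the manifest. Adding the scanner as a devDependency also puts its own dependency tree into the set that `snyk test` scans on every run, which is a reasonable trade-off but should be a deliberate one.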
From 1a7260181c164d4acdebdd544eaadc67352b7f60 Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 17:35:29 +0300
Subject: [PATCH 06/13] Added checks:write
---
 .github/workflows/snyk.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index fd483393e9..2464f59f77 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -12,6 +12,7 @@ defaults:
 permissions:
 contents: read
+ checks: write
 jobs:
 snyk:
From 82e088829d41c0071833997c4b1e490e9498c99b Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 19:15:44 +0300
Subject: [PATCH 07/13] Made chnages to snyk.yaml to it uses npx directly
---
 .github/workflows/snyk.yaml | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index 2464f59f77..eebdabd565 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -18,33 +18,22 @@ jobs:
 snyk:
 runs-on: ubuntu-latest
 env:
- SNYK_ENV: 'production'
+ SNYK_TOKEN: ${{ secrets.SNYK_KEY }}
 steps:
- # Step 1: Check out the repository code
 - uses: actions/checkout@v4
- # Step 2: Copy package.json from `.install` directory to root
- - run: cp .install/package.json package.json
-
- # Step 3: Set up Node.js environment
 - name: Set up Node
 uses: actions/setup-node@v4
 with:
 node-version: 20
- # Step 4: Install dependencies in `.install` directory
 - name: Install dependencies
 working-directory: .install
 uses: bahmutov/npm-install@v1
 with:
 useLockFile: false
- # Step 5: Run Snyk security scan in `.install` directory
- - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/node@master
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_KEY }}
- with:
- args: test --all-projects
+ - name: Run Snyk Test
+ run: npx snyk test --severity-threshold=high
 working-directory: .install
From 7fdc802e2d82bb729a69478f570cd4489b2f3355 Mon Sep 17 00:00:00 2001
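Review bot: `checks: write` widens the job's GITHUB_TOKEN, but no step in the workflow as of this hunk visibly creates or updates a check run; the Snyk step only runs `test`. If the permission was added to silence an error from `snyk/actions/node`, record that next to it (`# checks: write — needed by <STEP-NAME>, remove if that step goes`) so it is revisited when the step changes. The next patch in this series replaces the action with a plain `npx snyk test` step and keeps the permission, where it is almost certainly unneeded and should be dropped back to `contents: read` alone.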
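Review bot: Moving `SNYK_TOKEN` from the Snyk step's own `env:` to the job-level `env:` exposes the secret to every step in the job, including `actions/setup-node@v4`, `bahmutov/npm-install@v1` and every install lifecycle script the dependencies run; keep it scoped to the scan step by placing `env:` / `SNYK_TOKEN: ${{ secrets.SNYK_KEY }}` directly under `- name: Run Snyk Test`. `--severity-threshold=high` means medium and low findings no longer fail the job at all, so together with the wildcard ignores in `install/.snyk` the gate is narrower than before; if that is intended, a comment on the `run:` line saying so would help. `npx snyk` carries no version, so it resolves to whatever `snyk` the install step put in `node_modules` and may otherwise fetch the latest published CLI; `npx snyk@1.1294.0 test …` (the version pinned in `install/package.json`) removes that fallback. The `jobs:` key and the `permissions:` block enclosing this hunk lie outside it.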
From: Hakaabi
Date: Sun, 3 Nov 2024 19:27:27 +0300
Subject: [PATCH 08/13] Specified NPM install in snyk.yaml to resolve error
---
 .github/workflows/snyk.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index eebdabd565..fc3975bfb2 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -11,9 +11,9 @@ defaults:
 shell: bash
 permissions:
- contents: read
 checks: write
-
+ contents: read
+
 jobs:
 snyk:
 runs-on: ubuntu-latest
@@ -28,11 +28,11 @@ jobs:
 with:
 node-version: 20
- - name: Install dependencies
- working-directory: .install
+ - name: NPM Install
 uses: bahmutov/npm-install@v1
 with:
 useLockFile: false
+ working-directory: ./install
 - name: Run Snyk Test
 run: npx snyk test --severity-threshold=high
From 84edcdac2dc4be1010ffe16c8f7dbec2979c156e Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 19:32:30 +0300
Subject: [PATCH 09/13] set the working directory as install
---
 .github/workflows/snyk.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index fc3975bfb2..d823f14da1 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -36,4 +36,4 @@ jobs:
 - name: Run Snyk Test
 run: npx snyk test --severity-threshold=high
- working-directory: .install
+ working-directory: install
From fe0477307b6f1cf1492dc8228279f88fa7477345 Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 19:33:24 +0300
Subject: [PATCH 10/13] set the working directory as install2
---
 .github/workflows/snyk.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index d823f14da1..a419e6862c 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
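Review bot: `useLockFile: false` on the `NPM Install` step is kept by the second hunk; per the action's documented behaviour that switches it from `npm ci` to `npm install`, so every run re-resolves the dependency tree that Snyk then scans, and if `install/` has a committed lockfile the result can differ from the tree that is actually deployed. Unless there is a reason the lockfile cannot be used, drop the option (or commit a lockfile if none exists) so the scan and the build see the same tree. The action itself is still only pinned to the floating `v1` tag; a full commit SHA would make the install step reproducible as well.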
@@ -36,4 +36,4 @@ jobs:
 - name: Run Snyk Test
 run: npx snyk test --severity-threshold=high
- working-directory: install
+ working-directory: ./install
From bf82a482bc82e3a5f26bce5e2782d5321dbfdcbb Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 19:38:45 +0300
Subject: [PATCH 11/13] resolved vulnerabilities by updating package.json
---
 install/package.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/install/package.json b/install/package.json
index b158a91242..cd32312b85 100644
--- a/install/package.json
+++ b/install/package.json
@@ -151,7 +151,9 @@
 "xml": "1.0.1",
 "xregexp": "5.1.1",
 "yargs": "17.7.2",
- "zxcvbn": "4.4.2"
+ "zxcvbn": "4.4.2",
+ "body-parser": "^1.20.3",
+ "express": "^4.20.0"
 },
 "devDependencies": {
 "@apidevtools/swagger-parser": "10.1.0",
From 96fe717b7f5a13e9c84e23053ac9007a1506aad6 Mon Sep 17 00:00:00 2001
From: Hakaabi
Date: Sun, 3 Nov 2024 19:41:57 +0300
Subject: [PATCH 12/13] Updates ./install/.snyk to ignore certain vulnerabilities
---
 install/.snyk | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/install/.snyk b/install/.snyk
index d876182587..3b40a9887e 100644
--- a/install/.snyk
+++ b/install/.snyk
@@ -19,4 +19,14 @@ ignore:
 SNYK-JS-REQUEST-3361831: # SSRF potential in Request package
 - '*':
 reason: "Not relevant within our application's environment."
- expires: '2025-12-31T00:00:00Z'
\ No newline at end of file
+ expires: '2025-12-31T00:00:00Z'
+
+ SNYK-JS-JQUERYFORM-574783: # XSS vulnerability in jquery-form
+ - '*':
+ reason: "No alternative available; limited exposure in current usage."
+ expires: '2025-12-31T00:00:00Z'
+
+ SNYK-JS-MARKDOWNIT-6483324: # Infinite loop vulnerability in markdown-it
+ - '*':
+ reason: "Fixed in newer version, pending update in dependent library."
+ expires: '2025-12-31T00:00:00Z'
From 08d881756db13a8d5d6f183891c263bf1e2ad016 Mon Sep 17 00:00:00 2001
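Review bot: `"body-parser": "^1.20.3"` and `"express": "^4.20.0"` are the only caret ranges in a manifest that otherwise pins every dependency exactly (`"zxcvbn": "4.4.2"`, `"yargs": "17.7.2"` in the context lines), and with `useLockFile: false` in the workflow the versions Snyk scans will float from run to run; pin them as `"body-parser": "1.20.3"` and `"express": "4.20.0"`. Patch 13 carries the same ranges into the original entries, so the fix applies there too. This hunk also introduces a second `body-parser` and `express` key into the same JSON object; JSON parsers keep the last one silently, so the intermediate state should not be relied on even though patch 13 removes the duplicates.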
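Review bot: The `SNYK-JS-MARKDOWNIT-6483324` entry records that a fix already exists (`"Fixed in newer version, pending update in dependent library."`) yet ignores it on every path until `2025-12-31`; an ignore for a fixable issue should expire on the date the dependent library's update is expected, not a year out, and should name that library and its tracking reference (`# blocked on <DEPENDENT-PKG> upgrade, see <ISSUE-REF>`) so the entry is actually revisited. As with the earlier entries, the `'*'` path pattern also suppresses the finding for any future dependency that pulls in `markdown-it` or `jquery-form`, not only the one assessed now.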
From: Hakaabi
Date: Sun, 3 Nov 2024 19:43:50 +0300
Subject: [PATCH 13/13] Removied duplicated dependencies
---
 install/package.json | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/install/package.json b/install/package.json
index cd32312b85..035af78cae 100644
--- a/install/package.json
+++ b/install/package.json
@@ -42,7 +42,7 @@
 "autoprefixer": "10.4.19",
 "bcryptjs": "2.4.3",
 "benchpressjs": "2.5.1",
- "body-parser": "1.20.2",
+ "body-parser": "^1.20.3",
 "bootbox": "6.0.0",
 "bootstrap": "5.3.3",
 "bootswatch": "5.3.3",
@@ -66,7 +66,7 @@
 "daemon": "1.1.0",
 "diff": "5.2.0",
 "esbuild": "0.21.2",
- "express": "4.19.2",
+ "express": "^4.20.0",
 "express-session": "1.18.0",
 "express-useragent": "1.0.15",
 "fetch-cookie": "3.0.1",
@@ -151,9 +151,7 @@
 "xml": "1.0.1",
 "xregexp": "5.1.1",
 "yargs": "17.7.2",
- "zxcvbn": "4.4.2",
- "body-parser": "^1.20.3",
- "express": "^4.20.0"
+ "zxcvbn": "4.4.2"
 },
 "devDependencies": {
 "@apidevtools/swagger-parser": "10.1.0",