Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cactus-example-supply-chain-app): mitigate CVE-2022-24434 and CVE-2022-24999 #2242

Merged
merged 1 commit into from
Apr 2, 2023
Merged

fix(cactus-example-supply-chain-app): mitigate CVE-2022-24434 and CVE-2022-24999 #2242

merged 1 commit into from
Apr 2, 2023

Conversation

aldousalvarez
Copy link
Contributor

Fixes #2041

Signed-off-by: aldousalvarez aldousss.alvarez@gmail.com

@aldousalvarez
Copy link
Contributor Author

aldousalvarez commented Dec 23, 2022
edited
Loading

Hello @petermetz , Most of the vulnerabilities are now fixed in cactus-example-supply-chain-app but there are still some that is not yet fixed as you can see here. The only vulnerability (CVE-2022-2421) is still a vulnerability because the latest version of the package that is being used is still the affected version. The changes committed on this PR will fix the 3 out of the 4 remaining vulnerabilities (CVE-2022-24434, CVE-2022-24999, and CVE-2022-24999) once the changes are applied and the new version is released and the packages are updated just like the v1.1 release.

petermetz
petermetz requested changes Dec 24, 2022
View reviewed changes
.github/containerscan/allowedlist.yaml Outdated Show resolved Hide resolved
izuru0
izuru0 approved these changes Jan 4, 2023
View reviewed changes
Copy link
Contributor

@izuru0 izuru0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aldousalvarez aldousalvarez requested review from petermetz and removed request for sandeepnRES, jagpreetsinghsasan and takeutak January 11, 2023 04:46
petermetz
petermetz approved these changes Mar 27, 2023
View reviewed changes
Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aldousalvarez LGTM, thank you!

petermetz
petermetz requested changes Mar 27, 2023
View reviewed changes
Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aldousalvarez Sorry, my bad, I do need to ask that you put CVE IDs in the commit subject so that it's unique across the commit log. Other than that, we are good to go.

@gitguardian
Copy link

gitguardian bot commented Mar 29, 2023
edited
Loading

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
Once a secret has been leaked into a git repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Our GitHub checks need improvements? Share your feedbacks!

@aldousalvarez aldousalvarez changed the title fix(security): vulnerabilities found in cactus-example-supply-chain-app fix(cactus-example-supply-chain-app): mitigate CVE-2022-24434 and CVE-2022-24999 Mar 29, 2023
@aldousalvarez
Copy link
Contributor Author

Hello @petermetz also updated the commit subject and PR title as from your requested changes on this one. Thank you.

petermetz
petermetz approved these changes Mar 29, 2023
View reviewed changes
Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aldousalvarez Great, thank you for the updates, LGTM!

@aldousalvarez @petermetz
fix(cactus-example-supply-chain-app): mitigate CVE-2022-24434 and CVE…
d28d5e8 
…-2022-24999

Fixes hyperledger-cacti#2041

These changes will fixx the following
vulnerabilities with their CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz merged commit d28d5e8 into hyperledger-cacti:main Apr 2, 2023
@petermetz petermetz deleted the aldousalvarez/issue2041 branch April 2, 2023 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petermetz petermetz petermetz approved these changes

@izuru0 izuru0 izuru0 approved these changes

@VRamakrishna VRamakrishna Awaiting requested review from VRamakrishna VRamakrishna is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix(security): vulnerabilities found in cactus-example-supply-chain-app
3 participants
@aldousalvarez @petermetz @izuru0