Resolve Dependabot Alerts. #1967
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ryanrath
changed the title
**Note: The upgrade won't pass because the patch files have lines that have trailing whitespace in them. But if the whitespace is removed the patches no longer work soooo... yeah, that's a thing.**
- `.circleci/config.yml`:
- Removed the sections where we install php7.4, development libraries, and
pecl install mongodb as these steps have already been included in the current image.
- `BaseControllerProvider.php`: the namespace for the `ControllerProviderInterface;` interface changed in the latest version of Silex ( from `Silex\ControllerProviderInterface` to `Silex\Api\ControllerProviderInterface`).
- `XdmodApplicationFactory.php`:
- `UrlGeneratorServiceProvider` has been changed to `RoutingServiceProvider`.
- there is no more `app->share` function, you just use an anonymous function.
- the `Request $request` argument has been added to the anonymous function called by the `$app->error` helper
function.
- `composer.json`:
- Updated silex to the latest ( last ) version `v2.3.0`, this resolves the following dependabot alerts:
- https://github.com/ubccr/xdmod/security/dependabot/10 (CVE-2022-24894)
- Here's the commit with the fix: symfony/symfony@d2f6322
- And here is where you can find the updated file: `vendor/symfony/http-kernel/HttpCache/Store.php`. Specifically lines `49-51`, and `228-230`.
- https://github.com/ubccr/xdmod/security/dependabot/11 (CVE-2019-18888)
- this is fixed as the current version `v4.4.49` is >= `3.4.35`.
- Here's the commit w/ the fix: symfony/symfony@691486e
- And here's the updated file: `vendor/symfony/http-foundation/File/MimeType/FileBinaryMimeTypeGuesser.php`
- https://github.com/ubccr/xdmod/security/dependabot/12 (CVE-2019-10913)
- Here's the commit w/ the fix: symfony/symfony@944e60f
- Here's the updated file: `vendor/symfony/http-foundation/Request.php`
- https://github.com/ubccr/xdmod/security/dependabot/13 (CVE-2019-18887)
- Here's the commit w/ the fix: symfony/symfony@cccefe6
- And here's the updated file: `vendor/symfony/http-kernel/UriSigner.php`
- https://github.com/ubccr/xdmod/security/dependabot/14 (CVE-2018-14773)
- Here's the commit with the fix: symfony/symfony@e447e8b
- Here's the updated file: `vendor/symfony/http-foundation/Request.php`
- Updated `mongodb/mongodb` to the latest version `v1.19.0`
- `open_xdmod/modules/xdmod/assets/setup.sh`:
- Removed the Composer Install section as this + the dangling `cd` was causing the composer dependencies of `qa` to be installed in the xdmod directory. This probably wasn't a problem or caught before because we were not previously patching files.
- Changed the `cd $xdmod_dir`to a `pushd | popd` so that we reset the cwd after the script runs.
- `open_xdmod/modules/xdmod/build.json`
- Added the patches to resolve:
- https://github.com/ubccr/xdmod/security/dependabot/1
- https://github.com/ubccr/xdmod/security/dependabot/2
- https://github.com/ubccr/xdmod/security/dependabot/22
- `tests/ci/scripts/qa-test-setup.sh`:
- Taking care of the other part of the **Case of the Mysterious Disappearing Dependencies**. Just made sure to save the existing `$COMPOSER` env variable so that we can restore it after we're done installing the qa dependencies.
- https://github.com/ubccr/xdmod/security/dependabot/1 ( CVE-2020-5225 )
- Resolved with changes in commit: simplesamlphp/simplesamlphp@864f039
- patch of these changes ( for `www/errorreport.php` ): `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patch`
- https://github.com/ubccr/xdmod/security/dependabot/2
- Resolved with changes in: simplesamlphp/simplesamlphp@47968d2
- Patch file: `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5301.patch`
- https://github.com/ubccr/xdmod/security/dependabot/22
- Resolved with changes in: simplesamlphp/simplesamlphp@ce2294e
- Note: the function `isValidURL` already exists in `Utils/Http.php` in the version that we're using, that's why only the change to `postredirect.php` has been included in the patch file.
- Patch File: open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_postredirect.patch
We have a number of Dependabot Alerts that should probably be resolved. The following changes should do that for the `symfony/*` and `simplesamlphp/simplesamlphp` dependencies.
All automated tests pass.
<!--- Go over all the following points and make sure they have all been completed -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [X] The pull request description is suitable for a Changelog entry
- [X] The milestone is set correctly on the pull request
- [X] The appropriate labels have been added to the pull request
ryanrath
force-pushed
the
update-silex-11_0_1
branch
from
ebad1eb to
55c6b31
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: The upgrade won't pass because the patch files have lines that have trailing whitespace in them. But if the whitespace is removed the patches no longer work soooo... yeah, that's a thing.
Description
.circleci/config.yml:mongodbto specifically install version1.19.3, which is the current version, as we've been bitten more than once by not explicitly specifying which version we want. A point of discussion for this could be do we want to install the latest dependencies? If so, where do we want to install these dependencies? i.e. in the CI build? In the production build? etc.BaseControllerProvider.php: the namespace for theControllerProviderInterface;interface changed in the latest version of Silex ( fromSilex\ControllerProviderInterfacetoSilex\Api\ControllerProviderInterface).XdmodApplicationFactory.php:UrlGeneratorServiceProviderhas been changed toRoutingServiceProvider.app->sharefunction, you just use an anonymous function.Request $requestargument has been added to the anonymous function called by the$app->errorhelperfunction.
composer.json:v2.3.0, this resolves the following dependabot alerts:vendor/symfony/http-kernel/HttpCache/Store.php. Specifically lines49-51, and228-230.v4.4.49is >=3.4.35.vendor/symfony/http-foundation/File/MimeType/FileBinaryMimeTypeGuesser.phpvendor/symfony/http-foundation/Request.phpvendor/symfony/http-kernel/UriSigner.phpvendor/symfony/http-foundation/Request.phpmongodb/mongodbto the latest versionv1.19.0open_xdmod/modules/xdmod/assets/setup.sh:cdwas causing the composer dependencies ofqato be installed in the xdmod directory. This probably wasn't a problem or caught before because we were not previously patching files.cd $xdmod_dirto apushd | popdso that we reset the cwd after the script runs.open_xdmod/modules/xdmod/build.jsontests/ci/scripts/qa-test-setup.sh:$COMPOSERenv variable so that we can restore it after we're done installing the qa dependencies.SimpleSAMLphp Patches
www/errorreport.php):open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patchopen_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5301.patchisValidURLalready exists inUtils/Http.phpin the version that we're using, that's why only the change topostredirect.phphas been included in the patch file.Motivation and Context
We have a number of Dependabot Alerts that should probably be resolved. The following changes should do that for the
symfony/*andsimplesamlphp/simplesamlphpdependencies.Tests performed
All automated tests pass.
Checklist: