Bug 1721094

Summary: Cockpit-ovirt has vulnerabilities in some of its dependencies
Product: [oVirt] cockpit-ovirt
Reporter: Ido Rosenzwig <irosenzw>
Component: Generic
Assignee: Ido Rosenzwig <irosenzw>
Status: CLOSED CURRENTRELEASE
QA Contact: Wei Wang <weiwang>
Severity: high
Docs Contact:
Priority: high
Version: 0.13.2
CC: bugs, cshao, lsvaty, mavital, nlevy, qiyuan, sbonazzo, weiwang, yaniwang, yturgema
Target Milestone: ovirt-4.3.5
Flags: weiwang: testing_ack+
Target Release: 0.13.3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: cockpit-ovirt-0.13.3
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-30 14:08:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1719317

Comment 2 Wei Wang 2019-06-18 06:16:28 UTC
Test Version
cockpit-ovirt-0.13.2

Test Steps:
1. $ cd cockpit-ovirt/dashboard
2. create package-lock.json if it does not exist (with "$ npm i --package-lock-only")
3. install all deps with "$ npm install"
4. $ npm audit

Result:
found 42 vulnerabilities (7 low, 30 moderate, 5 high) in 6600 scanned packages


QE can reproduce this issue, ACK+

Comment 3 Wei Wang 2019-06-26 05:40:33 UTC
QE will verify it after getting the build with cockpit-ovirt-0.13.3.

Comment 4 Wei Wang 2019-06-28 09:49:23 UTC
Test Version
cockpit-ovirt-0.13.3


Test Steps:
According to comment 2

Result:
Same as comment 1
[xxx@localhost dashboard]$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ patternfly > jquery                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/796                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 6112 scanned packages
  1 vulnerability requires manual review. See the full report for details.


Bug is fixed, moving to "VERIFIED"

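The procedure in comment 2 reads npm's human-readable table; a release gate needs the `--json` form plus a rule for which findings block the build, so that a dev-only advisory like the jquery one left over in comment 4 is surfaced for manual review instead of failing the verification. The script below is an added example written for this page, not cockpit-ovirt's own code and not part of the bug; it assumes the npm 6 report schema (an `advisories` map keyed by advisory id, each with `findings[].paths` and a `findings[].dev` flag), and the sample report embedded in it is constructed to contain only the jquery advisory shown in comment 4, with a placeholder where the installed version would be since the bug does not state it. The file name `audit-gate.js` is also an assumption.

```javascript
// Severity gate over `npm audit --json` output (npm 6 report schema: an
// `advisories` map keyed by advisory id, each with `findings[].paths` and a
// `findings[].dev` flag). Added example for this page; not cockpit-ovirt code.
// Usage: `npm audit --json | node audit-gate.js --stdin high` in the dashboard
// directory. With no arguments it runs against the constructed sample below.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: the single jquery advisory left after the 0.13.3 fix
// (comment 4), laid out as npm 6 emits it. The installed version is not
// stated in the bug, so "placeholder" stands in for it.
const SAMPLE_REPORT = {
  advisories: {
    '796': {
      id: 796,
      module_name: 'jquery',
      severity: 'moderate',
      title: 'Prototype Pollution',
      patched_versions: '>=3.4.0',
      url: 'https://nodesecurity.io/advisories/796',
      findings: [{ version: 'placeholder', paths: ['patternfly>jquery'], dev: true }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 0 } },
};

// One record per advisory. devOnly is true only when every path npm found
// runs through a devDependency (the "[dev]" marker in the text report).
function collectFindings(report) {
  const advisories = (report && report.advisories) || {};
  return Object.values(advisories).map((adv) => {
    const findings = adv.findings || [];
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      patchedIn: adv.patched_versions,
      paths: findings.flatMap((f) => f.paths || []),
      devOnly: findings.length > 0 && findings.every((f) => f.dev === true),
    };
  });
}

// Apply the policy. `threshold` is the lowest severity that blocks. Dev-only
// findings are reported for manual review and block only when includeDev is
// set: they never ship in the dashboard bundle, but they do execute on every
// developer machine and CI runner that runs `npm install`.
function gate(report, { threshold = 'high', includeDev = false } = {}) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown threshold: ${threshold}`);
  const minRank = SEVERITY_RANK[threshold];
  const blocking = [];
  const review = [];
  for (const f of collectFindings(report)) {
    const rank = SEVERITY_RANK[f.severity];
    if (rank === undefined) throw new Error(`unknown severity in report: ${f.severity}`);
    const blocks = rank >= minRank && (includeDev || !f.devOnly);
    (blocks ? blocking : review).push(f);
  }
  return { pass: blocking.length === 0, blocking, review };
}

// The first element of each dependency path is the package in package.json
// that has to move; a transitive advisory (patternfly>jquery) is not fixed by
// bumping jquery directly unless patternfly's declared range allows it.
function directDependenciesToBump(findings) {
  const roots = new Set();
  for (const f of findings) for (const p of f.paths) roots.add(p.split('>')[0]);
  return [...roots].sort();
}

function describe(f) {
  const dev = f.devOnly ? ' [dev]' : '';
  return `${f.severity} ${f.module}${dev}: ${f.title}; patched in ${f.patchedIn}; via ${f.paths.join(', ')}`;
}

function main(argv) {
  let report = SAMPLE_REPORT;
  let threshold = 'high';
  const i = argv.indexOf('--stdin');
  if (i !== -1) {
    report = JSON.parse(require('fs').readFileSync(0, 'utf8'));
    threshold = argv[i + 1] || threshold;
  }
  const result = gate(report, { threshold });
  for (const f of result.blocking) console.log(`BLOCK  ${describe(f)}`);
  for (const f of result.review) console.log(`REVIEW ${describe(f)}`);
  if (!result.pass) console.log(`bump: ${directDependenciesToBump(result.blocking).join(', ')}`);
  console.log(result.pass ? 'audit gate: PASS' : 'audit gate: FAIL');
  return result.pass ? 0 : 1;
}

process.exitCode = main(process.argv.slice(2));
```

With the default threshold of `high`, the sample passes and prints the jquery advisory as a REVIEW line tagged `[dev]`, which is the state comment 4 accepted; lowering the threshold to `moderate` still passes because the only path is dev-only, and only `includeDev` turns it into a blocking finding whose fix has to come from the `patternfly` entry in package.json rather than from jquery itself. The exit code is 1 whenever anything blocks, so the script can run straight after `npm install` in CI.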
Comment 5 Sandro Bonazzola 2019-07-30 14:08:32 UTC
This bugzilla is included in oVirt 4.3.5 release, published on July 30th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.5 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.