Bug 1721094 - Cockpit-ovirt has vulnerabilities in some of its dependencies
Summary: Cockpit-ovirt has vulnerabilities in some of its dependencies
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: cockpit-ovirt
Classification: oVirt
Component: Generic
Version: 0.13.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.3.5
Target Release: 0.13.3
Assignee: Ido Rosenzwig
QA Contact: Wei Wang
URL:
Whiteboard:
Depends On:
Blocks: 1719317
 
Reported: 2019-06-17 10:53 UTC by Ido Rosenzwig
Modified: 2019-07-30 14:08 UTC (History)
CC List: 10 users

Fixed In Version: cockpit-ovirt-0.13.3
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-30 14:08:32 UTC
oVirt Team: Integration
Embargoed:
weiwang: testing_ack+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 100870 0 'None' 'MERGED' 'Update dependencies' 2019-12-09 04:37:51 UTC
oVirt gerrit 100895 0 'None' 'MERGED' 'Update dependencies' 2019-12-09 04:37:51 UTC

Comment 2 Wei Wang 2019-06-18 06:16:28 UTC
Test Version
cockpit-ovirt-0.13.2

Test Steps:
1. $ cd cockpit-ovirt/dashboard
2. create package-lock.json if it does not exist (with "$ npm i --package-lock-only")
3. install all deps with "$ npm install"
4. $ npm audit

Result:
found 42 vulnerabilities (7 low, 30 moderate, 5 high) in 6600 scanned packages


QE can reproduce this issue, ACK+
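
The reproduction above stops at the human-readable summary line of `npm audit`. To turn that check into something a CI job can gate on, the machine-readable form `npm audit --json` is the one to consume. The following is an added example, not cockpit-ovirt code and not part of this bug report: a small Node script that reads an `npm audit --json` report, counts advisories per severity, and fails only on advisories at or above a chosen severity, optionally ignoring findings that are reachable solely through devDependencies (the situation the later patternfly > jquery [dev] finding on this page illustrates). It assumes the npm 6-era report layout of that period: an `advisories` map keyed by advisory id, each entry carrying `module_name`, `severity`, `patched_versions` and a `findings` array whose items hold dependency `paths` and a `dev` flag. Field names beyond those visible on this page, the sample jquery version, and the second advisory (id 9999, module `example-prod-lib`) are constructed for the demonstration.

```javascript
// Added example (not cockpit-ovirt project code): severity gate over `npm audit --json`.
// Assumes the npm 6-era report shape: { advisories: { "<id>": { id, module_name, severity,
// patched_versions, findings: [{ version, paths: [...], dev: bool }] } }, metadata: {...} }.
// Any field name not visible on the bug page is an assumption about that format.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

/**
 * triageAudit(report, { failOn, ignoreDev }) -> { counts, failing, ok }
 *   report    parsed JSON from `npm audit --json`
 *   failOn    lowest severity that fails the gate (default "high")
 *   ignoreDev when true, an advisory whose every finding is reachable only
 *             through devDependencies (finding.dev === true) is counted but
 *             does not fail the gate
 */
function triageAudit(report, { failOn = "high", ignoreDev = false } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);

  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing = [];

  for (const adv of Object.values(report.advisories || {})) {
    const sev = adv.severity;
    if (!(sev in counts)) continue; // unknown label: skip rather than crash the gate
    counts[sev] += 1;

    const findings = Array.isArray(adv.findings) ? adv.findings : [];
    const devOnly = findings.length > 0 && findings.every((f) => f.dev === true);
    if (ignoreDev && devOnly) continue;

    if (SEVERITY_RANK[sev] >= threshold) {
      failing.push({
        id: adv.id,
        module: adv.module_name,
        severity: sev,
        patched: adv.patched_versions,
        paths: findings.flatMap((f) => f.paths || []),
        devOnly,
      });
    }
  }
  return { counts, failing, ok: failing.length === 0 };
}

// Constructed sample report (not real npm output). Advisory 796 mirrors the
// jquery / patternfly [dev] row shown later on this page; its version number is
// assumed. Advisory 9999 and module "example-prod-lib" are invented to show a
// production-path finding that must fail the gate.
const SAMPLE_REPORT = {
  advisories: {
    "796": {
      id: 796,
      module_name: "jquery",
      severity: "moderate",
      title: "Prototype Pollution",
      patched_versions: ">=3.4.0",
      findings: [{ version: "3.3.1", paths: ["patternfly>jquery"], dev: true }],
      url: "https://nodesecurity.io/advisories/796",
    },
    "9999": {
      id: 9999,
      module_name: "example-prod-lib",
      severity: "high",
      title: "Hypothetical placeholder advisory",
      patched_versions: ">=2.0.0",
      findings: [{ version: "1.0.0", paths: ["some-dep>example-prod-lib"], dev: false }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 } },
};

// Stand-alone run: gate on high or worse, tolerating dev-only findings.
// In CI the report would come from `npm audit --json > audit.json` instead.
const demo = triageAudit(SAMPLE_REPORT, { failOn: "high", ignoreDev: true });
console.log(JSON.stringify(demo, null, 2));
```

The `ignoreDev` switch is the policy decision this bug turns on: build-time dependencies such as patternfly never ship in the served dashboard bundle in the same way runtime code does, so failing a build on them may be noise, but a prototype-pollution bug in a tool that runs during the build is still worth tracking, so the script counts them either way and only changes whether they break the gate.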

Comment 3 Wei Wang 2019-06-26 05:40:33 UTC
QE will verify it once the build with cockpit-ovirt-0.13.3 is available.

Comment 4 Wei Wang 2019-06-28 09:49:23 UTC
Test Version
cockpit-ovirt-0.13.3


Test Steps:
According to comment 2

Result:
Same as comment 1
[xxx@localhost dashboard]$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ patternfly > jquery                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/796                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 6112 scanned packages
  1 vulnerability requires manual review. See the full report for details.


Bug is fixed, move to "VERIFIED"

Comment 5 Sandro Bonazzola 2019-07-30 14:08:32 UTC
This bugzilla is included in the oVirt 4.3.5 release, published on July 30th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.5 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
