Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability #5309

Merged
merged 3 commits into from
Oct 17, 2023

Conversation

manasvinibs
Copy link
Member

Description

Before fix:

yarn why @babel/traverse
yarn why v1.22.19
[1/4] Why do we have the module "@babel/traverse"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@babel/traverse@7.17.3"
info Reasons this module exists
   - "_project_#@babel#core" depends on it
   - Hoisted from "_project_#@babel#core#@babel#traverse"
   - Hoisted from "_project_#babel-eslint#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helper-module-transforms#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helpers#@babel#traverse"
   - Hoisted from "_project_#@osd#ui-shared-deps#styled-components#@babel#traverse"
   - Hoisted from "_project_#jest#@jest#core#jest-snapshot#@babel#traverse"
   - Hoisted from "_project_#@osd#interpreter#@babel#plugin-transform-runtime#babel-plugin-polyfill-corejs2#@babel#helper-define-polyfill-provider#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#plugin-proposal-private-methods#@babel#helper-create-class-features-plugin#@babel#helper-replace-supers#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#preset-env#@babel#plugin-proposal-async-generator-functions#@babel#helper-remap-async-to-generator#@babel#helper-wrap-function#@babel#traverse"
info Disk size without dependencies: "292KB"
info Disk size with unique dependencies: "4.59MB"
info Disk size with transitive dependencies: "6.04MB"
info Number of shared dependencies: 23
Done in 0.86s.

After package resolution fix:

yarn why @babel/traverse
yarn why v1.22.19
[1/4] Why do we have the module "@babel/traverse"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@babel/traverse@7.23.2"
info Reasons this module exists
   - "_project_#@babel#core" depends on it
   - Hoisted from "_project_#@babel#core#@babel#traverse"
   - Hoisted from "_project_#babel-eslint#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helper-module-transforms#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helpers#@babel#traverse"
   - Hoisted from "_project_#@osd#ui-shared-deps#styled-components#@babel#traverse"
   - Hoisted from "_project_#jest#@jest#core#jest-snapshot#@babel#traverse"
   - Hoisted from "_project_#@osd#interpreter#@babel#plugin-transform-runtime#babel-plugin-polyfill-corejs2#@babel#helper-define-polyfill-provider#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#plugin-proposal-private-methods#@babel#helper-create-class-features-plugin#@babel#helper-replace-supers#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#preset-env#@babel#plugin-proposal-async-generator-functions#@babel#helper-remap-async-to-generator#@babel#helper-wrap-function#@babel#traverse"
info Disk size without dependencies: "6.52MB"
info Disk size with unique dependencies: "13.78MB"
info Disk size with transitive dependencies: "15.23MB"
info Number of shared dependencies: 24
Done in 0.86s.

Issues Resolved

#5303

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
@codecov
Copy link

codecov bot commented Oct 16, 2023

Codecov Report

Merging #5309 (517dca1) into main (534b2d0) will increase coverage by 11.14%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main    #5309       +/-   ##
===========================================
+ Coverage   55.64%   66.79%   +11.14%     
===========================================
  Files        2995     3284      +289     
  Lines       59120    63113     +3993     
  Branches     9436    10049      +613     
===========================================
+ Hits        32900    42159     +9259     
+ Misses      24129    18474     -5655     
- Partials     2091     2480      +389     
Flag Coverage Δ
Linux_1 35.25% <ø> (-0.02%) ⬇️
Linux_2 55.20% <ø> (?)
Linux_3 43.84% <ø> (?)
Linux_4 35.35% <ø> (-0.01%) ⬇️
Windows_1 35.26% <ø> (-0.02%) ⬇️
Windows_2 55.16% <ø> (?)
Windows_3 43.84% <ø> (-0.01%) ⬇️
Windows_4 35.35% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 698 files with indirect coverage changes

@manasvinibs manasvinibs added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Oct 16, 2023
ananzh
ananzh previously approved these changes Oct 16, 2023
@manasvinibs manasvinibs changed the title [CVE-2023-45133] Add package resolution for to to fix vulnerability [CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability Oct 16, 2023
Signed-off-by: Josh Romero <rmerqg@amazon.com>
joshuarrrr
joshuarrrr previously approved these changes Oct 16, 2023
Copy link
Member

@joshuarrrr joshuarrrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>
@manasvinibs manasvinibs requested a review from ananzh October 16, 2023 23:01
@@ -103,7 +103,8 @@
"**/semver": "^7.5.3",
"**/set-value": "^4.1.0",
"**/xml2js": "^0.5.0",
"**/yaml": "^2.2.2"
"**/yaml": "^2.2.2",
"**/@babel/traverse": "^7.23.2"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't seem to me like a resolution is necessary. All the versions in the lock file are compatible with this version, so it should only need to be an update to the lock file.

With a grain of salt, though. I don't know how this project handles CVE's in terms of what optimizer does/guaranteeing that all plugins use this version too

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding package resolution will install the dependencies rightly to the desired version. Also, I think its a standard practice to add package resolution and to avoid directly editing the lock file as it can break somethings. I don't know how this package is any different from other ones we have dealt with.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, @BSFishy is right that it's not necessary; simply removing the entries from the yarn.lock and re-running the bootstrap command would be sufficient. But for CVEs, I think it's kind of nice to enforce a minimum range via a resolution, in case some dep decided to go backwards, so I'm fine with it either way.

@manasvinibs manasvinibs merged commit a351f90 into opensearch-project:main Oct 17, 2023
65 checks passed
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-5309-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-5309-to-2.x.

@joshuarrrr
Copy link
Member

@manasvinibs Looks like you'll need to manually backport.

manasvinibs added a commit to manasvinibs/OpenSearch-Dashboards that referenced this pull request Oct 18, 2023
…3.2` to fix vulnerability (opensearch-project#5309)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)
manasvinibs added a commit to manasvinibs/OpenSearch-Dashboards that referenced this pull request Oct 26, 2023
…3.2` to fix vulnerability (opensearch-project#5309)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)
manasvinibs added a commit to manasvinibs/OpenSearch-Dashboards that referenced this pull request Oct 27, 2023
…3.2` to fix vulnerability (opensearch-project#5309)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)
manasvinibs added a commit that referenced this pull request Nov 7, 2023
…3.2` to fix vulnerability (#5309) (#5320)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 15, 2023
…3.2` to fix vulnerability (#5309) (#5320)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit ea0e856)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
joshuarrrr pushed a commit that referenced this pull request Nov 16, 2023
…3.2` to fix vulnerability (#5309) (#5320) (#5480)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit ea0e856)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@joshuarrrr joshuarrrr added the v2.11.1 Issues targeting release v2.11.1 label Nov 16, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-1.3
# Create a new branch
git switch --create backport/backport-5309-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-5309-to-1.3.

@manasvinibs
Copy link
Member Author

Manual backport to 2.x - #5320
Manual backport to 1.3 - #5564

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 1.3 backport 2.x cve Security vulnerabilities detected by Dependabot or Mend distinguished-contributor high severity High severity CVE v2.11.1 Issues targeting release v2.11.1 v2.12.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants