microsoft / mcw-oss-paas-and-devops
MCW OSS PaaS and DevOps
License: MIT License
Received security alert - labeling as a dependency for next update.
Bump lodash from 4.17.15 to 4.17.19 in /Hands-on lab/lab-files dependencies
#39 opened 19 days ago by dependabot bot
1 lodash vulnerability found in …/lab-files/package-lock.json 20 days ago
Remediation
Upgrade lodash to version 4.17.19 or later. For example:
"dependencies": {
"lodash": ">=4.17.19"
}
or…
"devDependencies": {
"lodash": ">=4.17.19"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2020-8203
low severity
Vulnerable versions: < 4.17.19
Patched version: 4.17.19
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Received security alert - labeling as a dependency for next update.
Bump elliptic from 6.5.2 to 6.5.3 in /Hands-on lab/lab-files dependencies
#40 opened 6 days ago by dependabot bot
1 elliptic vulnerability found in …/lab-files/package-lock.json 7 days ago
Remediation
Upgrade elliptic to version 6.5.3 or later. For example:
"dependencies": {
"elliptic": ">=6.5.3"
}
or…
"devDependencies": {
"elliptic": ">=6.5.3"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2020-13822
high severity
Vulnerable versions: < 6.5.3
Patched version: 6.5.3
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
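Each Dependabot alert on this page names a package, a vulnerable range and a patched version. The script below is an added example (it is not part of the workshop, and not Dependabot's own logic): it re-checks a package-lock.json against the five advisories quoted here (the lodash and elliptic alerts above, and the mongoose, serialize-javascript and handlebars alerts further down) and reports every installed copy, transitive ones included, that is still below the patched version. The advisory table is copied from the alerts; the lock-file contents are constructed sample data, and the lockfileVersion 1 layout with nested "dependencies" objects is assumed.

```javascript
// Advisory table copied from the Dependabot alerts on this page.
const ADVISORIES = [
  { name: 'lodash',               id: 'CVE-2020-8203',       patched: '4.17.19', severity: 'low' },
  { name: 'elliptic',             id: 'CVE-2020-13822',      patched: '6.5.3',   severity: 'high' },
  { name: 'mongoose',             id: 'CVE-2019-17426',      patched: '5.7.5',   severity: 'moderate' },
  { name: 'serialize-javascript', id: 'GHSA-h9rv-jmmf-4pgx', patched: '2.1.1',   severity: 'moderate' },
  { name: 'handlebars',           id: 'CVE-2019-19919',      patched: '4.3.0',   severity: 'high' },
];

// Minimal numeric semver comparison (major.minor.patch only; a pre-release
// suffix is stripped). Lexical string comparison would get 4.3.0 vs 4.10.2 wrong.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk a lockfileVersion 1 "dependencies" tree, including the nested
// "dependencies" objects npm uses for de-duplicated sub-trees, and collect
// every (name, version, path) triple so transitive copies are not missed.
function collectPackages(deps, parentPath = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...parentPath, name];
    out.push({ name, version: entry.version, path: path.join(' > ') });
    if (entry.dependencies) collectPackages(entry.dependencies, path, out);
  }
  return out;
}

// Return one finding per installed copy whose version is below the patched one.
function auditLockfile(lockfile) {
  const findings = [];
  for (const pkg of collectPackages(lockfile.dependencies)) {
    for (const adv of ADVISORIES) {
      if (pkg.name === adv.name && compareVersions(pkg.version, adv.patched) < 0) {
        findings.push({ ...adv, installed: pkg.version, path: pkg.path });
      }
    }
  }
  return findings;
}

// Constructed sample lock file (not the lab's real package-lock.json): two
// vulnerable copies of lodash (one transitive), an already-patched elliptic,
// and a vulnerable handlebars.
const SAMPLE_LOCK = {
  name: 'lab-files',
  lockfileVersion: 1,
  dependencies: {
    lodash:     { version: '4.17.15' },
    elliptic:   { version: '6.5.3' },
    handlebars: { version: '4.1.2' },
    'some-build-tool': {
      version: '1.0.0',
      dependencies: { lodash: { version: '4.17.11' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // To audit a real file: auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.severity.padEnd(8)} ${f.id.padEnd(22)} ${f.path}  ${f.installed} (fixed in ${f.patched})`);
  }
}
```

The nested walk matters for the remediation text above: bumping the top-level `"lodash": ">=4.17.19"` entry does not touch a second copy that a build tool pins underneath itself, and it is that copy the lock file keeps shipping.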
In Exercise 5 -> Task 9 -> Step 10, the web page shows “Not Found” with the image build done via CD Pipeline. The release log in VSTS is showing as successful.
If I use the private image tagged as latest ( which was built locally in the VM and pushed to ACR ) it is working fine.
I was able to complete the rest of the exercises using the locally pushed image in ACR.
For the March 2019 - Scheduled content update, has thought been given to the use of ARM Templates for resource provisioning, as opposed to Azure Portal? This is in reference to:
In the DevOps spirit, I think we should encourage infrastructure as code as much as possible.
Given the depth of this workshop, as a facilitator I would not expect people to build the ARM Templates, but at least review them and update parameters. For a workshop featuring ARM Template programming, I would turn to Continuous delivery in Azure DevOps.
I couldn't find Jenkins resource in Azure Portal.
Is there any other way to replace this resource?
"The requested service plan can not be created in the current resource group because it is hosting Linux apps. Please choose a different resource group or create a new one."
Can you please check and fix this ASAP.
Thanks,
Amal Gireesh
In 1.6.3. Task 3: Pre-create and scale collections
let's add a note in step "If they do not already exist, repeat steps 1 and 2 to create collections for:" to use the existing database id (best-for-you-organic) when creating the users and plans collections
Merging the Feb 2020 test/fix resulted in 3 GitHub security alerts (and 2 automatic PRs). Please review and advise.
mongoose
Open
GitHub opened this alert 9 minutes ago
Bump mongoose from 5.4.21 to 5.7.5 in /Hands-on lab/lab-files dependencies
#30 opened 9 minutes ago by dependabot bot
1 mongoose vulnerability found in …/lab-files/package-lock.json 9 minutes ago
Remediation
Upgrade mongoose to version 5.7.5 or later. For example:
"dependencies": {
"mongoose": ">=5.7.5"
}
or…
"devDependencies": {
"mongoose": ">=5.7.5"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2019-17426
moderate severity
Vulnerable versions: < 5.7.5
Patched version: 5.7.5
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
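The mongoose advisory above is about a query filter key, `_bsontype`, that the older bson parser treats specially. Upgrading is the fix; independent of the version, an application should not hand a JSON request body straight to a Mongoose query in the first place. The function below is an added example, not the lab's code and not a Mongoose API: it builds a filter from untrusted input, allowing only a fixed list of field names with scalar values, and rejects `_bsontype`, `$`-prefixed operator keys, dotted paths and prototype keys. That the lab application builds filters from request bodies is an assumption for the example, not something this page states.

```javascript
// Keys that MongoDB, bson or JavaScript itself interpret rather than store.
const FORBIDDEN_KEYS = new Set(['_bsontype', '__proto__', 'constructor', 'prototype']);

class UnsafeFilterError extends Error {}

// Only literal objects (e.g. the result of JSON.parse) are accepted as input.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Build a fresh filter object containing only allow-listed fields with scalar
// values. Anything else is refused outright rather than silently dropped, so
// a tampered request fails loudly and can be logged.
function sanitizeFilter(input, allowedFields) {
  if (!isPlainObject(input)) throw new UnsafeFilterError('filter must be a plain object');
  const out = {};
  for (const key of Object.keys(input)) {      // own keys only; JSON.parse makes "__proto__" an own key
    if (FORBIDDEN_KEYS.has(key) || key.startsWith('$') || key.includes('.')) {
      throw new UnsafeFilterError(`disallowed key: ${key}`);
    }
    if (!allowedFields.has(key)) throw new UnsafeFilterError(`unknown field: ${key}`);
    const value = input[key];
    if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') {
      throw new UnsafeFilterError(`field ${key} must be a scalar value`);
    }
    out[key] = value;
  }
  return out;
}

// Constructed request bodies, as an HTTP handler would receive them after JSON parsing.
const GOOD_BODY = '{"email":"user@example.test","active":true}';
const BAD_BODY  = '{"email":"user@example.test","_bsontype":"a"}';

if (typeof require !== 'undefined' && require.main === module) {
  const allowed = new Set(['email', 'active']);
  console.log(sanitizeFilter(JSON.parse(GOOD_BODY), allowed));   // { email: 'user@example.test', active: true }
  try {
    sanitizeFilter(JSON.parse(BAD_BODY), allowed);                // hypothetical User.find(filter) call would follow
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

In an Express handler the returned object is what goes to `Model.find()`; the raw `req.body` never does.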
serialize-javascript
Open
GitHub opened this alert 12 minutes ago
Dependabot cannot update to the required version
1 serialize-javascript vulnerability found in …/lab-files/package-lock.json 12 minutes ago
Remediation
Upgrade serialize-javascript to version 2.1.1 or later. For example:
"dependencies": {
"serialize-javascript": ">=2.1.1"
}
or…
"devDependencies": {
"serialize-javascript": ">=2.1.1"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
GHSA-h9rv-jmmf-4pgx
moderate severity
Vulnerable versions: < 2.1.1
Patched version: 2.1.1
Regular expressions Cross-Site Scripting (XSS) vulnerability
Impact
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions.
This vulnerability does not affect the Node.js environment, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.
If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.
Patches
This was patched in v2.1.1.
handlebars
Open
GitHub opened this alert 14 minutes ago
Bump handlebars from 4.1.2 to 4.7.3 in /Hands-on lab/lab-files dependencies
#31 opened 13 minutes ago by dependabot bot
1 handlebars vulnerability found in …/lab-files/package-lock.json 14 minutes ago
Remediation
Upgrade handlebars to version 4.3.0 or later. For example:
"dependencies": {
"handlebars": ">=4.3.0"
}
or…
"devDependencies": {
"handlebars": ">=4.3.0"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2019-19919
high severity
Vulnerable versions: < 4.3.0
Patched version: 4.3.0
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
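The lodash alert earlier on this page (zipObjectDeep, CVE-2020-8203) and the handlebars alert above (CVE-2019-19919) are the same class of defect: code that walks a property path taken from untrusted input and assigns to whatever key it finds, including the keys that reach Object.prototype. The example below is added here and is neither project's patch; it shows the defensive pattern, a deep setter that refuses `__proto__`, `constructor` and `prototype` segments and only descends into own properties, and a zipObjectDeep-like helper built on it. Path syntax (`a.b[0].c`) and the sample inputs are assumptions for the example.

```javascript
// Path segments that must never be assigned through, because they resolve
// to shared prototypes rather than to the target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ['a', 'b', '0', 'c'].
function parsePath(path) {
  return path.replace(/\[(\d+)\]/g, '.$1').split('.').filter(s => s.length > 0);
}

// Set a value at a nested path, creating intermediate containers. Three
// safeguards compared with a naive loop:
//   1. unsafe key names raise instead of being followed,
//   2. only *own* properties are descended into, so an inherited member such
//      as "toString" is shadowed by a fresh container rather than walked into,
//   3. intermediate containers are created per path, never shared.
function safeSetDeep(target, path, value) {
  const keys = Array.isArray(path) ? path.map(String) : parsePath(path);
  if (keys.length === 0) return target;
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (UNSAFE_KEYS.has(key)) throw new TypeError(`refusing to set unsafe key "${key}"`);
    if (i === keys.length - 1) {
      node[key] = value;
      break;
    }
    const hasOwn = Object.prototype.hasOwnProperty.call(node, key);
    if (!hasOwn || node[key] === null || typeof node[key] !== 'object') {
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};   // array if the next segment is an index
    }
    node = node[key];
  }
  return target;
}

// zipObjectDeep-style helper: pair each path with a value in a new object.
function safeZipObjectDeep(paths, values) {
  const result = {};
  paths.forEach((p, i) => safeSetDeep(result, p, values[i]));
  return result;
}

// Constructed sample inputs.
const SAMPLE_PATHS = ['a.b[0].c', 'a.b[1].d'];
const SAMPLE_VALUES = [1, 2];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(safeZipObjectDeep(SAMPLE_PATHS, SAMPLE_VALUES)));
  try {
    safeSetDeep({}, ['__proto__', 'x'], true);   // untrusted path: rejected, Object.prototype untouched
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

Rejecting rather than skipping the unsafe segment is deliberate: a silently dropped segment turns a pollution attempt into a quiet write somewhere else in the object, while an exception surfaces the malformed input where it can be logged.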
In task 5 > Step 3, I ran the command npm install but was not able to install it. You can see the given error: https://cloudbeesstg.blob.core.windows.net/ossdevopserror/Screenshot_1.png
At one point in the lab directions (after granting the user permissions to use docker), the lab instructs the user to "reboot" if in doubt. However, MongoDB does not automatically start on boot. So you must manually run "sudo service mongod start" before continuing with the lab (and again anytime you reboot). Ideally, the service should be autostarting.
I'm doing this lab now and wasn't able to RDP to my LabVM after using the ARM Template (the 1-click deployment from the lab doc) to deploy it.
I then SSH'd into the box to investigate. It appeared that parts of labvmconfig.sh ran/worked (e.g. all the packages were installed). However, there was no sign of the first two sections of labvmconfig.sh having run properly. There was no ~/.xsession file, no /etc/X11/Xwrapper.config, and lxde was not installed.
Running the first part of the labvmconfig.sh manually fixed everything:
export DEBIAN_FRONTEND=noninteractive
# Install LXDE lxde.org and xrdp - (make sure to open 3389 on the NSG of the azure vm)
apt-get update
apt-get install -y lxde
apt-get install -y xrdp
/etc/init.d/xrdp start
# Prepare XWindows System
sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config
sudo touch ~/.xsession
echo "startlxde" > ~/.xsession
Everything beyond this part in the script was in-place already.
Following the lab sequence, at this stage (steps 6 and 7) we haven't created the collection database yet, so the database name "best-for-you-organics" may confuse users into using the Cosmos DB name instead.
I highly recommend:
Either mention that this will be the collection database created later in this lab (Task 3)
Or move step 6 and 7 under task 3 after step 14
I've updated the document to match most current templates.
Please check that my changing the name to Before the HOL does not break any links in the labs.
Please add a TOC to the document
In Task 5: Fork the starter app, it would be better to centralize the lab content under one repo. Can we move the starter app under the Microsoft organization, preferably under the same lab in a different folder?
In Task 6: Add an Azure service principal for Jenkins, let's simplify the steps by using Azure CLI and the az ad sp create-for-rbac command.
In 1.8.1. Task 1: Provision Web App for Containers move "OS: Select Linux" under web app configuration as it's not a container configuration.
Hi Jay,
QC for the November test/fix is complete, thank you! I've merged your PR, deleted the Nov test/fix branch and updated the HTML links. Can you please take a look at the open issues #11 #9 #8 #7 #6 for me? I think some may have been resolved with your test/fix and can be closed. If they need to wait for a full update, please label them either Improvement or Enhancement (whichever applies). I'm working on #10 so nothing for you to do there.
In 1.6.3. Task 3: Pre-create and scale collections
Do we need step 4? We are creating the collections from scratch in the newly created Cosmos DB with the right throughput.
The august-2018-testfix branch is ready for review and QC.
In Task 2: Create a Linux virtual machine let's update the following:
In the Readme file let's add a section before "References" outlining how people can contribute, with a link.
Contributing
If you'd like to contribute to this sample, see CONTRIBUTING.MD. This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
In Exercise 6, Task 3 - Upon creating the Cosmos DB trigger function, the following message is displayed:
Error: Failed to start language worker process for: node.
To resolve the problem I followed the instructions at MicrosoftDocs/azure-docs#17295, namely to change the Application Settings, WEBSITE_NODE_DEFAULT_VALUE value from 10.14.1 to 8.11.1.
I recommend that a note be added to the step by step instructions.
After step 11 of Exercise 7 Task 1, "Select Choose this Number", there is an Address Required step prior to step 12 "Select Done on the Congratulations dialog."
I entered an address, but it would not move me to a next step in the phone number selection workflow. The impression I have is that I would need to buy a phone number.
Given this issue, and that lab users may not be OK with opening a Twilio account (IMHO), perhaps this service should be replaced with something less intrusive?
@joelhulen @kylebunting
Solliance team -
This workshop is scheduled for an update in March. We will be combining this workshop with the OSS DevOps workshop. Please update this issue with suggested content changes. Once done, we'll assign to our SME team for review and additional feedback.