
mcw-oss-paas-and-devops's Issues

Dependabot security alert

Received security alert - labeling as a dependency for next update.

Bump lodash from 4.17.15 to 4.17.19 in /Hands-on lab/lab-files dependencies
#39 opened 19 days ago by dependabot bot
1 lodash vulnerability found in …/lab-files/package-lock.json 20 days ago
Remediation
Upgrade lodash to version 4.17.19 or later. For example:

"dependencies": {
"lodash": ">=4.17.19"
}
or…
"devDependencies": {
"lodash": ">=4.17.19"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2020-8203

low severity

Vulnerable versions: < 4.17.19
Patched version: 4.17.19
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
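An added example, not code from the lab repository or from lodash, of the defensive side of this advisory: a hardened stand-in for the zipObjectDeep pattern (property paths plus values producing a nested object) that refuses any user-supplied path segment able to reach the prototype chain. Function and constant names are assumptions for illustration.

```javascript
// Added example, not code from the lab repository or from lodash: a hardened
// stand-in for the zipObjectDeep pattern. Names here are assumed.

// Path segments that address the prototype chain rather than plain data.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ['a', 'b', '0', 'c'] (constructed, simplified splitter).
function splitPath(path) {
  return String(path).replace(/\[([^\]]+)\]/g, '.$1').split('.').filter(Boolean);
}

// Returns the first offending segment, or null when every segment is safe.
function findUnsafeSegment(path) {
  for (const seg of splitPath(path)) {
    if (FORBIDDEN_SEGMENTS.has(seg)) return seg;
  }
  return null;
}

// Builds a nested object from user-supplied property paths, refusing any path
// that could rewrite Object.prototype. Intermediate nodes are created with a
// null prototype, so even an unexpected "__proto__" key would become an own
// property instead of an accessor into the prototype chain.
function safeZipObjectDeep(paths, values) {
  const result = Object.create(null);
  paths.forEach((path, idx) => {
    const bad = findUnsafeSegment(path);
    if (bad !== null) {
      throw new Error(`rejected unsafe path segment "${bad}" in "${path}"`);
    }
    const segs = splitPath(path);
    if (segs.length === 0) throw new Error('empty property path');
    let node = result;
    for (let i = 0; i < segs.length - 1; i += 1) {
      const key = segs[i];
      const existing = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
      if (existing === null || typeof existing !== 'object') {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[segs[segs.length - 1]] = values[idx];
  });
  return result;
}
```

The guard is the check to apply wherever property paths come from request data; upgrading lodash remains the fix for the library itself.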

Dependabot security alert

Received security alert - labeling as a dependency for next update.

Bump elliptic from 6.5.2 to 6.5.3 in /Hands-on lab/lab-files dependencies
#40 opened 6 days ago by dependabot bot
1 elliptic vulnerability found in …/lab-files/package-lock.json 7 days ago
Remediation
Upgrade elliptic to version 6.5.3 or later. For example:

"dependencies": {
"elliptic": ">=6.5.3"
}
or…
"devDependencies": {
"elliptic": ">=6.5.3"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2020-13822

high severity

Vulnerable versions: < 6.5.3
Patched version: 6.5.3
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
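As an added example (not code from the lab repository or from the elliptic package), a strict DER parser for ECDSA signatures of the kind a verifier can run before signature verification, rejecting the non-canonical encodings the advisory names: needless leading zero bytes, trailing data and out-of-range integers. Function names and the sample byte strings are constructed, and P-256 is assumed as the curve.

```javascript
// Added example, not code from the lab repository or from the elliptic package.
// Strict DER parsing so exactly one byte string is accepted per (r, s) pair.

// Group order n of P-256 (secp256r1); r and s must lie in [1, n-1].
const P256_ORDER = BigInt('0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551');

// Parse SEQUENCE { INTEGER r, INTEGER s }. Throws on any non-canonical form:
// wrong outer length, trailing bytes, negative or non-minimal integers
// (needless leading 0x00), or r/s outside [1, n-1].
function parseStrictDerSignature(bytes, order = P256_ORDER) {
  const sig = Uint8Array.from(bytes);
  let i = 0;
  const need = (cond, msg) => {
    if (!cond) throw new Error(`non-canonical signature: ${msg}`);
  };

  need(sig.length >= 8 && sig[i++] === 0x30, 'not a SEQUENCE');
  const seqLen = sig[i++];
  need(seqLen < 0x80 && seqLen === sig.length - 2, 'SEQUENCE length mismatch');

  const readInteger = (name) => {
    need(sig[i++] === 0x02, `${name}: not an INTEGER`);
    const len = sig[i++];
    need(len > 0 && len < 0x80 && i + len <= sig.length, `${name}: bad length`);
    const body = sig.subarray(i, i + len);
    i += len;
    need((body[0] & 0x80) === 0, `${name}: negative value`);
    // A leading 0x00 is only legal when needed to keep the sign bit clear.
    need(!(len > 1 && body[0] === 0x00 && (body[1] & 0x80) === 0), `${name}: non-minimal leading zero`);
    const hex = Array.from(body, (b) => b.toString(16).padStart(2, '0')).join('');
    const value = BigInt('0x' + hex);
    need(value > 0n && value < order, `${name}: outside [1, n-1]`);
    return value;
  };
  const r = readInteger('r');
  const s = readInteger('s');
  need(i === sig.length, 'trailing bytes');
  return { r, s };
}

// Boolean wrapper for use as a pre-verification filter.
function isCanonicalDerSignature(bytes, order = P256_ORDER) {
  try { parseStrictDerSignature(bytes, order); return true; } catch (e) { return false; }
}

// Constructed sample encodings (tiny r/s keep them short); not real signatures.
const CANONICAL_SIG = [0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x7f];       // r=1, s=127
const PADDED_SIG    = [0x30, 0x07, 0x02, 0x02, 0x00, 0x01, 0x02, 0x01, 0x7f]; // r padded with 0x00
const TRAILING_SIG  = [...CANONICAL_SIG, 0x00];                               // extra byte appended
```

Canonical encoding does not remove the algebraic (r, n-s) malleability of ECDSA; enforcing a low-s rule is a separate policy check on the parsed s value.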

Issue with Loading Web App while implementing Continuous Deployment

In Exercise 5 -> Task 9 -> Step 10, the web page shows “Not Found” with the image build done via the CD Pipeline. The release log in VSTS shows as successful.

If I use the private image tagged as latest ( which was built locally in the VM and pushed to ACR ) it is working fine.
I was able to complete the rest of the exercises using the locally pushed image in ACR.

Use of ARM Templates vs. Azure Portal

For the March 2019 - Scheduled content update, has thought been given to the use of ARM Templates for resource provisioning, as opposed to Azure Portal? This is in reference to:

In the DevOps spirit, I think we should encourage infrastructure as code as much as possible.

Given the depth of this workshop, as a facilitator I would not expect people to build the ARM Templates, but at least review them and update parameters. For a workshop featuring ARM Template programming, I would turn to Continuous delivery in Azure DevOps.

Exercise 6: Unable to deploy Function app in Hands-on-lab-RG

  1. In Exercise 4: we need to provision Web App for Containers with Linux OS in RG hands-on-lab-RG.
  2. In Exercise 6: we need to provision a Function App with Windows OS in the same RG hands-on-lab-RG, but we are unable to provision the Function App due to the error mentioned below:

"The requested service plan can not be created in the current resource group because it is hosting Linux apps. Please choose a different resource group or create a new one."


  3. When deploying Web App for Containers, the lab guide says to select the default App Service Plan SKU, but our RBAC/Policy requires us to specify the SKU. Can you please update the instructions for creating an App Service plan to mention a specific SKU such as B1.

Can you please check and fix this ASAP.

Thanks,
Amal Gireesh

GitHub Security Alerts

Merging the Feb 2020 test/fix resulted in 3 GitHub security alerts (and 2 automatic PRs). Please review and advise.

Security Alert 1 - Moderate severity, corresponds with PR #30 - mongoose

mongoose
Open
GitHub opened this alert 9 minutes ago

Bump mongoose from 5.4.21 to 5.7.5 in /Hands-on lab/lab-files dependencies
#30 opened 9 minutes ago by dependabot bot

1 mongoose vulnerability found in …/lab-files/package-lock.json 9 minutes ago
Remediation
Upgrade mongoose to version 5.7.5 or later. For example:
"dependencies": {
"mongoose": ">=5.7.5"
}
or…
"devDependencies": {
"mongoose": ">=5.7.5"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2019-17426
moderate severity
Vulnerable versions: < 5.7.5
Patched version: 5.7.5
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Security alert 2 - serialize-JavaScript - moderate severity

serialize-javascript
Open
GitHub opened this alert 12 minutes ago
Dependabot cannot update to the required version
View details about this error or learn more about automated security updates.
1 serialize-javascript vulnerability found in …/lab-files/package-lock.json 12 minutes ago
Remediation
Upgrade serialize-javascript to version 2.1.1 or later. For example:
"dependencies": {
"serialize-javascript": ">=2.1.1"
}
or…
"devDependencies": {
"serialize-javascript": ">=2.1.1"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
GHSA-h9rv-jmmf-4pgx
moderate severity
Vulnerable versions: < 2.1.1
Patched version: 2.1.1
regular expressions Cross-Site Scripting (XSS) vulnerability
Impact
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions.
This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.
If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.
Patches
This was patched in v2.1.1.

Security Alert 3 - handlebars - High severity, corresponds with PR #31

handlebars
Open
GitHub opened this alert 14 minutes ago

Bump handlebars from 4.1.2 to 4.7.3 in /Hands-on lab/lab-files dependencies
#31 opened 13 minutes ago by dependabot bot

1 handlebars vulnerability found in …/lab-files/package-lock.json 14 minutes ago
Remediation
Upgrade handlebars to version 4.3.0 or later. For example:
"dependencies": {
"handlebars": ">=4.3.0"
}
or…
"devDependencies": {
"handlebars": ">=4.3.0"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2019-19919
high severity
Vulnerable versions: < 4.3.0
Patched version: 4.3.0
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

MongoDB doesn't autostart on LabVM

At one point in the lab directions (after granting the user permissions to use docker), the lab instructs the user to "reboot" if in doubt. However, MongoDB does not automatically start on boot. So you must manually run "sudo service mongod start" before continuing with the lab (and again anytime you reboot). Ideally, the service should be autostarting.

New LabVM Doesn't Get Proper Desktop Config

I'm doing this lab now and wasn't able to RDP to my LabVM after using the ARM Template (the 1-click deployment from the lab doc) to deploy it.

I then SSH'd into the box to investigate. It appeared that parts of labvmconfig.sh ran/worked (e.g. all the packages were installed). However, there was no sign of the first two sections of labvmconfig.sh having run properly. There was no ~/.xsession file, no /etc/X11/Xwrapper.config, and lxde was not installed.

Running the first part of the labvmconfig.sh manually fixed everything:

export DEBIAN_FRONTEND=noninteractive
# Install LXDE lxde.org and xrdp - (make sure to open 3389 on the NSG of the azure vm)
apt-get update
apt-get install -y lxde
apt-get install -y xrdp
/etc/init.d/xrdp start

# Prepare XWindows System
sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config
sudo touch ~/.xsession
echo "startlxde" > ~/.xsession

Everything beyond this part in the script was in-place already.

1.6.2. Task 2: Update database connection string - step 7

Following the lab sequence, at this stage (steps 6 and 7) we haven't created the collection database yet, so the database name "best-for-you-organics" may confuse users into using the Cosmos DB name instead.

I highly recommend:

  • Either mention that this will be the collection database created later in this lab (Task 3)

  • Or move step 6 and 7 under task 3 after step 14

Before the HOL

I've updated the document to match most current templates.
Please check that my changing the name to Before the HOL does not break any links in the labs.
Please add a TOC to the document

November test/fix QC

Hi Jay,
QC for the November test/fix is complete, thank you! I've merged your PR, deleted the Nov test/fix branch and updated the HTML links. Can you please take a look at the open issues #11 #9 #8 #7 #6 for me? I think some may have been resolved with your test/fix and can be closed. If they need to wait for a full update, please label them either Improvement or Enhancement (whichever applies). I'm working on #10 so nothing for you to do there.

Security Alerts - for next review

GitHub security alerts, closed as acceptable risk to project for now, please review and incorporate into next test/fix or update.


Adding "Contributing" section

In the Readme file let's add a section before "References" outlining how people can contribute, with a link.

Contributing
If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Exercise 6 Task 3: Cosmos DB trigger function Error

In Exercise 6, Task 3 - Upon creating the Cosmos DB trigger function, the following message is displayed:

Error: Failed to start language worker process for: node.


To resolve the problem I followed the instructions at MicrosoftDocs/azure-docs#17295, namely to change the Application Settings, WEBSITE_NODE_DEFAULT_VALUE value from 10.14.1 to 8.11.1.

I recommend that a note be added to the step by step instructions.

Exercise 7 Task 1: Twilio, Address Required

After step 11 of Exercise 7 Task 1, "Select Choose this Number", there is an Address Required step prior to step 12 "Select Done on the Congratulations dialog."

I entered an address, but it would not move me to a next step in the phone number selection workflow. The impression I have is that I would need to buy a phone number.

Given this issue, and that lab users may not be OK with opening a Twilio account (IMHO), perhaps this service should be replaced with something less intrusive?

March 2019 - Scheduled content update

@joelhulen @kylebunting
Solliance team -
This workshop is scheduled for an update in March. We will be combining this workshop with the OSS DevOps workshop. Please update this issue with suggested content changes. Once done, we'll assign to our SME team for review and additional feedback.
