Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 #2166

Merged
merged 5 commits into from
Sep 20, 2022
Merged

Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 #2166

merged 5 commits into from
Sep 20, 2022

Conversation

CCongWang
Copy link
Contributor

@CCongWang CCongWang commented Aug 18, 2022
edited by kavilla
Loading

Signed-off-by: CCongWang wangcong@umich.edu

Description

Upgrade geckodriver to 3.0.2 to use got@11.8.5, which partially fix CVE-2022-33987

Issues Resolved

#1764

Check List

  • New functionality includes testing.
    • All tests pass
      • yarn test:jest
      • yarn test:jest_integration
      • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

@CCongWang
Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987
7bda1a1 
Signed-off-by: CCongWang <wangcong@umich.edu>
@CCongWang CCongWang requested a review from a team as a code owner August 18, 2022 22:13
@codecov-commenter
Copy link

codecov-commenter commented Aug 18, 2022
edited
Loading

Codecov Report

Merging #2166 (c031614) into main (bebbcca) will increase coverage by 0.00%.
The diff coverage is n/a.

❗ Current head c031614 differs from pull request most recent head 1208bd3. Consider uploading reports for the commit 1208bd3 to get more accurate results

@@           Coverage Diff           @@
##             main    #2166   +/-   ##
=======================================
  Coverage   66.55%   66.55%           
=======================================
  Files        3170     3170           
  Lines       60318    60318           
  Branches     9181     9181           
=======================================
+ Hits        40142    40146    +4     
+ Misses      17983    17980    -3     
+ Partials     2193     2192    -1
Impacted Files Coverage Δ
packages/osd-optimizer/src/node/cache.ts 52.77% <0.00%> (+2.77%) ⬆️
...s/osd-optimizer/src/node/node_auto_tranpilation.ts 87.75% <0.00%> (+4.08%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

zhongnansu
zhongnansu previously approved these changes Aug 22, 2022
View reviewed changes
Copy link
Member

@zhongnansu zhongnansu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

ananzh
ananzh previously approved these changes Aug 22, 2022
View reviewed changes
Copy link
Member

@ananzh ananzh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

kavilla
kavilla reviewed Aug 23, 2022
View reviewed changes
package.json Outdated
@@ -370,7 +370,7 @@
"exit-hook": "^2.2.0",
"fetch-mock": "^7.3.9",
"fp-ts": "^2.3.1",
"geckodriver": "^3.0.1",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can backport it if we just handle it resolution

kavilla
kavilla reviewed Aug 23, 2022
View reviewed changes
Copy link
Member

@kavilla kavilla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can keep all the resolutions

@ashwin-pc ashwin-pc dismissed stale reviews from ananzh and zhongnansu via d8e2fc8 September 15, 2022 00:38
@kavilla kavilla linked an issue Sep 19, 2022 that may be closed by this pull request
CVE-2022-33987 (Medium) detected in multiple libraries #1764
Closed
@kavilla kavilla added cve Security vulnerabilities detected by Dependabot or Mend backport 2.x labels Sep 19, 2022
@joshuarrrr joshuarrrr merged commit 06abe83 into opensearch-project:main Sep 20, 2022
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2166-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 06abe83e0180f391a84c742cf5594866bc747ea2
# Push it to GitHub
git push --set-upstream origin backport/backport-2166-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2166-to-2.x.

kavilla pushed a commit to kavilla/OpenSearch-Dashboards-1 that referenced this pull request Sep 21, 2022
@CCongWang @ashwin-pc
@joshuarrrr @kavilla
Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 (opensea…
6f76be4 
…rch-project#2166)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <wangcong@umich.edu>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <wangcong@umich.edu>
Co-authored-by: Ashwin P Chandran <ashwinpc1993@gmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
@kavilla kavilla mentioned this pull request Sep 21, 2022
Merged
@kavilla kavilla added the v2.3.1 label Sep 22, 2022
kavilla added a commit that referenced this pull request Sep 22, 2022
@kavilla @CCongWang
@ashwin-pc @joshuarrrr
Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 (#2166) (#…
3aacdc3 
…2397)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <wangcong@umich.edu>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <wangcong@umich.edu>
Co-authored-by: Ashwin P Chandran <ashwinpc1993@gmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>

Signed-off-by: CCongWang <wangcong@umich.edu>
Co-authored-by: Cong Wang <99116880+CCongWang@users.noreply.github.com>
Co-authored-by: Ashwin P Chandran <ashwinpc1993@gmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 22, 2022
@kavilla @github-actions
Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 (#2166) (#…
ccc52a5 
…2397)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <wangcong@umich.edu>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <wangcong@umich.edu>
Co-authored-by: Ashwin P Chandran <ashwinpc1993@gmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>

Signed-off-by: CCongWang <wangcong@umich.edu>
Co-authored-by: Cong Wang <99116880+CCongWang@users.noreply.github.com>
Co-authored-by: Ashwin P Chandran <ashwinpc1993@gmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 3aacdc3)
kavilla pushed a commit that referenced this pull request Sep 23, 2022
@opensearch-trigger-bot
Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 (#2166) (#…
8912a28 
…2397) (#2405)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987
* Revert change to package.json
* Update yarn.lock

Signed-off-by: CCongWang <wangcong@umich.edu>
Co-authored-by: Ashwin P Chandran <ashwinpc1993@gmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Cong Wang <99116880+CCongWang@users.noreply.github.com>
(cherry picked from commit 3aacdc3)
@ananzh ananzh mentioned this pull request Oct 24, 2022
Closed
@AMoo-Miki AMoo-Miki added v2.4.0 'Issues and PRs related to version v2.4.0' and removed v2.3.1 labels Nov 5, 2022
sipopo pushed a commit to sipopo/OpenSearch-Dashboards that referenced this pull request Dec 16, 2022
@CCongWang @ashwin-pc
@joshuarrrr @sipopo
Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 (opensea…
4e00035 
…rch-project#2166)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <wangcong@umich.edu>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <wangcong@umich.edu>
Co-authored-by: Ashwin P Chandran <ashwinpc1993@gmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
Signed-off-by: Sergey V. Osipov <sipopo@yandex.ru>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuarrrr joshuarrrr joshuarrrr approved these changes

@ashwin-pc ashwin-pc ashwin-pc approved these changes

@kavilla kavilla Awaiting requested review from kavilla kavilla is a code owner

@ananzh ananzh Awaiting requested review from ananzh ananzh is a code owner

@zhongnansu zhongnansu Awaiting requested review from zhongnansu zhongnansu is a code owner

Assignees
No one assigned
Labels
backport 2.x cve Security vulnerabilities detected by Dependabot or Mend v2.4.0 'Issues and PRs related to version v2.4.0'
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2022-33987 (Medium) detected in multiple libraries
8 participants
@CCongWang @codecov-commenter @joshuarrrr @kavilla @ashwin-pc @zhongnansu @ananzh @AMoo-Miki