Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/11/11 00:23:20 UTC

[GitHub] [airflow] gvwirth opened a new issue #12272: Package vulnerability scan failing on lodash CVE

gvwirth opened a new issue #12272:
URL: https://github.com/apache/airflow/issues/12272


   Hello,
   
   We use the vulnerability scanning tool Trivy to scan our Airflow Docker images for vulnerabilities. Today the scans started failing on a discovered lodash vulnerability:
   
   ```
   usr/local/lib/python3.8/dist-packages/airflow/www_rbac/yarn.lock
   ================================================================
   Total: 1 (HIGH: 1, CRITICAL: 0)

   +---------+------------------+----------+-------------------+---------------+
   | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
   +---------+------------------+----------+-------------------+---------------+
   | lodash  | CVE-2020-8203    | HIGH     | 4.17.15           | 4.17.19       |
   +---------+------------------+----------+-------------------+---------------+
   ```
   
   Do you have any remediation steps for us to patch lodash to 4.17.19?
   
   Thank you!


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] kaxil edited a comment on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
kaxil edited a comment on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-725749306


   Yes we had fixed it in https://github.com/apache/airflow/pull/9921 and even bumped it to 4.17.20 in https://github.com/apache/airflow/pull/11095 





[GitHub] [airflow] tiagogoddard-hotmart commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
tiagogoddard-hotmart commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-742742296


   Seems to be caused by the dependencies dagre, dagre-3d, stylelint and some others.
   
   Here we can see it resolving to use the 4.17.15 version.
   https://github.com/apache/airflow/blob/1.10.14/airflow/www_rbac/yarn.lock#L3811


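Tracing which lock-file ranges still pull in the old lodash, as the comment above does by hand: this is an added example, not code from the thread or from Airflow, and the yarn.lock excerpt is constructed (the 4.17.15 resolution via dagre and stylelint mirrors the thread; the other entries and version ranges are assumed). It shows why pinning a newer lodash in package.json alone leaves older resolutions in the lock file until those transitive ranges are deduplicated.

```python
# Constructed yarn.lock (v1) excerpt; ranges from dagre/stylelint resolve to old lodash.
YARN_LOCK = """\
dagre@^0.8.5:
  version "0.8.5"
  dependencies:
    lodash "^4.17.15"

lodash@4.17.20:
  version "4.17.20"

lodash@^4.17.15, lodash@^4.17.4:
  version "4.17.15"

stylelint@^13.7.2:
  version "13.7.2"
  dependencies:
    lodash "^4.17.4"
"""


def parse_yarn_lock(text):
    """Return {(name, range): version} and {(name, range): [dependant names]}."""
    resolved, dependants = {}, {}
    keys, owner, in_deps = [], None, False
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # blank or comment ends a block
            keys, in_deps = [], False
        elif not line.startswith(" "):                  # block header: 'a@^1.0, a@~1.2:'
            keys = [k.strip().strip('"') for k in line.rstrip(":").split(",")]
            owner, in_deps = keys[0].rsplit("@", 1)[0], False
        elif line.strip().startswith("version "):
            for key in keys:                            # every range in the header resolves here
                resolved[tuple(key.rsplit("@", 1))] = line.split('"')[1]
        elif line.strip() == "dependencies:":
            in_deps = True
        elif in_deps and line.startswith("    "):       # 'name "range"' under dependencies:
            dep, rng = line.strip().split(" ", 1)
            dependants.setdefault((dep, rng.strip('"')), []).append(owner)
    return resolved, dependants


def vulnerable_resolutions(text, package, fixed):
    """Versions of `package` below `fixed` (plain x.y.z assumed), with what pulls them in."""
    resolved, dependants = parse_yarn_lock(text)
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    findings = {}
    for (name, rng), version in resolved.items():
        if name == package and as_tuple(version) < as_tuple(fixed):
            pulled_by = dependants.get((name, rng), ["<direct dependency>"])
            findings.setdefault(version, []).extend(f"{d} ({rng})" for d in pulled_by)
    return findings
```

Running `vulnerable_resolutions(YARN_LOCK, "lodash", "4.17.19")` reports 4.17.15 as reachable through dagre and stylelint even though the direct pin is 4.17.20.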



[GitHub] [airflow] gvwirth commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
gvwirth commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-725565130


   Thanks for the reply -- after digging a little more, it seems that this was already taken care of and should be in the 1.10.13 release. Is this the correct file that generates airflow/www_rbac/yarn.lock?
   
   https://github.com/apache/airflow/blob/cbe4ef2c5e143c87c9edd1c54a4949bbdd7a8edd/airflow/www/package.json#L72





[GitHub] [airflow] boring-cyborg[bot] commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-725048389


   Thanks for opening your first issue here! Be sure to follow the issue template!
   





[GitHub] [airflow] tiagogoddard-hotmart commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
tiagogoddard-hotmart commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-742747024


   Would a PR be acceptable, or aren't there any minor versions for 1.10 planned?





[GitHub] [airflow] potiuk commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-725359990


   How about making a PR to increment the version @gvwirth ? 





[GitHub] [airflow] kaxil edited a comment on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
kaxil edited a comment on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-725749306


   Yes we had even bumped it to 4.17.20 in https://github.com/apache/airflow/pull/11095





[GitHub] [airflow] ashb commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
ashb commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-743232258


   lodash is never included at runtime in Airflow, so this is a false positive.





[GitHub] [airflow] tiagogoddard-hotmart commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
tiagogoddard-hotmart commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-742689712


   Should this commit be available on the 1.10.14 version? I'm still getting the CVE-2020-8203 and the NSWG-ECO-516 on this release.





[GitHub] [airflow] kaxil closed issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
kaxil closed issue #12272:
URL: https://github.com/apache/airflow/issues/12272


   





[GitHub] [airflow] kaxil commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
kaxil commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-742743519


   > Seems to be caused by the dependencies dagre, dagre-3d, stylelint and some others.
   > 
   > Here we can see it resolving to use the 4.17.15 version.
   > https://github.com/apache/airflow/blob/1.10.14/airflow/www_rbac/yarn.lock#L3811
   
   Yeah - most of the JS dependencies are not critical for Airflow as they are mostly used during build times.
   
   So this might not get fixed until Airflow 2.0, which will be released next week.





[GitHub] [airflow] kaxil commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
kaxil commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-742727161


   > Should this commit be available on the 1.10.14 version? I'm still getting the [CVE-2020-8203](https://github.com/advisories/GHSA-p6mc-m468-83gw) and the NSWG-ECO-516 on this release.
   
   https://github.com/apache/airflow/blob/1.10.14/airflow/www_rbac/package.json#L72 -- It is already cherry-picked to >= 1.10.13 
   
   





[GitHub] [airflow] kaxil commented on issue #12272: Package vulnerability scan failing on lodash CVE

Posted by GitBox <gi...@apache.org>.
kaxil commented on issue #12272:
URL: https://github.com/apache/airflow/issues/12272#issuecomment-725749306


   Yes we had fixed it in https://github.com/apache/airflow/pull/11095

