Posted to user@ignite.apache.org by Scott Cote <sc...@etcc.com> on 2019/01/18 18:35:57 UTC
notes and questions on configuration and installation of web console for ignite
Am going through the manual installation and implementation of the Ignite Web Console.
This is Part 1 of a series of notes that I’m making….
Throughout this set of items (questions and notes), I’m referencing the “Build and Deploy“ document (BDD) https://apacheignite-tools.readme.io/docs/build-and-deploy
=====
Items
=====
Item 1:
In the prerequisites section of BDD, we are instructed to run npm from $IGNITE_HOME. Is this the ignite home of the exploded source tree, or the ignite home of the unzipped/extracted binary (released) instances (for example, I downloaded a binary and unzipped it/exploded the tar/gz)?
Currently, I’m running npm from the exploded source tree and NOT my exploded binary – which is what my env variable $IGNITE_HOME points to.
Item 2:
The machine that I need to deploy the web console into is sitting behind a very grandiose firewall/av setup. Using GIT/Maven/NPM to pull in dependencies for a build on that machine is not supportable. I am able to build somewhere else …. Want to package the outcome and deploy it to the super secure machine. Maybe create a docker container…. Is there a docker container with web console already configured? If not, and if I’m allowed, how do I contribute a docker container of this setup? I think I can sell to my management that more eyeballs on a crafted docker container – generic without any of our proprietary work – would be good over all. We would all benefit.
Item 3:
While running the npm installer for the backend (prerequisites of BDD), I noticed desupport notices from:
* Mockgoose
* Simple-bufferstream
* Babel
* Minimatch
* Circular-json
* Cryptiles
* Boom
* Hoek
I will include the npm output below as Detail 1 -> 3 (notation: 1 refers to the first detail – 1, and 3 refers to this item of concern)
Item 4:
Npm audit revealed a couple of critical warnings (among others). So that I can address my security team accurately (considering this IS an open source project), are the sources of the warnings (listed in Detail 2 -> 4) on an immediate roadmap to be corrected in the next release of Ignite?
Can I fix in my install by running “npm audit fix”? I’m not a nodejs guy, so I don’t know if the “fix” could be backported to the source and then given back to the ignite community. I will run npm fix, just don’t know if I can give the outcome back.
Item 5:
Ran the audit fix for backend of BDD. See 3 -> 5 for the outcome on the screen.
Item 6:
While running the npm installer for the frontend (prerequisites of BDD), I noticed desupport and problem notices from:
* samsam
* text-encoding
* circular-json
* browserslist
* node-uuid
* hoek
* cryptiles
* boom
* socks
* mailcomposer
* buildmail
* uws
I will include the npm output below as Detail 4 -> 6
Item 7:
Again - Npm audit revealed a couple of critical warnings (among others). So that I can address my security team accurately (considering this IS an open source project), are the sources of the warnings (listed in Detail 5 -> 7) on an immediate roadmap to be corrected in the next release of Ignite?
Can I fix in my install by running “npm audit fix”? I’m not a nodejs guy, so I don’t know if the “fix” could be backported to the source and then given back to the ignite community. I will run npm fix, just don’t know if I can give the outcome back.
Item 8:
Ran the audit fix for backend of BDD. See 6 -> 8 for the outcome on the screen.
=======
Details
=======
Detail 1-> 3
c:\cygwin64\home\scote\ignite\modules\web-console\backend>npm install --no-optional
npm WARN deprecated mockgoose@6.0.8: Mockgoose is no longer actively maintained, consider using mongodb-memory-server
npm WARN deprecated scmp@1.0.2: scmp v2 uses improved core crypto comparison since Node v6.6.0
npm WARN deprecated simple-bufferstream@1.0.0: no longer maintained
npm WARN deprecated babel-preset-latest@6.24.1: We're super 😸 excited that you're trying to use ES2017+ syntax, but instead of making more yearly presets 😭 , Babel now has a better preset that we recommend you use instead: npm install babel-preset-env --save-dev. preset-env without options will compile ES2015+ down to ES5 just like using all the presets together and thus is more future proof. It also allows you to target specific browsers so that Babel can do less work and you can ship native ES2015+ to user 😎 ! We are also in the process of releasing v7, so please give http://babeljs.io/blog/2017/09/12/planning-for-7.0 a read and help test it out in beta! Thanks so much for using Babel 🙏, please give us a follow on Twitter @babeljs for news on Babel, join slack.babeljs.io for discussion/development and help support the project at opencollective.com/babel
npm WARN deprecated babel-preset-es2017@6.24.1: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated babel-preset-es2016@6.24.1: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated babel-preset-es2015@6.24.1: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated cryptiles@2.0.5: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
> spawn-sync@1.0.15 postinstall c:\cygwin64\home\scote\ignite\modules\web-console\backend\node_modules\spawn-sync
> node postinstall
> mongodb-prebuilt@5.0.8 postinstall c:\cygwin64\home\scote\ignite\modules\web-console\backend\node_modules\mockgoose\node_modules\mongodb-prebuilt
> node install.js
done
inside extract, run complete 145.1mb)
Done installing MongoDB
npm notice created a lockfile as package-lock.json. You should commit this file.
added 886 packages from 765 contributors and audited 5716 packages in 45.958s
found 39 vulnerabilities (24 low, 7 moderate, 6 high, 2 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Detail 2 -> 4
c:\cygwin64\home\scote\ignite\modules\web-console\backend>npm audit
=== npm audit security report ===
# Run npm install express@4.16.4 to resolve 8 vulnerabilities
Low Regular Expression Denial of Service
Package debug
Dependency of express
Path express > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of express
Path express > send > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of express
Path express > serve-static > send > debug
More info https://nodesecurity.io/advisories/534
High Regular Expression Denial of Service
Package fresh
Dependency of express
Path express > fresh
More info https://nodesecurity.io/advisories/526
High Regular Expression Denial of Service
Package fresh
Dependency of express
Path express > send > fresh
More info https://nodesecurity.io/advisories/526
High Regular Expression Denial of Service
Package fresh
Dependency of express
Path express > serve-static > send > fresh
More info https://nodesecurity.io/advisories/526
Moderate Regular Expression Denial of Service
Package mime
Dependency of express
Path express > send > mime
More info https://nodesecurity.io/advisories/535
Moderate Regular Expression Denial of Service
Package mime
Dependency of express
Path express > serve-static > send > mime
More info https://nodesecurity.io/advisories/535
# Run npm install pkg@4.3.7 to resolve 4 vulnerabilities
Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566
# Run npm install --save-dev mockgoose@8.0.1 to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose [dev]
Path mockgoose > debug
More info https://nodesecurity.io/advisories/534
High Denial of Service
Package https-proxy-agent
Dependency of mockgoose [dev]
Path mockgoose > mongodb-prebuilt > https-proxy-agent
More info https://nodesecurity.io/advisories/593
Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose
Path mockgoose > mongodb-prebuilt > https-proxy-agent > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose
Path mockgoose > portfinder > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose [dev]
Path mockgoose > mongodb-prebuilt > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose [dev]
Path mockgoose > mongodb-prebuilt > mongodb-download > debug
More info https://nodesecurity.io/advisories/534
# Run npm install --save-dev mocha@5.2.0 to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Low Regular Expression Denial of Service
Package debug
Dependency of mocha [dev]
Path mocha > debug
More info https://nodesecurity.io/advisories/534
Critical Command Injection
Package growl
Dependency of mocha [dev]
Path mocha > growl
More info https://nodesecurity.io/advisories/146
# Run npm install morgan@1.9.1 to resolve 2 vulnerabilities
Low Regular Expression Denial of Service
Package debug
Dependency of morgan
Path morgan > debug
More info https://nodesecurity.io/advisories/534
Moderate Code Injection
Package morgan
Dependency of morgan
Path morgan
More info https://nodesecurity.io/advisories/736
# Run npm install mongodb-prebuilt@6.4.0 to resolve 2 vulnerabilities
Low Regular Expression Denial of Service
Package debug
Dependency of mongodb-prebuilt
Path mongodb-prebuilt > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of mongodb-prebuilt
Path mongodb-prebuilt > mongodb-download > debug
More info https://nodesecurity.io/advisories/534
# Run npm install body-parser@1.18.3 to resolve 1 vulnerability
Low Regular Expression Denial of Service
Package debug
Dependency of body-parser
Path body-parser > debug
More info https://nodesecurity.io/advisories/534
# Run npm install express-session@1.15.6 to resolve 1 vulnerability
Low Regular Expression Denial of Service
Package debug
Dependency of express-session
Path express-session > debug
More info https://nodesecurity.io/advisories/534
# Run npm install mongoose@5.4.5 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
Low Regular Expression Denial of Service
Package debug
Dependency of mongoose
Path mongoose > mquery > debug
More info https://nodesecurity.io/advisories/534
# Run npm update debug --depth 9 to resolve 6 vulnerabilities
Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp >
micromatch > braces > snapdragon > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp >
micromatch > extglob > expand-brackets > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp >
micromatch > extglob > expand-brackets > snapdragon > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp >
micromatch > extglob > snapdragon > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp >
micromatch > nanomatch > snapdragon > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp >
micromatch > snapdragon > debug
More info https://nodesecurity.io/advisories/534
# Run npm update mocha --depth 2 to resolve 2 vulnerabilities
Low Regular Expression Denial of Service
Package debug
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > debug
More info https://nodesecurity.io/advisories/534
Critical Command Injection
Package growl
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > growl
More info https://nodesecurity.io/advisories/146
# Run npm update mongoose --depth 2 to resolve 1 vulnerability
Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > mongoose > mquery > debug
More info https://nodesecurity.io/advisories/534
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Regular Expression Denial of Service
Package minimatch
Patched in >=3.0.2
Dependency of fire-up
Path fire-up > simple-glob > glob > minimatch
More info https://nodesecurity.io/advisories/118
High Regular Expression Denial of Service
Package minimatch
Patched in >=3.0.2
Dependency of fire-up
Path fire-up > simple-glob > minimatch
More info https://nodesecurity.io/advisories/118
Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of fire-up
Path fire-up > simple-glob > lodash
More info https://nodesecurity.io/advisories/577
found 39 vulnerabilities (24 low, 7 moderate, 6 high, 2 critical) in 5716 scanned packages
run `npm audit fix` to fix 27 of them.
9 vulnerabilities require semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.
Detail 3 -> 5
c:\cygwin64\home\scote\ignite\modules\web-console\backend>npm audit fix
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.7 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.7: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
+ morgan@1.9.1
+ body-parser@1.18.3
+ mongodb-prebuilt@6.4.0
+ pkg@4.3.7
+ express@4.16.4
+ express-session@1.15.6
added 107 packages from 521 contributors, removed 61 packages, updated 42 packages and moved 2 packages in 18.742s
fixed 27 of 39 vulnerabilities in 5716 scanned packages
3 vulnerabilities required manual review and could not be updated
3 package updates for 9 vulns involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
Detail 4 -> 6
c:\cygwin64\home\scote\ignite\modules\web-console\frontend>npm install --no-optional
npm WARN deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated text-encoding@0.6.4: no longer maintained
npm WARN deprecated formatio@1.2.0: This package is unmaintained. Use @sinonjs/formatio instead
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated cryptiles@2.0.5: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
npm WARN deprecated buildmail@4.0.1: This project is unmaintained
npm WARN deprecated uws@9.14.0: stop using this version
> uws@9.14.0 install c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\uws
> node-gyp rebuild > build_log.txt 2>&1 || exit 0
> @uirouter/visualizer@4.0.2 install c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\@uirouter\visualizer
> node ./migrate/migratewarn.js
> node-sass@4.10.0 install c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass
> node scripts/install.js
Downloading binary from https://github.com/sass/node-sass/releases/download/v4.10.0/win32-x64-67_binding.node
Download complete .] - :
Binary saved to c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass\vendor\win32-x64-67\binding.node
Caching binary to C:\Users\scote\AppData\Roaming\npm-cache\node-sass\4.10.0\win32-x64-67_binding.node
> node-sass@4.10.0 postinstall c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass
> node scripts/build.js
Binary found at c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass\vendor\win32-x64-67\binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN acorn-dynamic-import@4.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.7 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.7: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1726 packages from 1909 contributors and audited 18424 packages in 58.495s
found 11 vulnerabilities (3 low, 5 moderate, 1 high, 2 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Detail 5 -> 7
c:\cygwin64\home\scote\ignite\modules\web-console\frontend>npm audit
=== npm audit security report ===
# Run npm install --save-dev mocha@5.2.0 to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Low Regular Expression Denial of Service
Package debug
Dependency of mocha [dev]
Path mocha > debug
More info https://nodesecurity.io/advisories/534
Critical Command Injection
Package growl
Dependency of mocha [dev]
Path mocha > growl
More info https://nodesecurity.io/advisories/146
# Run npm install --save-dev karma@3.1.4 to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Moderate Memory Exposure
Package tunnel-agent
Dependency of karma [dev]
Path karma > log4js > loggly > request > tunnel-agent
More info https://nodesecurity.io/advisories/598
Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > cryptiles > boom
> hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566
Low Regular Expression Denial of Service
Package timespan
Dependency of karma [dev]
Path karma > log4js > loggly > timespan
More info https://nodesecurity.io/advisories/533
# Run npm install --save-dev webpack-dev-server@3.1.14 to resolve 1 vulnerability
High Missing Origin Validation
Package webpack-dev-server
Dependency of webpack-dev-server [dev]
Path webpack-dev-server
More info https://nodesecurity.io/advisories/725
# Run npm update mocha --depth 2 to resolve 2 vulnerabilities
Low Regular Expression Denial of Service
Package debug
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > debug
More info https://nodesecurity.io/advisories/534
Critical Command Injection
Package growl
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > growl
More info https://nodesecurity.io/advisories/146
found 11 vulnerabilities (3 low, 5 moderate, 1 high, 2 critical) in 18424 scanned packages
run `npm audit fix` to fix 3 of them.
8 vulnerabilities require semver-major dependency updates.
Detail 6 -> 8
c:\cygwin64\home\scote\ignite\modules\web-console\frontend>npm audit fix
npm WARN acorn-dynamic-import@4.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.7 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.7: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
+ webpack-dev-server@3.1.14
added 8 packages from 433 contributors, removed 18 packages, updated 10 packages and moved 1 package in 13.165s
fixed 3 of 11 vulnerabilities in 18424 scanned packages
2 package updates for 8 vulns involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
Detail 7 ->
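A triage helper for the plain-text npm audit report format quoted in Detail 2 -> 4 above, added here as an example (not code from the original post or from the Ignite project). It assumes the npm 6 text layout shown in the Details and runs on a constructed excerpt of that report; the classification mirrors the report's own split into auto-fixable, semver-major and manual-review findings, and separates [dev] tooling from runtime dependencies.

```javascript
// Added example, not from the original post or the Ignite project: a triage helper for the
// npm 6 plain-text `npm audit` report layout quoted in the Details. Sorts findings into what
// `npm audit fix` handles, semver-major bumps, and manual review, and flags runtime vs [dev].
const SEVERITIES = ['low', 'moderate', 'high', 'critical'];
const KEYS = ['Package ', 'Patched in ', 'Dependency of ', 'Path ', 'More info '];
function parseNpmAuditText(report) {
  const findings = [];
  let action = null, breaking = false, cur = null; // current "# Run ..." group (or 'manual')
  for (const raw of report.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('# Run ')) { action = line.slice(2); breaking = false; continue; }
    if (line.startsWith('SEMVER WARNING')) { breaking = true; continue; }
    if (line === 'Manual Review') { action = 'manual'; breaking = false; continue; }
    const sev = line.split(' ')[0].toLowerCase();
    if (SEVERITIES.includes(sev) && line.length > sev.length) {
      // A record starts with "<Severity> <Title>", e.g. "Critical Command Injection".
      cur = { severity: sev, title: line.slice(sev.length + 1), action, breaking,
              package: '', dev: false, path: '', advisory: '' };
      findings.push(cur);
    } else if (!cur) continue;
    else if (line.startsWith('Package ')) cur.package = line.slice(8);
    else if (line.startsWith('Dependency of ')) cur.dev = line.endsWith('[dev]');
    else if (line.startsWith('Path ')) cur.path = line.slice(5);
    else if (line.startsWith('More info ')) cur.advisory = line.slice(10);
    else if (cur.path && !cur.advisory && line && !KEYS.some(k => line.startsWith(k))) {
      cur.path += ' ' + line; // long dependency paths wrap onto a continuation line
    }
  }
  return findings;
}
function summarize(findings) {
  const s = { total: findings.length, bySeverity: {}, autoFixable: 0, breaking: 0, manual: 0,
              runtimeHighOrCritical: [] };
  for (const sev of SEVERITIES) s.bySeverity[sev] = 0;
  for (const f of findings) {
    s.bySeverity[f.severity] += 1;
    if (f.action === 'manual') s.manual += 1;
    else if (f.breaking) s.breaking += 1;
    else s.autoFixable += 1;
    // A [dev] finding lives in build/test tooling, not in what the console ships at runtime.
    if (!f.dev && (f.severity === 'high' || f.severity === 'critical')) {
      s.runtimeHighOrCritical.push(`${f.package} via ${f.path}`);
    }
  }
  return s;
}
// Constructed excerpt in the same layout as Detail 2 -> 4 (not the full report).
const SAMPLE_REPORT = `
# Run npm install express@4.16.4 to resolve 1 vulnerability
High Regular Expression Denial of Service
Package fresh
Dependency of express
Path express > fresh
# Run npm install --save-dev mocha@5.2.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
Critical Command Injection
Package growl
Dependency of mocha [dev]
Path mocha > growl
Manual Review
High Regular Expression Denial of Service
Package minimatch
Patched in >=3.0.2
Dependency of fire-up
Path fire-up > simple-glob > glob >
minimatch
More info https://nodesecurity.io/advisories/118
`;
const SUMMARY = summarize(parseNpmAuditText(SAMPLE_REPORT));
console.log(JSON.stringify(SUMMARY, null, 2));
```

Run against a saved `npm audit` report, the runtimeHighOrCritical list is the part worth raising with a security team first; [dev]-only findings such as growl under mocha never reach the deployed console.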