[FOLIO-2213] In folio-install kubernetes-rancher: Fix security vulnerability for js-yaml and various lodash Created: 14/Aug/19  Updated: 08/Nov/21  Resolved: 08/Nov/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: David Crossley Assignee: Julian Ladisch
Resolution: Done Votes: 0
Labels: keep-bug, platform-backlog, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-2080 Fix security vulnerability reported f... Closed
Sprint: CP: Non-roadmap backlog
Development Team: Core: Platform

 Description   

For a couple of months there have been security alerts reported for the demonstration "alternative-install/kubernetes-rancher".

(Not a good presentation for the general folio-install documentation.)

Taras Spashchenko, would you please investigate. Their detail should be visible to you there.



 Comments   
Comment by Jakub Skoczen [ 07/Oct/20 ]

David Crossley Adam Dickmeiss Julian Ladisch Closing because it's old; please re-open if still relevant.

Comment by Julian Ladisch [ 08/Oct/20 ]

https://github.com/folio-org/folio-install/pull/49/files removed yarn.lock. This makes the GitHub security warning disappear.
However, the vulnerable libraries are still being used by the code. The issues are not resolved and are still reported by other security scanners like https://jeremylong.github.io/DependencyCheck/ .
I propose to delete the https://github.com/folio-org/folio-install/tree/master/alternative-install/kubernetes-rancher/EBSCO directory from master. It is outdated (last change 16 months ago) and cannot be used any longer. It will remain in the git history.
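
The comment above makes a point worth seeing in code: a lockfile-based scanner (the GitHub alert) goes silent once yarn.lock is gone, while the manifest still declares the same packages and a scan of the declared or installed dependencies keeps reporting them. The script below is an added example, not code from folio-install or from the commenter. The package.json, the yarn.lock excerpt and the advisory table (package name, first fixed version) are constructed in-line for illustration and are placeholders, not a real advisory feed.

```javascript
// Added example (not FOLIO code). Demonstrates why removing yarn.lock hides a
// lockfile-based alert without removing the dependency from the project.

// Constructed manifest, standing in for the example's package.json.
const manifest = {
  name: "kubernetes-rancher-example",
  dependencies: { "js-yaml": "^3.12.0", "lodash": "^4.17.10" },
};

// Constructed yarn.lock excerpt (Yarn v1 format).
const yarnLock = `
js-yaml@^3.12.0:
  version "3.12.0"
  resolved "https://registry.example/js-yaml/-/js-yaml-3.12.0.tgz"

lodash@^4.17.10:
  version "4.17.10"
  resolved "https://registry.example/lodash/-/lodash-4.17.10.tgz"
`;

// Placeholder advisory table: name -> first version that is not affected.
// A real check must consult an advisory database, not this constant.
const ADVISORIES = { "js-yaml": "3.13.1", "lodash": "4.17.12" };

// Compare two dotted versions numerically (major.minor.patch only).
function cmp(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse a Yarn v1 lockfile into { packageName: resolvedVersion }.
// Entry headers are unindented and look like `name@range:`; scoped
// packages are quoted, e.g. `"@scope/name@^1.0.0":`.
function parseYarnLock(text) {
  const resolved = {};
  let current = null;
  for (const line of text.split("\n")) {
    const header = line.match(/^"?(@?[^@"]+)@/);
    if (header && !line.startsWith(" ")) { current = header[1]; continue; }
    const ver = line.match(/^\s+version "([^"]+)"/);
    if (ver && current) resolved[current] = ver[1];
  }
  return resolved;
}

// Lockfile-based scan: only pinned versions are checked, so with no lockfile
// there is nothing to check and the scan is silent.
function scanLock(lockText) {
  if (lockText === null) return [];
  const pins = parseYarnLock(lockText);
  return Object.entries(pins)
    .filter(([name, v]) => ADVISORIES[name] && cmp(v, ADVISORIES[name]) < 0)
    .map(([name, v]) => `${name}@${v}`);
}

// Manifest-based scan: flags a declared range whose lower bound is affected,
// i.e. the range still admits vulnerable versions.
function scanManifest(pkg) {
  return Object.entries(pkg.dependencies)
    .filter(([name, range]) => {
      const floor = range.replace(/^[\^~>=]+/, "");
      return ADVISORIES[name] && cmp(floor, ADVISORIES[name]) < 0;
    })
    .map(([name, range]) => `${name}@${range}`);
}

// Before and after deleting yarn.lock.
function report() {
  return {
    withLock: { lock: scanLock(yarnLock), manifest: scanManifest(manifest) },
    lockDeleted: { lock: scanLock(null), manifest: scanManifest(manifest) },
  };
}

console.log(JSON.stringify(report(), null, 2));
```

After the lockfile is removed the lockfile-based result is empty while the manifest-based result is unchanged. Because the ranges use `^`, a fresh install may resolve to a fixed release, so the authoritative check is a scan of what is actually installed (the approach the comment points to with DependencyCheck), not the presence or absence of an alert.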

Comment by Craig McNally [ 16/Jul/21 ]

From the security team: Let's proceed with Julian Ladisch's proposal and remove this outdated directory. If needed it will continue to live on in git history.

Comment by Ingolf Kuss [ 30/Sep/21 ]

The directory you deleted is still being referenced here: Kubernetes example | FOLIO Documentation, https://docs.folio.org/docs/getting-started/installation/kubernetesex/- (section "Build the job image")

Comment by Jakub Skoczen [ 28/Oct/21 ]

Julian Ladisch can this be closed? Also, do we know who should update the docs linked to by Ingolf Kuss above?

Comment by Julian Ladisch [ 08/Nov/21 ]

https://docs.folio.org/docs/getting-started/installation/kubernetesex/ no longer references the kubernetes-rancher/EBSCO example: https://github.com/folio-org/docs/commit/08b3fa39b1725acae1c34cba6c1be7e465db8279

Therefore I close this issue.
