fix(ci): address CVE-2018-16138

fixes: #1642 Signed-off-by: micoferdinand98 <ferdinand.m.b.mico@accenture.com>
hyperledger-cacti · Sep 6, 2022 · cb19c9b · cb19c9b
1 parent ee99c87
commit cb19c9b
Show file tree

Hide file tree

Showing 5 changed files with 709 additions and 14 deletions.
diff --git a/cactus b/cactus
diff --git a/package.json b/package.json
@@ -20,7 +20,7 @@
     "reset": "run-s reset:git reset:node-modules reset:yarn-lock configure",
     "configure": "yarn install --frozen-lockfile --non-interactive && yarn run build:dev:backend",
     "install-yarn": "npm install --global yarn@1.22.17",
-    "custom-checks": "TS_NODE_PROJECT=./tools/tsconfig.json node --trace-deprecation --experimental-modules --abort-on-uncaught-exception --loader ts-node/esm --experimental-specifier-resolution=node ./tools/custom-checks/run-custom-checks.ts",
+    "custom-checks": "TS_NODE_PROJECT=./tools/tsconfig.json node --trace-deprecation --experimental-modules --abort-on-uncaught-exception --loader ts-node/esm --experimental-specifier-resolution=node ./tools/custom-checks/run-custom-checks.ts && yarn run check-licenses",
     "tools:validate-bundle-names": "TS_NODE_PROJECT=./tools/tsconfig.json node --trace-deprecation --experimental-modules --abort-on-uncaught-exception --loader ts-node/esm --experimental-specifier-resolution=node ./tools/validate-bundle-names.js",
     "generate-api-server-config": "node ./tools/generate-api-server-config.js",
     "sync-ts-config": "TS_NODE_PROJECT=tools/tsconfig.json node --experimental-json-modules --loader ts-node/esm ./tools/sync-npm-deps-to-tsc-projects.ts",
@@ -68,16 +68,13 @@
     "version": "npm ci && npm run build:dev && npm run build:prod && npm run test:unit",
     "lerna-publish-canary": "npm run run-ci && lerna publish --canary --force-publish --dist-tag $(git branch --show-current) --preid $(git branch --show-current).$(git rev-parse --short HEAD)",
     "lerna-publish": "lerna publish --conventional-commits --sign-git-commit --sign-git-tag",
-    "prepare": "husky install"
+    "prepare": "husky install",
+    "check-licenses": "apache2-license-checker"
   },
   "devDependencies": {
     "@commitlint/cli": "13.1.0",
     "@commitlint/config-conventional": "13.1.0",
     "@openapitools/openapi-generator-cli": "2.4.14",
-    "@lerna-lite/cli": "1.4.0",
-    "@lerna-lite/exec": "1.4.0",
-    "@lerna-lite/list": "1.4.0",
-    "@lerna-lite/run": "1.4.0",
     "@types/fs-extra": "9.0.12",
     "@types/jasminewd2": "2.0.10",
     "@types/jest": "27.5.0",
@@ -88,6 +85,7 @@
     "@types/uuid": "8.3.1",
     "@typescript-eslint/eslint-plugin": "4.29.1",
     "@typescript-eslint/parser": "4.29.1",
+    "apache2-license-checker": "^1.0.0",
     "buffer": "6.0.3",
     "codecov": "3.8.3",
     "cpy-cli": "4.1.0",
@@ -121,6 +119,9 @@
     "karma-electron": "7.0.0",
     "karma-tap": "4.2.0",
     "karma-webpack": "5.0.0",
+    "lerna": "4.0.0",
+    "license-checker": "^25.0.1",
+    "license-checker-webpack-plugin": "^0.2.1",
     "lint-staged": "11.1.2",
     "make-dir-cli": "3.0.0",
     "node-polyfill-webpack-plugin": "1.1.4",
@@ -153,4 +154,4 @@
     "node-forge": ">=1.3.0",
     "underscore": "1.13.2"
   }
-}
+  } 
diff --git a/tools/custom-checks/check-apache-versions.ts b/tools/custom-checks/check-apache-versions.ts
@@ -0,0 +1,124 @@
+import fs from "fs-extra";
+import path from "path";
+import { fileURLToPath } from "url";
+import { globby, Options as GlobbyOptions } from "globby";
+// import * as globby from "globby";
+import { RuntimeError } from "run-time-error";
+import { hasProperty } from "./has-property";
+import { isStdLibRecord } from "./is-std-lib-record";
+/**
+ * Verifies that the openapi.json files in the entire project are conformant to
+ * certain boilerplate requirements and conventions that are designed to reduce
+ * or completely eliminate certain types of bugs/mistakes that users/developers
+ * can make (and frequently do without these checks).
+ *
+ * @returns An array with the first item being a boolean indicating
+ * 1) success (`true`) or 2) failure (`false`)
+ */
+export async function apache2LicenseChecker(
+  req: ICheckApacheVersionRequest,
+): Promise<[boolean, string[]]> {
+  const TAG = "[tools/check-apache-version.ts]";
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = path.dirname(__filename);
+  const SCRIPT_DIR = __dirname;
+  const PROJECT_DIR = path.join(SCRIPT_DIR, "../../");
+  console.log(`${TAG} SCRIPT_DIR=${SCRIPT_DIR}`);
+  console.log(`${TAG} PROJECT_DIR=${PROJECT_DIR}`);
+  if (!req) {
+    throw new RuntimeError(`req parameter cannot be falsy.`);
+  }
+  if (!req.argv) {
+    throw new RuntimeError(`req.argv cannot be falsy.`);
+  }
+  if (!req.env) {
+    throw new RuntimeError(`req.env cannot be falsy.`);
+  }
+  const globbyOpts: GlobbyOptions = {
+    cwd: PROJECT_DIR,
+    ignore: ["node_modules"],
+  };
+  const DEFAULT_GLOB = "**/cactus-*/src/main/json/openapi.json";
+  const oasPaths = await globby(DEFAULT_GLOB, globbyOpts);
+  console.log(`openapi.json paths: (${oasPaths.length}): `);
+  // const oasPaths = oasPathsEntries.map((it) => it.path);
+  const errors: string[] = [];
+  const checks = oasPaths.map(async (oasPathRel) => {
+    const oasPathAbs = path.join(PROJECT_DIR, oasPathRel);
+    const oas: unknown = await fs.readJSON(oasPathAbs);
+    if (typeof oas !== "object") {
+      errors.push(`ERROR: ${oasPathRel} openapi.json cannot be empty.`);
+      return;
+    }
+    if (!oas) {
+      errors.push(`ERROR: ${oasPathRel} openapi.json cannot be empty.`);
+      return;
+    }
+    if (!isStdLibRecord(oas)) {
+      return;
+    }
+    if (!hasProperty(oas, "paths")) {
+      return;
+    }
+    const { paths } = oas;
+    if (!isStdLibRecord(paths)) {
+      errors.push(`ERROR: ${oasPathRel} "paths" must be an object`);
+      return;
+    }
+    Object.entries(paths).forEach(([pathObjKey, pathObjProp]) => {
+      if (!isStdLibRecord(pathObjProp)) {
+        errors.push(
+          `ERROR: ${oasPathRel} "paths"."${pathObjKey}" must be an object`,
+        );
+        return;
+      }
+      Object.entries(pathObjProp).forEach(([verbObjKey, verbObjProp]) => {
+        if (!isStdLibRecord(verbObjProp)) {
+          errors.push(
+            `ERROR: ${oasPathRel} "paths"."${pathObjKey}"."${verbObjKey}" must be an object`,
+          );
+          return;
+        }
+        const oasExtension = verbObjProp["x-hyperledger-cactus"];
+        if (!isStdLibRecord(oasExtension)) {
+          const errorMessage = `${oasPathRel} is missing "paths"."${pathObjKey}"."${verbObjKey}"."x-hyperledger-cactus" from the path definition of ${pathObjKey}. Please add it. If you do not know how to, search for existing examples in other openapi.json files within the project for the string "x-hyperledger-cactus"`;
+          errors.push(errorMessage);
+          return;
+        }
+        if (!hasProperty(oasExtension, "http")) {
+          const errorMessage = `${oasPathRel} is missing "paths"."${pathObjKey}"."${verbObjKey}"."x-hyperledger-cactus"."http" from the path definition of ${pathObjKey}. Please add it. If you do not know how to, search for existing examples in other openapi.json files within the project for the string "x-hyperledger-cactus"`;
+          errors.push(errorMessage);
+          return;
+        }
+        const { http } = oasExtension;
+        if (!hasProperty(http, "verbLowerCase")) {
+          const errorMessage = `${oasPathRel} is missing "paths"."${pathObjKey}"."${verbObjKey}"."x-hyperledger-cactus"."http"."verbLowerCase" from the path definition of ${pathObjKey}. Please add it. If you do not know how to, search for existing examples in other openapi.json files within the project for the string "x-hyperledger-cactus"`;
+          errors.push(errorMessage);
+          return;
+        }
+        if (!hasProperty(http, "path")) {
+          const errorMessage = `${oasPathRel} is missing "paths"."${pathObjKey}"."${verbObjKey}"."x-hyperledger-cactus"."http"."path" from the path definition object of ${pathObjKey}. Please add it. If you do not know how to, search for existing examples in other openapi.json files within the project for the string "x-hyperledger-cactus"`;
+          errors.push(errorMessage);
+          return;
+        }
+        if (http.path !== pathObjKey) {
+          const errorMessage = `${oasPathRel} HTTP paths at "paths"."${pathObjKey}"."${verbObjKey}"."x-hyperledger-cactus"."http"."path" must match "${pathObjKey}" but it is currently set to "${http.path}"`;
+          errors.push(errorMessage);
+          return;
+        }
+        if (http.verbLowerCase !== verbObjKey) {
+          const errorMessage = `${oasPathRel} HTTP verbs at "paths"."${pathObjKey}"."${verbObjKey}"."x-hyperledger-cactus"."http"."verbLowerCase" must match "${verbObjKey}" but it is currently set to "${http.verbLowerCase}"`;
+          errors.push(errorMessage);
+          return;
+        }
+      });
+    });
+  });
+  await Promise.all(checks);
+  return [errors.length === 0, errors];
+}
+export const E_MISSING_OAS_EXTENSION = `missing "x-hyperledger-cactus" from `;
+export interface ICheckApacheVersionRequest {
+  readonly argv: string[];
+  readonly env: NodeJS.ProcessEnv;
+}