logzio / apollo
NOT MAINTAINED. Apollo - The logz.io continuous deployment solution over kubernetes
License: Apache License 2.0
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /tmp/git/apollo/ui/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to make the server allocate memory by sending a ping frame. By default ws answers a ping with a pong carrying the ping's payload, which is the expected behaviour, but internally ws converts everything it is about to send into a Buffer, and that is where the flaw was: ws did no check on the type of the data it was sending. When a Node Buffer is constructed from a number rather than a string, the number is taken as a size and that many bytes are allocated.
Publish Date: 2018-05-31
URL: CVE-2016-10518
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518
Release Date: 2018-05-31
Fix Resolution: 1.0.0
Step up your Open Source Security Game with WhiteSource here
querystring parser
path: /tmp/git/apollo/ui/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Dependency Hierarchy:
querystring parser
path: /tmp/git/apollo/ui/node_modules/tiny-lr-fork/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.5.6.tgz
Dependency Hierarchy:
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/28
Release Date: 2014-08-06
Fix Resolution: Update to version 1.0.0 or later
Simplified HTTP request client.
path: /tmp/git/apollo/ui/node_modules/google-cdn/node_modules/request/package.json
Library home page: http://registry.npmjs.org/request/-/request-2.42.0.tgz
Dependency Hierarchy:
Simplified HTTP request client.
path: /tmp/git/apollo/ui/node_modules/bower-registry-client/node_modules/request/package.json
Library home page: http://registry.npmjs.org/request/-/request-2.51.0.tgz
Dependency Hierarchy:
Simplified HTTP request client.
path: /tmp/git/apollo/ui/node_modules/phantomjs/node_modules/request/package.json
Library home page: http://registry.npmjs.org/request/-/request-2.67.0.tgz
Dependency Hierarchy:
Request is an http client. If a request is made using multipart and the body type is a number, a Buffer of that many bytes is allocated and sent as the body; on the Node versions of the time that memory was uninitialized, so previously used process memory could be leaked to the remote server. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
Publish Date: 2018-06-04
URL: CVE-2017-16026
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026
Release Date: 2018-06-04
Fix Resolution: 2.47.1,2.67.1
JavaScript parser and compressor/beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/socket.io-client/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/handlebars/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.
Publish Date: 2015-08-24
URL: WS-2015-0024
Type: Upgrade version
Origin: mishoo/UglifyJS@905b601
Release Date: 2017-01-31
Fix Resolution: v2.4.24
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /tmp/git/apollo/ui/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
By sending an overly long websocket payload to a ws server, it is possible to crash the node process.
Publish Date: 2016-06-24
URL: WS-2016-0040
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/120
Release Date: 2016-06-24
Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.
A comprehensive library for mime-type mapping
path: /tmp/git/apollo/ui/node_modules/serve-static/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Dependency Hierarchy:
A comprehensive library for mime-type mapping
path: /tmp/git/apollo/ui/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Dependency Hierarchy:
Affected versions of mime (1.0.0 through 1.4.0 and 2.0.0 through 2.0.2) are vulnerable to regular expression denial of service.
Publish Date: 2017-09-27
URL: WS-2017-0330
Parse, validate, manipulate, and display dates
path: /apollo/ui/app/index.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js
Dependency Hierarchy:
Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.
Publish Date: 2016-10-24
URL: WS-2016-0075
Type: Change files
Origin: moment/moment@663f33e
Release Date: 2016-10-24
Fix Resolution: Replace or update the following files: month.js, lt.js
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /tmp/git/apollo/ui/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Publish Date: 2018-05-31
URL: CVE-2016-10542
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10542
Release Date: 2018-12-15
Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server.
The steps described in https://github.com/logzio/apollo/wiki/Getting-Started-with-Apollo don't work because the docker-compose.yml references an image tag that doesn't exist.
docker-compose.yml:
image: logzio/apollo:e4b1c1b19532be6dc7013cd4903e4a605a952edb
Result after running docker-compose up -d:
Pulling apollo (logzio/apollo:e4b1c1b19532be6dc7013cd4903e4a605a952edb)...
ERROR: manifest for logzio/apollo:e4b1c1b19532be6dc7013cd4903e4a605a952edb not found
It appears the current image tag is 204f92d.
Should there be a 'latest' tag?
Can this app be used for deployment where there are multiple containers in a single pod. So, provides an option to deploy to individual containers in the same pod?
A tool for rapidly building command line apps
path: /tmp/git/apollo/ui/node_modules/cli/package.json
Library home page: http://registry.npmjs.org/cli/-/cli-0.6.6.tgz
Dependency Hierarchy:
The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.
Publish Date: 2018-05-31
URL: CVE-2016-10538
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10538
Release Date: 2018-05-31
Fix Resolution: 1.0.0
The core jetty server artifact.
path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.5.v20170502/jetty-server-9.4.5.v20170502.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
The Eclipse Jetty Project
path: /root/.m2/repository/org/eclipse/jetty/jetty-http/9.4.5.v20170502/jetty-http-9.4.5.v20170502.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Publish Date: 2018-06-26
URL: CVE-2017-7657
Base Score Metrics:
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041194
Fix Resolution: 9.4.11.v20180605 (9.2.25.v20180606 for the 9.2.x line, 9.3.24.v20180605 for 9.3.x). Vendor advisory: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html
small debugging utility
path: /tmp/git/apollo/ui/node_modules/debug/package.json
Library home page: http://registry.npmjs.org/debug/-/debug-0.8.1.tgz
Dependency Hierarchy:
small debugging utility
path: /tmp/git/apollo/ui/node_modules/google-cdn/node_modules/debug/package.json
Library home page: https://registry.npmjs.org/debug/-/debug-1.0.5.tgz
Dependency Hierarchy:
small debugging utility
path: /tmp/git/apollo/ui/node_modules/grunt-usemin/node_modules/debug/package.json
Library home page: http://registry.npmjs.org/debug/-/debug-2.1.3.tgz
Dependency Hierarchy:
small debugging utility
path: /tmp/git/apollo/ui/node_modules/tiny-lr-fork/node_modules/debug/package.json
Library home page: http://registry.npmjs.org/debug/-/debug-0.7.4.tgz
Dependency Hierarchy:
small debugging utility
path: /tmp/git/apollo/ui/node_modules/express-session/node_modules/debug/package.json
Library home page: http://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Dependency Hierarchy:
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/534
Release Date: 2017-09-27
Fix Resolution: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
General purpose node utilities
path: /tmp/git/apollo/ui/node_modules/bower/lib/node_modules/sntp/node_modules/hoek/package.json
Library home page: http://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz
Dependency Hierarchy:
General purpose node utilities
path: /tmp/git/apollo/ui/node_modules/hoek/package.json
Library home page: http://registry.npmjs.org/hoek/-/hoek-0.9.1.tgz
Dependency Hierarchy:
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via a `__proto__` key, adding or modifying a property that will then exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728
Release Date: 2018-03-30
Fix Resolution: 4.2.0,5.0.3
A tool for rapidly building command line apps
path: /tmp/git/apollo/ui/node_modules/cli/package.json
Library home page: http://registry.npmjs.org/cli/-/cli-0.6.6.tgz
Dependency Hierarchy:
The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.
Publish Date: 2016-06-15
URL: WS-2016-0036
Type: Upgrade version
Origin: node-js-libs/cli@fd6bc4d
Release Date: 2017-01-31
Fix Resolution: 1.0.0
It'd be a nice feature if (by default or manual) apollo could tag the deployed commit as 'deployed' so we could have a better overview on the project just by looking on the git log.
The tag could be a lightweight tag so it will float and point on the current deployed commit.
I am not aware if this functionality is already there but, if there are already some deployments in my kubernetes environment, will Apollo be able to automatically import that?
Reference implementation of Joyent's HTTP Signature scheme.
path: /tmp/git/apollo/ui/node_modules/google-cdn/node_modules/http-signature/package.json
Library home page: http://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz
Dependency Hierarchy:
Affected versions (before 1.0.0) of the http-signature package are vulnerable to Timing Attacks.
Publish Date: 2017-06-28
URL: WS-2017-0266
Type: Upgrade version
Origin: TritonDataCenter/node-http-signature#36
Release Date: 2017-01-31
Fix Resolution: 1.0.0
Currently it is hard for new users to start using Apollo due to many APIs needed.
Ideally, when first launching Apollo, the Admin user should be greeted with a "Welcome Flow" to configure all of the initial configuration needed.
For example, if an environment is defined without a valid token and I try to deploy on it, the deployment would get stuck on "pending" and keep trying forever.
Parse, validate, manipulate, and display dates
path: /apollo/ui/app/index.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js
Dependency Hierarchy:
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2016-4055
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4055
Release Date: 2017-01-23
Fix Resolution: 2.11.2
a glob matcher in javascript
path: /tmp/git/apollo/ui/node_modules/bower/lib/node_modules/glob/node_modules/minimatch/package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Dependency Hierarchy:
a glob matcher in javascript
path: /tmp/git/apollo/ui/node_modules/load-grunt-tasks/node_modules/minimatch/package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Dependency Hierarchy:
a glob matcher in javascript
path: /tmp/git/apollo/ui/node_modules/globule/node_modules/minimatch/package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Dependency Hierarchy:
a glob matcher in javascript
path: /tmp/git/apollo/ui/node_modules/google-cdn/node_modules/minimatch/package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-1.0.0.tgz
Dependency Hierarchy:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
Tiny ms conversion utility
path: /tmp/git/apollo/ui/node_modules/grunt-usemin/node_modules/ms/package.json
Library home page: http://registry.npmjs.org/ms/-/ms-0.7.0.tgz
Dependency Hierarchy:
Ms is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.
Publish Date: 2015-10-24
URL: WS-2015-0015
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/46
Release Date: 2015-10-24
Fix Resolution: Update to version 0.7.1 or greater. An alternative would be to limit the input length of the user input before passing it into ms.
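The ms fix above names the generic mitigation that applies to every ReDoS entry on this page (ms, debug, mime, moment, minimatch, negotiator, uglify-js): bound the input length before it reaches the regular expression. The following added example demonstrates it with a constructed textbook backtracking pattern; it is not the regex from any of those libraries, and the helper names are hypothetical.

```javascript
// Added ReDoS illustration with a constructed pattern, not a library's regex.
const EVIL = /^(a+)+$/;   // nested quantifier: exponential on "aaaa...!"
const LINEAR = /^a+$/;    // same language, matched without ambiguity

// The mitigation from the ms advisory: refuse over-long input before the
// engine runs. A few hundred characters is plenty for a duration string.
function matchBounded(re, input, maxLen) {
  if (typeof input !== 'string') return null;
  if (input.length > maxLen) return null;
  return re.exec(input);
}

// Milliseconds spent matching `re` against `input`, for the reader's own runs.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// n=22 is safe to run interactively; each extra 'a' roughly doubles unboundedMs.
function demo(n = 22) {
  const evilInput = 'a'.repeat(n) + '!';   // almost matches, then fails
  return {
    unboundedMs: timeMatch(EVIL, evilInput),
    linearMs: timeMatch(LINEAR, evilInput),
    boundedResult: matchBounded(EVIL, evilInput, 16), // null, without running the regex
  };
}
```

Rewriting the pattern (as the `LINEAR` form shows) is the real fix; the length cap is the defence you can apply at the call site today, which is what the advisory suggests when upgrading is not possible.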
Tiny millisecond conversion utility
path: /tmp/git/apollo/ui/node_modules/serve-favicon/node_modules/ms/package.json
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz
Dependency Hierarchy:
Tiny ms conversion utility
path: /tmp/git/apollo/ui/node_modules/grunt-usemin/node_modules/ms/package.json
Library home page: http://registry.npmjs.org/ms/-/ms-0.7.0.tgz
Dependency Hierarchy:
Tiny ms conversion utility
path: /tmp/git/apollo/ui/node_modules/serve-index/node_modules/ms/package.json
Library home page: http://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Dependency Hierarchy:
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-05-15
URL: WS-2017-0247
Type: Change files
Origin: vercel/ms@305f2dd
Release Date: 2017-04-12
Fix Resolution: Replace or update the following file: index.js
The core jetty server artifact.
path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.5.v20170502/jetty-server-9.4.5.v20170502.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
The Eclipse Jetty Project
path: /root/.m2/repository/org/eclipse/jetty/jetty-http/9.4.5.v20170502/jetty-http-9.4.5.v20170502.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Publish Date: 2018-06-26
URL: CVE-2017-7658
Base Score Metrics:
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041194
Fix Resolution: 9.4.11.v20180605 (9.2.25.v20180606 for the 9.2.x line, 9.3.24.v20180605 for 9.3.x). Vendor advisory: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html
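The two Jetty entries (CVE-2017-7657 above and CVE-2017-7658 here) are both request-smuggling primitives: the server and the intermediary in front of it disagree about where one request ends and the next begins. The following added example emulates the chunk-size overflow and the RFC 7230 framing rules in JavaScript; it is written for this page and is not Jetty's code, and the function names are hypothetical.

```javascript
// Added emulation of the two Jetty framing flaws and the strict alternative.
// Not Jetty code; names are hypothetical.
const INT32_MAX = 0x7fffffff;

// Vulnerable shape: accumulate the hex chunk size into a 32-bit int with no
// bound. `| 0` reproduces the silent wrap of a C/Java int, so a 9-digit size
// such as "100000010" comes out as 16, and whatever follows those 16 bytes
// is then read as a new, pipelined request the intermediary never saw.
function parseChunkSizeWrapping(sizeLine) {
  let size = 0;
  for (const ch of sizeLine.split(';')[0].trim()) {
    const digit = parseInt(ch, 16);
    if (Number.isNaN(digit)) throw new Error('bad chunk size digit');
    size = (size * 16 + digit) | 0;
  }
  return size;
}

// Hardened: bound the digit count first, then the value.
function parseChunkSizeStrict(sizeLine, maxChunk = 16 * 1024 * 1024) {
  const digits = sizeLine.split(';')[0].trim();
  if (!/^[0-9a-fA-F]{1,8}$/.test(digits)) {
    throw new Error(`chunk size rejected: ${JSON.stringify(digits)}`);
  }
  const size = parseInt(digits, 16);
  if (size > maxChunk || size > INT32_MAX) throw new Error(`chunk too large: ${size}`);
  return size;
}

// Message framing per RFC 7230 3.3.3: Transfer-Encoding together with
// Content-Length, or two Content-Length values that disagree, is a 400, not a
// guess. Refusing removes the disagreement the attacker needs between the
// intermediary and the origin.
function bodyFraming(headers) {
  const te = headers.filter(([n]) => n.toLowerCase() === 'transfer-encoding').map(([, v]) => v);
  const cl = headers.filter(([n]) => n.toLowerCase() === 'content-length').map(([, v]) => v.trim());
  if (te.length && cl.length) throw new Error('400: both Transfer-Encoding and Content-Length');
  if (te.length) {
    const codings = te.join(',').split(',').map((c) => c.trim().toLowerCase());
    if (codings[codings.length - 1] !== 'chunked') throw new Error('400: final coding must be chunked');
    return { mode: 'chunked' };
  }
  if (cl.length) {
    if (new Set(cl).size !== 1) throw new Error('400: conflicting Content-Length values');
    if (!/^\d{1,15}$/.test(cl[0])) throw new Error('400: malformed Content-Length');
    return { mode: 'length', length: Number(cl[0]) };
  }
  return { mode: 'length', length: 0 };
}
```

The check that matters operationally is the same one in both functions: the server must fail closed on ambiguous framing rather than pick an interpretation, because any proxy that picks differently becomes an authorization bypass.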
A comprehensive library for mime-type mapping
path: /tmp/git/apollo/ui/node_modules/serve-static/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Dependency Hierarchy:
A comprehensive library for mime-type mapping
path: /tmp/git/apollo/ui/node_modules/mime/package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Dependency Hierarchy:
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics:
a JDBC Connection pooling / Statement caching library
path: /root/.m2/repository/com/mchange/c3p0/0.9.5.2/c3p0-0.9.5.2.jar
Library home page: https://github.com/swaldman/c3p0
Dependency Hierarchy:
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Publish Date: 2018-12-24
URL: CVE-2018-20433
Base Score Metrics:
Type: Change files
Origin: zhutougg/c3p0@2eb0ea9
Release Date: 2018-12-20
Fix Resolution: Replace or update the following file: C3P0ConfigXmlUtils.java
JavaScript parser and compressor/beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/socket.io-client/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/handlebars/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz
Dependency Hierarchy:
Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().
Publish Date: 2015-10-24
URL: WS-2015-0017
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/48
Release Date: 2015-10-24
Fix Resolution: Update to version 2.6.0 or later
Curious if it's related to the older version of kubernetes client. Looks like it may be obscuring the real error. Also is there an option for loading the CA cert for environment, or is it ignoring TLS errors? We're using self signed cert via kops.
Thanks for all the hard work, this has been a really neat evaluation to play with.
19:43:03.738 [kubernetes-monitor-0] ERROR io.logz.apollo.kubernetes.KubernetesHandler - Got exception while deploying to kubernetes deployment id 1. Leaving in its original state
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://[redacted]/apis/extensions/v1beta1/namespaces/default/deployments/sample-apollo-app. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked..
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:315)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:266)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:237)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:230)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:226)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:656)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:168)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:357)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:355)
at io.logz.apollo.kubernetes.KubernetesHandler.startDeployment(KubernetesHandler.java:83)
at io.logz.apollo.kubernetes.KubernetesMonitor.lambda$monitor$0(KubernetesMonitor.java:107)
at java.util.ArrayList.forEach(ArrayList.java:1249)
at io.logz.apollo.kubernetes.KubernetesMonitor.monitor(KubernetesMonitor.java:98)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
The core jetty server artifact.
path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.5.v20170502/jetty-server-9.4.5.v20170502.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Publish Date: 2018-06-22
URL: CVE-2018-12538
Base Score Metrics:
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041194
Fix Resolution: 9.4.11.v20180605 (9.2.25.v20180606 for the 9.2.x line, 9.3.24.v20180605 for 9.3.x). Vendor advisory: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html
HTTP content negotiation
path: /tmp/git/apollo/ui/node_modules/accepts/node_modules/negotiator/package.json
Library home page: http://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz
Dependency Hierarchy:
HTTP content negotiation
path: /tmp/git/apollo/ui/node_modules/negotiator/package.json
Library home page: http://registry.npmjs.org/negotiator/-/negotiator-0.3.0.tgz
Dependency Hierarchy:
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Publish Date: 2018-05-31
URL: CVE-2016-10539
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/106
Release Date: 2016-06-16
Fix Resolution: Upgrade to at least version 0.6.1
Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.
querystring parser
path: /tmp/git/apollo/ui/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Dependency Hierarchy:
querystring parser
path: /tmp/git/apollo/ui/node_modules/tiny-lr-fork/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.5.6.tgz
Dependency Hierarchy:
Denial-of-Service: Extended Event Loop Blocking. The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time.
Publish Date: 2014-08-06
URL: WS-2014-0005
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater
Apollo permissions are only configured via the API currently -
There should be a nice drag-drop UI for creating permissions, assigning roles to users, and permissions to roles
Parse, validate, manipulate, and display dates
path: /apollo/ui/app/index.html
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js
Dependency Hierarchy:
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
Publish Date: 2018-03-04
URL: CVE-2017-18214
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214
Release Date: 2018-03-04
Fix Resolution: 2.19.3
JavaScript parser and compressor/beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/socket.io-client/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/handlebars/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz
Dependency Hierarchy:
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.6.0
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /tmp/git/apollo/ui/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
DoS in ws module due to excessively large websocket message.
Publish Date: 2016-06-24
URL: WS-2016-0031
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/120
Release Date: 2016-06-24
Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.
JavaScript parser and compressor/beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/socket.io-client/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz
Dependency Hierarchy:
JavaScript parser, mangler/compressor and beautifier toolkit
path: /tmp/git/apollo/ui/node_modules/handlebars/node_modules/uglify-js/package.json
Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Dependency Hierarchy:
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.
Publish Date: 2017-01-23
URL: CVE-2015-8857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8857
Release Date: 2018-12-15
Fix Resolution: v2.4.24
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /tmp/git/apollo/ui/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
Depending on the JavaScript engine, Math.random can be anywhere between extremely insecure and cryptographically pseudo-random.
Versions which use Math.random can produce predictable values, thus shall not be used.
Publish Date: 2016-09-20
URL: WS-2017-0107
Type: Change files
Origin: websockets/ws@7253f06
Release Date: 2016-11-25
Fix Resolution: Replace or update the following file: Sender.js
quote and parse shell commands
path: /tmp/git/apollo/ui/node_modules/shell-quote/package.json
Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-1.4.3.tgz
Dependency Hierarchy:
The npm module "shell-quote" cannot correctly escape the "greater than" and "lower than" operators used for redirection in the shell. This is a possible vulnerability for any application that depends on shell-quote.
Publish Date: 2016-06-21
URL: WS-2016-0039
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/117
Release Date: 2016-06-21
Fix Resolution: Upgrade to at least version 1.6.1
General purpose crypto utilities
path: /tmp/git/apollo/ui/node_modules/cryptiles/package.json
Library home page: http://registry.npmjs.org/cryptiles/-/cryptiles-0.2.2.tgz
Dependency Hierarchy:
General purpose crypto utilities
path: /tmp/git/apollo/ui/node_modules/bower/lib/node_modules/cryptiles/package.json
Library home page: http://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Dependency Hierarchy:
Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method that can result in an attacker being more likely to brute force something that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
Base Score Metrics:
querystring parser
path: /tmp/git/apollo/ui/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.6.6.tgz
Dependency Hierarchy:
querystring parser
path: /tmp/git/apollo/ui/node_modules/tiny-lr-fork/node_modules/qs/package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.5.6.tgz
Dependency Hierarchy:
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution: 1.0.0
I've found here (https://github.com/logzio/apollo/wiki/Getting-Started-with-Apollo) that inside the payload json, used to make a user admin, the "isEnabled: true" property is missing, returning an Internal server error when sent:
java.lang.RuntimeException:
...
Caused by: com.fasterxml.jackson.databind.JsonMappingException: (was java.lang.NullPointerException) (through reference chain: java.util.ArrayList[1]->io.logz.apollo.models.User["enabled"])
...
Caused by: java.lang.NullPointerException
The correct payload should be :
{
"firstName": "example_firstname",
"lastName": "example_lastname",
"userEmail": "[email protected]",
"password": "example_secret",
"isEnabled": true,
"isAdmin": true
}
Since the Kubernetes mock is deprecated, it's super hard to write some tests that we would like to write:
Creating a GitHub mock is needed because:
quote and parse shell commands
path: /tmp/git/apollo/ui/node_modules/shell-quote/package.json
Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-1.4.3.tgz
Dependency Hierarchy:
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape the ">" and "<" operators used for redirection in the shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.
Publish Date: 2018-05-31
URL: CVE-2016-10541
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10541
Release Date: 2018-12-15
Fix Resolution: 1.6.1
When using the docker-compose from the /examples/ folder, the connection to the DB cannot be made.
74) An exception was caught and reported. Message:
apollo_1 | Unable to obtain Jdbc connection from DataSource (jdbc:mysql://db:3306/apollo?createDatabaseIfNotExist=true) for user 'root': Could not create connection to database server.
apollo_1 | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
apollo_1 | SQL State : 08001
apollo_1 | Error Code : 0
apollo_1 | Message : Could not create connection to database server.
apollo_1 |
apollo_1 | at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
apollo_1 |
apollo_1 | 74 errors
apollo_1 | at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:470)
apollo_1 | at com.google.inject.internal.InternalInjectorCreator.initializeStatically(InternalInjectorCreator.java:155)
apollo_1 | at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
apollo_1 | at com.google.inject.internal.InjectorImpl.createChildInjector(InjectorImpl.java:232)
apollo_1 | at com.netflix.governator.guice.LifecycleInjector.createChildInjector(LifecycleInjector.java:331)
apollo_1 | at com.netflix.governator.guice.LifecycleInjector.createInjector(LifecycleInjector.java:411)
apollo_1 | at com.netflix.governator.guice.LifecycleInjector.createInjector(LifecycleInjector.java:352)
apollo_1 | at io.logz.apollo.ApolloApplication.start(ApolloApplication.java:38)
apollo_1 | ... 1 common frames omitted
apollo_1 | Caused by: org.flywaydb.core.internal.dbsupport.FlywaySqlException:
apollo_1 | Unable to obtain Jdbc connection from DataSource (jdbc:mysql://db:3306/apollo?createDatabaseIfNotExist=true) for user 'root': Could not create connection to database server.
apollo_1 | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
apollo_1 | SQL State : 08001
apollo_1 | Error Code : 0
apollo_1 | Message : Could not create connection to database server.
apollo_1 |
apollo_1 | at org.flywaydb.core.internal.util.jdbc.DriverDataSource.getConnectionFromDriver(DriverDataSource.java:419)
apollo_1 | at org.flywaydb.core.internal.util.jdbc.DriverDataSource.getConnection(DriverDataSource.java:381)
apollo_1 | at org.flywaydb.core.internal.util.jdbc.JdbcUtils.openConnection(JdbcUtils.java:51)
apollo_1 | at org.flywaydb.core.Flyway.execute(Flyway.java:1418)
apollo_1 | at org.flywaydb.core.Flyway.migrate(Flyway.java:971)
apollo_1 | at io.logz.apollo.di.ApolloMyBatisModule.migrateDatabase(ApolloMyBatisModule.java:81)
apollo_1 | at io.logz.apollo.di.ApolloMyBatisModule.initialize(ApolloMyBatisModule.java:40)
apollo_1 | at org.mybatis.guice.MyBatisModule.internalConfigure(MyBatisModule.java:134)
apollo_1 | at org.mybatis.guice.AbstractMyBatisModule.configure(AbstractMyBatisModule.java:66)
apollo_1 | at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
apollo_1 | at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
apollo_1 | at com.google.inject.spi.Elements.getElements(Elements.java:110)
apollo_1 | at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
apollo_1 | at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
apollo_1 | ... 6 common frames omitted
The core jetty server artifact.
path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.5.v20170502/jetty-server-9.4.5.v20170502.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
Utility classes for Jetty
path: /root/.m2/repository/org/eclipse/jetty/jetty-util/9.4.5.v20170502/jetty-util-9.4.5.v20170502.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
Publish Date: 2018-06-27
URL: CVE-2018-12536
Base Score Metrics:
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041194
Fix Resolution: The vendor has issued a fix (9.4.11.v20180605); fixes for the older branches are 9.2.25.v20180606 and 9.3.24.v20180605.
The vendor advisory is available at: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: /tmp/git/apollo/ui/node_modules/ws/package.json
Library home page: http://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Dependency Hierarchy:
Affected versions of ws (0.2.6 to 3.3.0) are vulnerable: a specially crafted value of the Sec-WebSocket-Extensions header that uses Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Publish Date: 2017-11-08
URL: WS-2017-0421
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/550/versions
Release Date: 2019-01-24
Fix Resolution: 3.3.1
Environments are currently only defined via the API.
There should be a screen, similar to the service configuration screen, to add and manage Apollo environments.