
dovetail's Introduction

Project Dovetail™ is a complete set of tools for modelling blockchain decentralized apps



Developing blockchain solutions with today’s technology is challenging given the lack of tooling and standardization. Project Dovetail™ by TIBCO LABS™ addresses these issues by providing a graphical interface for modeling smart contracts, making them easier to write, visualize, test, and audit, all without deep programming experience.

Logic is abstracted from low-level code, and contracts can be developed for different blockchain stacks with little or no code. On-chain and off-chain computation can become more seamless, time to market is improved, and the risk of technology lock-in is reduced. Project Dovetail makes your smart contracts smarter.

What are Smart Contracts

There are many definitions and descriptions of smart contracts, as each blockchain framework tends to implement this capability in its own way (if it does implement this feature at all). However, generally speaking, smart contracts (at least from an enterprise / permissioned perspective) may be thought of as application or business logic (defined in code) that runs within the context of a blockchain network itself.

The idea is to automate the processing of blockchain transactions across the network, use the logic to determine if a transaction will get written to the ledger, and to maintain accuracy, compliance, and trust. In essence, smart contracts represent a method for controlling how changes are made to the underlying blockchain, in a non-centralized and (potentially) untrustworthy environment. Supply chain transaction tracking, healthcare revenue cycle management, consumer contract execution, and government interactions are all areas in which smart contracts (business logic) may be applied. Remember, however, that "smart contracts" are not necessarily "smart" (depends on the code) nor "contracts" (as they may not be viewed as legal contracts). Thus, the term can be a bit misleading :)

Project Dovetail

Project Dovetail™ is a framework that allows for the end to end design, development, testing, and deployment of blockchain smart contracts. Project Dovetail™ allows you to develop smart contracts based on a series of models, helping to:

  • Increase security since the modeling abstraction layer will allow for reusable and tested code derived from the model.
  • Simplify development via an extendable abstraction layer (flow model)
  • Decouple your code from the underlying blockchain technology
  • Reduce the amount of code needed
  • Increase visibility and audit-ability
  • Allow customizable modeling for your industry
  • Expose a better UI for the design of smart contracts

Dovetail Core

Dovetail is based on TIBCO FLOGO™, an event-driven app framework used to develop apps for the cloud and the IoT edge. It can also be thought of as a lightweight app kernel used by open source and commercial solutions such as Dovetail. The trigger used is based on the CLI, which generates or transpiles your smart contract logic into the languages of blockchain technologies such as R3 Corda and Hyperledger Fabric.

Dovetail Core provides the following key benefits:

Action chaining: enables communication between one or more capabilities in a single, sub-10MB binary!
🏗 Common contribution model: build activities and triggers that can be leveraged by all capabilities
🔨 Extensible: easily extend the available capabilities by building your own action using the common interfaces

Dovetail Core Contribution Model

Dovetail™ Core exposes three principal contribution interfaces that enable developers to build common capabilities and functionality. These contribution interfaces include:

  • Connector Interface: a common interface for importing predefined schemas into Dovetail. The Hyperledger Composer Connector is an example.
  • Trigger Interface: a common interface for building event consumers that dispatch events to one or more actions. The Smart Contract TXN Trigger is an example of a trigger.
  • Activity Interface: a common interface for exposing common application logic in a reusable manner. Think of this as a function, such as "write to ledger" or "publish events", that can be used by all Dovetail apps.

Dovetail Flows

Dovetail Flows provides smart contract logic design capabilities and includes the following key highlights.

🌈 Painless development: visual modeler with step-back debugging capabilities and an elegant DSL
⚙️ Ultra-light process engine: for conditional flow control

Zero-code Developers

If your background is in zero-coding environments, or you prefer to develop your smart contracts that way, then read on, because we've got something special for you.

Flows Web UI is available via Dovetail releases page.

To report any issues, use the Issue tracker on this project.

Dovetail Documentation

Dovetail documentation can be found on the documentation page, and the source code on the GitHub page.

Contributing

Want to contribute to Project Dovetail? We've made it easy, all you need to do is fork the repository you intend to contribute to, make your changes and create a Pull Request! Once the pull request has been created, you'll be prompted to sign the CLA (Contributor License Agreement) online.

Not sure where to start? No problem, here are a few suggestions:

  • dovetail-contrib: This repository contains all of the contributions, such as activities, triggers, etc. Perhaps there is something missing? Create a new activity or trigger or fix a bug in an existing activity or trigger.
  • Browse all of the Project Dovetail repositories and look for issues tagged kind/help-wanted or good first issue

If you have any questions, feel free to post an issue and tag it as a question or email [email protected].

For additional details, refer to the “Contribution Guidelines”.

License

The top-level flogo repo, consisting of flow samples and documentation, is licensed under a BSD-style license. Refer to LICENSE for the license text.

Dovetail source code in dovetail-cli, dovetail-contrib and dovetail-java-lib is likewise licensed under a BSD-style license; refer to LICENSE.

dovetail's People

Contributors

dependabot[bot], jcentenotibco, jgrotex, mend-for-github-com[bot], mwenyan, torresashjian, yxuco

dovetail's Issues

WS-2019-0066 (Medium) detected in ecstatic-3.2.0.tgz

WS-2019-0066 - Medium Severity Vulnerability

Vulnerable Library - ecstatic-3.2.0.tgz

A simple static file server middleware that works with both Express and Flatiron

Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.2.0.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/ecstatic/package.json

Dependency Hierarchy:

  • http-server-0.11.1.tgz (Root Library)
    • ecstatic-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Versions of ecstatic prior to 4.1.2 fail to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domain.

Publish Date: 2019-05-02

URL: WS-2019-0066

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/830/versions

Release Date: 2019-05-02

Fix Resolution: 4.1.2

WS-2016-0090 (Medium) detected in jquery-1.8.2-2.6.4.min.js, jquery-2.1.4.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.8.2-2.6.4.min.js, jquery-2.1.4.min.js

jquery-1.8.2-2.6.4.min.js

jQuery validation engine is a Javascript plugin aimed at the validation of form fields in the browser (IE 6-8, Chrome, Firefox, Safari, Opera 10). The plugin provides visually appealing prompts that grab user attention on the subject matter.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jQuery-Validation-Engine/2.6.4/jquery-1.8.2.min.js

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2-2.6.4.min.js (Vulnerable Library)

jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-base64/test-moment/index.html

Path to vulnerable library: /dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-base64/test-moment/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

jQuery before 2.2.0 is vulnerable to Cross-site Scripting (XSS) attacks via a text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

CVE-2018-3721 (Medium) detected in lodash-2.4.2.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/bhttp/node_modules/lodash/package.json

Dependency Hierarchy:

  • broken-link-checker-0.7.8.tgz (Root Library)
    • bhttp-1.2.4.tgz
      • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

The lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

WS-2018-0236 (Medium) detected in mem-1.1.0.tgz

WS-2018-0236 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/mem/package.json

Dependency Hierarchy:

  • htmllint-cli-0.0.7.tgz (Root Library)
    • yargs-11.1.0.tgz
      • os-locale-2.1.0.tgz
        • mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2019-05-30

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0

CLI install setting own GOPATH

Hi,

Looking at the instructions set here: https://tibcosoftware.github.io/dovetail/getting-started/getting-started-cli/ I see you need to set your GOPATH param and add GOPATH/bin to your PATH param. I've done that, but when I try to run the curl install command found on the page, it sets my GOPATH to the current directory I'm in, completely ignoring the variable I had set previously.


Once the install is done, it has also changed the GOPATH variable for the shell I'm currently in.

I'm assuming this is unintended since the instructions ask you to set your GOPATH.

Thanks,
Cris

model vs. models on https://tibcosoftware.github.io/dovetail/labs/iou-smart-app/ - step 1.2

Under https://tibcosoftware.github.io/dovetail/labs/iou-smart-app/ - Step 1.2 the Dovetail Labs docu describes:
1.) create dir structure:

  • /tutorial --> = workspace folder
  • /tutorial/artifacts
  • /tutorial/network
  • /tutorial/network/fabric
  • /tutorial/network/corda

2.) then
2a.) -> copy template project to the workspace,
results:

  • /tutorial --> = workspace folder
  • /tutorial/artifacts
  • /tutorial/network
  • /tutorial/network/fabric
  • /tutorial/network/corda
  • /tutorial/composer-project-template --> = project folder
  • /tutorial/composer-project-template/models
  • /tutorial/composer-project-template/models/dovetail.system.cto
  • /tutorial/composer-project-template/README.txt
  • /tutorial/composer-project-template/package.json

---> Please note the 's' in models
--Question 1-> Could you please confirm the understanding of the "workspace" and "project" -or - answer in --Question 3-> ?

2b.) "...and rename the project as iou..."
which results to:

  • /tutorial --> = workspace folder
  • /tutorial/artifacts
  • /tutorial/network
  • /tutorial/network/fabric
  • /tutorial/network/corda
  • /tutorial/iou/models
  • /tutorial/iou/models/dovetail.system.cto
  • /tutorial/iou/README.txt
  • /tutorial/iou/package.json

2c.) then "under folder iou/model, create a file iou.cto" -> please note model, not models
which (would) result to:

  • /tutorial --> = workspace folder
  • /tutorial/artifacts
  • /tutorial/network
  • /tutorial/network/fabric
  • /tutorial/network/corda
  • /tutorial/iou/models
  • /tutorial/iou/models/dovetail.system.cto
  • /tutorial/iou/model/iou.cto
  • /tutorial/iou/README.txt
  • /tutorial/iou/package.json

--Question 2-> Could you please let the community know if this the expected directory and file structure -or- is there a typo with the models vs. model ?
--Question 3-> Could you please confirm the structure in 2c.) -or- provide an update ?

Thanks.

CVE-2017-1000048 (High) detected in qs-6.2.3.tgz

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/loggly/node_modules/qs/package.json

Dependency Hierarchy:

  • karma-2.0.4.tgz (Root Library)
    • log4js-2.10.0.tgz
      • loggly-1.1.1.tgz
        • request-2.75.0.tgz
          • qs-6.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: ljharb/qs@c709f6e

Release Date: 2017-03-06

Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js

CVE-2012-6708 (Medium) detected in jquery-1.8.2-2.6.4.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.2-2.6.4.min.js

jQuery validation engine is a Javascript plugin aimed at the validation of form fields in the browser (IE 6-8, Chrome, Firefox, Safari, Opera 10). The plugin provides visually appealing prompts that grab user attention on the subject matter.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jQuery-Validation-Engine/2.6.4/jquery-1.8.2.min.js

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2-2.6.4.min.js (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Spec and docs for Dovetail Data types

We need to define the Specification and documentation for available Dovetail Data types.

Also we need to discuss what kind of implementation is derived from this discussion.

CVE-2018-16489 (High) detected in just-extend-1.1.27.tgz

CVE-2018-16489 - High Severity Vulnerability

Vulnerable Library - just-extend-1.1.27.tgz

extend an object

Library home page: https://registry.npmjs.org/just-extend/-/just-extend-1.1.27.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/just-extend/package.json

Dependency Hierarchy:

  • sinon-6.1.2.tgz (Root Library)
    • nise-1.4.2.tgz
      • just-extend-1.1.27.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

A prototype pollution vulnerability was found in just-extend <4.0.0 that allows an attacker to inject properties onto Object.prototype through its functions.

Publish Date: 2019-02-01

URL: CVE-2018-16489

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/430291

Release Date: 2019-02-01

Fix Resolution: 4.0.0

CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/mixin-deep/package.json

Dependency Hierarchy:

  • core-7.0.0-beta.52.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1

CVE-2019-20149 (Medium) detected in multiple libraries

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-3.2.2.tgz, kind-of-5.1.0.tgz

kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/node_modules/has-values/node_modules/kind-of/package.json,/tmp/ws-scm/dovetail/docs-src/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

  • postcss-cli-5.0.1.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • has-value-1.0.0.tgz
                • has-values-1.0.0.tgz
                  • kind-of-4.0.0.tgz (Vulnerable Library)

kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/kind-of/package.json,/tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/kind-of/package.json

Dependency Hierarchy:

  • postcss-cli-5.0.1.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • anymatch-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • kind-of-6.0.2.tgz (Vulnerable Library)

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/node_modules/is-data-descriptor/node_modules/kind-of/package.json,/tmp/ws-scm/dovetail/docs-src/node_modules/is-data-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • karma-coverage-istanbul-reporter-2.0.1.tgz (Root Library)
    • istanbul-api-1.3.1.tgz
      • istanbul-reports-1.3.0.tgz
        • handlebars-4.0.11.tgz
          • uglify-js-2.8.29.tgz
            • yargs-3.10.0.tgz
              • cliui-2.1.0.tgz
                • center-align-0.1.3.tgz
                  • align-text-0.1.4.tgz
                    • kind-of-3.2.2.tgz (Vulnerable Library)

kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/node_modules/is-descriptor/node_modules/kind-of/package.json,/tmp/ws-scm/dovetail/docs-src/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • postcss-cli-5.0.1.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • define-property-0.2.5.tgz
            • is-descriptor-0.1.6.tgz
              • kind-of-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2019-1010266 (Medium) detected in lodash-4.17.10.tgz, lodash-2.4.2.tgz

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-2.4.2.tgz

lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.0.0-beta.52.tgz (Root Library)
    • lodash-4.17.10.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/bhttp/node_modules/lodash/package.json

Dependency Hierarchy:

  • broken-link-checker-0.7.8.tgz (Root Library)
    • bhttp-1.2.4.tgz
      • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

CVE-2015-9251 (Medium) detected in jquery-1.8.2-2.6.4.min.js, jquery-2.1.4.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.8.2-2.6.4.min.js, jquery-2.1.4.min.js

jquery-1.8.2-2.6.4.min.js

jQuery validation engine is a Javascript plugin aimed at the validation of form fields in the browser (IE 6-8, Chrome, Firefox, Safari, Opera 10). The plugin provides visually appealing prompts that grab user attention on the subject matter.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jQuery-Validation-Engine/2.6.4/jquery-1.8.2.min.js

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2-2.6.4.min.js (Vulnerable Library)

jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-base64/test-moment/index.html

Path to vulnerable library: /dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-base64/test-moment/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

WS-2019-0019 (Medium) detected in braces-1.8.5.tgz, braces-0.1.5.tgz

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Libraries - braces-1.8.5.tgz, braces-0.1.5.tgz

braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/qunit/node_modules/braces/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz (Vulnerable Library)

braces-0.1.5.tgz

Fastest brace expansion lib. Typically used with file paths, but can be used with any string. Expands comma-separated values (e.g. `foo/{a,b,c}/bar`) and alphabetical or numerical ranges (e.g. `{1..9}`)

Library home page: https://registry.npmjs.org/braces/-/braces-0.1.5.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/expand-braces/node_modules/braces/package.json

Dependency Hierarchy:

  • karma-2.0.4.tgz (Root Library)
    • expand-braces-0.1.2.tgz
      • braces-0.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Release

IMPORTANT: DELETE THIS PRE-RELEASE BEFORE MAKING THE REPO PUBLIC!!!!

CVE-2018-10899 (High) detected in jolokia-jvm-1.6.0.jar

CVE-2018-10899 - High Severity Vulnerability

Vulnerable Library - jolokia-jvm-1.6.0.jar

JVM-agent

Library home page: http://www.jolokia.org/jolokia-agent-parent/jolokia-jvm/

Path to vulnerable library: _depth_0/dovetail/src/tutorials/iou/corda/corda/build.gradle,_depth_0/dovetail/src/tutorials/iou/corda/corda/build.gradle

Dependency Hierarchy:

  • jolokia-jvm-1.6.0.jar (Vulnerable Library)

Found in HEAD commit: 51a26af8ac205a1fab2a6df60448b350c96e7181

Vulnerability Details

A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.

Publish Date: 2019-08-01

URL: CVE-2018-10899

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10899

Release Date: 2019-08-01

Fix Resolution: 1.6.1

WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/loggly/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • karma-2.0.4.tgz (Root Library)
    • log4js-2.10.0.tgz
      • loggly-1.1.1.tgz
        • request-2.75.0.tgz
          • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2018-04-25

URL: WS-2018-0076

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0

how to make dovetail java lib jars available to public

three options:

  1. add dovetail java lib jars to public maven repo to make it available for download.

  2. add build script to allow users to build jars from source code.

  3. add jars to our release bin folder

CVE-2018-1000620 (High) detected in cryptiles-2.0.5.tgz

CVE-2018-1000620 - High Severity Vulnerability

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • node-sass-4.9.1.tgz (Root Library)
    • node-gyp-3.7.0.tgz
      • request-2.81.0.tgz
        • hawk-3.1.3.tgz
          • cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method. As a result, an attacker is more likely to be able to brute force something that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

Release Date: 2019-04-08

Fix Resolution: 4.1.2

import application json file

Users should be able to import an application json file generated with a different version of the dovetail UI, then fix errors if any.

CVE-2018-3728 (High) detected in hoek-2.16.3.tgz

CVE-2018-3728 - High Severity Vulnerability

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/hoek/package.json

Dependency Hierarchy:

  • node-sass-4.9.1.tgz (Root Library)
    • node-gyp-3.7.0.tgz
      • request-2.81.0.tgz
        • hawk-3.1.3.tgz
          • hoek-2.16.3.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution: 4.2.1,5.0.3

CVE-2018-16487 (High) detected in lodash-4.17.10.tgz, lodash-2.4.2.tgz

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-2.4.2.tgz

lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.0.0-beta.52.tgz (Root Library)
    • lodash-4.17.10.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/bhttp/node_modules/lodash/package.json

Dependency Hierarchy:

  • broken-link-checker-0.7.8.tgz (Root Library)
    • bhttp-1.2.4.tgz
      • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Low prio: run-studio.bat eula-accept on Win 10-Docker Toolbox stops with invalid mode: /usr/src/tmp/localstack

1.) run-studio.bat eula-accept on Windows stops with invalid mode: /usr/src/tmp/localstack

##############################
C:\tmp\dovetail\TIB_dovetail_0.1.2_win_x86_64\dovetail\0.1\bin>run-studio.bat eula-accept

========== Docker version 18.03.0-ce, build 0520e24302 detected
========== Reconstituting Docker image; this will take a few minutes...
cd7100a72410: Loading layer [==================================================>] 4.403MB/4.403MB
38fa3a04ac11: Loading layer
...
and so on Loading layer.....and after last Loading layer
...
[==================================================>] 4.608kB/4.608kB
Loaded image: dovetail-studio:7054-smart-contracts
========== Docker image ready for use
========== Logs go to C:\tmp\dovetail\TIB_dovetail_0.1.2_win_x86_64\dovetail\0.1\bin\..\logs

docker: Error response from daemon: invalid mode: /usr/src/tmp/localstack.
See 'docker run --help'.

C:\tmp\dovetail\TIB_dovetail_0.1.2_win_x86_64\dovetail\0.1\bin>
##############################

2.) Docker image created but not started (different to my Ubuntu version).
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest fce289e99eb9 2 months ago 1.84kB
dovetail-studio 7054-smart-contracts 52f8bbf7dcf4 3 months ago 1.58GB

3.) Try manual start (assumed start command):
MINGW64 /c/tmp/dovetail/TIB_dovetail_0.1.2_win_x86_64/dovetail/0.1/bin
$ docker run --name dovetail-studio -p 8090:8090 dovetail-studio:7054-smart-contracts
Error: The directory named as part of the path /usr/flogo/home/logs/studio.log does not exist
For help, use /usr/bin/supervisord -h

WS-2019-0307 (Medium) detected in mem-1.1.0.tgz

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/mem/package.json

Dependency Hierarchy:

  • htmllint-cli-0.0.7.tgz (Root Library)
    • yargs-11.1.0.tgz
      • os-locale-2.1.0.tgz
        • mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Denial of Service (DoS) vulnerability found in mem before 4.0.0. There is a failure in removal of old values from the cache. As a result, attacker may exhaust the system's memory.

Publish Date: 2019-12-01

URL: WS-2019-0307

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

dovetail-cli installation

Do we ask users to go get the dovetail-cli package and build it themselves, or make the dovetail-cli executable available for download?

CVE-2019-10744 (High) detected in lodash-4.17.10.tgz, lodash-2.4.2.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-2.4.2.tgz

lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.0.0-beta.52.tgz (Root Library)
    • lodash-4.17.10.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/bhttp/node_modules/lodash/package.json

Dependency Hierarchy:

  • broken-link-checker-0.7.8.tgz (Root Library)
    • bhttp-1.2.4.tgz
      • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

CVE-2019-11358 (Medium) detected in jquery-3.3.1.min.js, jquery-2.1.4.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-3.3.1.min.js, jquery-2.1.4.min.js

jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/dovetail/docs/docs/getting-started/installation/index.html

Path to vulnerable library: /dovetail/docs/docs/getting-started/installation/index.html

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-base64/test-moment/index.html

Path to vulnerable library: /dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/js-base64/test-moment/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Architecture diagram

Need to change the current arch diagram in the README.md to reflect what dovetail actually does.

Ensure that apps only implement 1 type of trigger

It is a requirement that apps (Smart Contracts) all implement the same trigger; we need to make sure that this is validated from the UI. If not, in the worst case scenario we should fail fast during building of the archives on the CLI.

Add new Functions in mappings and conditions to Dovetail Studio

We need to add a set of Functions to Dovetail Studio; this includes the following tasks:

  • Implement functions contribution model for flogo oss (Need further discussion here)

  • Implement functions contribution model for dovetail studio (Also need discussion here)

  • Implement functions for golang (flogo-lib) and java (dovetail-java-lib)

WS-2019-0180 (Medium) detected in lodash.mergewith-4.6.1.tgz

WS-2019-0180 - Medium Severity Vulnerability

Vulnerable Library - lodash.mergewith-4.6.1.tgz

The Lodash method `_.mergeWith` exported as a module.

Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/lodash.mergewith/package.json

Dependency Hierarchy:

  • node-sass-4.9.1.tgz (Root Library)
    • lodash.mergewith-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

lodash.mergewith before 4.6.2 is vulnerable to prototype pollution. The function mergeWith() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0180

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1071

Release Date: 2019-08-14

Fix Resolution: 4.6.2

CVE-2019-10103 (High) detected in multiple libraries

CVE-2019-10103 - High Severity Vulnerability

Vulnerable Libraries - kotlin-stdlib-1.2.71.jar, kotlin-reflect-1.2.71.jar, kotlin-stdlib-common-1.2.71.jar

kotlin-stdlib-1.2.71.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.2.71/d9717625bb3c731561251f8dd2c67a1011d6764c/kotlin-stdlib-1.2.71.jar,/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.2.71/d9717625bb3c731561251f8dd2c67a1011d6764c/kotlin-stdlib-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-stdlib-1.2.71.jar (Vulnerable Library)

kotlin-reflect-1.2.71.jar

Kotlin Full Reflection Library

Library home page: https://kotlinlang.org/

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_9cf72faf-c3a5-4ca6-8dde-fd94e19d8487/20191217192438_10965/ws-scm_depth_0/dovetail/tutorials/iou/corda/corda/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.2.71/7512db3b3182753bd2e48ce8d345abbadc40fe6b/kotlin-reflect-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-reflect-1.2.71.jar (Vulnerable Library)

kotlin-stdlib-common-1.2.71.jar

Kotlin Common Standard Library

Library home page: https://kotlinlang.org/

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_9cf72faf-c3a5-4ca6-8dde-fd94e19d8487/20191217192438_10965/ws-scm_depth_0/dovetail/tutorials/iou/corda/corda/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-common/1.2.71/ba18ca1aa0e40eb6f1865b324af2f4cbb691c1ec/kotlin-stdlib-common-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-stdlib-1.2.71.jar
      • kotlin-stdlib-common-1.2.71.jar (Vulnerable Library)

Found in HEAD commit: 31bb8320e5d443a1a63fa22aba3ad79a44782d9d

Vulnerability Details

JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.

Publish Date: 2019-07-03

URL: CVE-2019-10103

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10103

Release Date: 2019-07-03

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30

CVE-2020-8116 (Medium) detected in dot-prop-4.2.0.tgz

CVE-2020-8116 - Medium Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-selector-parser-3.1.1.tgz
      • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

CVE-2019-10101 (High) detected in multiple libraries

CVE-2019-10101 - High Severity Vulnerability

Vulnerable Libraries - kotlin-stdlib-1.2.71.jar, kotlin-reflect-1.2.71.jar, kotlin-stdlib-common-1.2.71.jar

kotlin-stdlib-1.2.71.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.2.71/d9717625bb3c731561251f8dd2c67a1011d6764c/kotlin-stdlib-1.2.71.jar,/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.2.71/d9717625bb3c731561251f8dd2c67a1011d6764c/kotlin-stdlib-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-stdlib-1.2.71.jar (Vulnerable Library)

kotlin-reflect-1.2.71.jar

Kotlin Full Reflection Library

Library home page: https://kotlinlang.org/

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_9cf72faf-c3a5-4ca6-8dde-fd94e19d8487/20191217192438_10965/ws-scm_depth_0/dovetail/tutorials/iou/corda/corda/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.2.71/7512db3b3182753bd2e48ce8d345abbadc40fe6b/kotlin-reflect-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-reflect-1.2.71.jar (Vulnerable Library)

kotlin-stdlib-common-1.2.71.jar

Kotlin Common Standard Library

Library home page: https://kotlinlang.org/

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_9cf72faf-c3a5-4ca6-8dde-fd94e19d8487/20191217192438_10965/ws-scm_depth_0/dovetail/tutorials/iou/corda/corda/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-common/1.2.71/ba18ca1aa0e40eb6f1865b324af2f4cbb691c1ec/kotlin-stdlib-common-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-stdlib-1.2.71.jar
      • kotlin-stdlib-common-1.2.71.jar (Vulnerable Library)

Found in HEAD commit: 31bb8320e5d443a1a63fa22aba3ad79a44782d9d

Vulnerability Details

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

Publish Date: 2019-07-03

URL: CVE-2019-10101

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10101

Release Date: 2019-07-03

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30

CVE-2018-10237 (Medium) detected in guava-20.0.jar

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-20.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

Library home page: https://github.com/google/guava/

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_9cf72faf-c3a5-4ca6-8dde-fd94e19d8487/20191217192438_10965/ws-scm_depth_0/dovetail/tutorials/iou/corda/corda/build.gradle

Path to vulnerable library: /tmp/ws-ua/WhiteSource_Download_Resources_8de4cddb-c336-423f-a568-24de28151cdd/20191217192811/guava-20.0.jar,/tmp/ws-ua/WhiteSource_Download_Resources_8de4cddb-c336-423f-a568-24de28151cdd/20191217192811/guava-20.0.jar

Dependency Hierarchy:

  • quasar-core-0.7.10.jar (Root Library)
    • guava-20.0.jar (Vulnerable Library)

Found in HEAD commit: 31bb8320e5d443a1a63fa22aba3ad79a44782d9d

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1-jre, 24.1.1-android

CVE-2019-10742 (High) detected in axios-0.16.2.tgz, axios-0.15.3.tgz

CVE-2019-10742 - High Severity Vulnerability

Vulnerable Libraries - axios-0.16.2.tgz, axios-0.15.3.tgz

axios-0.16.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.16.2.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/axios/package.json

Dependency Hierarchy:

  • bundlesize-0.15.3.tgz (Root Library)
    • axios-0.16.2.tgz (Vulnerable Library)

axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/log4js/node_modules/axios/package.json

Dependency Hierarchy:

  • bundlesize-0.15.3.tgz (Root Library)
    • github-build-1.2.0.tgz
      • axios-0.15.3.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: axios/axios#1098

Release Date: 2019-05-31

Fix Resolution: 0.19.0

CVE-2018-20834 (High) detected in tar-4.4.1.tgz, tar-2.2.1.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Libraries - tar-4.4.1.tgz, tar-2.2.1.tgz

tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Dependency Hierarchy:

  • cli-7.0.0-beta.52.tgz (Root Library)
    • chokidar-2.0.4.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • tar-4.4.1.tgz (Vulnerable Library)

tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/dovetail/docs-src/themes/tibcolabs/assets/vendor/bootstrap/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.9.1.tgz (Root Library)
    • node-gyp-3.7.0.tgz
      • tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 7855a4e99c7e10458d2d5f4e9b408f4c8f37d583

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/344595

Release Date: 2019-04-30

Fix Resolution: v4.4.2

CVE-2019-10102 (High) detected in multiple libraries

CVE-2019-10102 - High Severity Vulnerability

Vulnerable Libraries - kotlin-stdlib-1.2.71.jar, kotlin-reflect-1.2.71.jar, kotlin-stdlib-common-1.2.71.jar

kotlin-stdlib-1.2.71.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.2.71/d9717625bb3c731561251f8dd2c67a1011d6764c/kotlin-stdlib-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-stdlib-1.2.71.jar (Vulnerable Library)

kotlin-reflect-1.2.71.jar

Kotlin Full Reflection Library

Library home page: https://kotlinlang.org/

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_9cf72faf-c3a5-4ca6-8dde-fd94e19d8487/20191217192438_10965/ws-scm_depth_0/dovetail/tutorials/iou/corda/corda/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.2.71/7512db3b3182753bd2e48ce8d345abbadc40fe6b/kotlin-reflect-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-reflect-1.2.71.jar (Vulnerable Library)

kotlin-stdlib-common-1.2.71.jar

Kotlin Common Standard Library

Library home page: https://kotlinlang.org/

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_9cf72faf-c3a5-4ca6-8dde-fd94e19d8487/20191217192438_10965/ws-scm_depth_0/dovetail/tutorials/iou/corda/corda/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-common/1.2.71/ba18ca1aa0e40eb6f1865b324af2f4cbb691c1ec/kotlin-stdlib-common-1.2.71.jar

Dependency Hierarchy:

  • kotlin-compiler-embeddable-1.2.71.jar (Root Library)
    • kotlin-stdlib-1.2.71.jar
      • kotlin-stdlib-common-1.2.71.jar (Vulnerable Library)

Found in HEAD commit: 31bb8320e5d443a1a63fa22aba3ad79a44782d9d

Vulnerability Details

JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.

Publish Date: 2019-07-03

URL: CVE-2019-10102

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10102

Release Date: 2019-07-03

Fix Resolution: io.ktor:ktor:1.1.0,org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30
