From 5c088a658edeff3401d5e4fd58e3cc25f400629b Mon Sep 17 00:00:00 2001
From: njouud <156097454+njouud@users.noreply.github.com>
Date: Wed, 30 Oct 2024 17:56:03 +0300
Subject: [PATCH 1/7] adding snyk.yaml file

---
 .github/workflows/snyk.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/snyk.yaml

diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 0000000000..6ef6e5aa77
--- /dev/null
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,28 @@
+name: Snyk Security Scan
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v2
+ with:
+ node-version: '16'
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: test --severity-threshold=high

From 65ac41214fe3d264b64e95b7b0bb341e0a4dff07 Mon Sep 17 00:00:00 2001
From: njouud <156097454+njouud@users.noreply.github.com>
Date: Wed, 30 Oct 2024 18:09:11 +0300
Subject: [PATCH 2/7] rewriting snyk.yaml

---
 .github/workflows/snyk.yaml | 39 +++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index 6ef6e5aa77..9a08cd4deb 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -1,28 +1,37 @@ -name: Snyk Security Scan +name: Snyk Test on: pull_request: branches: - - main - push: - branches: - - main + - f24 + workflow_call: # Usually called from deploy + +defaults: + run: + shell: bash + +permissions: + checks: write # for coverallsapp/github-action to create new checks + contents: read # for actions/checkout to fetch code jobs: snyk: runs-on: ubuntu-latest + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Ensure your token is added as a secret in GitHub + steps: - - name: Checkout code - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - - name: Set up Node.js - uses: actions/setup-node@v2 + - name: Install Node + uses: actions/setup-node@v4 with: - node-version: '16' + node-version: 20 - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/node@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: NPM Install + uses: bahmutov/npm-install@v1 with: - args: test --severity-threshold=high + useLockFile: false + + - name: Run Snyk Test + run: npx snyk test From 7ba89044a11971ea893860daf1764dbd8f523e9a Mon Sep 17 00:00:00 2001 From: njouud <156097454+njouud@users.noreply.github.com> Date: Wed, 30 Oct 2024 18:13:22 +0300 Subject: [PATCH 3/7] adding snyk to package.json --- .github/workflows/snyk.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 9a08cd4deb..85c68d4bc4 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -35,3 +35,4 @@ jobs: - name: Run Snyk Test run: npx snyk test + \ No newline at end of file From eec0252f5a8b7af31b0a47dddf927764595443c0 Mon Sep 17 00:00:00 2001 From: njouud <156097454+njouud@users.noreply.github.com> Date: Wed, 30 Oct 2024 20:24:30 +0300 Subject: [PATCH 4/7] removing package.json from gitignore --- .gitignore | 2 +- package.json | 199 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 200 insertions(+), 1 deletion(-) create mode 100644 package.json 
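Review bot: `SNYK_TOKEN` is declared as job-level `env`, so it is injected into every step, including the third-party `bahmutov/npm-install@v1` step and checkout, which have no use for it; move it onto the `Run Snyk Test` step (`env:` / `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` under that step) and drop the job-level block. The `permissions` block grants `checks: write` with a comment about coverallsapp, but no step in this workflow creates checks, so `contents: read` alone is sufficient here. The new `workflow_call:` trigger means a caller must forward the secret (`secrets: inherit` or a `secrets:` declaration under `workflow_call`), and `pull_request` runs from forked repositories do not receive repository secrets, so `npx snyk test` will run unauthenticated and fail in those cases. `useLockFile: false` installs whatever resolves at run time, so the scanned tree is not a pinned one; the `.gitignore` hunk later in this series shows `package-lock.json` is ignored, which is presumably why.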
diff --git a/.gitignore b/.gitignore index 9232511851..7d30e78879 100644 --- a/.gitignore +++ b/.gitignore @@ -68,7 +68,7 @@ coverage test/files/normalise.jpg.png test/files/normalise-resized.jpg package-lock.json -/package.json +#/package.json *.mongodb link-plugins.sh test.sh diff --git a/package.json b/package.json new file mode 100644 index 0000000000..52bf647d27 --- /dev/null +++ b/package.json 
@@ -0,0 +1,199 @@
+{
+ "name": "nodebb",
+ "license": "GPL-3.0",
+ "description": "NodeBB Forum",
+ "version": "3.8.4",
+ "homepage": "https://www.nodebb.org",
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/NodeBB/NodeBB/"
+ },
+ "main": "app.js",
+ "scripts": {
+ "start": "node loader.js",
+ "lint": "eslint --cache ./nodebb .",
+ "test": "nyc --reporter=html --reporter=text-summary mocha",
+ "coverage": "nyc report --reporter=text-lcov > ./coverage/lcov.info",
+ "coveralls": "nyc report --reporter=text-lcov | coveralls && rm -r coverage"
+ },
+ "nyc": {
+ "exclude": [
+ "src/upgrades/*",
+ "test/*"
+ ]
+ },
+ "lint-staged": {
+ "*.js": [
+ "eslint --fix"
+ ]
+ },
+ "dependencies": {
+ "@adactive/bootstrap-tagsinput": "0.8.2",
+ "@fontsource/inter": "5.0.18",
+ "@fontsource/poppins": "5.0.14",
+ "@fortawesome/fontawesome-free": "6.5.2",
+ "@isaacs/ttlcache": "1.4.1",
+ "@nodebb/spider-detector": "2.0.3",
+ "@popperjs/core": "2.11.8",
+ "@socket.io/redis-adapter": "8.3.0",
+ "ace-builds": "1.33.2",
+ "archiver": "7.0.1",
+ "async": "3.2.5",
+ "autoprefixer": "10.4.19",
+ "bcryptjs": "2.4.3",
+ "benchpressjs": "2.5.1",
+ "body-parser": "^1.20.3",
+ "bootbox": "6.0.0",
+ "bootstrap": "5.3.3",
+ "bootswatch": "5.3.3",
+ "chalk": "4.1.2",
+ "chart.js": "4.4.2",
+ "cli-graph": "3.2.2",
+ "clipboard": "2.0.11",
+ "colors": "1.4.0",
+ "commander": "12.0.0",
+ "compare-versions": "6.1.0",
+ "compression": "1.7.4",
+ "connect-flash": "0.1.1",
+ "connect-mongo": "5.1.0",
+ "connect-multiparty": "2.2.0",
+ "connect-pg-simple": "9.0.1",
+ "connect-redis": "7.1.1",
+ "cookie-parser": "^1.4.7",
+ "cron": "3.1.7",
+ "cropperjs": "1.6.2",
+ "csrf-sync": "4.0.3",
+ "daemon": "1.1.0",
+ "diff": "5.2.0",
+ "esbuild": "0.21.2",
+ "express": "^4.21.1",
+ "express-session": "^1.18.1",
+ "express-useragent": "1.0.15",
+ "fetch-cookie": "3.0.1",
+ "file-loader": "6.2.0",
+ "fs-extra": "11.2.0",
+ "graceful-fs": "4.2.11",
+ "helmet": "7.1.0",
+ "html-to-text": "9.0.5",
+ "imagesloaded": "5.0.0",
+ "ioredis": "5.4.1",
+ "ipaddr.js": "2.2.0",
+ "jquery": "3.7.1",
+ "jquery-deserialize": "2.0.0",
+ "jquery-form": "4.3.0",
+ "jquery-serializeobject": "1.0.0",
+ "jquery-ui": "1.13.3",
+ "jsesc": "3.0.2",
+ "json2csv": "5.0.7",
+ "jsonwebtoken": "9.0.2",
+ "lodash": "4.17.21",
+ "logrotate-stream": "0.2.9",
+ "lru-cache": "10.2.2",
+ "mime": "3.0.0",
+ "mkdirp": "3.0.1",
+ "mongodb": "6.6.1",
+ "morgan": "1.10.0",
+ "mousetrap": "1.6.5",
+ "multiparty": "4.2.3",
+ "nconf": "0.12.1",
+ "nodebb-plugin-2factor": "7.5.3",
+ "nodebb-plugin-composer-default": "10.2.36",
+ "nodebb-plugin-dbsearch": "6.2.5",
+ "nodebb-plugin-emoji": "5.1.15",
+ "nodebb-plugin-emoji-android": "4.0.0",
+ "nodebb-plugin-markdown": "12.2.6",
+ "nodebb-plugin-mentions": "4.4.3",
+ "nodebb-plugin-ntfy": "1.7.4",
+ "nodebb-plugin-spam-be-gone": "2.2.2",
+ "nodebb-rewards-essentials": "1.0.0",
+ "nodebb-theme-harmony": "1.2.63",
+ "nodebb-theme-lavender": "7.1.8",
+ "nodebb-theme-peace": "2.2.6",
+ "nodebb-theme-persona": "13.3.25",
+ "nodebb-widget-essentials": "7.0.18",
+ "nodemailer": "6.9.13",
+ "nprogress": "0.2.0",
+ "passport": "0.7.0",
+ "passport-http-bearer": "1.0.1",
+ "passport-local": "1.0.0",
+ "pg": "8.11.5",
+ "pg-cursor": "2.10.5",
+ "postcss": "8.4.38",
+ "postcss-clean": "1.2.0",
+ "progress-webpack-plugin": "1.0.16",
+ "prompt": "1.3.0",
+ "rimraf": "5.0.7",
+ "rss": "1.2.2",
+ "rtlcss": "4.1.1",
+ "sanitize-html": "2.13.0",
+ "sass": "1.77.1",
+ "semver": "7.6.2",
+ "serve-favicon": "2.5.0",
+ "sharp": "0.32.6",
+ "sitemap": "7.1.1",
+ "socket.io": "4.7.5",
+ "socket.io-client": "4.7.5",
+ "sortablejs": "1.15.2",
+ "spdx-license-list": "6.9.0",
+ "terser-webpack-plugin": "5.3.10",
+ "textcomplete": "0.18.2",
+ "textcomplete.contenteditable": "0.1.1",
+ "timeago": "1.6.7",
+ "tinycon": "0.6.8",
+ "toobusy-js": "0.5.1",
+ "tough-cookie": "4.1.4",
+ "validator": "13.12.0",
+ "webpack": "^5.94.0",
+ "webpack-merge": "5.10.0",
+ "winston": "3.13.0",
+ "workerpool": "9.1.1",
+ "xml": "1.0.1",
+ "xregexp": "5.1.1",
+ "yargs": "17.7.2",
+ "zxcvbn": "4.4.2"
+ },
+ "devDependencies": {
+ "@apidevtools/swagger-parser": "10.1.0",
+ "@commitlint/cli": "19.3.0",
+ "@commitlint/config-angular": "19.3.0",
+ "coveralls": "3.1.1",
+ "eslint": "8.57.0",
+ "eslint-config-nodebb": "0.2.1",
+ "eslint-plugin-import": "2.29.1",
+ "grunt": "1.6.1",
+ "grunt-contrib-watch": "1.1.0",
+ "husky": "8.0.3",
+ "jsdom": "24.0.0",
+ "lint-staged": "15.2.2",
+ "mocha": "10.4.0",
+ "mocha-lcov-reporter": "1.3.0",
+ "mockdate": "3.0.5",
+ "nyc": "15.1.0",
+ "smtp-server": "3.13.4",
+ "snyk": "^1.1294.0"
+ },
+ "optionalDependencies": {
+ "sass-embedded": "1.77.1"
+ },
+ "resolutions": {
+ "*/jquery": "3.7.1"
+ },
+ "bugs": {
+ "url": "https://github.com/NodeBB/NodeBB/issues"
+ },
+ "engines": {
+ "node": ">=18"
+ },
+ "maintainers": [
+ {
+ "name": "Julian Lam",
+ "email": "julian@nodebb.org",
+ "url": "https://github.com/julianlam"
+ },
+ {
+ "name": "Barış Soner Uşaklı",
+ "email": "baris@nodebb.org",
+ "url": "https://github.com/barisusakli"
+ }
+ ]
+}

From def7459cbbc2af3ff33f47aff9940513538b627b Mon Sep 17 00:00:00 2001
From: njouud <156097454+njouud@users.noreply.github.com>
Date: Wed, 30 Oct 2024 20:31:19 +0300
Subject: [PATCH 5/7] adding .snyk file to ignore dependencies with no updates

---
 .snyk | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .snyk

diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000000..1c9f856cd1
--- /dev/null
+++ b/.snyk
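Review bot: Six entries (`body-parser`, `cookie-parser`, `express`, `express-session`, `webpack` and the `snyk` devDependency) use caret ranges while every other dependency is pinned exactly, and with `package-lock.json` ignored (the `.gitignore` hunk in PATCH 4) and `useLockFile: false` in the workflow, Snyk resolves these at install time rather than scanning a fixed tree, so a result can change between runs with no commit in between. Pin them like the rest or commit a lockfile so a scan is reproducible. This file also looks like a copy of `install/package.json` (the one PATCH 6 edits), so the two manifests can drift; if the root copy exists only so `npx snyk test` has a manifest to read, say so in the commit message, or point the command at the canonical file with `--file=install/package.json`.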
@@ -0,0 +1,42 @@ +version: v1.1293.1 + +ignore: + "SNYK-JS-BOOTBOX-174704": + - "*": # ignore for all paths + reason: "No patch or upgrade available for bootbox@6.0.0" + expires: "2025-12-31" + + "SNYK-JS-COOKIE-8163060": + - "*": + reason: "No immediate fix available for socket.io dependency" + expires: "2025-12-31" + + "SNYK-JS-INFLIGHT-6095116": + - "*": + reason: "No direct patch available for inflight@1.0.6" + expires: "2025-12-31" + + "SNYK-JS-JQUERYFORM-574783": + - "*": + reason: "No upgrade available for jquery-form@4.3.0" + expires: "2025-12-31" + + "SNYK-JS-MARKDOWNIT-6483324": + - "*": + reason: "No upgrade available" + expires: "2025-12-31" + + "SNYK-JS-REQUEST-3361831": + - "*": + reason: "No upgrade available" + expires: "2025-12-31" + + "SNYK-JS-TOUGHCOOKIE-5672873": + - "*": + reason: "No upgrade available" + expires: "2025-12-31" + + "SNYK-JS-ZXCVBN-3257741": + - "*": + reason: "No upgrade path for zxcvbn@4.4.2" + expires: "2025-12-31" From a79a57c05849c24cded6feda7a5bd7d503da27b6 Mon Sep 17 00:00:00 2001 From: njouud <156097454+njouud@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:07:25 +0300 Subject: [PATCH 6/7] re-adding package.json to gitignore and adding snyk to install/package.json --- .gitignore | 2 +- install/package.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 7d30e78879..9232511851 100644 --- a/.gitignore +++ b/.gitignore @@ -68,7 +68,7 @@ coverage test/files/normalise.jpg.png test/files/normalise-resized.jpg package-lock.json -#/package.json +/package.json *.mongodb link-plugins.sh test.sh diff --git a/install/package.json b/install/package.json index cb5eb4e4ea..2af192a0e2 100644 --- a/install/package.json +++ b/install/package.json @@ -169,7 +169,8 @@ "mocha-lcov-reporter": "1.3.0", "mockdate": "3.0.5", "nyc": "15.1.0", - "smtp-server": "3.13.4" + "smtp-server": "3.13.4", + "snyk": "^1.1294.0" }, "optionalDependencies": { "sass-embedded": "1.77.1" 
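Review bot: Every ignore in this policy uses the wildcard path `"*"`, which suppresses the issue on all current and future dependency paths, and all eight share the same `expires: "2025-12-31"`, more than a year out, so a fix released in the meantime is not picked up until then. Narrow each entry to the dependency chain Snyk reports for it and use shorter expiries so the ignores are re-evaluated; the three whose `reason` is only `"No upgrade available"` (`SNYK-JS-MARKDOWNIT-6483324`, `SNYK-JS-REQUEST-3361831`, `SNYK-JS-TOUGHCOOKIE-5672873`) should also name the affected package and why it cannot move, as the other entries do. `version: v1.1293.1` looks like a CLI version rather than a policy-schema version; I cannot confirm from here what the policy file expects, so compare it with the `version` line Snyk itself writes when it generates a `.snyk` file.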
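Review bot: Re-adding `/package.json` to `.gitignore` does not untrack the root `package.json` that PATCH 4 committed; this commit's diffstat touches only `.gitignore` and `install/package.json`, so that file stays in the repository and the ignore rule has no effect on it. If the intent is to restore the previous layout, add `git rm --cached package.json` to this commit; otherwise the two manifests will diverge (this commit adds `snyk` to `install/package.json` only, while the root copy already carries it from PATCH 4). The `.gitignore` list continues outside this hunk.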
From a9730b380e14b8b6229b5ca427fb90b22961363f Mon Sep 17 00:00:00 2001 From: njouud <156097454+njouud@users.noreply.github.com> Date: Thu, 31 Oct 2024 21:05:34 +0300 Subject: [PATCH 7/7] adding high vulnerabilty threshold to snyk.yaml --- .github/workflows/snyk.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 85c68d4bc4..98305278f9 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -34,5 +34,4 @@ jobs: useLockFile: false - name: Run Snyk Test - run: npx snyk test - \ No newline at end of file + run: npx snyk test --severity-threshold=high
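Review bot: `--severity-threshold=high` removes medium and low findings from the report itself, not only from the pass/fail decision, so they are never surfaced anywhere in CI. If the aim is only to avoid blocking merges on them, a second run without the threshold under `continue-on-error: true`, or a `snyk monitor` step, keeps them visible while this step stays the gate. The step still inherits the job-level `SNYK_TOKEN` env from PATCH 2; the enclosing `steps` list and `jobs` block start outside this hunk.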