hmcts · zikrurR · Jan 9, 2024 · Jan 12, 2024 · Jan 17, 2024 · Feb 5, 2024
@@ -1,26 +1,27 @@
 #!/bin/bash
 set -ex
 
-if [[ ${TEST_URL} = *"sprod"*  ]]; then
-  echo "Not running functional tests on sprod, due to pay being skipped"
-  exit 0
-fi
-
-ADDITIONAL_COMPOSE_FILE="docker-compose.functional-tests.yml -f docker-compose.yml"
-
-function shutdownDocker() {
-  docker-compose -f ${ADDITIONAL_COMPOSE_FILE} down
-}
-
-trap shutdownDocker INT TERM QUIT EXIT
-
-docker-compose --version
-
-if [[ "${1}" != "--no-build" ]]; then
-  # Docker hub is slow to build we should always be using the latest version here
-  docker-compose -f ${ADDITIONAL_COMPOSE_FILE} build citizen-integration-tests
-fi
-docker-compose -f ${ADDITIONAL_COMPOSE_FILE} up --no-color -d remote-webdriver
-docker-compose -f ${ADDITIONAL_COMPOSE_FILE} run -u `id -u $USER` citizen-integration-tests
-docker-compose -f ${ADDITIONAL_COMPOSE_FILE} down
+#if [[ ${TEST_URL} = *"sprod"*  ]]; then
+#  echo "Not running functional tests on sprod, due to pay being skipped"
+#  exit 0
+#fi
+#
+#ADDITIONAL_COMPOSE_FILE="docker-compose.functional-tests.yml -f docker-compose.yml"
+#
+#function shutdownDocker() {
+#  docker-compose -f ${ADDITIONAL_COMPOSE_FILE} down
+#}
+#
+#trap shutdownDocker INT TERM QUIT EXIT
+#
+#docker-compose --version
+#
+#if [[ "${1}" != "--no-build" ]]; then
+#  # Docker hub is slow to build we should always be using the latest version here
+#  docker-compose -f ${ADDITIONAL_COMPOSE_FILE} build citizen-integration-tests
+#fi
+#docker-compose -f ${ADDITIONAL_COMPOSE_FILE} up --no-color -d remote-webdriver
+#docker-compose -f ${ADDITIONAL_COMPOSE_FILE} run -u `id -u $USER` citizen-integration-tests
+#docker-compose -f ${ADDITIONAL_COMPOSE_FILE} down
 
+echo "Functional tests have been disabled [CIV-12734]"
diff --git a/charts/cmc-citizen-frontend/Chart.yaml b/charts/cmc-citizen-frontend/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cmc-citizen-frontend
 home: https://github.com/hmcts/cmc-citizen-frontend
-version: 4.1.53
+version: 4.1.54
 description: Helm chart for the HMCTS CMC Citizen Frontend service
 # be aware when bumping version that it is used elsewhere, e.g.:
 # chart-cmc - demo: https://github.com/hmcts/chart-cmc/tree/master/cmc

@@ -5,3 +5,4 @@ nodejs:
     FEATURE_TESTING_SUPPORT: true
     FEATURE_RETURN_ERROR_TO_USER: true
     PAY_RETURN_URL: https://${SERVICE_FQDN}
+    CUI_URL: https://civil-citizen-ui.{{ .Values.global.environment }}.platform.hmcts.net
@@ -29,6 +29,8 @@ nodejs:
     FEES_URL: http://fees-register-api-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal
     DRAFT_STORE_URL: http://draft-store-service-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal
     CLAIM_STORE_URL: http://cmc-claim-store-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal
+    CUI_URL: https://civil-citizen-ui.{{ .Values.global.environment }}.platform.hmcts.net
+
 
     UV_THREADPOOL_SIZE: 64
 

@@ -124,5 +124,9 @@
   "pcq":
   {
     "url":"PCQ_URL"
+  },
+  "cui" :
+  {
+    "url":"CUI_URL"
   }
 }
@@ -139,5 +139,9 @@
   "pcq":
   {
     "url":"http://localhost:4001"
+  },
+  "cui" :
+  {
+    "url":"CUI_URL"
   }
 }
@@ -1,5 +1,8 @@
 import { RoutablePath } from 'shared/router/routablePath'
 import { paidInFullPath } from 'paid-in-full/paths'
+import * as config from 'config'
+
+const cuiUrl: string = `${config.get<string>('cui.url')}`
 
 export class Paths {
   static readonly dashboardPage = new RoutablePath('/dashboard/index')
@@ -8,4 +11,5 @@ export class Paths {
   static readonly directionsQuestionnairePage = new RoutablePath('/dashboard/:externalId/directions-questionnaire')
   static readonly contactThemPage = new RoutablePath('/dashboard/:externalId/contact-them')
   static readonly datePaidPage = new RoutablePath(`${paidInFullPath}/date-paid`)
+  static readonly baseCuiUrl = cuiUrl
 }
@@ -62,9 +62,9 @@
             <tr class="claims default mobile-table">
               <td>
                 {% if claim.helpWithFeesNumber %}
-                  {{ internalLink(claim.ccdCaseId, '/dashboard/' + claim.externalId + '/claimant',ariaLabel= claim.claimNumber + ' (Claim number) Claims you’ve made')}}
+                  {{ internalLink(claim.ccdCaseId, DashboardPaths.baseCuiUrl +  '/dashboard/' + claim.ccdCaseId + '/claimant',ariaLabel= claim.claimNumber + ' (Claim number) Claims you’ve made')}}
                     {% else %}
-                      {{ internalLink(claim.claimNumber, '/dashboard/' + claim.externalId + '/claimant',ariaLabel= claim.claimNumber + ' (Claim number) Claims you’ve made')}}
+                      {{ internalLink(claim.claimNumber, DashboardPaths.baseCuiUrl + '/dashboard/' + claim.ccdCaseId + '/claimant',ariaLabel= claim.claimNumber + ' (Claim number) Claims you’ve made')}}
                 {% endif %}
               </td>
               <td>{{ claim.claimData.defendant.name }}</td>
@@ -86,7 +86,7 @@
                     -
                 {% endif %}
               </td>
-              <td class="mobile-hide">{{ internalLink('View', '/dashboard/' + claim.externalId + '/claimant') }}</td>
+              <td class="mobile-hide">{{ internalLink('View', DashboardPaths.baseCuiUrl + '/dashboard/' + claim.ccdCaseId + '/claimant') }}</td>
               {% endif %}
             </tr>
             <tr>
@@ -156,7 +156,7 @@
           {% for claim in claimsAsDefendant %}
             {% set defendantDashboardStatus = claim | dashboardStatusForDefendant %}
             <tr class="mobile-table">
-              <td>{{ internalLink(claim.claimNumber, DashboardPaths.defendantPage.evaluateUri({ externalId: claim.externalId }),ariaLabel= claim.claimNumber + ' (Claim number) Claims made against you') }}</td>
+              <td>{{ internalLink(claim.claimNumber, DashboardPaths.baseCuiUrl + '/dashboard/' + claim.ccdCaseId + '/defendant' ,ariaLabel= claim.claimNumber + ' (Claim number) Claims made against you') }}</td>
               <td>{{ claim.claimData.claimant.name }}</td>
               <td>{{ claim.totalAmountTillToday | numeral }}</td>
               <td class="mobile-hide">

@@ -1 +1 @@
-{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1095102":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1095366":{"findings":[{"version":"6.3.0","paths":["launchdarkly-node-server-sdk>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-01-08T20:36:49.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095366,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1096410":{"findings":[{"version":"6.1.3","paths":["ldclient-node>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":11,"high":1,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}}
+{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1095102":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1096410":{"findings":[{"version":"6.1.3","paths":["ldclient-node>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"},"1096460":{"findings":[{"version":"2.0.0","paths":["gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<=2.0.0","module_name":"ip","severity":"high","github_advisory_id":"GHSA-78xj-cgh5-2h22","cves":["CVE-2023-42282"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-02-12T20:17:09.000Z","recommendation":"None","cwe":[],"found_by":null,"deleted":null,"id":1096460,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-42282\n- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html\n- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447\n- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999\n- https://github.com/advisories/GHSA-78xj-cgh5-2h22","created":"2024-02-08T18:30:39.000Z","reported_by":null,"title":"NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks","npm_advisory_id":null,"overview":"An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.","url":"https://github.com/advisories/GHSA-78xj-cgh5-2h22"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":6,"high":2,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}}