hmcts · Andrew-McMahon7 · Feb 5, 2024 · Feb 6, 2024 · Feb 6, 2024 · Feb 6, 2024
@@ -1,6 +1,11 @@
 #!/bin/bash
 set -ex
 
+pip3 install --upgrade requests
+pip3 install docker==6.1.3
+
+# trigger a rebuild including static checks
+
 ADDITIONAL_COMPOSE_FILE="docker-compose.smoke-tests.yml -f docker-compose.yml"
 
 function shutdownDocker() {

@@ -83,26 +83,58 @@ cmc-claim-store:
       cmc:
         resourceGroup: cmc
         secrets:
-          - AppInsightsInstrumentationKey
-          - citizen-oauth-client-secret
-          - claim-store-s2s-secret
-          - anonymous-caseworker-username
-          - anonymous-caseworker-password
-          - system-update-username
-          - system-update-password
-          - notify-api-key
-          - milo-recipient
-          - staff-email
-          - live-support-email
-          - rpa-email-sealed-claim
-          - rpa-email-more-time-requested
-          - rpa-email-response
-          - rpa-email-ccj
-          - rpa-email-paid-in-full
-          - launchDarkly-sdk-key
-          - sendgrid-api-key
-          - staff-email-legal-rep
-          - rpa-email-breathing-space
+          - name: claim-store-db-password
+            alias: CLAIM_STORE_DB_PASSWORD
+          - name: AppInsightsInstrumentationKey
+            alias: azure.application-insights.instrumentation-key
+          - name: cmc-db-password-v15
+            alias: CMC_DB_PASSWORD
+          - name: cmc-db-username-v15
+            alias: CMC_DB_USERNAME
+          - name: cmc-db-host-v15
+            alias: CMC_DB_HOST
+          - name: citizen-oauth-client-secret
+            alias: oauth2.client.secret
+          - name: claim-store-s2s-secret
+            alias: idam.s2s-auth.totp_secret
+          - name: anonymous-caseworker-username
+            alias: idam.caseworker.anonymous.username
+          - name: anonymous-caseworker-password
+            alias: idam.caseworker.anonymous.password
+          - name: system-update-username
+            alias: idam.caseworker.system.username
+          - name: system-update-password
+            alias: idam.caseworker.system.password
+          - name: notify-api-key
+            alias: GOV_NOTIFY_API_KEY
+          - name: milo-recipient
+            alias: MILO_CSV_RECIPIENT
+          - name: staff-email
+            alias: staff-notifications.recipient
+          - name: live-support-email
+            alias: live-support.recipient
+          - name: rpa-email-sealed-claim
+            alias: rpa.notifications.sealedClaimRecipient
+          - name: rpa-email-breathing-space
+            alias: rpa.notifications.breathingSpaceRecipient
+          - name: rpa-email-legal-sealed-claim
+            alias: rpa.notifications.legalSealedClaimRecipient
+          - name: rpa-email-more-time-requested
+            alias: rpa.notifications.moreTimeRequestedRecipient
+          - name: rpa-email-response
+            alias: rpa.notifications.responseRecipient
+          - name: rpa-email-ccj
+            alias: rpa.notifications.countyCourtJudgementRecipient
+          - name: rpa-email-paid-in-full
+            alias: rpa.notifications.paidInFullRecipient
+          - name: launchDarkly-sdk-key
+            alias: LAUNCH_DARKLY_SDK_KEY
+          - name: sendgrid-api-key
+            alias: SENDGRID_API_KEY
+          - name: staff-email-legal-rep
+            alias: staff-notifications.legalRecipient
+          - name: appinsights-connection-string
+            alias: appinsights-connection-string
     environment:
       LOG_LEVEL: DEBUG
       DOC_ASSEMBLY_URL: http://dg-docassembly-aat.service.core-compute-aat.internal
@@ -270,4 +302,4 @@ ccd:
   logstash:
     image:
     tag: ccd-cmc-logstash-latest
-    
+
diff --git a/package.json b/package.json
@@ -86,7 +86,6 @@
     "jquery": "3.6.0",
     "js-base64": "^2.5.1",
     "launchdarkly-node-server-sdk": "^7.0.0",
-    "ldclient-node": "^5.8.0",
     "lodash": "^4.17.21",
     "mime": "^2.4.6",
     "moment": "^2.29.4",

@@ -1,6 +1,6 @@
 import * as config from 'config'
 import { User } from 'idam/user'
-import * as ld from 'ldclient-node'
+import * as ld from 'launchdarkly-node-server-sdk'
 
 const sdkKey: string = config.get<string>('secrets.cmc.launchDarkly-sdk-key')
 const ldConfig = {

@@ -1 +1 @@
-{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1094555":{"findings":[{"version":"6.3.0","paths":["launchdarkly-node-server-sdk>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-11-05T05:04:46.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1094555,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1095102":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":11,"high":0,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}}
+{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.88.2","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":3,"high":0,"critical":0},"dependencies":657,"devDependencies":0,"optionalDependencies":0,"totalDependencies":657}}