Skip to content

Fix vulnerabilities by removing request dependency #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
May 21, 2018
Merged

Fix vulnerabilities by removing request dependency #98

merged 8 commits into from
May 21, 2018

Conversation

tylerbrandt
Copy link
Contributor

@tylerbrandt tylerbrandt commented May 18, 2018
edited
Loading

Summary:
srcclr flags request and some of its transitive dependencies as vulnerable. Since we are only barely using it, we can switch to the native node modules http/https instead. The result is a clean run.

$ srcclr scan .
SourceClear scanning engine ready
Running the NPM scanner
Scanning completed
Found 12997 lines of code
Processing results...
Processing results complete

Summary Report
Scan ID                                   614c7376-d1ae-4d77-ad5f-3078f6a17917
Scan Date & Time                          May 16 2018 04:26PM PDT
Account type                              PRO
Scan engine                               2.14.7 (latest 2.14.7)
Analysis time                             12 seconds
User                                      tbrandt
Project                                   /Users/tbrandt/optly/Projects/javascript-sdk/packages/optimizely-sdk
Package Manager(s)                        NPM

Open-Source Libraries
Total Libraries                           5
Direct Libraries                          5
Transitive Libraries                      0
Vulnerable Libraries                      0
Third Party Code                          77.4%

Security
With Vulnerable Methods                   0
High Risk Vulnerabilities                 0
Medium Risk Vulnerabilities               0
Low Risk Vulnerabilities                  0

Licenses
Unique Library Licenses                   3
Libraries Using GPL                       0
Libraries With No License                 1
Libraries With Multiple Licenses          1

Full Report Details                       https://optimizely.sourceclear.io/teams/3OOu2k/scans/3772270?login=saml

Also add srcclr.yml with scope: production so we can scan more easily in the correct way.

Test Plan: Existing automated tests

Reviewers: matt.carroll, ola.nordstrom, michael.hood, ali, greeshma

Reviewed By: ali, greeshma

JIRA Issues: OASIS-2776

Differential Revision: https://phabricator.optimizely.com/D19829

Fix vulnerabilities by removing request dependency
55e2461 
Summary:
[`srcclr`](https://optimizely.sourceclear.io/teams/3OOu2k/scans/3772139?login=saml) flags `request` and some of its transitive dependencies as vulnerable. Since we are only barely using it, we can switch to the native node modules `http`/`https` instead. The result is a [[ https://optimizely.sourceclear.io/teams/3OOu2k/scans/3772270?login=saml | clean run ]]!
```
$ srcclr scan .
SourceClear scanning engine ready
Running the NPM scanner
Scanning completed
Found 12997 lines of code
Processing results...
Processing results complete

Summary Report
Scan ID                                   614c7376-d1ae-4d77-ad5f-3078f6a17917
Scan Date & Time                          May 16 2018 04:26PM PDT
Account type                              PRO
Scan engine                               2.14.7 (latest 2.14.7)
Analysis time                             12 seconds
User                                      tbrandt
Project                                   /Users/tbrandt/optly/Projects/javascript-sdk/packages/optimizely-sdk
Package Manager(s)                        NPM

Open-Source Libraries
Total Libraries                           5
Direct Libraries                          5
Transitive Libraries                      0
Vulnerable Libraries                      0
Third Party Code                          77.4%

Security
With Vulnerable Methods                   0
High Risk Vulnerabilities                 0
Medium Risk Vulnerabilities               0
Low Risk Vulnerabilities                  0

Licenses
Unique Library Licenses                   3
Libraries Using GPL                       0
Libraries With No License                 1
Libraries With Multiple Licenses          1

Full Report Details                       https://optimizely.sourceclear.io/teams/3OOu2k/scans/3772270?login=saml
```

Also add srcclr.yml with `scope: production` so we can scan more easily in the correct way.

Test Plan: Existing automated tests

Reviewers: matt.carroll, ola.nordstrom, michael.hood, ali, greeshma

Reviewed By: ali, greeshma

JIRA Issues: OASIS-2776

Differential Revision: https://phabricator.optimizely.com/D19829
@tylerbrandt tylerbrandt requested a review from aliabbasrizvi May 18, 2018 16:29
mikeproeng37
mikeproeng37 reviewed May 21, 2018
View reviewed changes
packages/optimizely-sdk/lib/plugins/event_dispatcher/index.node.js Outdated
@@ -25,23 +25,42 @@ module.exports = {
* @param {Object} eventObj.params parameters to pass to the request
* @param {string} eventObj.httpVerb the HTTP request method type
* @param {function} callback callback to execute
* @return {Promise<Object>} the payload from the request
* @return {ClientRequest} ClientRequest object which made the request
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also document that we return undefined if the req is non POSt? Or we can return an explicit null in that case as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'll update this

mikeproeng37
mikeproeng37 approved these changes May 21, 2018
View reviewed changes
Copy link
Contributor

@mikeproeng37 mikeproeng37 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, just a minor question

mikeproeng37
mikeproeng37 reviewed May 21, 2018
View reviewed changes
.travis.yml Outdated
@@ -3,7 +3,8 @@ node_js:
- '4'
- '6'
- '8'
- node
- '9'
- '10'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like Node 10 might be causing issues?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I was talking about it with @aliabbasrizvi on Friday. It's affecting master as well (https://travis-ci.org/optimizely/javascript-sdk/builds/380812924), hence the other PR #101

@mikeproeng37
Copy link
Contributor

Did some manual testing and counting by creating a new A/B experiment and a Feature Experiment. Verified that impressions and conversion events with revenue show up correctly in our Results Dashboard.

@mikeproeng37 mikeproeng37 mentioned this pull request May 21, 2018
Closed
@tylerbrandt tylerbrandt merged commit 449849c into master May 21, 2018
@tylerbrandt tylerbrandt deleted the tyler/no-request-pr branch May 21, 2018 23:35
@Geit Geit mentioned this pull request Jun 21, 2018
Closed
@tylerbrandt tylerbrandt mentioned this pull request Jun 22, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikeproeng37 mikeproeng37 mikeproeng37 approved these changes

@aliabbasrizvi aliabbasrizvi Awaiting requested review from aliabbasrizvi

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tylerbrandt @mikeproeng37