
Least Authority Initial Audit Suggestion 1 #11

Closed
ianconsolata opened this issue Apr 29, 2024 · 6 comments
@ianconsolata (Collaborator)

Suggestion 1: Update and Maintain Dependencies

Location

  • power-voting/package.json
  • power-voting-backend/go.mod
  • power-oracle-node/backend/go.mod

Synopsis

Analyzing package.json for dependency versions using Npm Audit shows 19 vulnerabilities (1 low, 15 moderate, 3 high). Additionally, running the depcheck command shows a large number of unused dependencies, and analysis with nancy revealed several Go dependency issues of various severity. We analyzed each reported issue and found that only one dependency - protobuf < 1.33.0 - has possible impact in the Power Voting scheme. Susceptible versions could crash or hang a node via malicious JSON payloads.

Mitigation

We recommend upgrading the protobuf version to the 1.33.0 version, or higher, if possible. As of writing this report, version 1.5.4 is the current latest release version for Protobuf. We additionally recommend following a process that emphasizes secure dependency usage to avoid introducing vulnerabilities to the Voting contracts and to mitigate supply-chain attacks, which includes:

  • Manually reviewing and assessing currently used dependencies;
  • Upgrading dependencies with known vulnerabilities to patched versions with fixes;
  • Replacing unmaintained dependencies with secure and battle-tested alternatives, if possible;
  • Pinning dependencies to specific versions, including pinning build-level dependencies in the package.json file to a specific version;
  • Only upgrading dependencies upon careful internal review for potential backward compatibility issues and vulnerabilities; and
  • Including automated dependency auditing reports in the project’s CI/CD workflow.
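The last recommendation, automated dependency auditing in CI/CD, could be wired up with a GitHub Actions workflow like the one below. This is an added example, not a workflow from the Power Voting repository: it runs `npm audit` on power-voting/package.json and `govulncheck` plus `nancy` (the tool the audit used) on the two Go modules named above. The workflow file path, the `lts/*` Node version and the use of `npm install --package-lock-only` to produce a lockfile are assumptions.

```yaml
# .github/workflows/dependency-audit.yml (hypothetical path; added example)
name: dependency-audit

on:
  push:
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # weekly re-scan: new advisories land without code changes

permissions:
  contents: read

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: power-voting
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*   # assumption: the repo does not pin a Node version
      # npm audit needs a lockfile; resolve one without running install scripts
      - run: npm install --package-lock-only --ignore-scripts
      # fail the job at moderate or worse (the audit found 15 moderate, 3 high)
      - run: npm audit --audit-level=moderate

  go-audit:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # report both modules even if one fails
      matrix:
        module: [power-voting-backend, power-oracle-node/backend]
    defaults:
      run:
        working-directory: ${{ matrix.module }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: ${{ matrix.module }}/go.mod
      # govulncheck flags only vulnerable functions reachable from this code
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...
      # nancy checks the resolved module graph against Sonatype OSS Index
      - run: go install github.com/sonatype-nexus-community/nancy@latest
      - run: go list -json -deps ./... | nancy sleuth
```

Each job's log is the auditing report; a failing job on a pull request is what blocks a vulnerable upgrade before merge.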
@joekingss (Collaborator)

#21 updated power-voting/package.json dependencies.

@mor9x00 (Collaborator) commented May 13, 2024

#8 protobuf version already updated to 1.33

@joekingss (Collaborator)

@ianconsolata could you help configure the CI/CD workflow to include automated dependency auditing reports? Thanks

@ianconsolata (Collaborator, Author)

@hexianglinss sorry, just seeing this comment now. What exactly do you need my support on? Was this related to the request to give your team admin privileges so you could update the secrets, or something else?

@ianconsolata ianconsolata modified the milestone: Open Beta Jun 5, 2024
@joekingss (Collaborator)

It doesn't matter. Thanks for giving us the admin privileges. As our server cannot be accessed without a VPN, could you provide us a server with a public IP, a domain name pointing to that IP, and an HTTPS certificate, so that we can configure the CD workflows? Thanks!

@ianconsolata (Collaborator, Author)

Ok, I will close this issue then, and we can continue the discussion about CD in #84
