OSPOCO Updates

Owned by Eli Sutton
Mar 24, 2022

Copied from Magma Community Workplace group


OSPOCO Report, First Half of March


Welcome to another OSPOCO report, this one for the first two weeks of March. We have been hard at work addressing both the overall security posture of Magma as well as working on the ongoing Dependabot alerts. This two week period has our highest total number of PRs and closed issues so far.
Magma’s security posture: One of our ongoing efforts focuses on how to integrate security processes into Magma’s ongoing development process. We had two significant developments these past couple weeks addressing this issue.
Proposal: Security WG
Magma security work is generally done in private by assigned owners, in the style of a commercial project. As an open-source project Magma should involve the community as a whole. We have opened an issue for a Security Working Group that brings together multiple stakeholders to drive broader participation in the security process.
Proposal: https://github.com/magma/magma/issues/12016
Update disclosure handling workflows
Over the past couple updates we mentioned that we dealt with some of our first reported vulnerabilities that came through the disclosure reporting process. As always, we learned a lot from actually going through the process, resulting in a major rewrite of SECURITY.md to incorporate what we learned:
Link: https://github.com/magma/magma/security/policy
PR: https://github.com/magma/magma/pull/11888

Other issues:
fix(orc8r): lowercase orc8r service names
This was created by Hunter Gatewood. OSPOCO covered as part of an initiative to contribute to non-security issues.
PR: https://github.com/magma/magma/pull/11896
Issue: https://github.com/magma/magma/issues/9829

Dependabot, Code scanning, and other alerts:
We've had a number of items that we have been working on that all ended up landing in the past two weeks - 9 PRs addressing 17 separate Dependabot issues. They are:
fix(feg): fix incorrect conversion between integer types #12098
Closes five code scanning alerts for “Incorrect conversion between integer types.”
PR: https://github.com/magma/magma/pull/12098
Dependabot:

  1. Incorrect conversion between integer types

  2. Incorrect conversion between integer types

  3. Incorrect conversion between integer types

  4. Incorrect conversion between integer types

  5. Incorrect conversion between integer types

chore: prismjs to 1.27.0
PR: https://github.com/magma/magma/pull/12011
Issue https://github.com/magma/security/issues/36
Dependabot:

  1. https://github.com/magma/magma/security/dependabot/136

  2. https://github.com/magma/magma/security/dependabot/70

  3. https://github.com/magma/magma/security/dependabot/58

  4. https://github.com/magma/magma/security/dependabot/40

  5. https://github.com/magma/magma/security/dependabot/31

chore(cwg): Upgrade helm.sh/helm/v3 to v3.2.4
Closes information disclosure vulnerability in Helm 3.0.0-3.1.2.
PR: https://github.com/magma/magma/pull/12027
Dependabot: https://github.com/magma/magma/security/dependabot/82

chore: bump ssri
PR: https://github.com/magma/magma/pull/12032
Issue: https://github.com/magma/security/issues/78
Dependabot link: https://github.com/magma/magma/security/dependabot/48

chore: bump minimist
Bump mapbox-gl in packages/magmalte/package.json from 0.53 to 1.x.x in order to pick up minimist upgrade
PR: https://github.com/magma/magma/pull/12069
Issue: https://github.com/magma/security/issues/40
Dependabot: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/minimist/open

chore: bump jspdf
Bump jspdf version using a package.json resolution
PR: https://github.com/magma/magma/pull/12035
Issue: https://github.com/magma/security/issues/9
Dependabot: https://github.com/magma/magma/security/dependabot/45

chore: upgrade elliptic package
PR: https://github.com/magma/magma/pull/12010
Issue: https://github.com/magma/security/issues/56
Dependabot: https://github.com/magma/magma/security/dependabot/43

chore(deps): bump color-string to 1.5.5 or greater
PR: https://github.com/magma/magma/pull/12000
Issue: https://github.com/magma/security/issues/75
Dependabot: https://github.com/magma/magma/security/dependabot/57

chore: bump node-forge
PR: https://github.com/magma/magma/pull/12013/
Issue: https://github.com/magma/security/issues/22
Other Dependabot Issues:

  1. Open Redirect in node-forge

  2. Prototype Pollution in node-forge debug API.

  3. Prototype Pollution in node-forge util.setPath API

  4. URL parsing in node-forge could lead to undesired behavior.

  5. Prototype Pollution in node-forge


_______
Recurring note - what is OSPOCO: OSPOCO is an Open Source Program Office (“OSPO”) as a Service company. We have been retained to provide one “virtual head” dedicated to helping Magma improve under the direction of the Magma leadership.


OSPOCO Report, second half of February


This is an update on what the OSPOCO team did in the second half of February. Some interesting issues to discuss:
It’s all about the logs: Magma uses Github’s “code quality” scanning tool to identify potential or actual issues in the code. One of the recurring themes in the code quality scan has been code that writes to a log without the contents being sanitized first. While that may seem like a minor issue, that was the root cause of the log4j vulnerability that recently made headlines, so we have been looking closely to see if there are ways in which this issue can be dealt with.
We aren’t the only ones looking at this issue - for example, see this discussion on /r/golang: https://www.reddit.com/r/golang/comments/rgbn5q/should_we_be_sanitizing_log_messages/
So far there have been 11 separate code quality alerts associated with unsanitized log inputs. We quickly realized that we had a couple of possible ways to handle these:
1. Create a specialized sanitizing function at each location, based on the type of inputs
2. Create a general sanitizing function that is used throughout Magma
3. Find and adopt a sanitizing package
Given that there is no consensus sanitizing package right now, OSPOCO associate Kristjian (spikey979) created a proposed sanitizing function for use throughout the codebase (option 2). The SafeLog() function would:
- accept a string with arguments, just like the Sprintf command
- check for/normalize unicode characters
- check for/remove non UTF-8 chars
- check for/truncate values longer than 1024 characters
- escape special characters in HTML text
There was a lively discussion in slack and in the associated PR, https://github.com/magma/magma/pull/11738. Ultimately, there wasn’t enough consensus to move forward with a Magma-only sanitizing function, and the risk was considered low enough to close these code quality alerts for now. At some point, however, Magma may adopt a code sanitizing package (option 3) when the broader community comes to a consensus.
Alerts closed:
Log entries created from user input (59)
Log entries created from user input (58)
Log entries created from user input (57)
Log entries created from user input (40)
Log entries created from user input (39)
Log entries created from user input (38)
Log entries created from user input (37)
Log entries created from user input (36)
Log entries created from user input (35)
Rename lib/errors package to lib/merrors: Previously, we would usually alias our internal errors package to merrors, so as to not cause a namespace clash with the stdlib errors package. Hcgatewood suggested renaming our package to merrors and removing all the occasions where we perform that alias.
Issue: https://github.com/magma/magma/issues/9827
PR: https://github.com/magma/magma/pull/11806
Code owner needed: Sometimes a fix just needs a review by the code owner in order to get merged. Anyone interested in jspdf?
Security tracker issue: https://github.com/magma/security/issues/9
Public Magma issue: https://github.com/magma/magma/issues/11371 (the patch is attached).
Regular Expression Denial of Service in trim
Issue: https://github.com/magma/security/issues/59
Dependabot link: https://github.com/magma/magma/security/dependabot/49
PR: https://github.com/magma/magma/pull/11353
Update validator to >= 13.7.0: We had previously engaged upstream to get the upstream dependency to upgrade. This is the corresponding upgrade for Magma. This PR picks up the upstream upgrade of validator to "^13.7.0" in order to fix CVE.
PR: https://github.com/magma/magma/pull/11435
passport-saml
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/passport-saml/open
Remediation: Upgrade passport-saml to version 3.1.0 or later.
Issue: https://github.com/magma/security/issues/14
Issue (Upstream): https://github.com/facebookincubator/fbc-js-core/issues/168
PR (Upstream): https://github.com/facebookincubator/fbc-js-core/pull/169
_______
Recurring note - what is OSPOCO: OSPOCO is an Open Source Program Office (“OSPO”) as a Service company. We have been retained to provide one “virtual head” dedicated to helping Magma improve under the direction of the Magma leadership.


OSPOCO Report, first half of February
Hello all,
This is an update on what the OSPOCO team did in the first half of February.
Quick clarification for those who have asked “What is OSPOCO?”. OSPOCO is an Open Source Program Office (“OSPO”) as a Service company. We act as the OSPO for a company or provide additional capabilities for an existing open source program. In the case of Magma, we have been retained to provide one “virtual head” dedicated to helping Magma improve under the direction of the Magma leadership. Think of this as a report from one full time “employee” about what they did for the first part of February. (We aren’t actually employees, but we want to make things as seamless as if we were.)
Now on to what we actually did:
General projects:
Security Disclosures: A major focus for OSPOCO has been the improvement of Magma’s security posture and development of security practices and infrastructure. As a provider concerned with open source in particular, we work on security practices related to open source - dependencies, SBOM, OpenSSF’s Security Scorecards for Open Source Projects. As part of this effort, we created a security disclosure process in January and led the response for two security disclosures we received in early Feb. The two disclosures we managed were:
Disclosure: EPC and Backhaul Data Unencrypted
https://github.com/magma/security/issues/72
Disclosure: Linux ‘Magic SysRq’ enabled in the Linux kernel running on the Magma gateway host
https://github.com/magma/security/issues/69
We used this to help us develop our security policy:
https://github.com/magma/magma/security/policy
We evaluated the disclosures and assigned the appropriate security level using the Common Vulnerability Scoring System (CVSS). As part of this we developed a Magma-specific spreadsheet for performing this task using the scoring rubric at https://www.first.org/cvss/v3.1/user-guide. The spreadsheet is at:
https://docs.google.com/spreadsheets/d/1XKa08l64cynIFi2xNdRBKuSmehtkU_GHk55LFv6yMmI/edit#gid=672841727
Improve Tooling: We keep on trying to make the security process more transparent and inclusive. As part of that we have created akanban board and triaged all security tickets:
https://github.com/orgs/magma/projects/12
We also finished moving all issues from our old private repo into the Magma organization repo. From now on, we will only be reporting issues out of the new https://github.com/magma/security/issues location. As part of this effort we also identified and closed stale tickets and open PRs that needed to be closed, such as these three related to logging: https://github.com/magma/magma/pull/11269
Analysis of golang dependencies: A common source of security issues is golang dependencies. We have created an analysis of Golang dependency patterns to identify high-impact projects:
https://docs.google.com/document/d/1XHd5iioHfFmKDz91UEJemoSmXPhCy1kN7sP-DgnYN7o/edit
Non-Security GitHub Issues
As well as security, we are active in general development as well. We worked on following issues and PRs:
chore(orc8r):
Merge combine_swagger and swaggergen executables
PR: https://github.com/magma/magma/pull/10856
fix(orc8r):
Change alsologtostderr to logtostderr in tests
PR: https://github.com/magma/magma/pull/10403
fbc-js-core bug "cannot-resolve-module multiSamlStrategy"
PR: (Upstream) https://github.com/facebookincubator/fbc-js-core/issues/168
PR: (Upstream) https://github.com/facebookincubator/fbc-js-core/pull/169
Propose contributor attribution project to “Contributor Experience and Onboarding” document
https://etherpad.opendev.org/p/Magma_Contributor_Attribution
Selected Dependabot, Code Scanning, Other Issues:
We continue to analyze and close dependabot and code scanning issues. One thing to note is that a substantial portion of our work fixing issues that are reported for Magma actually involves finding the necessary upstream dependency and making fixes or upgrades upstream. If you want to see examples, note when a PR or issue has the (Upstream) tag.
aiohttp
Dependabot link: https://github.com/magma/magma/security/dependabot/1
Suggested remediation: Upgrade aiohttp to version >=3.7.4
Issue: https://github.com/magma/security/issues/44
PR: https://github.com/magma/magma/pull/11165
trim
Dependabot link: https://github.com/magma/magma/security/dependabot/49
Issue: https://github.com/magma/security/issues/59
PR: https://github.com/magma/magma/pull/11353/files
https://github.com/magma/magma/pull/11353/commits
yargs-parser
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/yargs-parser/open
Component: nms
Suggested remediation: Upgrade yargs-parser to version 13.1.2 or later
Issue: https://github.com/magma/security/issues/29
PR: https://github.com/magma/magma/pull/11352
babel-plugin-fbt
Upgrade babel-plugin-fbt from 0.10.4 to 0.20.3 (needed for yargs-parser)
PR: https://github.com/magma/magma/pull/11352
Mem
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/mem/open
Component: nms
Suggested remediation: Upgrade mem to version 4.0.0 or later
Issue: https://github.com/magma/security/issues/27
Issue (Upstream): https://github.com/facebook/fbt/issues/317
Closed by upgrade of transitive dependency babel-plugin-fbt
Prism.js
Upgraded prismjs to version 1.25.0 or later: bumped @storybook/addon-actions in @fbcnms/ui to transitively bump prismjs@1.17.1 up to 1.26.0.
Issue: https://github.com/magma/security/issues/36
PRs (Upstream): https://github.com/facebookincubator/fbc-js-core/pull/164
https://github.com/facebookincubator/fbc-js-core/pull/165
node-fetch
Partial fix for node-fetch CVE-2022-0235
Submitted patch to upstream package fbjs
PR (Upstream): https://github.com/facebook/fbjs/pull/472

OSPOCO Report for January

Hello all, apologies for the delay putting together a general update. As discussed in the last update, we have broadened our focus from just Dependabot alerts to incorporate some longer-term, higher-reward projects - but we have been plenty busy on alerts as well.
Some of you also probably saw the colors.js (and faker.js) attacks that surfaced last month. Our team did an immediate review of how those could affect Magma and published a report. See our analysis of exposure to colors.js attack: https://my.workplace.com/groups/985358419049435/permalink/1010763649842245/ and https://docs.google.com/document/d/1KVI7v9m8a-EgKGPoNUDmI3HCJi4uHHidaN3keRTfIb4/e
This update is split into two parts: The longer term projects and the ongoing alert work.
Longer-Term Projects
- SBOM planning and research: Last update we noted that we currently do not have a complete, centralized list of all the outside code used in Magma. This is leading to multiple security alerts and inconsistent use of third-party code. It also prevents us from making sure that we are complying with all open source licenses and from understanding our upstream risk from smaller, less-maintained projects.
One of our longer-term projects we are starting on is creating an ongoing, audited version of Magma’s dependencies so that we can reduce our scope of dependencies, reduce the use of multiple versions of the same dependencies (where possible), and to make sure that we are complying with all open source licenses.
We moved forward on this plan, evaluating several methods of creating an SBOM:
https://docs.google.com/document/d/1abC7kGhM8Q8oj6V2ZK5FTo5FJXX5ymT-kJt9mxMfK5U/edit?usp=sharing
Following our research, we used the tools to create an SBOM and created a PR to check it in: https://github.com/magma/magma/pull/11266
We are also working to keep this updated (https://github.com/magma/magma/pull/11340) and are using it to iIdentify most common sources of upstream vulnerabilities: https://github.com/magma/security/issues/39.
- OpenSSF Scorecard results: From a Magma perspective, one of the most important issues for enterprise deployment is a consistent security posture and validated practices.
The Open Source Security Foundation (OpenSSF) is a multi-vendor effort to create validated security models and practices for open source projects: “We created Scorecards to give consumers of open-source projects an easy way to judge whether their dependencies are safe….Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.”
We investigated the use of scorecards for Magma (https://github.com/ospoco/magma-issue-tracker/issues/46) and reported on our findings:
https://my.workplace.com/groups/985358419049435/permalink/1019676708950939/
Working from those findings, we started working on the “Dangerous-Workflow” security issue in Scorecard. It determines if the project's GitHub Action workflows avoid dangerous patterns: https://github.com/ospoco/magma-issue-tracker/issues/46 https://github.com/ospoco/magma-issue-tracker/issues/53
- Define Security Vulnerability team and create social tooling: To better center security in the magma project, we transitioned the ospoco security issues tracker into the Magma organization (https://github.com/magma/security) as a private repository and helped define the security team and associated private slack channel: https://github.com/magma/security/issues/71 and slack://channel?team=magmacore&id=#security
- Improve testing: The third item we discussed in our last update was updates to testing to help make it easier to have confidence in fixes. With that in mind, we identified and diagnosed some common CI errors(see https://github.com/magma/magma/issues/11220 and https://github.com/magma/magma/issues/11221). Work on this is ongoing.
- Work on OSS-Fuzz Tooling on Magma: Finally, as part of overall improving our security posture, we have begun work on applying OSS-Fuzz to Magma. OSS-Fuzz is a fuzz testing tool designed to trigger bugs that can become errors or vulnerabilities. Expect some targeted fixes to come. In the meantime, read more about Fuzz testing: https://www.synopsys.com/glossary/what-is-fuzz-testing.html l
Selected Dependabot, Code Scanning, Other Issues:
Shelljs
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/shelljs/open
Component: NMS
Suggested remediation: upgrade shelljs to at least 0.8.5
Issue: https://github.com/magma/security/issues/61
PR: https://github.com/magma/magma/pull/11392
lxml
Dependabot link: https://github.com/magma/magma/security/dependabot/lte/gateway/python/setup.py/lxml/open
Component: lte
Suggested remediation: Upgrade lxml to version 4.7.1
Issue: https://github.com/magma/security/issues/45
PR: https://github.com/magma/magma/pull/11181
xmldom (#1)
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/xmldom/open
Suggested remediation: Upgrade xmldom to version 0.5.0
Issue: https://github.com/magma/security/issues/31
PR: https://github.com/facebookincubator/fbc-js-core/pull/148 (Upstream)
xmldom (#2)
Dependabot link: https://github.com/.../dependabot/nms/yarn.lock/xmldom/open
Component: nms
Suggested remediation: Upgrade xmldom to 0.7.0 or later
Issue: https://github.com/magma/security/issues/42
PR: https://github.com/facebookincubator/fbc-js-core/pull/149 (Upstream)
Prism.js
Dependency Storybook uses vulnerable prismjs and react-syntax-highlighter libraries.
PR: https://github.com/storybookjs/storybook/pull/17100 (Upstream)
hosted-git-info
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/hosted-git-info/open
Component: nms
Suggested remediation: Upgrade hosted-git-info to version 2.8.9
Issue: https://github.com/magma/security/issues/32
PR: https://github.com/magma/magma/pull/11013
pug-code-gen
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/pug-code-gen/open
Suggested remediation: Upgrade pug-code-gen to version 2.0.3 or later
Issue: https://github.com/magma/security/issues/30
PR: https://github.com/magma/magma/pull/11435
passport-saml
Transitive dependency needing to be updated to support vulnerable xmldom upgrade
Issues: https://github.com/ospoco/magma-issue-tracker/issues/42, https://github.com/ospoco/magma-issue-tracker/issues/14
PR: https://github.com/facebookincubator/fbc-js-core/pull/149
@fbcnms/platform-server
Update to pick up dependencies to get magma to not use vulnerable versions
PR: https://github.com/facebookincubator/fbc-js-core/pull/153
openshift/origin:
Dependabot link: https://github.com/.../github.com%2Fopenshift%2Forigin/open
Component: cwf
Suggested remediation: Upgrade github.com/openshift/origin to version 1.1.1 or later
Issues: https://github.com/ospoco/magma-issue-tracker/issues/38; https://github.com/ospoco/magma-issue-tracker/issues/37
Resolved with PR
sequelize
(Upstream) Upgrade sequelize to latest to pick up validator upgrade
PR merged into fbc-js-core: https://github.com/facebookincubator/fbc-js-core/pull/153
validator
Update validator to >= 13.7.0
Upstream PR: https://github.com/magma/magma/pull/11218
(Magma) Update @fbcnms/{sequelize-models,platform-server} to pick up updates that (transitively) bump validator package
PR: https://github.com/magma/magma/pull/11168
Frequent Sentry Error: Handle empty list gracefully
Issue link: https://github.com/magma/magma/issues/11097
PR: https://github.com/magma/magma/pull/11124
nanoid/json-server
Upgrade nanoid to version 3.1.31 or later.
Dependabot link: https://github.com/magma/magma/security/dependabot/nms/yarn.lock/nanoid/closed
Component: nms
Suggested remediation: Dependabot didn't succeed in automatically updating dependency, nonoid is required by json-server": "^0.16.1"
Update json-server to 0.17:
PR: https://github.com/magma/magma/pull/11326

Thanks,
Van

OpenSSF Scorecard Results


Test Date 2022-01-17

INTRODUCTION


We performed a security review of Magma using the OpenSSF Security Scorecards tool (https://github.com/ossf/scorecard), which provides security health metrics for open source:
We created Scorecards to give consumers of open-source projects an easy way to judge whether their dependencies are safe.
Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
Our initial plan was to run the security scorecard as a GitHub Action, grading commits on their security impact. On reviewing the output we found that the numeric score is too opaque to be a strong call to action in the short term. However, the individual tests used by the scoring algorithm are a useful checklist for security improvements.

REVIEW OF FINDINGS


For the raw scorecard data see:
https://github.com/ospoco/magma-issue-tracker/blob/main/magma-scorecard-beautify.json

POSITIVES


Magma is already doing well on the following criteria:

  • Code-Review

    • Determines if the project requires code review before pull requests (aka merge requests) are merged.

  • Security-Policy

    • Determines if the project has published a security policy.

  • Dependency-Update-Tool

    • Determines if the project uses a dependency update tool.

  • License

    • Determines if the project has defined a license.

  • Maintained

    • Determines if the project is "actively maintained".

NEED FOLLOWUP


The following items call for work. They are practical opportunities to improve Magma security.

NOT APPLICABLE


The following items don’t apply to Magma:

  • Signed-Releases

    • Determines if the project cryptographically signs release artifacts.

  • Branch-Protection

    • Determines if the default and release branches are protected with GitHub's branch protection settings.

  • Binary-Artifacts

    • Determines if the project has generated executable (binary) artifacts in the source repository.

  • Packaging

    • Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.


Analysis of Magma Exposure to colors.js Attack
As part of our ongoing work to improve Magma security, we investigated whether emergency action was needed to respond to the colors.js attack that surfaced over the weekend. We concluded that no emergency action was needed, but we should reconsider some of our upstream dependencies to reduce our security risks going forward. Our full report is linked.
https://docs.google.com/.../1KVI7v9m8a.../edit...

OSPOCO Update - Week ending 12/31/21

Hello all, and I hope you had a good holiday!
Work from the OSPOCO team was a bit slower over the holidays, as expected, but we were still able to get in a number of updates over the back half of December.
Process and focus updates: Our initial goal was to quickly make an impact. We chose to work on alerts because they have a minimal learning curve. We have been using these updates to learn the Magma system and code organization, while still having a positive impact. As we head into 2022, we will be balancing these immediate needs with a few longer-term issues and expanding the scope of our contributions.
New focus #1: Adding resolution of simpler issues. A lot of our work so far has been only in the Dependabot and Code quality alerts. As we become more confident with the codebase, it also seems reasonable to start addressing general issues. We have some our first results of this focus below (see items about combine_swagger and swaggergen).
New focus #2: Improvements to testing: In the course of creating updates, we have noticed gaps in testing and places where the testing infrastructure is not yet sufficient for us to have good confidence in our fixes. While we don’t intend on creating “tests for tests sake,” we are going to expand the scope of our fixes to include tests to help us catch and prevent regressions from our ongoing security work.
New focus #3: Creating and updating a Software Bill of Materials (SBOM): We currently do not have a complete, centralized list of all the outside code used in Magma. This is leading to multiple security alerts and inconsistent use of third-party code. It also prevents us from making sure that we are complying with all open source licenses and from understanding our upstream risk from smaller, less-maintained projects.
One of our longer-term projects we are starting on is creating an ongoing, audited version of Magma’s dependencies so that we can reduce our scope of dependencies, reduce the use of multiple versions of the same dependencies (where possible), and to make sure that we are complying with all open source licenses.
Issues, Code Quality, and Dependabot Fixes:
Issue: Merge combine_swagger and swaggergen executables #5425: This was tagged as a good first issue, which matches our criteria for getting started on new “general” issues.


Issue: Suggest CWE ID for vuln type


Update validator


Update OpenID-client (upstream, needed by passport-saml)


Upgrade passport-saml


Code quality: Clear-text logging of sensitive information


Code quality: Log entries created from user input (#1)


Code quality: Log entries created from user input (#2)


Code quality: Log entries created from user input (#3, #4)


mem


dot-prop


yargs-parser


upgrade xmldom


hosted-git-info


For your information: Open issues in OSPOCO Private Security Issue Tracker:
Dependabot: TBD openshift/origin security
Dependabot: TBD gopkg.in/yaml.v2 security
Dependabot: highlight.js upgrade security
Dependabot: upgrade hosted-git-info security
Dependabot: upgrade xmldom security
Dependabot: pug-code-gen security
Dependabot: yargs-parser security
Dependabot: mem alert security
Code Scan Alert: Log entries created from user input security
Clear-text logging of sensitive information security
Dependabot: update validator to >= 13.7.0 security
Dependabot: node-forge security
Dependabot: containerd security
postcss update to 7.0.36 or later
ansi-html alert
passport-saml dependabot alert
axios update
Dependabot alert on pug < 3.0.1
jspdf upgrade
Alerts in CWF Kubernetes Operator
Dependabot alert on github.com/miekg/dns
Dependabot alert on jwt-go
Kubernetes package update (k8s.io/kubernetes)