
[BUG]: included versions of minimatch, brace-expansion, and shelljs #5008

Open
1 of 4 tasks
msftvito opened this issue Oct 1, 2024 · 2 comments
Labels
Area: Agent bug misc Miscellaneous Changes

Comments

@msftvito

msftvito commented Oct 1, 2024

What happened?

Our security scanner is detecting vulnerable versions of various node packages included in the agent tarball, even up to the latest 4.244.1 release. Can the versions be updated to the latest?

minimatch CVE-2022-3517: upgrade from 3.0.0 to 3.0.5+ (tmp/agent_src/externals/vso-task-lib/node_modules/minimatch/package.json)
brace-expansion CVE-2017-18077: upgrade from 1.1.5 to 1.1.7+ (tmp/agent_src/externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json)
shelljs CVE-2022-0144 and GHSA-64g7-mvw6-v9qj: upgrade from 0.3.0 to 0.8.5+ (tmp/agent_src/externals/vso-task-lib/node_modules/shelljs/package.json)

Versions

azure-pipelines-4.244.1
https://github.com/microsoft/azure-pipelines-agent/releases
https://vstsagentpackage.azureedge.net/agent/4.244.1/vsts-agent-linux-x64-4.244.1.tar.gz

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

No response

Version control system

No response

Relevant log output

> tar -xf ../vsts-agent-linux-x64-4.244.1.tar.gz
> ls
bin  config.sh  env.sh  externals  license.html  run-docker.sh  run.sh
> grep version ./externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json
  "version": "1.1.5",
> grep version externals/vso-task-lib/node_modules/shelljs/package.json
  "version": "0.3.0",
> grep version externals/vso-task-lib/node_modules/minimatch/package.json
  "version": "3.0.0",
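To turn the three scanner findings above into a repeatable check, here is an added Python example (not part of this issue or of the azure-pipelines-agent project) that reads the package.json manifests at the paths quoted in the report and flags any version below the first fixed release. The directory tree it builds for the demonstration is constructed; point audit_agent_tree at a real extracted tarball to check an actual release.

```python
import json
import os
import tempfile

# Advisory -> (package, package.json path under the extracted agent dir, first fixed
# version); all three taken from the report above.
ADVISORIES = {
    "CVE-2022-3517": ("minimatch", "externals/vso-task-lib/node_modules/minimatch/package.json", "3.0.5"),
    "CVE-2017-18077": ("brace-expansion",
        "externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json", "1.1.7"),
    "CVE-2022-0144": ("shelljs", "externals/vso-task-lib/node_modules/shelljs/package.json", "0.8.5"),
}

def parse_version(text):
    """'3.0.5' -> (3, 0, 5); numeric tuples compare correctly where strings do not ('3.0.10')."""
    return tuple(int(part) for part in text.strip().split("-")[0].split("."))

def audit_agent_tree(root):
    """Return {advisory: (package, installed, fixed)} for every vulnerable package still
    present under root. A missing manifest (vso-task-lib removed from externals, as
    suggested later in this thread) or an already-fixed version produces no entry."""
    findings = {}
    for advisory, (package, rel_path, fixed) in ADVISORIES.items():
        manifest = os.path.join(root, rel_path)
        if not os.path.exists(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            installed = json.load(fh)["version"]
        if parse_version(installed) < parse_version(fixed):
            findings[advisory] = (package, installed, fixed)
    return findings

def build_sample_tree(versions):
    """Constructed stand-in for an extracted agent tarball: writes one package.json per
    advisory path with the given version and returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="agent_")
    for advisory, (package, rel_path, _fixed) in ADVISORIES.items():
        manifest = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(manifest), exist_ok=True)
        with open(manifest, "w", encoding="utf-8") as fh:
            json.dump({"name": package, "version": versions[advisory]}, fh)
    return root

if __name__ == "__main__":
    # Versions the reporter found in the 4.244.1 tarball; replace the constructed tree
    # with the path of a real extracted agent directory to audit an actual release.
    tree = build_sample_tree({"CVE-2022-3517": "3.0.0", "CVE-2017-18077": "1.1.5", "CVE-2022-0144": "0.3.0"})
    for advisory, (pkg, have, need) in sorted(audit_agent_tree(tree).items()):
        print(f"{advisory}: {pkg} {have} is below the fixed version {need}")
```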
@KonstantinTyukalov
Contributor

@msftvito thanks for reporting! We are working on higher priority issues now, but we'll get back to this one soon.
Note that if you don't have an old task relying on this vso-task-lib (I assume you don't if you're not using TFS 2015), as a mitigation you can remove it from agent externals.

@KonstantinTyukalov KonstantinTyukalov added misc Miscellaneous Changes and removed triage labels Oct 1, 2024
@msftvito
Author

msftvito commented Oct 1, 2024

Thank you for the clarification! I was not aware it could be removed. We'll look at that, thank you.
