C8Y app builder vulnerability

What product/components do you use and which version/fix level?

We are using C8Y application builder 1.2.6

Are you using a free trial or a product with a customer license?

We have a customer licence

What are trying to achieve? Please describe in detail.

We have referred to the Software AG Cumulocity App Builder code (https://github.com/SoftwareAG/cumulocity-app-builder) to create an Angular widget in our project, and we have found a number of vulnerabilities when checking with the “npm audit” command. We found 97 vulnerabilities (1 low, 61 moderate, 35 high).

  1. Fixed 36 of 97 vulnerabilities with “npm audit fix”.
  2. We again found 63 vulnerabilities (1 low, 41 moderate, 21 high).

At least we need to fix the high and moderate vulnerabilities; kindly provide the solution for it.

Do you get any error messages? Please provide a full error message screenshot and log file.

npm audit report.txt (23.4 KB)

Thank you for sharing the audit report. We have investigated the audit report and there is no vulnerability w.r.t. Application Builder.

We would also like to share with you that, before the release of a new version of Application Builder, we run a scan on the npm packages to identify and fix any potential security vulnerability (except framework packages).

When you run “npm audit fix”, it will fix a few but create a few more, and there is a possibility that your code will not compile due to version compatibility issues.

When you use tools like “npm audit”, they mostly show outdated versions for sub-dependencies, and those are out of our hands since they come from the framework itself.

Many vulnerabilities simply don’t apply when you create a build for your project; for example, an issue with dev dependencies does not apply to the product (binary) itself.

If you would like to know more about npm audit, please refer to https://overreacted.io/npm-audit-broken-by-design/

Thanks Darpan for your quick response. We found these with the “Dependabot” feature in GitHub. The snap below is one of the critical vulnerabilities in Application Builder’s package-lock.json, where it says to update the “handlebars” version.

But the latest version of the Cumulocity Application Builder has the same older version that our custom Application Builder has, which is “handlebars”: “^4.0.2”.

I’m not sure whether updating the vulnerable version will affect the Application Builder workflow. I need to know the best way you suggest to get rid of the vulnerability issue from GitHub Dependabot on our Application Builder.

Hi Saif,

This vulnerability is not related to Application Builder.

As per “npm ls”, handlebars@4.7.7 is installed in Application Builder by a framework component.

You can also try executing the “npm ls handlebars” command.

See below output for your reference:

If you investigate further in package-lock.json, you will find that handlebars@4.0.2 is marked as a dependency in the “conventional-changelog-writer” package. But npm installs 4.7.7 based on the dependencies of other framework packages.

That means, in production, 4.7.7 is used (not 4.0.2).

I would suggest using the “npm ls” command to identify the dependency tree and going through the documentation for the package in case you would like to upgrade.

However, if you decide to upgrade, it may affect core functionalities if it is used in the framework and the version is not compatible/supported.

Hope this helps.

Regards,

Darpan