Update deprecated and insecure libraries

Description

Bonita Portal and UIDesigner pages come with libraries suffering from security vulnerabilities. For example:

jquery-ui-1.10.3 (https://snyk.io/vuln/npm:jquery-ui:20160721)
jquery-1.6.4 (https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/version_id-235563/Jquery-Jquery-1.6.4.html)
angularjs-1.4.5 (https://snyk.io/test/npm/angular/1.4.5?severity=high&severity=medium&severity=low)
plupload-1.2.1

Environment

None

External Link

None

Workaround

None

Activity

Antoine Mottier
June 11, 2019, 3:33 PM

Sorry, I didn't give the proper attention to this issue, as it was initially created on the project to request an improvement.

I can confirm that angularjs version 1.4.5 is still used by the Bonita Portal (see https://github.com/bonitasoft/bonita-portal-js/blob/7.9.0/bower.json)

I also found the reference to jquery-ui in ./looknfeel/src/main/less/skin/skin.less, which is part of the bonita-web project.

The reference to jQuery version 1.6.4 is in the bonita-web project.

And finally, in the bonita-web project the plupload library is located in ./portal/src/main/webapp/portal/scripts/ext/plupload.full.min.js and is in version 1.2.1.

I reported all the issues to the development team and will keep updating this issue with feedback.

Antoine Mottier
July 24, 2019, 7:31 AM

Quick update on the status of this issue:

We are currently getting rid of the GWT pages, which are the ones using this jQuery version, so once that is done this dependency on jQuery version 1.x won't be present anymore (and plupload-1.2.1 will also be removed).
Meanwhile, we cannot easily update the jQuery version because we would need to jump from version 1.x to version 3.x (which solves the security issues), and it would break everything.

However, since we use GWT for requests and content validation, we are not vulnerable to the last 2 CVEs. And as for the first one, we don't have any code using jQuery.extend.

About AngularJS, we will first try to migrate to version 1.5.x, which will fix major issues. Migration to version 1.6.x is more challenging, so it requires a little bit more investigation.

For jquery-ui we will try to upgrade to a version >=1.12.0.

Antoine Mottier
October 14, 2019, 4:30 PM

Here is another update:

jQuery UI 1.12 dropped support for jQuery 1.6.x, which we use in the GWT pages.

We cannot easily upgrade jQuery to 1.7.x, as 1.7 is not backward compatible with 1.6.

There is an ongoing effort to get rid of all GWT pages. When this is done, we will no longer have these dependencies on those libraries.

Łukasz Majek
September 3, 2020, 1:17 PM

Do we have a solution to the problem?

Delphine Coille
December 10, 2020, 1:58 PM

Here is the latest update on this issue:

Bonita Portal is being transformed into Bonita Applications since 7.10. When Bonita Applications are ready, Bonita Portal will be removed, and there will no longer be dependencies on those libraries.

Developers and users will have to stop using the Portal and start using Bonita Applications instead. This change will allow Bonita and its users to get free from Google Web Toolkit (GWT) technology and offer opportunities for customization. Indeed, some Portal pages (built with GWT) are being totally recreated with our own UI Designer. They will be customizable. Other pages (those that were already using another technology than GWT) are being wrapped and will not be customizable. 

Pages which have already been created:

  • User Portal tasklist and process list, Case list, included in a Bonita user application available from Bonita Studio (7.10 and further)

  • Administrator Portal pages except the Analytics page, included in an Admin user application available from Bonita Studio as well (7.12, to be released in January 2021).

The Administrator Portal in GWT is currently still available but deprecated, and will be removed in future versions.

FYI here are the dependencies for portal-js updated on 7.12: https://documentation.bonitasoft.com/bonita/7.12/portal-js-dependencies

Fixed

Assignee

Delphine Coille

Reporter

Maciej Michalak

Affects versions

Reference

BPO-173 / BS-18047

Fix versions

None