Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge 4.10.2 into master #367

Merged
merged 5 commits into from
Oct 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 36 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,48 @@ All notable changes to the Wazuh app project will be documented in this file.

- Changed the reportingDashboards platform plugin to a customized one and adapt the build tools [#340](https://github.com/wazuh/wazuh-dashboard/pull/340)

## Wazuh dashboard v4.10.0 - OpenSearch Dashboards 2.16.0 - Revision 00
## Wazuh dashboard v4.10.2 - OpenSearch Dashboards 2.16.0 - Revision 00

### Added

- Support for Wazuh 4.10.2

## Wazuh dashboard v4.10.1 - OpenSearch Dashboards 2.16.0 - Revision 00

### Added

- Support for Wazuh 4.10.1

## Wazuh dashboard v4.10.0 - OpenSearch Dashboards 2.16.0 - Revision 02

### Removed

- Removed the setting home:useNewHomePage from the advanced settings because the views are not finished. [#282](https://github.com/wazuh/wazuh-dashboard/pull/282)

## Wazuh dashboard v4.9.1 - OpenSearch Dashboards 2.13.0 - Revision 04

### Added

- Support for Wazuh 4.9.1

### Changed

- Changed link to sample data in the dashboards section and references to Opensearch Dashboards [#311](https://github.com/wazuh/wazuh-dashboard/pull/311)

### Fixed

- Fixed bug that caused the terminal to freeze on deb upgrades [#301](https://github.com/wazuh/wazuh-dashboard/pull/301)
- Fixed the name of the "Index management" category to "Indexer management" [#330](https://github.com/wazuh/wazuh-dashboard/pull/330)

## Wazuh dashboard v4.9.0 - OpenSearch Dashboards 2.13.0 - Revision 07

### Added

- Support for Wazuh 4.9.0

### Changed

- Changed default value of useExpandedHeader to false. [#247](https://github.com/wazuh/wazuh-dashboard/pull/247)
- Changed default theme [#174](https://github.com/wazuh/wazuh-dashboard/pull/174)
- Changed default logos and main menu app categories [141](https://github.com/wazuh/wazuh-dashboard/pull/141)
- Changed default value of useExpandedHeader to false [#247](https://github.com/wazuh/wazuh-dashboard/pull/247)
- Changed build number to match the Wazuh standard [#284](https://github.com/wazuh/wazuh-dashboard/pull/284)
80 changes: 29 additions & 51 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,67 +1,45 @@
## Reporting a Vulnerability
# Wazuh Open Source Project Security Policy

If you discover a potential security issue in this project we ask that you notify OpenSearch Security directly via email to [email protected]. Please do **not** create a public GitHub issue.
Version: 2023-06-12

## Fixing a Vulnerability
## Introduction
This document outlines the Security Policy for Wazuh's open source projects. It emphasizes our commitment to maintain a secure environment for our users and contributors, and reflects our belief in the power of collaboration to identify and resolve security vulnerabilities.

- For direct dependencies (listed explicitly in `package.json`) - After identifying a version of the package that is both compatible with OpenSearch Dashboards and includes a fix for the vulnerability, update the dependency in `package.json` and run `yarn osd bootstrap` to build the project and update the `yarn.lock` file.
## Scope
This policy applies to all open source projects developed, maintained, or hosted by Wazuh.

- For nested dependencies (sub-dependencies)
## Reporting Security Vulnerabilities
If you believe you've discovered a potential security vulnerability in one of our open source projects, we strongly encourage you to report it to us responsibly.

- Check the package range in package.json: Open the `package.json` file and locate the dependency entry for the package you're interested in. The version range is specified after the package name, using a combination of version numbers and symbols. Examples of version ranges are ^1.0.0, ~1.0.0, or >=1.0.0 <2.0.0. Ensure that the desired version falls within the specified range.
Please submit your findings as security advisories under the "Security" tab in the relevant GitHub repository. Alternatively, you may send the details of your findings to [[email protected]](mailto:[email protected]).

- Check the desired version in `yarn.lock`: Open the `yarn.lock` file and search for the package name. If the package is listed, check the version number specified for the package. Compare this version number with the desired version.
## Vulnerability Disclosure Policy
Upon receiving a report of a potential vulnerability, our team will initiate an investigation. If the reported issue is confirmed as a vulnerability, we will take the following steps:

- If the package range is suitable but `yarn.lock` does not include the desired version, edit the `yarn.lock` file and remove the lines corresponding to the package. Then, run `yarn osd bootstrap` to have the latest version of the package, that satisfies the range from `package.json`, added to `yarn.lock`.
1. Acknowledgment: We will acknowledge the receipt of your vulnerability report and begin our investigation.
2. Validation: We will validate the issue and work on reproducing it in our environment.
3. Remediation: We will work on a fix and thoroughly test it
4. Release & Disclosure: After 90 days from the discovery of the vulnerability, or as soon as a fix is ready and thoroughly tested (whichever comes first), we will release a security update for the affected project. We will also publicly disclose the vulnerability by publishing a CVE (Common Vulnerabilities and Exposures) and acknowledging the discovering party.
5. Exceptions: In order to preserve the security of the Wazuh community at large, we might extend the disclosure period to allow users to patch their deployments.

- If the package range is not suitable and there is no resolutions or the package range in the resolutions is not correct, we can add or update version in the resolutions for all the package sub-deps or specific package sub-dep. For more on version updates please see [Why](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this) and [How](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-how-to-use-it) to upgrade.
This 90-day period allows for end-users to update their systems and minimizes the risk of widespread exploitation of the vulnerability.

```
Example: If [email protected] exists for subdeps in yarn.lock file. But [email protected] is the target version.
## Automatic Scanning
We leverage GitHub Actions to perform automated scans of our supply chain. These scans assist us in identifying vulnerabilities and outdated dependencies in a proactive and timely manner.

Step 1: remove the entry from lockfile and bootstrap; if a suitable version was installed, you can stop.
Step 2: use resolutions to require a specific range for the nested dependency in package.json:
'resolutions': { "**/foobar": "^1.y",
"**/foo": "^2.x" ,
"**/bar": "^3.k"}
Step 3: repeat step 1
## Credit
We believe in giving credit where credit is due. If you report a security vulnerability to us, and we determine that it is a valid vulnerability, we will publicly credit you for the discovery when we disclose the vulnerability. If you wish to remain anonymous, please indicate so in your initial report.

```
We do appreciate and encourage feedback from our community, but currently we do not have a bounty program. We might start bounty programs in the future.

Please be aware of that fixing nested dependencies can be tricky. Sometimes, bumping a parent package of the nested dependency can upgrade several of the nested dependencies at once to solve multiple security vulnerabilities and provide a more maintainable code base.
## Compliance with this Policy
We consider the discovery and reporting of security vulnerabilities an important public service. We encourage responsible reporting of any vulnerabilities that may be found in our site or applications.

## Backport a Vulnerability Fix
Furthermore, we will not take legal action against or suspend or terminate access to the site or services of those who discover and report security vulnerabilities in accordance with this policy because of the fact.

To backport a CVE fix to previous versions of OpenSearch Dashboards, add the desired backport labels (e.g., backport 1.x) to the PR. Upon merging the PR, a workflow will attempt to backport it. If this process fails, the PR will be updated with a comment detailing the failure, and you'll need to follow the provided instructions to manually backport the changes in a new PR. Keep in mind that some CVEs may require distinct resolutions for each branch, such as a major version bump in the main branch, a minor version bump in the 2.x branch, and a specific resolution in the 1.x branch. Refer to the following steps for guidance:
We ask that all users and contributors respect this policy and the security of our community's users by disclosing vulnerabilities to us in accordance with this policy.

1. Identify the pull request you want to backport and the target backport version.
2. Create a new local branch from the target version.
3. Cherry-pick the changes from the pull request into the new branch. To do this, you can use the `git cherry-pick` command followed by the hash of the pull request commit. For example: `git cherry-pick 123456`.
4. Resolve any conflicts. This step may require some manual intervention.
5. Run `yarn osd bootstrap` in the root directory. This will update the dependencies, install the latest version of the package that satisfies the range from `package.json`, and add the updated package information to the `yarn.lock` file.
5. Test the changes thoroughly.
6. Push the new branch to the appropriate remote repository.
7. Submit a new pull request to the target version for the backported changes.
## Changes to this Security Policy
This policy may be revised from time to time. Each version of the policy will be identified at the top of the page by its effective date.

```
Example: backport a pull request with hash 123 in main to 1.3

* Fetch the latest changes from upstream repo:
git pull upstream

* Create a new local branch from the target version:
git checkout -b backport-cve upstream/1.3

* Cherry pick the changes:
git cherry-pick 123

* Resolve any conflicts.

* Push to your origin forked repo:
git push -u origin backport-cve

* Submit a new pull request to 1.3.

```

It's worth noting that backporting a pull request can be a complex process and depending on the changes involved, additional steps might be required to resolve conflicts. It's important to carefully review and test the changes to ensure they are compatible with the version of OpenSearch Dashboards in the target branch and that the changes are applied correctly.
If you have any questions about this Security Policy, please contact us at [[email protected]](mailto:[email protected])
4 changes: 2 additions & 2 deletions dev-tools/build-packages/base/generate_base.sh
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@ build() {

# Move installed plugins from categories after generating the package
category_explore='{id:"explore",label:"Explore",order:100,euiIconType:"search"}'
category_dashboard_management='{id:"management",label:"Index management",order:5e3,euiIconType:"managementApp"}'
category_dashboard_management='{id:"management",label:"Indexer management",order:5e3,euiIconType:"managementApp"}'

# Replace app category to Alerting app
sed -i -e "s|category:{id:\"opensearch\",label:\"OpenSearch Plugins\",order:2e3}|category:${category_explore}|" ./plugins/alertingDashboards/target/public/alertingDashboards.plugin.js
Expand All @@ -178,7 +178,7 @@ build() {
# Replace app category to Notifications app
sed -i -e "s|category:DEFAULT_APP_CATEGORIES.management|category:${category_explore}|" ./plugins/notificationsDashboards/target/public/notificationsDashboards.plugin.js

# Replace app category to Index Management app
# Replace app category to Indexer Management app
sed -i -e "s|category:DEFAULT_APP_CATEGORIES.management|category:${category_dashboard_management}|g" ./plugins/indexManagementDashboards/target/public/indexManagementDashboards.plugin.js

# Generate compressed files
Expand Down
2 changes: 1 addition & 1 deletion dev-tools/build-packages/deb/debian/postinst
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ configure)
service wazuh-dashboard restart >/dev/null 2>&1
fi
fi
if [ ! -f "${INSTALLATION_DIR}"/config/opensearch_dashboards.keystore ]; then
if [ ! -f "${CONFIG_DIR}"/opensearch_dashboards.keystore ]; then
runuser "${NAME}" --shell="/bin/bash" --command="${INSTALLATION_DIR}/bin/opensearch-dashboards-keystore create" >/dev/null 2>&1
runuser "${NAME}" --shell="/bin/bash" --command="echo kibanaserver | ${INSTALLATION_DIR}/bin/opensearch-dashboards-keystore add opensearch.username --stdin" >/dev/null 2>&1
runuser "${NAME}" --shell="/bin/bash" --command="echo kibanaserver | ${INSTALLATION_DIR}/bin/opensearch-dashboards-keystore add opensearch.password --stdin" >/dev/null 2>&1
Expand Down
3 changes: 2 additions & 1 deletion dev-tools/build-packages/rpm/wazuh-dashboard.spec
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ fi
setcap 'cap_net_bind_service=+ep' %{INSTALL_DIR}/node/bin/node
setcap 'cap_net_bind_service=+ep' %{INSTALL_DIR}/node/fallback/bin/node

if [ ! -f %{INSTALLATION_DIR}/config/opensearch_dashboards.keystore ]; then
if [ ! -f %{CONFIG_DIR}/opensearch_dashboards.keystore ]; then
runuser %{USER} --shell="/bin/bash" --command="%{INSTALL_DIR}/bin/opensearch-dashboards-keystore create" > /dev/null 2>&1
runuser %{USER} --shell="/bin/bash" --command="echo kibanaserver | %{INSTALL_DIR}/bin/opensearch-dashboards-keystore add opensearch.username --stdin" > /dev/null 2>&1
runuser %{USER} --shell="/bin/bash" --command="echo kibanaserver | %{INSTALL_DIR}/bin/opensearch-dashboards-keystore add opensearch.password --stdin" > /dev/null 2>&1
Expand Down Expand Up @@ -381,6 +381,7 @@ rm -fr %{buildroot}
%attr(640, %{USER}, %{GROUP}) "%{INSTALL_DIR}/src/legacy/ui/ui_render/bootstrap/osd_bundles_loader_source.js"
%attr(640, %{USER}, %{GROUP}) "%{INSTALL_DIR}/src/legacy/ui/ui_render/bootstrap/index.js"
%attr(640, %{USER}, %{GROUP}) "%{INSTALL_DIR}/src/legacy/ui/ui_render/bootstrap/template.js.hbs"
%attr(640, %{USER}, %{GROUP}) "%{INSTALL_DIR}/src/legacy/ui/ui_render/bootstrap/startup.js.hbs"
%attr(640, %{USER}, %{GROUP}) "%{INSTALL_DIR}/src/legacy/ui/ui_render/bootstrap/app_bootstrap.js"
%attr(640, %{USER}, %{GROUP}) "%{INSTALL_DIR}/src/legacy/ui/index.js"
%attr(640, %{USER}, %{GROUP}) "%{INSTALL_DIR}/src/legacy/ui/apm/index.js"
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -506,4 +506,4 @@
"node": ">=14.20.1 <19",
"yarn": "^1.22.10"
}
}
}
Loading
Loading