Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CP V6 - Bug 11537: fix access to collect and management contract #1400

Merged
merged 1 commit into from
Jul 3, 2023
Merged

CP V6 - Bug 11537: fix access to collect and management contract #1400

merged 1 commit into from
Jul 3, 2023

Conversation

mohatizaoui
Copy link
Contributor

Description

Description des modifications

Type de changement:

Indiquer le ou les types de changements

  • Build

  • PKI

  • Ansiblerie

  • Nouveau Code

  • Correction

  • Refactorisation de code

  • Autre

Documentation:

Indiquer la documentation mise à jour

[ ] Quels sont les nouvelles documentations ?

[ ] Quels sont les modifications existantes ?

[ ] Quels sont les documentations ou sections de documentations supprimés ?

Tests:

Indiquer comment le code à été testé (manuel, environnement, TU, etc)

manuel

environnement

TU

Migration:

Indiquer si les modifications apportées impliquent une migration sur l'existant et comment la faire

Checklist:

Sélectionner les éléments de la checklist

[ ] Mon code suit le style de code de ce projet.

[ ] J'ai commenté mon code, en particulier dans les classes et les méthodes difficile à comprendre.

[ ] J'ai fait les changements correspondant dans la documentation RAML.

[ ] J'ai fait les changements correspondant dans la documentation Métier.

[ ] J'ai fait les changements correspondant dans la documentation Technique.

[ ] J'ai rajouté les tests unitaires vérifiant mes fonctionnalités.

[ ] J'ai rajouté les tests de non régression vérifiant mes fonctionnalités.

[ ] Les tests unitaires nouveaux et existants passent avec succès localement.

[ ] Toutes les dépendances ont été mergées en priorité

Contributeur

Indiquer qui a développé cette fonctionnalité

VAS (Vitam Accessible en Service)

CEA (Commissariat à l'énergie atomique et aux énergies alternatives)

@mohatizaoui mohatizaoui added bug Something isn't working small pr embarquant peu de changements et à review rapide, ne nécessitant qu'un reviewer VAS VAS contribution labels Jun 30, 2023
@mohatizaoui mohatizaoui changed the title Bug/vas 11537 fix fix access to collect and contract management v6 CP6 Bug/vas 11537 fix fix access to collect and contract management v6 Jun 30, 2023
@mohatizaoui mohatizaoui changed the base branch from develop to master_6.x June 30, 2023 15:28
@mohatizaoui mohatizaoui force-pushed the bug/vas-11537-fix-fix-access-to-collect-and-contract-management-v6 branch 2 times, most recently from 6e21290 to 6b4387c Compare June 30, 2023 15:53
@TDevillechabrolle
Copy link
Contributor

Logo
Checkmarx One – Scan Summary & Details3655d842-78e9-48bc-bec7-ffdf20f3b454

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM CVE-2022-25883 Npm-semver-7.5.3 Vulnerable Package
MEDIUM CVE-2022-25883 Npm-semver-7.3.2 Vulnerable Package
MEDIUM CVE-2022-25883 Npm-semver-6.3.0 Vulnerable Package
MEDIUM CVE-2022-25883 Npm-semver-5.7.1 Vulnerable Package
MEDIUM CVE-2022-25883 Npm-semver-5.3.0 Vulnerable Package
MEDIUM Cxf0b588a3-5c6f Npm-jquery-2.2.4 Vulnerable Package
MEDIUM Unchecked_Input_for_Loop_Condition /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 322 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 322 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 181 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 322 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 277 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 228 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 239 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 311 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 277 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 228 Attack Vector
LOW Log_Forging /ui/ui-archive-search/src/main/java/fr/gouv/vitamui/archives/search/rest/ArchivesSearchController.java: 311 Attack Vector
LOW Log_Forging /api/api-archive-search/archive-search-internal/src/main/java/fr/gouv/vitamui/archive/internal/server/rest/ArchiveSearchInternalController.java: 238 Attack Vector
LOW Log_Forging /api/api-archive-search/archive-search-internal/src/main/java/fr/gouv/vitamui/archive/internal/server/rest/ArchiveSearchInternalController.java: 225 Attack Vector
LOW Log_Forging /api/api-archive-search/archive-search-internal/src/main/java/fr/gouv/vitamui/archive/internal/server/rest/ArchiveSearchInternalController.java: 249 Attack Vector
LOW Log_Forging /api/api-archive-search/archive-search-internal/src/main/java/fr/gouv/vitamui/archive/internal/server/rest/ArchiveSearchInternalController.java: 213 Attack Vector

Fixed Issues

Severity Issue Source File / Package Checkmarx Insight
HIGH Reflected_XSS_All_Clients /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
HIGH Reflected_XSS_All_Clients /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
HIGH Reflected_XSS_All_Clients /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
HIGH Reflected_XSS_All_Clients /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
HIGH Reflected_XSS_All_Clients /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
HIGH Reflected_XSS_All_Clients /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
HIGH Reflected_XSS_All_Clients /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
HIGH Reflected_XSS_All_Clients /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM Cleartext_Submission_of_Sensitive_Information /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Cleartext_Submission_of_Sensitive_Information /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Cleartext_Submission_of_Sensitive_Information /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Cleartext_Submission_of_Sensitive_Information /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Cleartext_Submission_of_Sensitive_Information /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Cleartext_Submission_of_Sensitive_Information /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 110 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 110 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 115 Attack Vector
MEDIUM SSRF /commons/commons-rest/src/main/java/fr/gouv/vitamui/commons/rest/client/ExternalHttpContext.java: 116 Attack Vector
MEDIUM SSRF

More results are available on AST platform

@GiooDev GiooDev changed the title CP6 Bug/vas 11537 fix fix access to collect and contract management v6 CP V6 - Bug 11537: fix access to collect and management contract Jul 3, 2023
@GiooDev GiooDev added this to the IT 121 milestone Jul 3, 2023
@mohatizaoui mohatizaoui force-pushed the bug/vas-11537-fix-fix-access-to-collect-and-contract-management-v6 branch from 6b4387c to 6403b27 Compare July 3, 2023 09:15
@GiooDev GiooDev added the OPS REVIEW Mandatory if deployment/ directory is modified. label Jul 3, 2023
GiooDev
GiooDev reviewed Jul 3, 2023
View reviewed changes
deployment/scripts/mongod/v6.0/24_update_hasTenantList_application_COLLECT_APP.js.j2 Outdated
@@ -0,0 +1,13 @@
db = db.getSiblingDB('iam')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Déplacer ce script sous le répertoire 6.rc.0 pour CP 6RC.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pour moi il faut qu'on garde ce script dans le dossier 6.0 car imaginons quelqu'un est déjà sur 6.rc et veux switcher directement vers la 6.0

pour moi cette pr est ok on le merge

par contre dans la pr de 6.rc on ajoute ce script dans le dossier 6.rc

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Même si tu installes une 6.0, les scripts du répertoire 6.rc seront joués. Il faut mettre ce script dans le répertoire où la fonctionnalité a été ajoutée afin de pouvoir corriger jusqu'à la branche cible et ainsi éviter les dérives entre les branches de maintenance.

@GiooDev GiooDev force-pushed the bug/vas-11537-fix-fix-access-to-collect-and-contract-management-v6 branch from 6403b27 to b39143f Compare July 3, 2023 16:23
@GiooDev GiooDev merged commit ca50a44 into master_6.x Jul 3, 2023
@GiooDev GiooDev deleted the bug/vas-11537-fix-fix-access-to-collect-and-contract-management-v6 branch July 3, 2023 17:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GiooDev GiooDev GiooDev approved these changes

@abdelmoez-guetat abdelmoez-guetat abdelmoez-guetat approved these changes

@laedanrex laedanrex laedanrex approved these changes

Assignees
No one assigned
Labels
bug Something isn't working OPS REVIEW Mandatory if deployment/ directory is modified. small pr embarquant peu de changements et à review rapide, ne nécessitant qu'un reviewer VAS VAS contribution
Projects
None yet
Milestone
IT 121
Development

Successfully merging this pull request may close these issues.
5 participants
@mohatizaoui @TDevillechabrolle @abdelmoez-guetat @GiooDev @laedanrex