
Application Security Review Request : Image Suggestions Service
Closed, Resolved (Public)

Authored By: WDoranWMF, Mar 28 2022, 6:53 PM

Description

Project Information

Currently, https://gitlab.wikimedia.org/repos/generated-data-platform/datasets/image-suggestions but will move to Gerrit
Description of the tool/project:
A Go service that supports persistence of Image Suggestions data - both Suggestions and their associated feedback to Cassandra. An Image Suggestion is a mapping between an unillustrated Wiki Article and one or more Images. The Image Suggestion data is based on the output of an algorithm developed by the Structured Data team. A variation of this data was previously reviewed and passed a Privacy review by the Security team.

As part of the next phase of the work, feedback on the quality of Image Suggestions will be collected and persisted to Cassandra; the schema can be seen here:
https://gitlab.wikimedia.org/repos/generated-data-platform/datasets/image-suggestions/-/blob/main/cassandra_schema.cql

Description of how the tool will be used at WMF:
The tool will store Image Suggestions feedback based on feedback submitted by users as part of MVP testing by the Structured Data and Growth teams.

Dependencies

List dependencies, or upstream projects that this project relies on.

  • Go
  • Cassandra

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

No

Working test environment

Please link or describe setup process for setting up a test environment.

Not yet available - we will update the ticket once the docker image is available

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Platform Engineering team

Event Timeline

WDoranWMF renamed this task from Application Security Review Request : Image Suggestions Feedback Service to Application Security Review Request : Image Suggestions Service.Mar 29 2022, 12:12 PM
WDoranWMF updated the task description. (Show Details)

Hey @WDoranWMF - we can likely schedule the review for this quarter upon the qualification that a production-ready codebase has been completed by mid-quarter. I had a couple of quick questions though:

> A Go service that supports persistence of Image Suggestions data

I assume the home for this service is intended to be Wikimedia production and not wmcs or somewhere else?

> Currently, https://gitlab.wikimedia.org/repos/generated-data-platform/datasets/image-suggestions but will move to Gerrit

Back to Gerrit? Is this mainly to leverage pipelinelib for CI/CD since that's still an unanswered question for Gitlab?

Hello @WDoranWMF and @Eevans, I will be in charge of this security review.

For now, I would like to know if you have any estimate as to when you might have a stable branch as close to production-deployable as possible (small changes and features might still be worked upon up until a production deployment) to be reviewed.

Thanks

Hey @Eevans, I just wanted to have confirmation that the main branch is stable and I can work with the most recent commit, and that there shouldn't be any more substantial contributions before deployment.

If this is the case, I can proceed with my review.

Thanks

Yes; The only change pending will be to serve a static (yaml) file -an openapi specification- from the root url (/openapi or similar). Nothing else is planned at this time.

The former is a proof-of-concept (this service will replace it), the latter will (at most) consume from this service; They're out of scope, yes.

mmartorana changed the task status from Open to In Progress.May 10 2022, 2:06 PM
mmartorana triaged this task as Low priority.
mmartorana moved this task from Waiting to In Progress on the secscrum board.

Security Review Summary - T304885 - 2022-06-28
Last commit reviewed: I38128ed804e5e9d1fd05f16aae303ac479b684cb

Summary

Overall, the extension looks pretty good. There are a limited number of findings, and they are easy to fix. A decent number of outdated dependencies have been found, with an overall risk rating of: low.

Vulnerable Packages

| Vulnerability | Package | Notes | Service | Remediation | Risk |
| --- | --- | --- | --- | --- | --- |
| [CVE-2020-26892] CWE-798: Use of Hard-coded Credentials | jwt@v0.3.2 | The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled. | nancy | advisory link | critical |
| [CVE-2020-26892] CWE-798: Use of Hard-coded Credentials | v2@v2.1.2 | The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled. | nancy | advisory link | critical |
| [CVE-2022-24450] CWE-863: Incorrect Authorization | v2@v2.1.2 | NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. | nancy | advisory link | high |
| [CVE-2021-3121] CWE-129: Improper Validation of Array Index | protobuf@v1.3.1 | An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka "skippy peanut butter" issue. | nancy | advisory link | medium |
| [CVE-2022-29153] CWE-918: Server-Side Request Forgery (SSRF) | api@v1.3.0 | HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF. | nancy | advisory link | medium |
| [CVE-2022-29153] CWE-918: Server-Side Request Forgery (SSRF) | sdk@v0.3.0 | HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF. | nancy | advisory link | medium |
| [CVE-2021-3127] CWE-863: Incorrect Authorization | jwt@v0.3.2 | NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled. | nancy | advisory link | medium |
| [CVE-2020-26521] CWE-476: NULL Pointer Dereference | v2@v2.1.2 | The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). | nancy | advisory link | medium |
| [CVE-2020-28466] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') | v2@v2.1.2 | This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. | nancy | advisory link | medium |
| [CVE-2021-3127] CWE-863: Incorrect Authorization | v2@v2.1.2 | NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled. | nancy | advisory link | medium |
| [CVE-2022-29946] Permissions, Privileges, and Access Controls | v2@v2.1.2 | Permissions, Privileges, and Access Controls | nancy | advisory link | medium |
| [CVE-2021-32026] github.com/nats-io/nats-server - Cryptographic Issues | v2@v2.1.2 | github.com/nats-io/nats-server - Cryptographic Issues | nancy | advisory link | low |

Outdated Packages
As reported via go-mod-outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

| Package | Current | Wanted |
| --- | --- | --- |
| bitbucket.org/creachadair/shell | v0.0.6 | v0.0.7 |
| cloud.google.com/go | v0.65.0 | v0.102.0 |
| cloud.google.com/go/bigquery | v1.8.0 | v1.32.0 |
| cloud.google.com/go/datastore | v1.1.0 | v1.6.0 |
| cloud.google.com/go/pubsub | v1.5.0 | v1.22.1 |
| cloud.google.com/go/spanner | v1.7.0 | v1.33.0 |
| cloud.google.com/go/storage | v1.10.0 | v1.22.1 |
| contrib.go.opencensus.io/exporter/stackdriver | v0.13.4 | v0.13.13 |
| dmitri.shuralyov.com/gpu/mtl | v0.0.0-20190408044501-666a987793e9 | v0.0.0-20201218220906-28db891af037 |
| github.com/BurntSushi/toml | v0.3.1 | v1.1.0 |
| github.com/BurntSushi/xgb | v0.0.0-20160522181843-27f122750802 | v0.0.0-20210121224620-deaf085860bc |
| github.com/Masterminds/goutils | v1.1.0 | v1.1.1 |
| github.com/Shopify/sarama | v1.19.0 | v1.34.0 |
| github.com/alecthomas/units | v0.0.0-20190924025748-f65c72e2690d | v0.0.0-20211218093645-b94a6e3cc137 |
| github.com/antihax/optional | v0.0.0-20180407024304-ca021399b1a6 | v1.0.0 |
| github.com/aokoli/goutils | v1.0.1 | v1.1.1 |
| github.com/apache/thrift | v0.13.0 | v0.16.0 |
| github.com/armon/circbuf | v0.0.0-20150827004946-bbbad097214e | v0.0.0-20190214190532-5111143e8da2 |
| github.com/armon/go-metrics | v0.0.0-20180917152333-f0300d1749da | v0.4.0 |
| github.com/armon/go-radix | v0.0.0-20180808171621-7fddfc383310 | v1.0.0 |
| github.com/aryann/difflib | v0.0.0-20170710044230-e206f873d14a | v0.0.0-20210328193216-ff5ff6dc229b |
| github.com/aws/aws-lambda-go | v1.13.3 | v1.32.0 |
| github.com/aws/aws-sdk-go | v1.36.30 | v1.44.27 |
| github.com/aws/aws-sdk-go-v2 | v0.18.0 | v1.16.4 |
| github.com/bitly/go-hostpool | v0.0.0-20171023180738-a3a6125de932 | v0.1.0 |
| github.com/casbin/casbin/v2 | v2.1.2 | v2.47.1 |
| github.com/census-instrumentation/opencensus-proto | v0.2.1 | v0.3.0 |
| github.com/chzyer/logex | v1.1.10 | v1.2.1 |
| github.com/chzyer/readline | v0.0.0-20180603132655-2972be24d48e | v1.5.0 |
| github.com/chzyer/test | v0.0.0-20180213035817-a1ea475d72b1 | v1.0.0 |
| github.com/cncf/udpa/go | v0.0.0-20191209042840-269d4d468f6f | v0.0.0-20220112060539-c52dc94e7fbe |
| github.com/cockroachdb/datadriven | v0.0.0-20190809214429-80d97fb3cbaa | v1.0.1 |
| github.com/codahale/hdrhistogram | v0.0.0-20161010025455-3a0bb77429bd | v1.1.2 |
| github.com/coreos/etcd | v3.3.10+incompatible | v3.3.27+incompatible |
| github.com/coreos/go-systemd | v0.0.0-20190620071333-e64a0ec8b42a | v0.0.0-20191104093116-d3cd4ed1dbcf |
| github.com/cpuguy83/go-md2man/v2 | v2.0.0 | v2.0.2 |
| github.com/creack/pty | v1.1.7 | v1.1.18 |
| github.com/eapache/go-resiliency | v1.1.0 | v1.2.0 |
| github.com/edsrzf/mmap-go | v1.0.0 | v1.1.0 |
| github.com/envoyproxy/go-control-plane | v0.9.4 | v0.10.1 |
| github.com/envoyproxy/protoc-gen-validate | v0.1.0 | v0.6.7 |
| github.com/fatih/color | v1.10.0 | v1.13.0 |
| github.com/franela/goblin | v0.0.0-20200105215937-c9ffbefa60db | v0.0.0-20211003143422-0a4f594942bf |
| github.com/fsnotify/fsnotify | v1.4.9 | v1.5.4 |
| github.com/fullstorydev/grpcurl | v1.6.0 | v1.8.6 |
| github.com/go-gl/glfw | v0.0.0-20190409004039-e6da0acd62b1 | v0.0.0-20220516021902-eb3e265c7661 |
| github.com/go-gl/glfw/v3.3/glfw | v0.0.0-20200222043503-6f7a984d4dc4 | v0.0.0-20220516021902-eb3e265c7661 |
| github.com/go-kit/kit | v0.10.0 | v0.12.0 |
| github.com/go-kit/log | v0.2.0 | v0.2.1 |
| github.com/go-redis/redis | v6.15.8+incompatible | v6.15.9+incompatible |
| github.com/go-sql-driver/mysql | v1.5.0 | v1.6.0 |
| github.com/go-stack/stack | v1.8.0 | v1.8.1 |
| github.com/gocql/gocql | v1.0.0 | v1.1.0 |
| github.com/gogo/googleapis | v1.1.0 | v1.4.1 |
| github.com/gogo/protobuf | v1.3.1 | v1.3.2 |
| github.com/golang/glog | v0.0.0-20160126235308-23def4e6c14b | v1.0.0 |
| github.com/golang/groupcache | v0.0.0-20200121045136-8c9f03a8e57e | v0.0.0-20210331224755-41bb18bfe9da |
| github.com/golang/mock | v1.4.4 | v1.6.0 |
| github.com/google/btree | v1.0.0 | v1.0.1 |
| github.com/google/certificate-transparency-go | v1.1.1 | v1.1.3 |
| github.com/google/go-cmp | v0.5.5 | v0.5.8 |
| github.com/google/gofuzz | v1.0.0 | v1.2.0 |
| github.com/google/martian/v3 | v3.0.0 | v3.3.2 |
| github.com/google/pprof | v0.0.0-20210407192527-94a9f03dee38 | v0.0.0-20220520215854-d04f2422c8a1 |
| github.com/google/renameio | v0.1.0 | v1.0.1 |
| github.com/google/trillian | v1.3.11 | v1.4.1 |
| github.com/googleapis/gax-go/v2 | v2.0.5 | v2.4.0 |
| github.com/gopherjs/gopherjs | v0.0.0-20181017120253-0766667cb4d1 | v1.17.2 |
| github.com/gordonklaus/ineffassign | v0.0.0-20200309095847-7953dde2c7bf | v0.0.0-20210914165742-4cc7213b9bc8 |
| github.com/gorilla/websocket | v1.4.1 | v1.5.0 |
| github.com/grpc-ecosystem/go-grpc-middleware | v1.2.2 | v1.3.0 |
| github.com/grpc-ecosystem/grpc-gateway | v1.12.1 | v1.16.0 |
| github.com/hashicorp/consul/api | v1.3.0 | v1.13.0 |
| github.com/hashicorp/consul/sdk | v0.3.0 | v0.9.0 |
| github.com/hashicorp/errwrap | v1.0.0 | v1.1.0 |
| github.com/hashicorp/go-cleanhttp | v0.5.1 | v0.5.2 |
| github.com/hashicorp/go-immutable-radix | v1.0.0 | v1.3.1 |
| github.com/hashicorp/go-msgpack | v0.5.3 | v1.1.5 |
| github.com/hashicorp/go-multierror | v1.0.0 | v1.1.1 |
| github.com/hashicorp/go-rootcerts | v1.0.0 | v1.0.2 |
| github.com/hashicorp/go-sockaddr | v1.0.0 | v1.0.2 |
| github.com/hashicorp/go-uuid | v1.0.1 | v1.0.3 |
| github.com/hashicorp/go-version | v1.2.0 | v1.5.0 |
| github.com/hashicorp/mdns | v1.0.0 | v1.0.5 |
| github.com/hashicorp/memberlist | v0.1.3 | v0.3.1 |
| github.com/hashicorp/serf | v0.8.2 | v0.9.8 |
| github.com/huandu/xstrings | v1.2.0 | v1.3.2 |
| github.com/hudl/fargo | v1.3.0 | v1.4.0 |
| github.com/ianlancetaylor/demangle | v0.0.0-20200824232613-28f6c0f3b639 | v0.0.0-20220517205856-0058ec4f073c |
| github.com/imdario/mergo | v0.3.8 | v0.3.13 |
| github.com/influxdata/influxdb1-client | v0.0.0-20191209144304-8bf82d3c094d | v0.0.0-20220302092344-a9ab5670611c |
| github.com/jhump/protoreflect | v1.6.1 | v1.12.0 |
| github.com/jonboulle/clockwork | v0.2.0 | v0.3.0 |
| github.com/jstemmer/go-junit-report | v0.9.1 | v1.0.0 |
| github.com/kisielk/errcheck | v1.2.0 | v1.6.1 |
| github.com/kr/logfmt | v0.0.0-20140226030751-b84e30acd515 | v0.0.0-20210122060352-19f9bcb100e6 |
| github.com/kr/pretty | v0.1.0 | v0.3.0 |
| github.com/kr/pty | v1.1.1 | v1.1.8 |
| github.com/kr/text | v0.1.0 | v0.2.0 |
| github.com/lib/pq | v1.10.4 | v1.10.6 |
| github.com/lightstep/lightstep-tracer-common/golang/gogo | v0.0.0-20190605223551-bc2310a04743 | v0.0.0-20210210170715-a8dfcb80d3a7 |
| github.com/lightstep/lightstep-tracer-go | v0.18.1 | v0.25.0 |
| github.com/lyft/protoc-gen-validate | v0.0.13 | v0.6.7 |
| github.com/magiconair/properties | v1.8.0 | v1.8.6 |
| github.com/mattn/go-colorable | v0.1.8 | v0.1.12 |
| github.com/mattn/go-isatty | v0.0.12 | v0.0.14 |
| github.com/miekg/dns | v1.1.35 | v1.1.49 |
| github.com/miekg/pkcs11 | v1.0.3 | v1.1.1 |
| github.com/mitchellh/cli | v1.0.0 | v1.1.4 |
| github.com/mitchellh/copystructure | v1.0.0 | v1.2.0 |
| github.com/mitchellh/go-testing-interface | v1.0.0 | v1.14.1 |
| github.com/mitchellh/gox | v0.4.0 | v1.0.1 |
| github.com/mitchellh/mapstructure | v1.1.2 | v1.5.0 |
| github.com/mitchellh/reflectwalk | v1.0.1 | v1.0.2 |
| github.com/mozilla/scribe | v0.0.0-20180711195314-fb71baf557c1 | v0.0.0-20220110210141-3fd4271eb395 |
| github.com/mwitkow/go-proto-validators | v0.2.0 | v0.3.2 |
| github.com/nats-io/jwt | v0.3.2 | v1.2.2 |
| github.com/nats-io/nats-server/v2 | v2.1.2 | v2.8.4 |
| github.com/nats-io/nats.go | v1.9.1 | v1.16.0 |
| github.com/nats-io/nkeys | v0.1.3 | v0.3.0 |
| github.com/nishanths/predeclared | v0.0.0-20190419143655-18a43bb90ffc | v0.2.2 |
| github.com/oklog/run | v1.0.0 | v1.1.0 |
| github.com/onsi/ginkgo | v1.16.4 | v1.16.5 |
| github.com/onsi/ginkgo/v2 | v2.1.3 | v2.1.4 |
| github.com/onsi/gomega | v1.18.1 | v1.19.0 |
| github.com/opentracing/basictracer-go | v1.0.0 | v1.1.0 |
| github.com/opentracing/opentracing-go | v1.1.0 | v1.2.0 |
| github.com/openzipkin/zipkin-go | v0.2.2 | v0.4.0 |
| github.com/pact-foundation/pact-go | v1.0.4 | v1.6.9 |
| github.com/pascaldekloe/goe | v0.0.0-20180627143212-57f6aae5913c | v0.1.0 |
| github.com/pborman/uuid | v1.2.0 | v1.2.1 |
| github.com/pelletier/go-toml | v1.2.0 | v1.9.5 |
| github.com/pierrec/lz4 | v2.0.5+incompatible | v2.6.1+incompatible |
| github.com/pkg/profile | v1.2.1 | v1.6.0 |
| github.com/posener/complete | v1.1.1 | v1.2.3 |
| github.com/prometheus/client_golang | v1.12.1 | v1.12.2 |
| github.com/prometheus/common | v0.33.0 | v0.34.0 |
| github.com/pseudomuto/protoc-gen-doc | v1.3.2 | v1.5.1 |
| github.com/pseudomuto/protokit | v0.2.0 | v0.2.1 |
| github.com/rcrowley/go-metrics | v0.0.0-20181016184325-3113b8401b8a | v0.0.0-20201227073835-cf1acfcdf475 |
| github.com/rogpeppe/go-internal | v1.3.0 | v1.8.1 |
| github.com/rs/cors | v1.7.0 | v1.8.2 |
| github.com/russross/blackfriday | v1.5.2 | v1.6.0 |
| github.com/russross/blackfriday/v2 | v2.0.1 | v2.1.0 |
| github.com/ryanuber/columnize | v0.0.0-20160712163229-9b3edd62028f | v2.1.2+incompatible |
| github.com/samuel/go-zookeeper | v0.0.0-20190923202752-2cc03de413da | v0.0.0-20201211165307-7117e9ea2414 |
| github.com/sergi/go-diff | v1.1.0 | v1.2.0 |
| github.com/sirupsen/logrus | v1.7.0 | v1.8.1 |
| github.com/smartystreets/assertions | v0.0.0-20180927180507-b2de0cb4f26d | v1.13.0 |
| github.com/smartystreets/goconvey | v1.6.4 | v1.7.2 |
| github.com/soheilhy/cmux | v0.1.4 | v0.1.5 |
| github.com/sony/gobreaker | v0.4.1 | v0.5.0 |
| github.com/spf13/afero | v1.1.2 | v1.8.2 |
| github.com/spf13/cast | v1.3.0 | v1.5.0 |
| github.com/spf13/cobra | v0.0.5 | v1.4.0 |
| github.com/spf13/jwalterweatherman | v1.0.0 | v1.1.0 |
| github.com/spf13/viper | v1.3.2 | v1.12.0 |
| github.com/streadway/amqp | v0.0.0-20190827072141-edfb9018d271 | v1.0.0 |
| github.com/streadway/handy | v0.0.0-20190108123426-d5acb3125c2a | v0.0.0-20200128134331-0f66f006fb2e |
| github.com/stretchr/objx | v0.1.1 | v0.4.0 |
| github.com/tmc/grpc-websocket-proxy | v0.0.0-20200427203606-3cfed13b9966 | v0.0.0-20220101234140-673ab2c3ae75 |
| github.com/ugorji/go/codec | v0.0.0-20181204163529-d75b2dcb6bc8 | v1.2.7 |
| github.com/urfave/cli | v1.22.1 | v1.22.9 |
| github.com/yuin/goldmark | v1.4.1 | v1.4.12 |
| gitlab.wikimedia.org/repos/generated-data-platform/cassandra-http-gateway | v0.0.0-20220406012109-9b74748f0478 | v0.0.0-20220413203947-b7f91ef2e161 |
| go.etcd.io/bbolt | v1.3.4 | v1.3.6 |
| go.etcd.io/etcd | v0.0.0-20200513171258-e048e166ab9c | v3.3.27+incompatible |
| go.opencensus.io | v0.22.4 | v0.23.0 |
| go.uber.org/atomic | v1.5.0 | v1.9.0 |
| go.uber.org/multierr | v1.4.0 | v1.8.0 |
| go.uber.org/zap | v1.13.0 | v1.21.0 |
| golang.org/x/crypto | v0.0.0-20220313003712-b769efc7c000 | v0.0.0-20220525230936-793ad666bf5e |
| golang.org/x/exp | v0.0.0-20200331195152-e8c3332aa8e5 | v0.0.0-20220602145555-4a0574d9293f |
| golang.org/x/image | v0.0.0-20190802002840-cff245a6509b | v0.0.0-20220601225756-64ec528b34cd |
| golang.org/x/mobile | v0.0.0-20190719004257-d2bd2a29d028 | v0.0.0-20220518205345-8578da9835fd |
| golang.org/x/net | v0.0.0-20220225172249-27dd8689420f | v0.0.0-20220531201128-c960675eff93 |
| golang.org/x/oauth2 | v0.0.0-20220223155221-ee480838109b | v0.0.0-20220524215830-622c5d57e401 |
| golang.org/x/sync | v0.0.0-20210220032951-036812b2e83c | v0.0.0-20220601150217-0de741cfad7f |
| golang.org/x/term | v0.0.0-20210927222741-03fcf44c2211 | v0.0.0-20220526004731-065cf7ba2467 |
| golang.org/x/time | v0.0.0-20200416051211-89c76fbcd5d1 | v0.0.0-20220411224347-583f2d630306 |
| google.golang.org/api | v0.30.0 | v0.82.0 |
| google.golang.org/appengine | v1.6.6 | v1.6.7 |
| google.golang.org/genproto | v0.0.0-20200825200019-8632dd797987 | v0.0.0-20220602131408-e326c6e8e9c8 |
| google.golang.org/grpc | v1.31.0 | v1.47.0 |
| gopkg.in/check.v1 | v1.0.0-20190902080502-41f04d3bba15 | v1.0.0-20201130134442-10cb98267c6c |
| gopkg.in/yaml.v3 | v3.0.0-20200313102051-9f266ea9e77c | v3.0.1 |
| honnef.co/go/tools | v0.0.1-2020.1.4 | v0.3.2 |
| rsc.io/sampler | v1.3.0 | v1.99.99 |
| sigs.k8s.io/yaml | v1.1.0 | v1.3.0 |
| sourcegraph.com/sourcegraph/appdash | v0.0.0-20190731080439-ebfcffb1b5c0 | v0.0.0-20211028080628-e2786a622600 |

Static Analysis Findings
snyk returned no results. low risk
gosec generated results. medium

semgrep was run with the following rule sets:

  1. p/ci: This policy returned no results. low risk
  2. p/insecure-transport: This policy returned no results. low risk
  3. p/jwt: This policy returned no results. low risk
  4. p/secrets: This policy returned no results. low risk
  5. p/r2c: This policy returned no results. low risk
  6. p/supply-chain: This policy returned no results. low risk

The following semgrep policies all generated results, which I've included as supplemental files at the end of this review.

  1. p/golang-correctness
  2. p/golang
  3. p/owasp
  4. p/security-audit
  5. p/xss

The general summary of the above tools and policy results is:

  1. ioutil.ReadFile is deprecated. (CWE-22: Potential file inclusion via variable) medium
  2. Detected directly writing in http.ResponseWriter.write(). This bypasses HTML escaping that prevents XSS vulnerabilities. Instead, use the 'html/template' package and render data using template.Execute(). medium
  3. Use net.JoinHostPort instead of fmt.Sprintf(config.Address, config.Port). low risk
  4. Found an HTTP server without TLS. Is it possible to use http.ListenAndServeTLS instead? low risk
  5. Errors unhandled in main.go:152. low risk
  6. Errors unhandled in openapi.go:75. low risk
  7. Errors unhandled in healthz.go:60. low risk
  8. Errors unhandled in healthz.go:57. low risk

Supplemental Materials
Please see attached:

  1. {F35284622}
  2. {F35284630}
  3. {F35284629}
  4. {F35284628}
  5. {F35284627}
mmartorana raised the priority of this task from Low to Medium.
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.
sbassett moved this task from Our Part Is Done to Waiting on the secscrum board.

Hi @WDoranWMF and @Eevans - even though we rated the reviews as low risk, do you have any actual plans to address the security issues and vulnerable dependencies?

Hi @mmartorana,

First off: Many thanks for the review, it is appreciated!

With a couple of exceptions, the outdated modules listed are all transitive dependencies of third-party libraries. Fixing them will require us to engage with those third-party maintainers to update their code, and release new versions.

Most of the semgrep feedback seems reasonable and straightforward. One exception is (2), which comes from cassandra-http-gateway where it returns JSON serialized results from the database verbatim. It's done this way to keep the data model opaque to the framework, and if it were to ever return anything other than well formed JSON query results, it'd be a bug in Cassandra and not a code error here.

Regarding (4), TLS could be added but (thus far) the service is only accessible to internal clients, access is unauthenticated, and it only exposes otherwise public data. Consensus seemed to be that TLS didn't provide any benefits here, and would only make it more difficult to access. A valid counter-argument of course would be that if any of the above were to change in the future (even inadvertently) then we could create unintended exposure.

So: I propose to follow this up with a) an upgrade of the direct dependencies, and b) to address the semgrep output. The rest I will defer to @WDoranWMF to schedule/prioritize as necessary (both the coordination with upstream maintainers, and/or revisiting whether to run TLS).

/cc @mark
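The counter-argument in the previous comment (plain HTTP is fine only while the service stays internal, and an inadvertent change could create exposure) can be turned into a startup check. The following is an added example in Go, not the service's own code: the bind policy, the `newServer`/`serve` helpers and the `10.64.0.5` default address are assumptions for illustration. It refuses to serve cleartext on an unspecified or public address, so the "internal only" premise is enforced rather than remembered.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net"
	"net/http"
	"time"
)

// bindPolicy: plain HTTP is tolerated only when the listener can be reached
// solely from inside the network, i.e. the bind host is a loopback or private
// (RFC 1918 / ULA) address. Binding to an unspecified address (0.0.0.0, ::),
// a public address, or a hostname without TLS is refused, so a later change to
// how the service is exposed fails loudly instead of silently serving cleartext.
func bindPolicy(host string, tlsConfigured bool) error {
	if tlsConfigured {
		return nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("bind host %q is not an IP literal; refusing plain HTTP", host)
	}
	if ip.IsLoopback() || ip.IsPrivate() {
		return nil
	}
	return fmt.Errorf("refusing to serve plain HTTP on %s: not a loopback or private address", ip)
}

// newServer builds the http.Server. When certFile and keyFile are both set the
// server is configured for TLS 1.2 or newer; certificate loading is left to
// ListenAndServeTLS. The returned bool tells the caller which Serve variant
// to run. ReadHeaderTimeout is set because a bare ListenAndServe has none.
func newServer(host string, port int, h http.Handler, certFile, keyFile string) (*http.Server, bool, error) {
	useTLS := certFile != "" && keyFile != ""
	if err := bindPolicy(host, useTLS); err != nil {
		return nil, false, err
	}
	srv := &http.Server{
		Addr:              net.JoinHostPort(host, fmt.Sprint(port)),
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,
	}
	if useTLS {
		srv.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
	}
	return srv, useTLS, nil
}

// serve runs the server in whichever mode newServer selected.
func serve(host string, port int, h http.Handler, certFile, keyFile string) error {
	srv, useTLS, err := newServer(host, port, h, certFile, keyFile)
	if err != nil {
		return err
	}
	if useTLS {
		log.Printf("listening with TLS on %s", srv.Addr)
		return srv.ListenAndServeTLS(certFile, keyFile)
	}
	log.Printf("listening without TLS on %s (internal-only address)", srv.Addr)
	return srv.ListenAndServe()
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		if _, err := fmt.Fprintln(w, "ok"); err != nil {
			log.Printf("healthz: write failed: %v", err)
		}
	})
	// Hypothetical defaults: a private cluster address and no certificate,
	// i.e. the configuration described in the thread. Supplying both file
	// names switches the same binary to TLS; supplying 0.0.0.0 without them
	// makes startup fail.
	log.Fatal(serve("10.64.0.5", 8080, mux, "", ""))
}
```

The check is deliberately coarse: it keys on the bind address, not on who can actually route to it, so a private address behind a public ingress still needs TLS to be decided by the people deploying it. What it buys is that the cheap mistake, flipping the listener to `0.0.0.0` while the TLS question is still open, cannot go unnoticed.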

Change 811783 had a related patch set uploaded (by Eevans; author: Eevans):

[generated-data-platform/datasets/image-suggestions@main] Security review

https://gerrit.wikimedia.org/r/811783

Change 811783 merged by jenkins-bot:

[generated-data-platform/datasets/image-suggestions@main] Security review

https://gerrit.wikimedia.org/r/811783

All that remains is for this to be deployed, @hnowlan is this something you can help with (there is no hurry)? I tagged this 1.0.0 so you can deploy as docker-registry.wikimedia.org/wikimedia/generated-data-platform-datasets-image-suggestions:1.0.0.

Change 813242 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/deployment-charts@master] image-suggestion: Bump to latest version

https://gerrit.wikimedia.org/r/813242

Change 813242 merged by jenkins-bot:

[operations/deployment-charts@master] image-suggestion: Bump to latest version

https://gerrit.wikimedia.org/r/813242

Version 1.0.0 has been deployed across all clusters.

Since there are no longer vulnerable packages, outdated modules are significantly reduced, and the main SAST issues are fixed; I am considering this review completed.

Feel free to comment if you have further questions.