suculent · suculent · Nov 8, 2023 · Jan 16, 2023 · Jan 16, 2023 · Jan 16, 2023
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -10,7 +10,7 @@ jobs:
     executor: docker/docker
     steps:
       - setup_remote_docker:
-          version: 20.10.12
+          version: 20.10.18
       - checkout
       - docker/check
       - run:
@@ -33,7 +33,7 @@ jobs:
     executor: docker/docker
     steps:
       - setup_remote_docker:
-          version: 20.10.12
+          version: 20.10.18
       - checkout
       - run:
           name: Fetch all dependencies (esp. console)
@@ -75,7 +75,7 @@ jobs:
     executor: docker/docker
     steps:
       - setup_remote_docker:
-          version: 20.10.12
+          version: 20.10.18
       - checkout
       - run:
           name: Fetch all dependencies (esp. console)
@@ -111,7 +111,7 @@ jobs:
     executor: docker/docker
     steps:
       - setup_remote_docker:
-          version: 20.10.12
+          version: 20.10.18
       - checkout
       - run:
           name: Clean package-lock
@@ -175,7 +175,7 @@ jobs:
           docker compose version
 
     - setup_remote_docker:
-        version: 20.10.12
+        version: 20.10.18
 
     - checkout
 
@@ -212,7 +212,7 @@ jobs:
         command: |
             mkdir -p /mnt/data/
             mkdir -p /mnt/data && cp -R ./conf /mnt/data
-            mkdir -p /mnt/data/ssh_keys
+            mkdir -p /mnt/data/ssh_keys && cp -R ./spec/mnt/data/ssh_keys /mnt/data
             mkdir -p /mnt/data/mosquitto/auth
             mkdir -p /mnt/data/mosquitto/config
             mkdir -p /mnt/data/mosquitto/data
@@ -316,16 +316,17 @@ jobs:
           docker compose logs couchdb
 
     - run:
-        name: Starting API Test
+        name: Running Unit and Integration Tests 
         command: |
           export ENVIRONMENT=test
+          pwd
           docker compose up --build api | tee -ia ./test.log
-          if [ ! $(cat ./test.log | grep "specs, 0 failures") ]; then 
+          echo "Docker test complete."
+          if [[ ! $(grep "specs, 0 failures" ./test.log) ]]; then 
             echo "» TEST failed. Should not deploy this commit."
-            cat ./test.log | grep "Failures:"
+            grep "Failures:" ./test.log
             exit 1
           fi
-          date
 
     - run:
         name: Allow inspecting MQTT logs
@@ -372,7 +373,7 @@ jobs:
     executor: docker/docker
     steps:
       - setup_remote_docker:
-          version: 20.10.12
+          version: 20.10.18
       - checkout
       - docker/check
       - run:
@@ -426,15 +427,15 @@ workflows:
                 - main
                 - master
 
-      # - build-console-classic:
-      #     context:
-      #       - thinx-docker-repo
-      #       - console
-      #     filters:
-      #       branches:
-      #         only:
-      #           - thinx-staging
-      #           - master
+      - build-console-classic:
+          context:
+            - thinx-docker-repo
+            - console
+          filters:
+            branches:
+              only:
+                - thinx-staging
+                - master
 
       # - build-console-cloud:
       #     context:

diff --git a/.coveralls.yml b/.coveralls.yml
@@ -1,2 +1 @@
 repo_token: nJpg2RHfxQRyMMmHAYmGTUyWa3B7L76ty
-
diff --git a/.dockerignore b/.dockerignore
@@ -1,13 +1,6 @@
-clair*
 .git
-node_modules/
+**/node_modules/
 package-lock.json
-tools/arduino-docker-build
-tools/platformio-docker-build
-tools/micropython-docker-build
-tools/mongoose-docker-build
-tools/nodemcu-docker-build
-tools/nodemcu-firmware
-tools/lua-inspect
-
-conf/
+tools/
+conf/
+clair*
diff --git a/.env.dist b/.env.dist
@@ -59,6 +59,9 @@ WORKER_SECRET=twilight_zone
 
 # Slack Bot Notifications
 # SLACK_BOT_TOKEN=
+# SLACK_CLIENT_ID=
+# SLACK_CLIENT_SECRET=
+# SLACK_WEBHOOK=
 
 # Mailgun API Key
 # MAILGUN_API_KEY=
diff --git a/.github/workflows/checkmarx.ym_ b/.github/workflows/checkmarx.ym_
@@ -0,0 +1,34 @@
+name: "Checkmarx"
+
+on:
+  push:
+    branches: [master, thinx-staging, main]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master, thinx-staging, main]
+  schedule:
+    - cron: '0 18 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['javascript']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkmarx AST Github Action
+      uses: Checkmarx/[email protected]
+
+      with:
+          base_uri: https://ast.checkmarx.net/
+          cx_tenant: nfr_nfr_ast_corpus
+          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
diff --git a/.gitmodules b/.gitmodules
@@ -2,10 +2,6 @@
 	path = builders/arduino-docker-build
 	url = https://github.com/suculent/arduino-docker-build.git
 
-[submodule "builders/lua-inspect"]
-	path = builders/lua-inspect
-	url = https://github.com/davidm/lua-inspect.git
-
 [submodule "builders/micropython-docker-build"]
 	path = builders/micropython-docker-build
 	url = https://github.com/suculent/micropython-docker-build.git
@@ -18,10 +14,6 @@
 	path = builders/nodemcu-docker-build
 	url = https://github.com/suculent/nodemcu-docker-build.git
 
-[submodule "builders/nodemcu-firmware"]
-	path = builders/nodemcu-firmware
-	url = https://github.com/suculent/nodemcu-firmware.git
-
 [submodule "builders/platformio-docker-build"]
 	path = builders/platformio-docker-build
 	url = https://github.com/suculent/platformio-docker-build.git

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 FROM thinxcloud/base:alpine
 
 LABEL maintainer="Matej Sychra <[email protected]>"
-LABEL name="THiNX API" version="1.8.2247"
+LABEL name="THiNX API" version="1.9.2451"
 
 ARG DEBIAN_FRONTEND=noninteractive
 
@@ -47,9 +47,17 @@ ARG GITHUB_CLIENT_ID
 ENV GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID}
 ARG GITHUB_CLIENT_SECRET
 ENV GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
+ARG GITHUB_ACCESS_TOKEN
+ENV GITHUB_ACCESS_TOKEN={GITHUB_ACCESS_TOKEN}
 
 ARG SLACK_BOT_TOKEN
 ENV SLACK_BOT_TOKEN=${SLACK_BOT_TOKEN}
+ARG SLACK_CLIENT_ID
+ENV SLACK_CLIENT_ID=${SLACK_CLIENT_ID}
+ARG SLACK_CLIENT_SECRET
+ENV SLACK_CLIENT_SECRET=${SLACK_CLIENT_SECRET}
+ARG SLACK_WEBHOOK
+ENV SLACK_WEBHOOK=${SLACK_WEBHOOK}
 
 ARG ENTERPRISE
 ENV ENTERPRISE=${ENTERPRISE}
@@ -66,8 +74,8 @@ WORKDIR /opt/thinx/thinx-device-api
 # Install app dependencies
 COPY package.json ./
 
-RUN npm install -g npm@8.6.0 \
- && npm install --unsafe-perm --only-prod .
+RUN npm install -g npm@10.2.3 \
+ && npm install --only-prod .
 
 # THiNX Web & Device API (HTTP)
 EXPOSE 7442

diff --git a/Dockerfile.test b/Dockerfile.test
@@ -1,14 +1,10 @@
 FROM thinxcloud/base:alpine
 
 LABEL maintainer="Matej Sychra <[email protected]>"
-LABEL name="THiNX API" version="1.8.2247"
+LABEL name="THiNX API" version="1.9.2451"
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-# For test-env node-18
-ENV NODE_TLS_REJECT_UNAUTHORIZED=0
-ENV NODE_EXTRA_CA_CERTS=/mnt/data/ssl/testRoot.crt
-
 ARG THINX_HOSTNAME
 ENV THINX_HOSTNAME=${THINX_HOSTNAME}
 
@@ -33,9 +29,6 @@ ENV AQUA_SEC_TOKEN=${AQUA_SEC_TOKEN}
 ARG SNYK_TOKEN
 ENV SNYK_TOKEN=${SNYK_TOKEN}
 
-ARG GITHUB_ACCESS_TOKEN
-ENV GITHUB_ACCESS_TOKEN={GITHUB_ACCESS_TOKEN}
-
 ARG ENVIRONMENT
 ENV ENVIRONMENT=${ENVIRONMENT}
 
@@ -54,9 +47,17 @@ ARG GITHUB_CLIENT_ID
 ENV GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID}
 ARG GITHUB_CLIENT_SECRET
 ENV GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
+ARG GITHUB_ACCESS_TOKEN
+ENV GITHUB_ACCESS_TOKEN={GITHUB_ACCESS_TOKEN}
 
 ARG SLACK_BOT_TOKEN
 ENV SLACK_BOT_TOKEN=${SLACK_BOT_TOKEN}
+ARG SLACK_CLIENT_ID
+ENV SLACK_CLIENT_ID=${SLACK_CLIENT_ID}
+ARG SLACK_CLIENT_SECRET
+ENV SLACK_CLIENT_SECRET=${SLACK_CLIENT_SECRET}
+ARG SLACK_WEBHOOK
+ENV SLACK_WEBHOOK=${SLACK_WEBHOOK}
 
 ARG GITHUB_SECRET
 ENV GITHUB_SECRET=${GITHUB_SECRET}
@@ -73,6 +74,9 @@ ENV CIRCLE_NODE_TOTAL=${CIRCLE_NODE_TOTAL}
 ARG CIRCLE_NODE_INDEX
 ENV CIRCLE_NODE_INDEX=${CIRCLE_NODE_INDEX}
 
+ARG NODE_COVERALLS_DEBUG
+ENV NODE_COVERALLS_DEBUG=0
+
 # Create app directory
 WORKDIR /opt/thinx/thinx-device-api
 
@@ -82,7 +86,7 @@ RUN apk add openjdk8-jre p7zip
 # Install app dependencies
 COPY package.json ./
 
-RUN npm install -g npm@8.6.0 \
+RUN npm install -g npm@10.2.3 \
     && npm install .
 
 VOLUME /var/lib/docker

diff --git a/HISTORY.md b/HISTORY.md
@@ -2,6 +2,16 @@
 
 ## HISTORY
 
+6/11/2023 1.9.2451
+
+» Updating vulnerable components
+» Improving security configuration
+» Cleaning vulnerable/unnecessary parts of code
+
+28/1/2023 1.8.2343
+
+» Refactoring fixes, optimizations, dependency updates and cleanup, production fix
+
 16/1/2023 1.8.2247
 
 » Security fixes due to Circle CI leak (moved Mailgun API key to env var)

diff --git a/README.md b/README.md
@@ -18,9 +18,7 @@ IoT Device Management Server running on node.js.
 
 [![CodeFactor](https://www.codefactor.io/repository/github/suculent/thinx-device-api/badge)](https://www.codefactor.io/repository/github/suculent/thinx-device-api)
 [![codebeat badge](https://codebeat.co/badges/a3b416b1-b53b-4bc5-ae6e-8a2b9ca31880)](https://codebeat.co/projects/github-com-suculent-thinx-device-api-master)
-[![Language grade: JavaScript](https://img.shields.io/lgtm/grade/javascript/g/suculent/thinx-device-api.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/suculent/thinx-device-api/context:javascript)
 [![Codacy Badge](https://api.codacy.com/project/badge/Grade/9a7d084ad97e430ba12333f384b44255)](https://www.codacy.com/app/suculent/thinx-device-api?utm_source=github.com&utm_medium=referral&utm_content=suculent/thinx-device-api&utm_campaign=badger)
-[![Total alerts](https://img.shields.io/lgtm/alerts/g/suculent/thinx-device-api.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/suculent/thinx-device-api/alerts/)
 <a href="https://scan.coverity.com/projects/suculent-thinx-device-api">
   <img alt="Coverity Scan Build Status"
        src="https://scan.coverity.com/projects/18787/badge.svg"/>

diff --git a/VeracodeIgnored.json b/VeracodeIgnored.json
@@ -0,0 +1,28 @@
+[
+  {
+    "CWEId": "259",
+    "FlawMatch": {
+      "ProcedureHash": "1057981634",
+      "PrototypeHash": "2924686005",
+      "FlawHash": "2666345062",
+      "FlawHashCount": "1",
+      "FlawHashOrdinal": "1",
+      "CauseHash": "3488685266",
+      "CauseHashCount": "1",
+      "CauseHashOrdinal": "1",
+      "CauseHash2": "0",
+      "CauseHash2Ordinal": "0"
+    },
+    "Files": {
+      "SourceFile": {
+        "File": "auth.js",
+        "Line": "23",
+        "FunctionName": "add_mqtt_credentials",
+        "QualifiedFunctionName": "Auth.add_mqtt_credentials",
+        "FunctionPrototype": "add_mqtt_credentials(: ::Auth,  : any,  : any,  : any, ...) : any",
+        "Scope": "^::Auth",
+        "AbsoluteFilePath": "/Users/sychram/Repositories/thinx-device-api/lib/thinx/auth.js"
+      }
+    }
+  }
+]
diff --git a/base b/base
diff --git a/builders/arduino-docker-build b/builders/arduino-docker-build
diff --git a/builders/lua-inspect b/builders/lua-inspect