finos / symphony-wdk

Symphony Workflow Developer Kit (WDK), a bot capable of running workflows

License: Apache License 2.0

Java 89.00% FreeMarker 0.01% Dockerfile 0.06% HTML 0.10% JavaScript 10.20% CSS 0.63%
workflows symphony bot symphony-bot finos java

symphony-wdk's Introduction

Symphony Workflow Developer Kit (WDK) - Beta

📺 Video introduction of the WDK

The Symphony Workflow Developer Kit (WDK) is a way to build bots on the Symphony platform with minimal coding effort. A standard execution engine, provided as a bot, runs workflows written in a declarative manner.

The WDK is provided as an experimental beta-test.

Workflow executions are triggered by events (such as Real-Time Events) and run activities. Activities are small building blocks that usually call REST API endpoints of the Symphony platform, or can be custom-made to fit your needs.

  • Getting started: a beginner's guide to run your first workflow
  • Concepts: high-level view of the key concepts behind workflows
  • Architecture: technical bits on the execution of workflows
  • Deployment: how to run and configure the workflow bot
  • Custom activities: step-by-step guide on how to implement your own activities
  • Examples: learning about workflows through examples
  • Concrete and advanced examples in the gallery
  • SWADL Reference: syntax reference for the language used to write workflows

Usage example

For more examples and usage, please refer to the docs/examples.

Development setup

Build

Java (JDK) 11 is required and Gradle is used to build the project.

./gradlew build

Tests run

./gradlew check

Contributing

In order to get in touch with the project team, please open a GitHub Issue. Alternatively, you can email/subscribe to [email protected].

  1. Fork it (https://github.com/finos/symphony-wdk)
  2. Create your feature branch (git checkout -b feature/fooBar)
  3. Read our contribution guidelines and Community Code of Conduct
  4. Check your code quality (./gradlew check)
  5. Commit your changes (git commit -am 'Add some fooBar')
  6. Push to the branch (git push origin feature/fooBar)
  7. Create a new Pull Request

NOTE: Commits and pull requests to FINOS repositories will only be accepted from those contributors with an active, executed Individual Contributor License Agreement (ICLA) with FINOS OR who are covered under an existing and active Corporate Contribution License Agreement (CCLA) executed with FINOS. Commits from individuals not covered under an ICLA or CCLA will be flagged and blocked by the FINOS Clabot tool (or EasyCLA). Please note that some CCLAs require individuals/employees to be explicitly named on the CCLA.

Need an ICLA? Unsure if you are covered under an existing CCLA? Email [email protected]

Thanks to all the people who have contributed

Roadmap

Check out the open issues.

License

Copyright 2022 Symphony LLC

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0

symphony-wdk's People

Contributors

finos-admin, mend-for-github-com[bot], symphony-mariacristina, symphony-soufiane, symphony-yassine, symphony-youri, thibauult, yannick-malins, yinan-symphony, ystxn

symphony-wdk's Issues

CVE-2022-23181 (High) detected in tomcat-embed-core-9.0.52.jar - autoclosed

CVE-2022-23181 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.52.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.52/501d876042f7bff64ee42cf1849e4abea272632/tomcat-embed-core-9.0.52.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.4.jar (Root Library)
    • spring-boot-starter-tomcat-2.5.4.jar
      • โŒ tomcat-embed-core-9.0.52.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Publish Date: 2022-01-27

URL: CVE-2022-23181

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9

Release Date: 2022-01-27

Fix Resolution: org.apache.tomcat:tomcat-catalina:8.5.75,9.0.58,10.0.16,10.1.0-M10;org.apache.tomcat.embed:tomcat-embed-core:8.5.75,9.0.58,10.0.16,10.1.0-M10

CVE-2019-17495 (High) detected in springfox-swagger-ui-2.9.2.jar - autoclosed

CVE-2019-17495 - High Severity Vulnerability

Vulnerable Library - springfox-swagger-ui-2.9.2.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/io.springfox/springfox-swagger-ui/2.9.2/d542382a88ff3ea8d4032c28b2b0325797fada7d/springfox-swagger-ui-2.9.2.jar

Dependency Hierarchy:

  • โŒ springfox-swagger-ui-2.9.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Publish Date: 2019-10-10

URL: CVE-2019-17495

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17495

Release Date: 2019-10-10

Fix Resolution: 3.23.11


Support of message update

Feature Request

Description of Problem:

We want to be able to update message content.
Do we use the send-message activity with an optional property (messageId), or do we create a simple dedicated activity?

If we want an activity oriented SWADL, the first option is convenient. If we want to be close to Symphony public api, then the second one is better.

SWADL suggestion


update-message:
  id: updateMessageId
  messageId: MSG_ID
  content: NEW MSG CONTENT

or

send-message:
  id: updateMessageId
  messageId: MSG_ID  # If set, the message is updated. Otherwise, a new message is sent, as the activity works today
  content: NEW MSG CONTENT

Workflows versioning

We would like to be able to create and manage different versions of a workflow.
Right now, this works partially. If we update a workflow and keep the same workflow id, then new executions use the new version.
We would like to have complete versioning management (roll back to a previous version, etc.).

Support message pin/unpin

Feature Request

Description of Problem:

Add an activity to pin/unpin a message in a given stream

Do we create a dedicated pin-message activity, or do we add a field to update-activity?
If we want an activity-oriented SWADL, maybe pin-message is convenient. It can have an optional boolean property to pin or unpin a message according to its value. Otherwise, if we want to be close to the Symphony public API, update-activity would be better, as it is done this way in the API.

The streamId probably does not need to be provided by the user in SWADL, as the messageId can be used to get it.

SWADL suggestion

pin-message:
  id: pinMessageActivity
  message-id: MSG_ID
  pin: false  # if false, unpin the message. If true or not set, pin the message

CVE-2022-22965 (High) detected in spring-beans-5.3.9.jar

CVE-2022-22965 - High Severity Vulnerability

Vulnerable Library - spring-beans-5.3.9.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.9/48600db2cb1abc0f7ef2b073f0c1abd78a83bcfc/spring-beans-5.3.9.jar

Dependency Hierarchy:

  • camunda-bpm-spring-boot-starter-7.15.0.jar (Root Library)
    • spring-tx-5.3.9.jar
      • โŒ spring-beans-5.3.9.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.3.18

Direct dependency fix Resolution (org.camunda.bpm.springboot:camunda-bpm-spring-boot-starter): 7.16.0


Support environment variables/properties

SWADL variables can only be set manually when writing the file, or set by a Groovy script during execution.
We would like to be able to set them from System properties as well.

CVE-2020-8908 (Low) detected in guava-29.0-jre.jar, guava-28.2-android.jar - autoclosed

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Libraries - guava-29.0-jre.jar, guava-28.2-android.jar

guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: symphony-wdk/workflow-language/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/29.0-jre/801142b4c3d0f0770dd29abea50906cacfddd447/guava-29.0-jre.jar

Dependency Hierarchy:

  • checkstyle-8.37.jar (Root Library)
    • โŒ guava-29.0-jre.jar (Vulnerable Library)
guava-28.2-android.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.2-android/e11db6e27f5d1ec19826848a865c496c798398fa/guava-28.2-android.jar

Dependency Hierarchy:

  • reflections-0.9.11.jar (Root Library)
    • โŒ guava-28.2-android.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

Allow usage of variables in the user-ids list

The user-ids parameter requires a list of number-based ids; if we try to use ${...}, the ids are passed as Strings and the workflow fails. We should allow the usage of variables in this field.

Example of workflow:

- send-message:
    id: informationAnalysis
    on:
      form-replied:
        form-id: requestApprover
    to:
      user-ids:
        - ${event.initiator.user.userId}
    content: |
      Please review the following Information Analysis

CVE-2021-35516 (High) detected in commons-compress-1.20.jar

CVE-2021-35516 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar

Dependency Hierarchy:

  • camunda-bpm-spring-boot-starter-7.15.0.jar (Root Library)
    • spring-boot-loader-tools-2.5.4.jar
      • โŒ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-36373 (Medium) detected in ant-1.10.9.jar - autoclosed

CVE-2021-36373 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.9.jar

Library home page: https://ant.apache.org/

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.10.9/a8a0c9bc4473acdac25832d0a9da2ca9fd9cd35f/ant-1.10.9.jar

Dependency Hierarchy:

  • groovy-all-3.0.8-groovydoc.jar (Root Library)
    • groovy-ant-3.0.8.jar
      • ant-junit-1.10.9.jar
        • โŒ ant-1.10.9.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36373

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373

Release Date: 2021-07-14

Fix Resolution: org.apache.ant:ant:1.9.16,1.10.11

CVE-2022-42889 (High) detected in commons-text-1.9.jar

CVE-2022-42889 - High Severity Vulnerability

Vulnerable Library - commons-text-1.9.jar

Apache Commons Text is a library focused on algorithms working on strings.

Library home page: https://commons.apache.org/proper/commons-text

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-text/1.9/ba6ac8c2807490944a0a27f6f8e68fb5ed2e80e2/commons-text-1.9.jar

Dependency Hierarchy:

  • spotbugs-4.5.2.jar (Root Library)
    • โŒ commons-text-1.9.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • "script" - execute expressions using the JVM script execution engine (javax.script)
  • "dns" - resolve dns records
  • "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Publish Date: 2022-10-13

URL: CVE-2022-42889

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2022/10/13/4

Release Date: 2022-10-13

Fix Resolution: org.apache.commons:commons-text:1.10.0

Workflow definition API is incomplete

1. Missing ids

Event-type nodes have no id. However, their ids are used in the parents/children properties of activity-based nodes.

2. Change requests

  • 2.a The activity-based node "activityId" property should be renamed to "id".

  • 2.b The "type" property should be "SEND_MESSAGE" and "nodeType" should be "ACTIVITY" (or, for an event, "MESSAGE_RECEIVED" and "EVENT") to ease the visual diagram creation.

Here is an example of what is currently returned:

{
  "workflowId": "abcde",
  "variables": [],
  "flowNodes": [
    { "type": "SEND_MESSAGE_ACTIVITY", "parents": ["message-received_/onboard"], "children": ["form-reply_clientForm"], "activityId": "clientForm" },
    { "type": "UPDATE_MESSAGE_ACTIVITY", "parents": ["form-reply_clientForm"], "children": ["checkGleif"], "activityId": "progressStatus" },
    { "type": "EXECUTE_REQUEST_ACTIVITY", "parents": ["progressStatus"], "children": ["resFailure", "resSuccess"], "activityId": "checkGleif" },
    { "type": "UPDATE_MESSAGE_ACTIVITY", "parents": ["checkGleif"], "children": [], "activityId": "resFailure" },
    { "type": "EXECUTE_SCRIPT_ACTIVITY", "parents": ["checkGleif"], "children": ["statusMessage"], "activityId": "resSuccess" },
    { "type": "UPDATE_MESSAGE_ACTIVITY", "parents": ["resSuccess"], "children": [], "activityId": "statusMessage" },
    { "type": "MESSAGE_RECEIVED_EVENT", "parents": [], "children": ["clientForm"] },
    { "type": "FORM_REPLIED_EVENT", "parents": ["clientForm"], "children": ["progressStatus"] }
  ]
}

Support Form Submission as an Initiating Event

Feature Request

Description of Problem:

There is currently a hard requirement for the form-replied event in WDK where the form being replied to has to be sent within the same workflow using a send-message activity bearing the same id as the form-id listed in the event.

This will not work for menu-based workflows where a multi-submit form is pre-sent into a room and pinned. Each submission of that pinned form should initiate a new instance of a workflow, which cannot be achieved since the current assumption is that a command needs to be submitted first.

Potential Solutions:

Allow all elements form submissions to serve as initiating events

CVE-2021-35515 (High) detected in commons-compress-1.20.jar

CVE-2021-35515 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar

Dependency Hierarchy:

  • camunda-bpm-spring-boot-starter-7.15.0.jar (Root Library)
    • spring-boot-loader-tools-2.5.4.jar
      • โŒ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Support Workflow Joins

Feature Request

Description of Problem:

The on construct currently supports either a timeout, a single event or a one-of construct that will trigger when any activity in the array completes. There is no construct to wait for all activities in an array to complete. This is a common use-case in many workflows where a task can only start when all prerequisites (prior tasks) have been completed successfully.

Potential Solutions:

Create an all-of construct, similar to one-of, that will handle joins.

CVE-2021-36090 (High) detected in commons-compress-1.20.jar

CVE-2021-36090 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar

Dependency Hierarchy:

  • camunda-bpm-spring-boot-starter-7.15.0.jar (Root Library)
    • spring-boot-loader-tools-2.5.4.jar
      • โŒ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2022-25857 (High) detected in snakeyaml-1.30.jar - autoclosed

CVE-2022-25857 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /custom-activity-example/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

  • jackson-annotations-2.13.3.jar (Root Library)
    • jackson-bom-2.13.3.pom
      • jackson-dataformat-yaml-2.13.3.jar
        • โŒ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (com.fasterxml.jackson.core:jackson-annotations): 2.13.4


Condition on a form reply is not working

Bug Report

Given a workflow definition like:

id: form-reply-conditional-message
activities:
  - send-message:
      id: testForm
      on:
        message-received:
          content: /test
      content: |
        <messageML>
          <p><b>Test</b></p>
          <form id="testForm">
            Hi, what can I do for you?
            <button name="create" type="action">Create</button>
            <button name="menu" type="action">Menu</button>
          </form>
        </messageML>
  - send-message:
      id: resCreate
      if: ${testForm.action=='create'}
      on:
        form-replied:
          form-id: testForm
          exclusive: true
      content:  Create
  - send-message:
      id: resMenu
      else: {}
      on:
        form-replied:
          form-id: testForm
          exclusive: true
      content: Menu
  - send-message:
      id: finish
      on:
        message-received:
          content: /continue
      content: DONE

the condition if: ${testForm.action=='create'} is not taken into account.

Expected Result:

The workflow runs with the condition taken into account.

CVE-2022-42004 (High) detected in jackson-databind-2.13.3.jar - autoclosed

CVE-2022-42004 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /custom-activity-example/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Dependency Hierarchy:

  • jackson-annotations-2.13.3.jar (Root Library)
    • jackson-bom-2.13.3.pom
      • โŒ jackson-databind-2.13.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.13.4

Direct dependency fix Resolution (com.fasterxml.jackson.core:jackson-annotations): 2.13.4


  • Check this box to open an automated fix PR

Introduce Draft Mode

Feature Request

Description of Problem:

When building or revising a complex workflow, it is typically not in a useable / ready state for a while. In a traditional development cycle, developers will build and test code on their local devices before it gets deployed. In the WDK world, workflows are often live and edited as-is by users. This causes incomplete workflows to be deployed once they are saved and saving is the only way to validate the workflow contents at the moment.

Potential Solutions:

Introduce a boolean draft (or published or live) field in SWADL that will trigger the validation process when a watched workflow gets saved, but does not deploy the workflow. A workflow should also be able to be "undeployed" in the same manner, by inverting that boolean value.

Future Work:

A more elegant solution will involve workflow versioning by keeping a prior version of a workflow live while a revised version is in draft mode until it is ready to be published and replaces the live version with no downtime.

CVE-2022-23221 (High) detected in h2-1.4.200.jar

CVE-2022-23221 - High Severity Vulnerability

Vulnerable Library - h2-1.4.200.jar

H2 Database Engine

Library home page: https://h2database.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/com.h2database/h2/1.4.200/f7533fe7cb8e99c87a43d325a77b4b678ad9031a/h2-1.4.200.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.h2database/h2/1.4.200/f7533fe7cb8e99c87a43d325a77b4b678ad9031a/h2-1.4.200.jar

Dependency Hierarchy:

  • โŒ h2-1.4.200.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Publish Date: 2022-01-19

URL: CVE-2022-23221

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/h2database/h2database/releases/tag/version-2.1.210

Release Date: 2022-01-19

Fix Resolution: com.h2database:h2:2.1.210

CVE-2021-36374 (Medium) detected in ant-1.10.9.jar - autoclosed - autoclosed - autoclosed - autoclosed

CVE-2021-36374 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.9.jar

Library home page: https://ant.apache.org/

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.10.9/a8a0c9bc4473acdac25832d0a9da2ca9fd9cd35f/ant-1.10.9.jar

Dependency Hierarchy:

  • groovy-all-3.0.8-groovydoc.jar (Root Library)
    • groovy-ant-3.0.8.jar
      • ant-junit-1.10.9.jar
        • โŒ ant-1.10.9.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36374

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2021-07-14

Fix Resolution: org.apache.ant:ant:1.9.16,1.10.11

Create a Util to help generate JWTs from the WDK

Feature Request

Description of Problem:

Need to generate a JWT on the fly to connect to the Federation APIs (as an example) but other API may require a similar authentication token. This would be massively helpful for many customers.

Potential Solutions:

Make me a util. 😁

Alternatives: Make me sad. 😢

Support external message template

Right now when sending a message from a workflow, its content is part of the SWADL file.
It would be interesting to be able to reference an external file (that can be in the ./workflows folder). This way complex messages can be decoupled from SWADL, making it easier to read.

So in the send-message activity, we could have a content.template attribute.

send-message:
  content: BlahBlah
  content:
    template: ./myMessage.mml.xml

WDK 1.2.0: BPMN Engine error when starting WDK with Conditional Branching & Loops SWADL

WDK 1.2.0: BPMN Engine error when starting WDK with Conditional Branching & Loops SWADL

Steps to Reproduce:

  1. WDK 1.2.0 & SWADL = (https://github.com/SymphonyPlatformSolutions/symphony-training-research-workflow/blob/chapter-7/workflows/research.swadl.yaml)

  2. Trying to start the WDK bot - will result in a number of BPMN Engine errors.

Expected Result:

WDK 1.2.0 is expected to start up with the SWADL for Conditional Branching & Loops being expected to work as it does in WDK 1.1.0

Actual Result:

The WDK 1.2.0 does not start up correctly and has BPMN Engine error messages - leading to the SWADL not working or action.

Environment:

WDK 1.2.0
SWADL = (https://github.com/SymphonyPlatformSolutions/symphony-training-research-workflow/blob/chapter-7/workflows/research.swadl.yaml)

Additional Context:

The Chapter 7 SWADL (https://github.com/SymphonyPlatformSolutions/symphony-training-research-w...) from the WDK Course works in WDK 1.1.0 but does not work in WDK 1.2.0.

When starting up, the WDK Bot produces this error.

2022-09-27 17:02:21.070 ERROR 7158 --- [   scheduling-1] org.camunda.bpm.engine.context           : ENGINE-16004 Exception while closing command context: ENGINE-09005 Could not parse BPMN process. Errors: 
* Invalid destination 'authoringForm' of sequence flow 'sequenceFlow_0e5cde2a-3746-4007-a84d-d28e728b2c06' | resource research-workflow.bpmn | line 166 | column 156
org.camunda.bpm.engine.ParseException: ENGINE-09005 Could not parse BPMN process. Errors: 
* Invalid destination 'authoringForm' of sequence flow 'sequenceFlow_0e5cde2a-3746-4007-a84d-d28e728b2c06' | resource research-workflow.bpmn | line 166 | column 156

Support event filtering

Right now, when a workflow activity is set to be triggered on UserJoinedRoom for example, the activity will be executed no matter which user triggered the event (by joining the room for instance). The same thing happens with the other Datafeed events.
We would like to filter events so we can, for instance, only react to UserJoinedRoom triggered by a specific user, not just anyone.

Workflow communication with other bots

We would like the workflow to be able to handle communication with other workflows/bots and call them.
An idea would be to make this as part of the BDK.

CVE-2021-23463 (High) detected in h2-1.4.200.jar

CVE-2021-23463 - High Severity Vulnerability

Vulnerable Library - h2-1.4.200.jar

H2 Database Engine

Library home page: https://h2database.com

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: e/caches/modules-2/files-2.1/com.h2database/h2/1.4.200/f7533fe7cb8e99c87a43d325a77b4b678ad9031a/h2-1.4.200.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.h2database/h2/1.4.200/f7533fe7cb8e99c87a43d325a77b4b678ad9031a/h2-1.4.200.jar

Dependency Hierarchy:

  • โŒ h2-1.4.200.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package com.h2database:h2 from 0 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Publish Date: 2021-12-10

URL: CVE-2021-23463

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23463

Release Date: 2021-12-10

Fix Resolution: com.h2database:h2:2.0.202

Enhance blast messaging processing

Feature Request

Description of Problem:

When sending a message to multiple rooms there isn't a way to interrogate the rooms you sent afterwards in downstream workflows, you can only access the first message ID.

Potential Solutions:

Access as a list the message IDs from the activity?

CVE-2021-42392 (High) detected in h2-1.4.200.jar

CVE-2021-42392 - High Severity Vulnerability

Vulnerable Library - h2-1.4.200.jar

H2 Database Engine

Library home page: https://h2database.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/com.h2database/h2/1.4.200/f7533fe7cb8e99c87a43d325a77b4b678ad9031a/h2-1.4.200.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.h2database/h2/1.4.200/f7533fe7cb8e99c87a43d325a77b4b678ad9031a/h2-1.4.200.jar

Dependency Hierarchy:

  • โŒ h2-1.4.200.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

Publish Date: 2022-01-10

URL: CVE-2021-42392

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h376-j262-vhq6

Release Date: 2021-10-15

Fix Resolution: com.h2database:h2:2.0.206

WDK 1.1.0 - Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash to be included in string value

Description:

When sending a text that contains a line break character in a textarea Symphony Element and submitting the form, the WDK errors with "Illegal unquoted character" and fails to submit the form. The form does not reset, but rather hangs in a submitted state.
If this issue occurs on a complex workflow, then the workflow will have to be re-started from the beginning.

Steps to Reproduce:

  1. Start WDK 1.1.0 or 1.2.0 and use either of these SWADL workflows:
  2. The following text that is sent in the textarea works fine:
    • Apple Inc. has increased new popular mobile devices and laptops. There is speculation that Apple will release a self-driving car by 2025.
  3. However, sending this text with a newline / line break, it breaks and returns an error:
    • Apple Inc. has increased new popular mobile devices and laptops. There is speculation that Apple will release a self-driving car by 2025.
      WE should consider this stock for the future.

Expected Result:

When adding new sentences in the textarea with a break line character WDK should not fail and parse it correctly.

Actual Result:

When adding new sentences in the textarea with a break line character WDK fails to parse it and stops the workflow from progressing further.

Environment:

WDK 1.1.0 & WDK 1.2.0.

Additional Context:

Snippet of error that is returned:

2022-09-28 16:21:07.859 ERROR 9184 --- [aTaskExecutor-2] org.camunda.bpm.engine.context           : ENGINE-16004 Exception while closing command context: couldn't execute activity <serviceTask id="approvalForm" ...>: Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash to be included in string value
 at [Source: (String)"{"id":"approvalForm","on":{"one-of":null,"form-replied":{"form-id":"authoringForm","exclusive":false},"activity-expired":null,"activity-completed":null,"activity-failed":null,"message-received":null,"message-suppressed":null,"post-shared":null,"im-created":null,"room-created":null,"room-updated":null,"room-deactivated":null,"room-reactivated":null,"room-member-promoted-to-owner":null,"room-member-demoted-from-owner":null,"user-joined-room":null,"user-left-room":null,"user-requested-join-room":nu"[truncated 579 chars]; line: 1, column: 924] (through reference chain: com.symphony.bdk.workflow.swadl.v1.activity.message.SendMessage["content"])

org.camunda.bpm.engine.impl.pvm.PvmException: couldn't execute activity <serviceTask id="approvalForm" ...>: Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash to be included in string value
 at [Source: (String)"{"id":"approvalForm","on":{"one-of":null,"form-replied":{"form-id":"authoringForm","exclusive":false},"activity-expired":null,"activity-completed":null,"activity-failed":null,"message-received":null,"message-suppressed":null,"post-shared":null,"im-created":null,"room-created":null,"room-updated":null,"room-deactivated":null,"room-reactivated":null,"room-member-promoted-to-owner":null,"room-member-demoted-from-owner":null,"user-joined-room":null,"user-left-room":null,"user-requested-join-room":nu"[truncated 579 chars]; line: 1, column: 924] (through reference chain: com.symphony.bdk.workflow.swadl.v1.activity.message.SendMessage["content"])
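
The failure mode behind this report, shown as an added example that is not WDK code: a textarea value containing a raw newline spliced into a JSON document by string concatenation makes Jackson reject the document with exactly the message above, whereas a value serialised through the ObjectMapper is escaped (the newline becomes \n) and round-trips. It uses jackson-databind, which the project already depends on; the class name, method names and the sample textarea text are constructed for the example.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper contrasting string concatenation with proper JSON serialisation. */
public final class ContentEscapingDemo {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Unsafe: splices a user-supplied value into a JSON template by concatenation.
     * A control character (the newline from a textarea) or an unescaped quote ends up
     * raw inside the string literal and the document is no longer valid JSON. A user who
     * can type a quote can also inject extra fields this way.
     */
    static String buildUnsafe(String activityId, String userContent) {
        return "{\"id\":\"" + activityId + "\",\"content\":\"" + userContent + "\"}";
    }

    /** Safe: let Jackson build the document so every value is escaped per RFC 8259. */
    static String buildSafe(String activityId, String userContent) throws JsonProcessingException {
        Map<String, String> payload = new LinkedHashMap<>();
        payload.put("id", activityId);
        payload.put("content", userContent);
        return MAPPER.writeValueAsString(payload);
    }

    /**
     * Parses the document the way a consumer would; returns the content field,
     * or null when Jackson rejects the document.
     */
    static String parseContent(String json) {
        try {
            JsonNode node = MAPPER.readTree(json);
            return node.path("content").asText(null);
        } catch (JsonProcessingException e) {
            // For a raw newline Jackson reports:
            // Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash ...
            System.err.println("parse failed: " + e.getOriginalMessage());
            return null;
        }
    }

    public static void main(String[] args) throws JsonProcessingException {
        // Constructed sample input: a two-line textarea value with a real newline in it.
        String textarea = "Apple Inc. has increased new popular mobile devices and laptops.\n"
                + "WE should consider this stock for the future.";

        String unsafe = buildUnsafe("approvalForm", textarea);
        String safe = buildSafe("approvalForm", textarea);

        System.out.println("unsafe document parses: " + (parseContent(unsafe) != null));
        System.out.println("safe document round-trips: " + textarea.equals(parseContent(safe)));
        System.out.println(safe);
    }
}
```

The unsafe document fails to parse with the CTRL-CHAR error and the safe one round-trips the original text, because ObjectMapper.writeValueAsString escapes control characters and quotes; the same applies to any place where form input is interpolated into a JSON or YAML document as text.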

WDK 1.2.0: Send Message action not initiating for 'One-Of' activity when 'Request-Received' + 'Form-Replied'

WDK 1.2.0: Send Message action not initiating for 'One-Of' activity when 'Request-Received + 'Form-Replied'

Steps to Reproduce:

  1. Open WDK 1.2.0 + the SWADL (https://github.com/SymphonyPlatformSolutions/symphony-training-research-workflow/blob/chapter-6.1/workflows/research.swadl.yaml)

  2. Use Postman to initiate the webhook URL (http://localhost:8080/wdk/v1/workflows/research-webhook-workflow/execute)
    Header = X-Workflow-Token
    Body = { "args": { "webhookTicker": "AAPL" , "webhookContent": "Apple Inc. has released new popular mobile devices and laptops. There is speculation that Apple will release a self-driving car by 2025. We should consider this stock for the future." }}

  3. In the Symphony Pod Environment - check the conversation chatroom as per the SWADL.

Expected Result:

The webhook from Postman should initiate the WDK bot to create a conversation with the end-user and send an element form in the Symphony Pod Environment.

Actual Result:

In WDK 1.2.0 - This does not work - the Send Message activity in the WDK Bot logs show that it has received the webhook but has not sent the message.
In WDK 1.1.0 - This works - The Send Message activity is mentioned in the WDK Bot logs along with the 'request-received' webhook - with the elements form showing up in the Symphony Pod Environment.

Environment:

WDK 1.2.0
SWADL = (https://github.com/SymphonyPlatformSolutions/symphony-training-research-workflow/blob/chapter-6.1/workflows/research.swadl.yaml)

Additional Context:

It is important to note that tweaking the SWADL to remove the 'One-Of' activity and keeping just the single event trigger 'request-received' - allows for the message to be sent. However, there have been instances where the 'One-of' and the 'Form-Replied' might be conflicting which is why the Send Message does not action.

Unicode Support for execute-request

Bug Report

WDK's execute-request is not unicode compatible and transforms unicode characters to question marks in the outputs object returned.

Steps to Reproduce:

id: post
activities:
  - execute-request:
      id: init
      on:
        message-received:
          content: post
      method: POST
      url: https://httpbin.org/post
      headers:
        Content-Type: multipart/form-data
      body:
        text: Hello こんにちは世界

  - execute-script:
      id: debug
      script: println init.outputs

  - send-message:
      id: sendResponse
      content: ${init.outputs.body.form.text}

Expected Result:

  1. Console will print the original text: Hello こんにちは世界
  2. Bot will send original text: Hello こんにちは世界

Actual Result:

  1. Console prints: Hello ???????
  2. Bot sends: Hello ???????

Environment:

WDK 1.1.0
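
One way the symptom in this report arises, as an added example that is not WDK code: when the text parts of a multipart/form-data body are encoded with a charset that cannot represent the characters (ISO-8859-1 here), String.getBytes replaces every unmappable character with '?', so the receiving service faithfully echoes "Hello ???????" back. The class name, method names and boundary string are hypothetical, and it is an assumption that the WDK loses the characters at this point rather than elsewhere; the field value is the one from the report.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical encoder for text form fields as multipart/form-data with an explicit charset. */
public final class MultipartEncodingDemo {

    /**
     * Builds a multipart/form-data body. Each text part declares its charset in its own
     * Content-Type header so the receiver does not have to guess how to decode it.
     */
    static byte[] encodeMultipart(Map<String, String> fields, String boundary, Charset charset) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> field : fields.entrySet()) {
            sb.append("--").append(boundary).append("\r\n")
              .append("Content-Disposition: form-data; name=\"").append(field.getKey()).append("\"\r\n")
              .append("Content-Type: text/plain; charset=").append(charset.name()).append("\r\n\r\n")
              .append(field.getValue()).append("\r\n");
        }
        sb.append("--").append(boundary).append("--\r\n");
        // This is where the data is lost: characters the charset cannot represent become '?'.
        return sb.toString().getBytes(charset);
    }

    /** Decodes a body for inspection using the charset that was advertised for it. */
    static String decode(byte[] body, Charset charset) {
        return new String(body, charset);
    }

    public static void main(String[] args) {
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("text", "Hello こんにちは世界"); // sample value from the report

        byte[] latin1 = encodeMultipart(fields, "wdkBoundary", StandardCharsets.ISO_8859_1);
        byte[] utf8 = encodeMultipart(fields, "wdkBoundary", StandardCharsets.UTF_8);

        System.out.println(decode(latin1, StandardCharsets.ISO_8859_1));
        System.out.println(decode(utf8, StandardCharsets.UTF_8));
    }
}
```

The ISO-8859-1 body prints the question marks seen in the report while the UTF-8 body preserves the Japanese text; the fix on the client side is to pick UTF-8 when turning the SWADL body into bytes and to say so in the part's Content-Type, so that what the remote service echoes back is the original text.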

Endpoints for Workflow Management

Feature Request

Description of Problem:

WDK currently uses a watched directory as a basis for managing workflows. One would need access to that directory to deploy, edit or delete workflows. This can be challenging either in an enterprise setting or when integrations to other systems are required, e.g. to build controls around who can view or modify workflows.

Potential Solutions:

Since WDK already contains an embedded web server for receiving webhooks, it can be extended with some endpoints for managing workflows using the following actions:

  • Validate a SWADL payload
  • Deploy a new workflow
  • Update an existing workflow
  • Delete an existing workflow

These endpoints should be disabled by default and enabled in Spring configuration, along with a configurable security token to prevent unauthorised calls.
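
A guard for the proposed management endpoints, added here as an example and not part of the WDK: the endpoints stay hidden until explicitly enabled, enabling them without a token refuses to start, and the presented token is compared in constant time. The property names wdk.management.enabled and wdk.management.token, the class name and the sample token are assumptions; the page's existing webhook already carries its secret in an X-Workflow-Token header, and the same header could carry this one.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;

/**
 * Hypothetical guard in front of workflow-management endpoints (validate, deploy, update, delete).
 * Driven by two assumed properties: wdk.management.enabled (false by default) and
 * wdk.management.token (mandatory once enabled).
 */
public final class ManagementEndpointGuard {

    public enum Decision { NOT_FOUND, UNAUTHORIZED, ALLOWED }

    private final boolean enabled;
    private final byte[] expectedToken;

    public ManagementEndpointGuard(boolean enabled, String configuredToken) {
        if (enabled && (configuredToken == null || configuredToken.isBlank())) {
            // Fail closed: never run with management endpoints open but unprotected.
            throw new IllegalStateException(
                "wdk.management.token must be set when wdk.management.enabled=true");
        }
        this.enabled = enabled;
        this.expectedToken = enabled
            ? configuredToken.getBytes(StandardCharsets.UTF_8)
            : new byte[0];
    }

    /** Decides how to answer a management request given the token header it carried, if any. */
    public Decision check(Optional<String> presentedToken) {
        if (!enabled) {
            // Disabled by default: answer as if the endpoints do not exist rather than advertise them.
            return Decision.NOT_FOUND;
        }
        if (presentedToken.isEmpty()) {
            return Decision.UNAUTHORIZED;
        }
        byte[] presented = presentedToken.get().getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so response timing does not reveal how many leading bytes matched.
        return MessageDigest.isEqual(expectedToken, presented)
            ? Decision.ALLOWED
            : Decision.UNAUTHORIZED;
    }

    public static void main(String[] args) {
        ManagementEndpointGuard disabled = new ManagementEndpointGuard(false, null);
        ManagementEndpointGuard enabled = new ManagementEndpointGuard(true, "example-secret-token");

        System.out.println(disabled.check(Optional.of("example-secret-token")));
        System.out.println(enabled.check(Optional.empty()));
        System.out.println(enabled.check(Optional.of("wrong-token")));
        System.out.println(enabled.check(Optional.of("example-secret-token")));
    }
}
```

Returning NOT_FOUND while disabled keeps the management surface invisible to anyone probing the webhook server; once enabled, only a request carrying the exact configured token reaches the deploy, update and delete actions, and each such call is a natural point to write an audit-trail line like the ones the bot already logs for deployments.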

Saving SWADL file throws exception intermittently

Bug Report

Sometimes, when saving a SWADL file (usually after a long break while the WDK bot is still running), an exception is thrown when the WDK attempts to deploy the revised workflow. This doesn't actually impact the redeployment itself as it completes successfully after the exception is thrown, just that it confuses the reader with a false negative exception.

Steps to Reproduce:

Save a SWADL file in a watched directory multiple times irregularly

Expected Result:

2022-03-25 17:52:32.830  INFO 2857 --- [   scheduling-1] c.s.b.w.engine.camunda.CamundaEngine     : Deployed workflow 4aa729a6-ac21-11ec-a735-00155d0523ff meh
2022-03-25 17:52:32.830  INFO 2857 --- [   scheduling-1] audit-trail                              : event=deploy_workflow, deployment=4aa729a6-ac21-11ec-a735-00155d0523ff, deployment_name=meh, process_key=meh

Actual Result:

2022-03-25 17:52:32.791 ERROR 2857 --- [   scheduling-1] c.s.b.w.c.WorkflowFolderWatcher          : Failed to update workflow for file change event meh.swadl.yaml

java.lang.NullPointerException: unhandled token type NOT_AVAILABLE
        at com.github.fge.jackson.NodeType.getNodeType(NodeType.java:144) ~[jackson-coreutils-2.0.jar!/:na]
        at com.github.fge.jsonschema.processors.data.SchemaContext.<init>(SchemaContext.java:50) ~[json-schema-validator-2.2.14.jar!/:na]
        at com.github.fge.jsonschema.processors.validation.InstanceValidator.process(InstanceValidator.java:103) ~[json-schema-validator-2.2.14.jar!/:na]
        at com.github.fge.jsonschema.processors.validation.ValidationProcessor.process(ValidationProcessor.java:56) ~[json-schema-validator-2.2.14.jar!/:na]
        at com.github.fge.jsonschema.processors.validation.ValidationProcessor.process(ValidationProcessor.java:34) ~[json-schema-validator-2.2.14.jar!/:na]
        at com.github.fge.jsonschema.core.processing.ProcessingResult.of(ProcessingResult.java:79) ~[json-schema-core-1.2.14.jar!/:na]
        at com.github.fge.jsonschema.main.JsonSchemaImpl.doValidate(JsonSchemaImpl.java:77) ~[json-schema-validator-2.2.14.jar!/:na]
        at com.github.fge.jsonschema.main.JsonSchemaImpl.validate(JsonSchemaImpl.java:100) ~[json-schema-validator-2.2.14.jar!/:na]
        at com.github.fge.jsonschema.main.JsonSchemaImpl.validate(JsonSchemaImpl.java:110) ~[json-schema-validator-2.2.14.jar!/:na]
        at com.symphony.bdk.workflow.swadl.validator.SwadlValidator.validate(SwadlValidator.java:73) ~[classes!/:na]
        at com.symphony.bdk.workflow.swadl.validator.SwadlValidator.validateYaml(SwadlValidator.java:64) ~[classes!/:na]
        at com.symphony.bdk.workflow.swadl.SwadlParser.fromYaml(SwadlParser.java:53) ~[classes!/:na]
        at com.symphony.bdk.workflow.configuration.WorkflowFolderWatcher.addWorkflow(WorkflowFolderWatcher.java:138) ~[classes!/:na]
        at com.symphony.bdk.workflow.configuration.WorkflowFolderWatcher.handleFileEvent(WorkflowFolderWatcher.java:125) ~[classes!/:na]
        at com.symphony.bdk.workflow.configuration.WorkflowFolderWatcher.handleFileEventOrLogError(WorkflowFolderWatcher.java:104) ~[classes!/:na]
        at com.symphony.bdk.workflow.configuration.WorkflowFolderWatcher.watchFileEvents(WorkflowFolderWatcher.java:90) ~[classes!/:na]
        at com.symphony.bdk.workflow.configuration.WorkflowFolderWatcher.monitorWorkflowsFolder(WorkflowFolderWatcher.java:82) ~[classes!/:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
        at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84) ~[spring-context-5.3.16.jar!/:5.3.16]
        at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-5.3.16.jar!/:5.3.16]
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) ~[na:na]
        at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) ~[na:na]
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) ~[na:na]
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[na:na]
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
        at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

2022-03-25 17:52:32.830  INFO 2857 --- [   scheduling-1] c.s.b.w.engine.camunda.CamundaEngine     : Deployed workflow 4aa729a6-ac21-11ec-a735-00155d0523ff meh
2022-03-25 17:52:32.830  INFO 2857 --- [   scheduling-1] audit-trail                              : event=deploy_workflow, deployment=4aa729a6-ac21-11ec-a735-00155d0523ff, deployment_name=meh, process_key=meh

Environment:

WDK 1.0.0

CVE-2022-42003 (High) detected in jackson-databind-2.13.3.jar - autoclosed

CVE-2022-42003 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /custom-activity-example/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Dependency Hierarchy:

  • jackson-annotations-2.13.3.jar (Root Library)
    • jackson-bom-2.13.3.pom
      • โŒ jackson-databind-2.13.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.13.4.1

Direct dependency fix Resolution (com.fasterxml.jackson.core:jackson-annotations): 2.13.4

Support Inline Templates

Feature Request

Description of Problem:

The send-message activity currently supports the content payload being either a MessageML string or a sub-field named template that expects an external file reference. Using template will load the file using the freemarker templating engine and process it using global and event variables. Using just the content field does not pass the payload into the templating engine, so including any freemarker syntax will throw errors.

Potential Solutions:

  • Option 1: Re-use the template field for inline content. If the template field does not resolve to a file, try loading it as template content instead.
- send-message:
    id: example
    content:
      template: <#list variables.collection as document>${document}</#list>
  • Option 2: Introduce a new field under content that is meant to contain inline template content
- send-message:
    id: example
    content:
      template-inline: <#list variables.collection as document>${document}</#list>
  • Option 3: Rename the current file loader to template-file
- send-message:
    id: example1
    content:
      template-file: templates/documents.ftl

- send-message:
    id: example2
    content:
      template: <#list variables.collection as document>${document}</#list>

Workflow cannot be deployed when a join activity after a condition form reply

Bug Report

Given a workflow having a join activity after a conditional form reply such as

id: condition-form-reply-join
activities:
  - send-message:
      id: sendForm
      on:
        message-received:
          content: /go
      content: |
        <messageML>
          <form id="sendForm">
            <text-field name="ticker" placeholder="Please enter the Stock Ticker here"></text-field>
            <textarea name="content" placeholder="Please enter your Research Content here and then Submit form."></textarea>
            <button name="send-answers" type="action">Send</button>
          </form>
        </messageML>
  - send-message:
      id: response0
      on:
        form-replied:
          form-id: sendForm
      if: ${sendForm.ticker == 'GOOG'}
      content: |
        <messageML>
          First reply (if): ${sendForm.content}
        </messageML>
  - send-message:
      id: response1
      on:
        form-replied:
          form-id: sendForm
      else: {}
      content: |
        <messageML>
          First reply (else): ${sendForm.content}
        </messageML>
  - send-message:
      id: response2
      on:
        one-of:
          - activity-completed:
              activity-id: response0
          - activity-completed:
              activity-id: response1
      content: |
        <messageML>
          END
        </messageML>

Expected Result:

The workflow is deployed successfully and runs correctly according to the conditions.

Actual Result:

The workflow cannot be deployed.

Environment:

...version and build of the project, OS and runtime versions, virtualised environment (if any), etc. ...

Additional Context:

...add any other context about the problem here. If applicable, add screenshots to help explain...

WS-2022-0107 (High) detected in spring-beans-5.3.9.jar - autoclosed

WS-2022-0107 - High Severity Vulnerability

Vulnerable Library - spring-beans-5.3.9.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.9/48600db2cb1abc0f7ef2b073f0c1abd78a83bcfc/spring-beans-5.3.9.jar

Dependency Hierarchy:

  • camunda-bpm-spring-boot-starter-7.15.0.jar (Root Library)
    • spring-tx-5.3.9.jar
      • โŒ spring-beans-5.3.9.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Spring Framework before 5.2.20 and 5.3.x before 5.3.18 are vulnerable due to a vulnerability in Spring-beans which allows attackers under certain circumstances to achieve remote code execution, this vulnerability is also known as "Spring4Shell" or "SpringShell".

The current POC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE (Remote Code Execution).
Please note that the ease of exploitation may diverge by the code implementation.

Currently, the exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application Packaged as WAR, and dependency on spring-webmvc or spring-webflux.
Spring Framework 5.3.18 and 5.2.20 have already been released.

WhiteSource's research team is carefully observing developments and researching the case. We will keep updating this page and our WhiteSource resources with updates.
This is a temporary WhiteSource ID until an official CVE ID will be released.

Publish Date: 2022-03-30

URL: WS-2022-0107

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-03-30

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

CVE-2021-35517 (High) detected in commons-compress-1.20.jar

CVE-2021-35517 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar

Dependency Hierarchy:

  • camunda-bpm-spring-boot-starter-7.15.0.jar (Root Library)
    • spring-boot-loader-tools-2.5.4.jar
      • ❌ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183

Found in base branch: master

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2022-42920 (Critical) detected in bcel-6.5.0.jar

CVE-2022-42920 - Critical Severity Vulnerability

Vulnerable Library - bcel-6.5.0.jar

Apache Commons Bytecode Engineering Library

Library home page: https://commons.apache.org/proper/commons-bcel

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar

Dependency Hierarchy:

  • spotbugs-4.7.3.jar (Root Library)
    • ❌ bcel-6.5.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

Publish Date: 2022-11-07

URL: CVE-2022-42920

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4

Release Date: 2022-11-07

Fix Resolution: org.apache.bcel:bcel:6.6.0

CVE-2020-36518 (High) detected in jackson-databind-2.12.4.jar, jackson-databind-2.12.5.jar

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.12.4.jar, jackson-databind-2.12.5.jar

jackson-databind-2.12.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /custom-activity-example/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.4/69206e02e6a696034f06a59d3ddbfbba5a4cd81/jackson-databind-2.12.4.jar

Dependency Hierarchy:

  • jackson-annotations-2.12.4.jar (Root Library)
    • jackson-bom-2.12.4.pom
      • ❌ jackson-databind-2.12.4.jar (Vulnerable Library)

jackson-databind-2.12.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.5/b064cf057f23d3d35390328c5030847efeffedde/jackson-databind-2.12.5.jar

Dependency Hierarchy:

  • json-schema-validator-2.2.14.jar (Root Library)
    • json-schema-core-1.2.14.jar
      • ❌ jackson-databind-2.12.5.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2816

Release Date: 2022-03-11

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6.1,2.13.2.1

Support OBO

We would like the workflow to be able to perform actions on behalf of a user, maybe by using the BDK OBO service.

Cannot use text() function in message templates

Bug Report

The text() function does not work when used within a send-message template file
https://github.com/finos/symphony-wdk/blob/master/docs/reference.md#string-textstring-presentationml

Steps to Reproduce:

hello.swadl.yaml

id: hello
activities:
  - send-message:
      id: init
      on:
        message-received:
          content: hello
      content:
          template: hello.ftl

hello.ftl

I heard this: ${text(event.source.message.message)}

Expected Result:

Bot responds with I heard this: hello to hello command

Actual Result:

ERROR 1295 --- [aTaskExecutor-1] c.s.b.w.engine.camunda.CamundaExecutor   : Activity init:51954532-a5ea-11ec-8047-acde48001122 from workflow 518bcf41-a5ea-11ec-8047-acde48001122 failed

com.symphony.bdk.template.api.TemplateException: Could not generate string from template
	at com.symphony.bdk.template.freemarker.FreeMarkerTemplate.process(FreeMarkerTemplate.java:40) ~[symphony-bdk-template-freemarker-2.5.0.jar!/:2.5.0]
	at com.symphony.bdk.workflow.engine.executor.message.SendMessageExecutor.extractContent(SendMessageExecutor.java:121) ~[classes!/:na]
	at com.symphony.bdk.workflow.engine.executor.message.SendMessageExecutor.buildMessage(SendMessageExecutor.java:100) ~[classes!/:na]
	at com.symphony.bdk.workflow.engine.executor.message.SendMessageExecutor.execute(SendMessageExecutor.java:43) ~[classes!/:na]
	at com.symphony.bdk.workflow.engine.camunda.CamundaExecutor.execute(CamundaExecutor.java:114) ~[classes!/:na]
	at org.camunda.bpm.engine.impl.bpmn.delegate.JavaDelegateInvocation.invoke(JavaDelegateInvocation.java:40) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.delegate.DelegateInvocation.proceed(DelegateInvocation.java:58) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.delegate.DefaultDelegateInterceptor.handleInvocationInContext(DefaultDelegateInterceptor.java:92) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.delegate.DefaultDelegateInterceptor.handleInvocation(DefaultDelegateInterceptor.java:63) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.bpmn.behavior.ServiceTaskJavaDelegateActivityBehavior.execute(ServiceTaskJavaDelegateActivityBehavior.java:55) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.bpmn.behavior.ServiceTaskJavaDelegateActivityBehavior.performExecution(ServiceTaskJavaDelegateActivityBehavior.java:44) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.bpmn.behavior.TaskActivityBehavior.execute(TaskActivityBehavior.java:69) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.bpmn.behavior.ClassDelegateActivityBehavior$1.call(ClassDelegateActivityBehavior.java:68) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.bpmn.behavior.ClassDelegateActivityBehavior$1.call(ClassDelegateActivityBehavior.java:65) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.bpmn.behavior.AbstractBpmnActivityBehavior.executeWithErrorPropagation(AbstractBpmnActivityBehavior.java:90) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.bpmn.behavior.ClassDelegateActivityBehavior.execute(ClassDelegateActivityBehavior.java:65) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationActivityExecute$2.callback(PvmAtomicOperationActivityExecute.java:61) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationActivityExecute$2.callback(PvmAtomicOperationActivityExecute.java:50) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.PvmExecutionImpl.continueIfExecutionDoesNotAffectNextOperation(PvmExecutionImpl.java:2039) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationActivityExecute.execute(PvmAtomicOperationActivityExecute.java:42) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationActivityExecute.execute(PvmAtomicOperationActivityExecute.java:31) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.AtomicOperationInvocation.execute(AtomicOperationInvocation.java:99) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.invokeNext(CommandInvocationContext.java:131) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performNext(CommandInvocationContext.java:111) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:86) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperation(ExecutionEntity.java:634) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperation(ExecutionEntity.java:608) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.PvmExecutionImpl$6.callback(PvmExecutionImpl.java:1978) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.PvmExecutionImpl$6.callback(PvmExecutionImpl.java:1975) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.PvmExecutionImpl.continueExecutionIfNotCanceled(PvmExecutionImpl.java:2045) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.PvmExecutionImpl.dispatchDelayedEventsAndPerformOperation(PvmExecutionImpl.java:1994) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.PvmExecutionImpl.dispatchDelayedEventsAndPerformOperation(PvmExecutionImpl.java:1975) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationTransitionNotifyListenerStart.eventNotificationsCompleted(PvmAtomicOperationTransitionNotifyListenerStart.java:60) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationTransitionNotifyListenerStart.eventNotificationsCompleted(PvmAtomicOperationTransitionNotifyListenerStart.java:30) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.core.operation.AbstractEventAtomicOperation.execute(AbstractEventAtomicOperation.java:66) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.AtomicOperationInvocation.execute(AtomicOperationInvocation.java:99) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.invokeNext(CommandInvocationContext.java:131) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performNext(CommandInvocationContext.java:111) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:86) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:76) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:643) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:618) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.core.operation.AbstractEventAtomicOperation.execute(AbstractEventAtomicOperation.java:62) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.AtomicOperationInvocation.execute(AtomicOperationInvocation.java:99) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.invokeNext(CommandInvocationContext.java:131) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performNext(CommandInvocationContext.java:111) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:86) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:76) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:643) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:618) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.core.operation.AbstractEventAtomicOperation.execute(AbstractEventAtomicOperation.java:62) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.AtomicOperationInvocation.execute(AtomicOperationInvocation.java:99) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.invokeNext(CommandInvocationContext.java:131) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performNext(CommandInvocationContext.java:111) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:86) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:76) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:643) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:618) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.core.operation.AbstractEventAtomicOperation.execute(AbstractEventAtomicOperation.java:62) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.AtomicOperationInvocation.execute(AtomicOperationInvocation.java:99) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.invokeNext(CommandInvocationContext.java:131) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performNext(CommandInvocationContext.java:111) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:86) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperation(ExecutionEntity.java:634) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity.performOperation(ExecutionEntity.java:608) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationTransitionCreateScope.scopeCreated(PvmAtomicOperationTransitionCreateScope.java:38) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationCreateScope.execute(PvmAtomicOperationCreateScope.java:54) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.pvm.runtime.operation.PvmAtomicOperationCreateScope.execute(PvmAtomicOperationCreateScope.java:28) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.AtomicOperationInvocation.execute(AtomicOperationInvocation.java:99) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.invokeNext(CommandInvocationContext.java:131) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performNext(CommandInvocationContext.java:118) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:86) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandInvocationContext.performOperation(CommandInvocationContext.java:76) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.jobexecutor.AsyncContinuationJobHandler.execute(AsyncContinuationJobHandler.java:81) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.jobexecutor.AsyncContinuationJobHandler.execute(AsyncContinuationJobHandler.java:40) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.persistence.entity.JobEntity.execute(JobEntity.java:134) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.cmd.ExecuteJobsCmd.execute(ExecuteJobsCmd.java:110) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.cmd.ExecuteJobsCmd.execute(ExecuteJobsCmd.java:43) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:28) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:110) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.spring.SpringTransactionInterceptor$1.doInTransaction(SpringTransactionInterceptor.java:72) ~[camunda-engine-spring-7.16.0.jar!/:7.16.0]
	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140) ~[spring-tx-5.3.15.jar!/:5.3.15]
	at org.camunda.bpm.engine.spring.SpringTransactionInterceptor.execute(SpringTransactionInterceptor.java:70) ~[camunda-engine-spring-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:70) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandCounterInterceptor.execute(CommandCounterInterceptor.java:35) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:33) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.jobexecutor.ExecuteJobHelper.executeJob(ExecuteJobHelper.java:57) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.jobexecutor.ExecuteJobsRunnable.executeJob(ExecuteJobsRunnable.java:110) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at org.camunda.bpm.engine.impl.jobexecutor.ExecuteJobsRunnable.run(ExecuteJobsRunnable.java:71) ~[camunda-engine-7.16.0.jar!/:7.16.0]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: freemarker.core.InvalidReferenceException: The following has evaluated to null or missing:
==> text  [in template "hello.ftl" at line 1, column 17]

----
Tip: If the failing expression is known to legally refer to something that's sometimes null or missing, either specify a default value like myOptionalVar!myDefault, or use <#if myOptionalVar??>when-present<#else>when-missing</#if>. (These only cover the last step of the expression; to cover the whole expression, use parenthesis: (myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??
----

----
FTL stack trace ("~" means nesting-related):
	- Failed at: ${text(event.source.message.message)}  [in template "hello.ftl" at line 1, column 15]
----
	at freemarker.core.InvalidReferenceException.getInstance(InvalidReferenceException.java:134) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.UnexpectedTypeException.newDescriptionBuilder(UnexpectedTypeException.java:85) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.UnexpectedTypeException.<init>(UnexpectedTypeException.java:63) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.NonMethodException.<init>(NonMethodException.java:74) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.MethodCall._eval(MethodCall.java:67) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.Expression.eval(Expression.java:101) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.DollarVariable.calculateInterpolatedStringOrMarkup(DollarVariable.java:100) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.DollarVariable.accept(DollarVariable.java:63) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.Environment.visit(Environment.java:347) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.Environment.visit(Environment.java:353) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.core.Environment.process(Environment.java:326) ~[freemarker-2.3.31.jar!/:2.3.31]
	at freemarker.template.Template.process(Template.java:383) ~[freemarker-2.3.31.jar!/:2.3.31]
	at com.symphony.bdk.template.freemarker.FreeMarkerTemplate.process(FreeMarkerTemplate.java:37) ~[symphony-bdk-template-freemarker-2.5.0.jar!/:2.5.0]
	... 91 common frames omitted

Environment:

WDK 1.0.0-RC2

CVE-2022-2048 (High) detected in http2-server-9.4.46.v20220331.jar - autoclosed

CVE-2022-2048 - High Severity Vulnerability

Vulnerable Library - http2-server-9.4.46.v20220331.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-server/9.4.46.v20220331/3dd32e15c013986d83819c045b12c054b2c6fad1/http2-server-9.4.46.v20220331.jar

Dependency Hierarchy:

  • wiremock-jre8-2.32.0.jar (Root Library)
    • ❌ http2-server-9.4.46.v20220331.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.

Publish Date: 2022-07-07

URL: CVE-2022-2048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wgmr-mf83-7x4j

Release Date: 2022-07-07

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.47,10.0.10,11.0.10
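
The five scanner alerts above (WS-2022-0107 in spring-beans, CVE-2021-35517 in commons-compress, CVE-2022-42920 in bcel, CVE-2020-36518 in jackson-databind and CVE-2022-2048 in http2-server) all sit in transitive dependencies, so none of them is fixed by changing a version the project declares directly. The build.gradle fragment below is an added example, not a file from the symphony-wdk repository and not a WhiteSource recommendation; it raises each flagged module to the "Fix Resolution" version from its alert without turning any of them into a direct dependency. The subproject name workflow-bot-app is taken from the dependency-file paths in the alerts, and the spotbugs configuration name is an assumption about the SpotBugs Gradle plugin.

```groovy
// Added example (Gradle Groovy DSL), not part of symphony-wdk.
// Raises transitive dependencies flagged by the scanner to their fix versions.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        // Spring modules must share one version: pinning spring-beans alone
        // would leave spring-core, spring-web, etc. at the older release and
        // produce a mixed framework. Pin the whole org.springframework group.
        if (details.requested.group == 'org.springframework') {
            details.useVersion '5.3.18'
            details.because 'WS-2022-0107 (Spring4Shell)'
        }
    }
}

dependencies {
    constraints {
        // A constraint adds nothing to the graph. It only takes effect when the
        // module is already pulled in transitively, and then makes Gradle select
        // at least this version. 'implementation' constraints also apply to
        // testImplementation, which covers the wiremock -> http2-server path.
        implementation('org.apache.commons:commons-compress:1.21') {
            because 'CVE-2021-35517 (TAR memory exhaustion)'
        }
        implementation('com.fasterxml.jackson.core:jackson-databind:2.12.6.1') {
            because 'CVE-2020-36518 (nested-object StackOverflowError)'
        }
        implementation('org.eclipse.jetty.http2:http2-server:9.4.47') {
            because 'CVE-2022-2048 (HTTP/2 error-handling resource leak)'
        }
        // BCEL is reached through SpotBugs, a build-time analyser, not through
        // the application classpath, so the constraints above never see it.
        // Assumption: the com.github.spotbugs plugin resolves the tool through
        // a configuration named 'spotbugs'.
        spotbugs('org.apache.bcel:bcel:6.6.0') {
            because 'CVE-2022-42920 (arbitrary bytecode via out-of-bounds write)'
        }
    }
}
```

Check the result with `./gradlew :workflow-bot-app:dependencyInsight --dependency spring-beans --configuration runtimeClasspath` (and again per module); the report prints the selected version together with the `because` reason. Two caveats: if the build applies Spring Boot's dependency-management plugin, its managed versions win over transitive ones and the documented way to move Spring Framework is `ext['spring-framework.version'] = '5.3.18'` rather than the resolution rule above; and because BCEL is loaded only by the SpotBugs tool, that finding does not affect the running bot, even though the constraint is still what makes the scanner's report go green. Re-run the scan after the change, since a constraint that matches no configuration does nothing and reports nothing.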

Add a utility method to encode/decode url parameters

Feature Request

Description of Problem:

When variables are used for query params in the execute-request activity, they are not encoded. Given that execute-request takes the full URL as a single input and does not handle the query params separately, it would be the responsibility of the workflow to encode/decode the data. For that, it would be helpful to have a utility method that can be called in execute-script activities.

Potential Solutions:

Have a utility method to be called in execute-script activities.
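
The request above asks for an encode/decode helper because a raw variable interpolated into the execute-request URL can change the shape of the request. The Groovy script below is an added example, not code from the symphony-wdk project or from the issue author; it is plain Groovy (the language execute-script activities run) with no dependency on WDK APIs, and the base URL and the hostile value are constructed for the demonstration. It assumes JDK 10 or later for the Charset overloads of URLEncoder and URLDecoder.

```groovy
// Added example, not part of symphony-wdk. Shows why an unencoded value must
// not be concatenated into a request URL, and a helper that encodes it.
import java.net.URLDecoder
import java.net.URLEncoder
import java.nio.charset.StandardCharsets

// Percent-encode one query-string component. URLEncoder applies the
// application/x-www-form-urlencoded rules, which turn a space into '+';
// a literal '+' in the input has already become %2B at that point, so
// rewriting '+' as %20 afterwards is safe and keeps the value valid in a
// plain query string as well.
String encodeParam(String raw) {
    URLEncoder.encode(raw, StandardCharsets.UTF_8).replace('+', '%20')
}

// Inverse of encodeParam for values read back out of a query string.
String decodeParam(String encoded) {
    URLDecoder.decode(encoded, StandardCharsets.UTF_8)
}

// Build a request URL from a trusted base and untrusted parameter values.
// Keys and values are encoded independently, so no value can introduce a
// new '&'-separated parameter or a '#' fragment.
String buildUrl(String base, Map<String, String> params) {
    String query = params.collect { k, v -> "${encodeParam(k)}=${encodeParam(v)}" }.join('&')
    query ? "${base}?${query}" : base
}

String base = 'https://api.example.com/search'      // constructed
String hostile = 'alice&role=admin#x'                // constructed attacker-controlled value

// Naive interpolation: the value rewrites the request with an extra
// parameter and a fragment, exactly what a workflow author would not expect.
URI naive = new URI("${base}?user=${hostile}")
assert naive.rawQuery == 'user=alice&role=admin'
assert naive.rawFragment == 'x'

// Encoded: the whole value stays inside the single 'user' parameter and
// decodes back to the original string on the receiving side.
String safe = buildUrl(base, [q: 'hello world', user: hostile])
URI parsed = new URI(safe)
assert parsed.rawQuery == 'q=hello%20world&user=alice%26role%3Dadmin%23x'
assert parsed.rawFragment == null
assert decodeParam(parsed.rawQuery.split('&')[1].split('=', 2)[1]) == hostile

println safe
```

The asserts are Groovy's built-in checks, so the script fails loudly if the encoding rules change. Note that URI.getQuery() returns the decoded query, which is why the checks read rawQuery: comparing against the decoded form would hide exactly the difference the example is about.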

Bug with one-of

Bug Report

Steps to Reproduce:

Setup 3 workflows that perform the same logic:

  • Send a form
  • Wait for form submission to update that message

# Simple linear
id: abc
activities:
  - send-message:
      id: init
      on:
        message-received:
          content: abc
      content: |
        <form id="init"><button type="action" name="x">Init</button></form>
  - update-message:
      id: aloha
      on:
        form-replied:
          form-id: init
      message-id: ${init.outputs.msgId}
      content: Hey

# Use one-of but with only 1 event
id: def
activities:
  - send-message:
      id: init
      on:
        message-received:
          content: def
      content: |
        <form id="init"><button type="action" name="x">Init</button></form>
  - update-message:
      id: aloha
      on:
        one-of:
        - form-replied:
            form-id: init
      message-id: ${init.outputs.msgId}
      content: Hey

# Use one-of with 2 events
id: ghi
activities:
  - send-message:
      id: init
      on:
        message-received:
          content: ghi
      content: |
        <form id="init"><button type="action" name="x">Init</button></form>
  - update-message:
      id: aloha
      on:
        one-of:
        - form-replied:
            form-id: init
        - message-received:
            content: hey
      message-id: ${init.outputs.msgId}
      content: Hey

Expected Result:

All 3 workflows should have identical logic

Actual Result:

Without one-of, the workflow works as expected
abc

Using a one-of with only 1 event, the workflow does not wait for the event and executes the next activity immediately after completion of the first.
def

Using a one-of with 2 events, the workflow ignores the first event if it happens and only executes the next activity on the second event (sending a hey message)
ghi

Environment:

WDK 1.1.0
