Knowlg Security Enhancement Initiatives #164
Replies: 1 comment
As part of the vulnerability fixes, we are upgrading the following components:
We have removed unused dependencies, updated the build script, and the new version for this is 1.1.0, which will be published.
We plan to upgrade the Angular version from 14 to 15. This is necessitated by the presence of vulnerable dependencies in the Angular packages, and additionally, Angular LTS support for version 14 has concluded.
NOTE: As of now, there are no modifications planned for the Sunbird Content Editor, Sunbird Generic Editor (Upload Editor), and Sunbird Content Player (ECML player). Any updates to these tools will be communicated in this thread following discussions with the PM and DC. @Krishnaj20 @vinukumar-vs @vrayulu @madhucr @maheshkumargangula @rajeevsathish @AmiableAnil @ashokreddy1208 @swayangjit @chitranshu-keshav
The foundation of our knowlg building blocks predominantly relies on Docker images. However, Docker images have garnered the attention of hackers due to their intrinsic susceptibilities. These images are often constructed on top of pre-existing ones and encompass a variety of libraries and dependencies. In cases where these underlying components carry known vulnerabilities, malevolent actors can easily capitalize on them to gain access to containerized applications and sensitive data. To mitigate these risks, we have devised an initiative aimed at eliminating vulnerabilities.
In addition to addressing vulnerabilities in Docker images, we are also focusing on rectifying vulnerabilities within all JavaScript-based editors, players, and tools.
Within the scope of this initiative, we will undertake the following actions:
We will rectify vulnerabilities by updating dependent libraries and packages in all knowledge components.
We will eliminate unused dependencies and libraries within the components.
Please be aware that these two steps have the potential to introduce disruptive changes to some of the knowlg building block components. Detailed information on these changes will be provided here.
Stay tuned for updates and improvements as we work to enhance security!
cc: @Krishnaj20 @pallakartheekreddy @vinukumar-vs @vrayulu @madhucr @maheshkumargangula