diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f2cafec..c0380aeb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+
+## [3.4.2] - 2025-09-09
+
+### Fixed
+
+- Fixed Dockerfile to remove locust from excluded plugins installation list.
+
+### Security
+
+- Update Flask-Cors from 4.0.2 to 6.0.0 to fix [CVE-2024-6221](https://nvd.nist.gov/vuln/detail/CVE-2024-6221), [CVE-2024-6839](https://nvd.nist.gov/vuln/detail/CVE-2024-6839), [CVE-2024-6844](https://nvd.nist.gov/vuln/detail/CVE-2024-6844), [CVE-2024-6866](https://nvd.nist.gov/vuln/detail/CVE-2024-6866)
+- Update setuptools to 80.9.0 to fix [CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273) and [CVE-2024-6345](https://nvd.nist.gov/vuln/detail/CVE-2024-6345)
+- Update pip to 25.2 to fix [CVE-2023-5752](https://nvd.nist.gov/vuln/detail/CVE-2023-5752)
+- Update Jetty HTTP/2 to fix [CVE-2025-5115](https://nvd.nist.gov/vuln/detail/CVE-2025-5115)
+
+
 ## [3.4.1] - 2025-08-11
 
 ### Security
diff --git a/VERSION.txt b/VERSION.txt
index 47b322c9..4d9d11cf 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-3.4.1
+3.4.2
diff --git a/deployment/ecr/distributed-load-testing-on-aws-load-tester/Dockerfile b/deployment/ecr/distributed-load-testing-on-aws-load-tester/Dockerfile
index 4899e7c1..59af4bb8 100644
--- a/deployment/ecr/distributed-load-testing-on-aws-load-tester/Dockerfile
+++ b/deployment/ecr/distributed-load-testing-on-aws-load-tester/Dockerfile
@@ -6,15 +6,17 @@ RUN dnf upgrade -y && \
 ENV PIP_INSTALL="pip3.11 install --no-cache-dir"
-
-# install bzt
-RUN $PIP_INSTALL --upgrade bzt awscli setuptools==78.1.1 h11 urllib3==2.2.2 && \
-    $PIP_INSTALL --upgrade bzt
+# install bzt and upgrade pip/setuptools, then remove vulnerable system packages
+RUN $PIP_INSTALL --upgrade pip==25.2 setuptools==80.9.0 && \
+    $PIP_INSTALL --upgrade bzt awscli h11 urllib3==2.5.0 && \
+    $PIP_INSTALL --upgrade Flask-Cors==6.0.1 && \
+    dnf remove -y python3.11-setuptools python3.11-pip && \
+    dnf clean all
 COPY ./.bzt-rc /root/.bzt-rc
 RUN chmod 755 /root/.bzt-rc
 # install bzt tools
-RUN bzt -install-tools -o modules.install-checker.exclude=selenium,gatling,tsung,siege,ab,k6,external-results-loader,locust,junit,testng,rspec,mocha,nunit,xunit,wdio,robot,newman
+RUN bzt -install-tools -o modules.install-checker.exclude=selenium,gatling,tsung,siege,ab,k6,external-results-loader,junit,testng,rspec,mocha,nunit,xunit,wdio,robot,newman
 RUN rm -rf /root/.bzt/selenium-taurus
 RUN mkdir /bzt-configs /tmp/artifacts
 ADD ./load-test.sh /bzt-configs/
diff --git a/deployment/ecr/distributed-load-testing-on-aws-load-tester/jar_updater.py b/deployment/ecr/distributed-load-testing-on-aws-load-tester/jar_updater.py
index 40936e51..e559fb3d 100644
--- a/deployment/ecr/distributed-load-testing-on-aws-load-tester/jar_updater.py
+++ b/deployment/ecr/distributed-load-testing-on-aws-load-tester/jar_updater.py
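Review bot: The pin on the third `$PIP_INSTALL` line, `Flask-Cors==6.0.1`, does not match the CHANGELOG entry in this same commit, which records an update to 6.0.0; one of the two should be corrected so the release notes state the version that is actually shipped. On the second line of the new RUN, `bzt`, `awscli` and `h11` are still installed unpinned with `--upgrade`, so the resolved versions, and with them the fixes this release claims, can differ from one build to the next; pinning them or adding a constraints file would make the image reproducible. The `dnf remove -y python3.11-setuptools python3.11-pip` step drops the distro pip after the pip-installed copy has been put in place, which appears to rely on the pip-installed `pip3.11` shadowing the removed one on PATH — a one-line comment stating where the pip-installed copies live and why the system packages are safe to remove would make that intent explicit for the next maintainer.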
@@ -22,7 +22,14 @@
  * tika-core v1.28.3 will be replaced with v1.28.4
  * json-path v2.7.0 will be replaced with v2.9.0
  * dnsjava v2.1.9 will be replaced with v3.6.1
-Also jmeter plugins manager will be updated to v1.10 to address CVEs and cmdrunner will be updated to v2.3 to accomodate with plugins manager.
+ * xstream will be replaced with v1.4.21
+ * http2-hpack will be replaced with v11.0.16
+ * jetty-http will be replaced with v12.0.12
+ * http2-common will be replaced with v11.0.26
+ * kotlin-stdlib will be replaced with v2.1.0
+ * commons-lang3 will be replaced with v3.18.0
+ * commons-lang v2.5 - no fix available for CVE-2025-48924
+Also jmeter plugins manager will be updated to v1.11 to address CVEs and cmdrunner will be updated to v2.3 to accomodate with plugins manager.
 """
 
 # these jars should be replaced with newer version in order to fix some vulnerabilities
@@ -42,8 +49,10 @@
     "xstream":"com/thoughtworks/xstream/xstream/1.4.21/xstream-1.4.21.jar",
     "http2-hpack": "org/eclipse/jetty/http2/http2-hpack/11.0.16/http2-hpack-11.0.16.jar",
     "jetty-http": "org/eclipse/jetty/jetty-http/12.0.12/jetty-http-12.0.12.jar",
-    "http2-common": "org/eclipse/jetty/http2/http2-common/11.0.20/http2-common-11.0.20.jar",
+    "http2-common": "org/eclipse/jetty/http2/http2-common/11.0.26/http2-common-11.0.26.jar",
     "kotlin-stdlib": "org/jetbrains/kotlin/kotlin-stdlib/2.1.0/kotlin-stdlib-2.1.0.jar",
+    "commons-lang3": "org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar",
+
 }
 JMETER_VERSION = "5.6.3"
 JMETER_PLUGINS_MANAGER_VERSION = "1.11"
diff --git a/source/api-services/package-lock.json b/source/api-services/package-lock.json
index 8d83a460..f1e1f859 100644
--- a/source/api-services/package-lock.json
+++ b/source/api-services/package-lock.json
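Review bot: The second hunk bumps `http2-common` to 11.0.26 while `http2-hpack` two lines above stays at 11.0.16, so the image will carry two different patch releases of the Jetty 11 HTTP/2 artifacts; these modules are presumably released together, so aligning `"http2-hpack": "org/eclipse/jetty/http2/http2-hpack/11.0.26/http2-hpack-11.0.26.jar"` looks like what the CVE-2025-5115 update intends, and the docstring line `* http2-hpack will be replaced with v11.0.16` in the first hunk would then need the same change. The `+` blank line added inside the dict literal just before `}` is stray and should be dropped. The docstring now records `commons-lang v2.5 - no fix available for CVE-2025-48924`, but nothing in the dict marks that the 2.x jar is knowingly left in place; a comment next to the new `commons-lang3` entry, `# commons-lang 2.5 is intentionally not in this map: no fixed release exists (see module docstring)`, would stop the list and the docstring from drifting apart.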
@@ -1,12 +1,12 @@
 {
   "name": "api-services",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "api-services",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-cloudformation": "^3.758.0",
@@ -34,7 +34,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/api-services/package.json b/source/api-services/package.json
index 310e74d1..34b2d31f 100644
--- a/source/api-services/package.json
+++ b/source/api-services/package.json
@@ -1,6 +1,6 @@
 {
   "name": "api-services",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "REST API micro services",
   "repository": {
     "type": "git",
diff --git a/source/console/package-lock.json b/source/console/package-lock.json
index 14f733cc..1a28b8a5 100644
--- a/source/console/package-lock.json
+++ b/source/console/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "distributed-load-testing-on-aws-ui",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "distributed-load-testing-on-aws-ui",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-amplify/pubsub": "^6.0.16",
@@ -39,7 +39,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/console/package.json b/source/console/package.json
index 50982138..333f6228 100644
--- a/source/console/package.json
+++ b/source/console/package.json
@@ -1,6 +1,6 @@
 {
   "name": "distributed-load-testing-on-aws-ui",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "private": true,
   "license": "Apache-2.0",
   "author": {
diff --git a/source/custom-resource/package-lock.json b/source/custom-resource/package-lock.json
index 28426cbb..fe2249af 100644
--- a/source/custom-resource/package-lock.json
+++ b/source/custom-resource/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "custom-resource",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "custom-resource",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-dynamodb": "^3.758.0",
@@ -27,7 +27,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/custom-resource/package.json b/source/custom-resource/package.json
index 148045ac..ec6ef64e 100644
--- a/source/custom-resource/package.json
+++ b/source/custom-resource/package.json
@@ -1,6 +1,6 @@
 {
   "name": "custom-resource",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "cfn custom resources for distributed load testing on AWS workflow",
   "repository": {
     "type": "git",
diff --git a/source/infrastructure/cdk.json b/source/infrastructure/cdk.json
index e9998a09..49476cc2 100644
--- a/source/infrastructure/cdk.json
+++ b/source/infrastructure/cdk.json
@@ -4,7 +4,7 @@
     "@aws-cdk/core:stackRelativeExports": false,
     "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
     "solutionId": "SO0062",
-    "solutionVersion": "custom-v3.4.1",
+    "solutionVersion": "custom-v3.4.2",
     "solutionName": "distributed-load-testing-on-aws"
   }
 }
diff --git a/source/infrastructure/package-lock.json b/source/infrastructure/package-lock.json
index a4cf3015..3043bcf1 100644
--- a/source/infrastructure/package-lock.json
+++ b/source/infrastructure/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "distributed-load-testing-on-aws-infrastructure",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "distributed-load-testing-on-aws-infrastructure",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "source-map-support": "^0.5.16"
diff --git a/source/infrastructure/package.json b/source/infrastructure/package.json
index 246980c7..457b1392 100644
--- a/source/infrastructure/package.json
+++ b/source/infrastructure/package.json
@@ -1,6 +1,6 @@
 {
   "name": "distributed-load-testing-on-aws-infrastructure",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "author": {
     "name": "Amazon Web Services",
     "url": "https://aws.amazon.com/solutions"
diff --git a/source/metrics-utils/lib/solutions-metrics.ts b/source/metrics-utils/lib/solutions-metrics.ts
index 000cb933..f0ccfa81 100644
--- a/source/metrics-utils/lib/solutions-metrics.ts
+++ b/source/metrics-utils/lib/solutions-metrics.ts
@@ -126,7 +126,7 @@ export class SolutionsMetrics extends Construct {
     const metricIdentifier = this.extractQueryFields(queryDefinitionProps.queryString);
     // Duplicate metric names would cause it to be impossible to determine which metric refers to which initial resource
     metricIdentifier.forEach((metricIdentifier) => {
-      if (metricIdentifier && !metricIdentifier.match(/^[a-zA-Z0-9_]*$/)) {
+      if (metricIdentifier && !metricIdentifier.match(/^\w*$/)) {
         throw new Error(`Identifier: ${metricIdentifier} must contain only alphanumeric characters and underscores`);
       }
       if (this.existingMetricIdentifiers.has(metricIdentifier)) {
diff --git a/source/metrics-utils/package-lock.json b/source/metrics-utils/package-lock.json
index 4e21da17..289f9c19 100644
--- a/source/metrics-utils/package-lock.json
+++ b/source/metrics-utils/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "metrics-utils",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "metrics-utils",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-cloudwatch": "^3.637.0",
diff --git a/source/metrics-utils/package.json b/source/metrics-utils/package.json
index 1512dea2..9cad04c2 100644
--- a/source/metrics-utils/package.json
+++ b/source/metrics-utils/package.json
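Review bot: The new `/^\w*$/` in solutions-metrics.ts is equivalent to the old `[a-zA-Z0-9_]` class only because the regex carries no flags — in JavaScript `\w` is ASCII-only unless both `u` and `i` are set — so the error message on the next line stays accurate today but would silently become wrong if a flag is added later; a comment on the `if` line, `// \w is ASCII [A-Za-z0-9_] here: keep this regex flag-free`, pins that down. As a point of style, a boolean check reads better with `RegExp.prototype.test` and avoids allocating a match array: `if (metricIdentifier && !/^\w*$/.test(metricIdentifier)) {`. The arrow parameter `metricIdentifier` shadows the array of the same name declared three lines above, which makes the thrown message harder to follow; the enclosing method starts and ends outside this hunk.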
@@ -1,6 +1,6 @@
 {
   "name": "metrics-utils",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "main": "index.ts",
   "license": "Apache-2.0",
   "description": "Distributed Load Testing on AWS Ops Metrics",
diff --git a/source/package-lock.json b/source/package-lock.json
index 08dba950..64432063 100644
--- a/source/package-lock.json
+++ b/source/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "source",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "source",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "devDependencies": {
         "@types/node": "^18.8.0",
diff --git a/source/package.json b/source/package.json
index 308cd02c..2b9aa39f 100644
--- a/source/package.json
+++ b/source/package.json
@@ -1,6 +1,6 @@
 {
   "name": "source",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "private": true,
   "description": "ESLint and prettier dependencies to be used within the solution",
   "license": "Apache-2.0",
diff --git a/source/real-time-data-publisher/package-lock.json b/source/real-time-data-publisher/package-lock.json
index 327c75cb..e0dbcad1 100644
--- a/source/real-time-data-publisher/package-lock.json
+++ b/source/real-time-data-publisher/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "real-time-data-publisher",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "real-time-data-publisher",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-iot-data-plane": "^3.758.0",
@@ -22,7 +22,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/real-time-data-publisher/package.json b/source/real-time-data-publisher/package.json
index 54c27947..963907ac 100644
--- a/source/real-time-data-publisher/package.json
+++ b/source/real-time-data-publisher/package.json
@@ -1,6 +1,6 @@
 {
   "name": "real-time-data-publisher",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Publishes real time test data to an IoT endpoint",
   "repository": {
     "type": "git",
diff --git a/source/results-parser/package-lock.json b/source/results-parser/package-lock.json
index 1c125da7..54417f03 100644
--- a/source/results-parser/package-lock.json
+++ b/source/results-parser/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "results-parser",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "results-parser",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-cloudwatch": "^3.758.0",
@@ -27,7 +27,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/results-parser/package.json b/source/results-parser/package.json
index c84b916b..b6e50bb8 100644
--- a/source/results-parser/package.json
+++ b/source/results-parser/package.json
@@ -1,6 +1,6 @@
 {
   "name": "results-parser",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "result parser for indexing xml test results to DynamoDB",
   "repository": {
     "type": "git",
diff --git a/source/solution-utils/package-lock.json b/source/solution-utils/package-lock.json
index 90e844ed..12ff7ff7 100644
--- a/source/solution-utils/package-lock.json
+++ b/source/solution-utils/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "solution-utils",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "solution-utils",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/solution-utils/package.json b/source/solution-utils/package.json
index 3cfa529e..790a691a 100644
--- a/source/solution-utils/package.json
+++ b/source/solution-utils/package.json
@@ -1,6 +1,6 @@
 {
   "name": "solution-utils",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Utilities package for Distributed Load Testing on AWS",
   "license": "Apache-2.0",
   "author": {
diff --git a/source/task-canceler/package-lock.json b/source/task-canceler/package-lock.json
index 9c9a6592..c4f9e6bb 100644
--- a/source/task-canceler/package-lock.json
+++ b/source/task-canceler/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "task-canceler",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "task-canceler",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-dynamodb": "^3.758.0",
@@ -22,7 +22,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/task-canceler/package.json b/source/task-canceler/package.json
index 90957aa4..ad9c1255 100644
--- a/source/task-canceler/package.json
+++ b/source/task-canceler/package.json
@@ -1,6 +1,6 @@
 {
   "name": "task-canceler",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Triggered by api-services lambda function, cancels ecs tasks",
   "repository": {
     "type": "git",
diff --git a/source/task-runner/package-lock.json b/source/task-runner/package-lock.json
index 23ab9137..0054624b 100644
--- a/source/task-runner/package-lock.json
+++ b/source/task-runner/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "task-runner",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "task-runner",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-cloudwatch": "^3.758.0",
@@ -26,7 +26,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/task-runner/package.json b/source/task-runner/package.json
index 649dfcb8..a99649a5 100644
--- a/source/task-runner/package.json
+++ b/source/task-runner/package.json
@@ -1,6 +1,6 @@
 {
   "name": "task-runner",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Triggered by Step Functions, runs ecs task Definitions",
   "repository": {
     "type": "git",
diff --git a/source/task-status-checker/package-lock.json b/source/task-status-checker/package-lock.json
index 8344fbdf..3de29b80 100644
--- a/source/task-status-checker/package-lock.json
+++ b/source/task-status-checker/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "task-status-checker",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "task-status-checker",
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/client-dynamodb": "^3.758.0",
@@ -23,7 +23,7 @@
       }
     },
     "../solution-utils": {
-      "version": "3.4.1",
+      "version": "3.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "axios": "^1.8.3",
diff --git a/source/task-status-checker/package.json b/source/task-status-checker/package.json
index f4e4dc89..1e672d54 100644
--- a/source/task-status-checker/package.json
+++ b/source/task-status-checker/package.json
@@ -1,6 +1,6 @@
 {
   "name": "task-status-checker",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "checks if tasks are running or not",
   "repository": {
     "type": "git",