
centraldashboard: removed critical vulnerabilities from centraldashboard image Fixes #7098 #7102

Merged
merged 1 commit into from
Jun 13, 2023

Conversation

@deepk2u (Contributor) commented Apr 18, 2023

Description of your changes:

Before:

Vulnerabilities
===============
  CVE                 Package                 Version      Severity    Status                    CVSS
  ---                 -------                 -------      --------    ------                    ----
  CVE-2022-37434      zlib                    1.2.12-r0    critical    fixed in 1.2.12-r2        9.8
  CVE-2021-44906      minimist                1.2.5        critical    fixed in 1.2.6            9.8
  CVE-2020-7746       chart.js                2.8.0        critical    fixed in 2.9.4            9.8
  CVE-2023-0464       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r2        7.5
  CVE-2023-0215       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r0        7.5
  CVE-2022-4450       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r0        7.5
  CVE-2022-3517       minimatch               3.0.4        high        fixed in 3.0.5            7.5
  CVE-2022-31129      moment                  2.29.2       high        fixed in 2.29.4           7.5
  CVE-2022-25878      protobufjs              6.11.2       high        fixed in 6.11.3           7.5
  CVE-2022-24999      qs                      6.5.2        high        fixed in 6.10.3           7.5
  CVE-2022-24999      qs                      6.7.0        high        fixed in 6.10.3           7.5
  CVE-2021-3807       ansi-regex              4.1.0        high        fixed in 4.1.1            7.5
  CVE-2021-3807       ansi-regex              3.0.0        high        fixed in 4.1.1            7.5
  CVE-2021-23343      path-parse              1.0.6        high        fixed in 1.0.7            7.5
  CVE-2023-0286       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r0        7.4
  PRISMA-2022-0022    node-forge              0.10.0       high        fixed in 1.0.0            7
  CVE-2022-24772      node-forge              0.10.0       high        fixed in 1.3.0            7
  CVE-2022-24771      node-forge              0.10.0       high        fixed in 1.3.0            7
  CVE-2022-38778      decode-uri-component    0.2.0        medium      fixed in 0.2.1            6.5
  CVE-2022-0235       node-fetch              2.6.6        medium      fixed in 3.1.1, 2.6.7     6.1
  CVE-2022-4304       openssl                 1.1.1n-r0    medium      fixed in 1.1.1t-r0        5.9
  CVE-2020-28928      musl                    1.2.2-r7     medium      fixed in 1.2.2_pre2-r0    5.5
  CVE-2023-0465       openssl                 1.1.1n-r0    medium      fixed in 1.1.1t-r3        5.3
  CVE-2022-33987      got                     6.7.1        medium      fixed in 12.1.0           5.3
  CVE-2022-2097       openssl                 1.1.1n-r0    medium      fixed in 1.1.1q-r0        5.3
  CVE-2022-24773      node-forge              0.10.0       moderate    fixed in 1.3.0            4
  CVE-2022-0122       node-forge              0.10.0       moderate    fixed in 1.0.0            4
  CVE-2020-15366      ajv                     6.9.2        moderate    fixed in 6.12.3           4

Compliance
==========
  Severity    Description
  --------    -----------
  high        (CIS_Docker_CE_v1.1.0 - 4.1) Image should be created with a non-root user

  Vulnerability
    Critical: 3
    High:     15
    Medium:   10
    Low:      0
    Total:    28

  Compliance
    Critical: 0
    High:     1
    Medium:   0
    Low:      0
    Total:    1

After:

Vulnerabilities
===============
  CVE                 Package       Version    Severity    Status                   CVSS
  ---                 -------       -------    --------    ------                   ----
  CVE-2022-3517       minimatch     3.0.4      high        fixed in 3.0.5           7.5
  CVE-2022-25878      protobufjs    6.11.2     high        fixed in 6.11.3          7.5
  CVE-2022-24999      qs            6.5.2      high        fixed in 6.10.3          7.5
  CVE-2022-24999      qs            6.7.0      high        fixed in 6.10.3          7.5
  CVE-2021-3807       ansi-regex    4.1.0      high        fixed in 4.1.1           7.5
  CVE-2021-3807       ansi-regex    3.0.0      high        fixed in 4.1.1           7.5
  CVE-2021-23343      path-parse    1.0.6      high        fixed in 1.0.7           7.5
  PRISMA-2022-0022    node-forge    0.10.0     high        fixed in 1.0.0           7
  CVE-2022-24772      node-forge    0.10.0     high        fixed in 1.3.0           7
  CVE-2022-24771      node-forge    0.10.0     high        fixed in 1.3.0           7
  CVE-2022-0235       node-fetch    2.6.6      medium      fixed in 3.1.1, 2.6.7    6.1
  CVE-2022-33987      got           6.7.1      medium      fixed in 12.1.0          5.3
  CVE-2022-24773      node-forge    0.10.0     moderate    fixed in 1.3.0           4
  CVE-2022-0122       node-forge    0.10.0     moderate    fixed in 1.0.0           4
  CVE-2020-15366      ajv           6.9.2      moderate    fixed in 6.12.3          4

Compliance
==========
  No compliances issues found

  Vulnerability
    Critical: 0
    High:     10
    Medium:   5
    Low:      0
    Total:    15

  Compliance
    Critical: 0
    High:     0
    Medium:   0
    Low:      0
    Total:    0

Most of the remaining severities are coming from 2 packages:

"@google-cloud/monitoring": "^2.3.5",
and
"@kubernetes/client-node": "^0.8.2",

I tried to upgrade @google-cloud/monitoring to the latest version, and it looks like it has even more vulnerabilities, so I skipped that.

For @kubernetes/client-node, it looks like 0.8.2 is the best we can do with the current node and webpack versions. I tried a couple of different versions, but the build was breaking because of compilation issues (some names have changed in the new lib version); even after fixing those I was getting webpack issues.
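To compare a before/after pair of these reports mechanically rather than by eye, here is a small parser for the scanner's table layout (an added example, not code from the PR or the kubeflow project). The embedded rows are a constructed subset of the tables above, and the Medium bucket folds "moderate" rows the same way the report's summary block does.

```python
import re
from collections import Counter

# Constructed excerpt of the scanner output quoted in the PR description:
# a subset of its rows, in the same column layout as the report.
BEFORE = """\
  CVE                 Package                 Version      Severity    Status                    CVSS
  ---                 -------                 -------      --------    ------                    ----
  CVE-2022-37434      zlib                    1.2.12-r0    critical    fixed in 1.2.12-r2        9.8
  CVE-2020-7746       chart.js                2.8.0        critical    fixed in 2.9.4            9.8
  CVE-2023-0464       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r2        7.5
  CVE-2022-24999      qs                      6.5.2        high        fixed in 6.10.3           7.5
  CVE-2022-0235       node-fetch              2.6.6        medium      fixed in 3.1.1, 2.6.7     6.1
  CVE-2022-24773      node-forge              0.10.0       moderate    fixed in 1.3.0            4
"""
AFTER = """\
  CVE                 Package       Version    Severity    Status                   CVSS
  ---                 -------       -------    --------    ------                   ----
  CVE-2022-24999      qs            6.5.2      high        fixed in 6.10.3          7.5
  CVE-2022-0235       node-fetch    2.6.6      medium      fixed in 3.1.1, 2.6.7    6.1
  CVE-2022-24773      node-forge    0.10.0     moderate    fixed in 1.3.0           4
"""

ROW_ID = re.compile(r"^(CVE|PRISMA)-\d{4}-\d+$")
# The report's summary block folds "moderate" findings into its Medium bucket.
BUCKET = {"critical": "Critical", "high": "High", "medium": "Medium",
          "moderate": "Medium", "low": "Low"}

def parse_findings(report):
    """Map (id, package, version) -> (severity, status, cvss).
    Columns are split on two or more spaces because the Status column can
    hold a single space and a comma, e.g. "fixed in 3.1.1, 2.6.7"."""
    findings = {}
    for line in report.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 6 and ROW_ID.match(fields[0]):  # skips header rows
            vid, pkg, ver, sev, status, cvss = fields
            findings[(vid, pkg, ver)] = (sev.lower(), status, float(cvss))
    return findings

def severity_summary(findings):
    """Counts per bucket, in the shape of the scanner's summary block."""
    counts = Counter(BUCKET[sev] for sev, _, _ in findings.values())
    return {b: counts.get(b, 0) for b in ("Critical", "High", "Medium", "Low")}

def diff_reports(before, after):
    """(fixed, remaining): keys present only before, and keys still open."""
    b, a = parse_findings(before), parse_findings(after)
    return sorted(k for k in b if k not in a), sorted(a)
```

Keying on (id, package, version) keeps the two `qs` rows of the full report apart, and the summary run on the complete tables reproduces the 28/15 totals the PR quotes.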

@kimwnasptd (Member) commented:

Thanks @deepk2u!

/lgtm
/approve

@google-oss-prow (bot) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kimwnasptd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 4ead8fb into kubeflow:master Jun 13, 2023
4 checks passed
@deepk2u deepk2u deleted the 7098 branch June 14, 2023 04:14
tzstoyanov pushed a commit to tzstoyanov/kubeflow that referenced this pull request Jun 14, 2023
Successfully merging this pull request may close these issues.

[centraldashboard]: critical vulnerabilities found in the centraldashboard docker image
2 participants