 vSphere 8.0U3 remote plugin sample has multiple critical vulnerabilities and deprecated components

chrissmith1 posted Sep 09, 2024 07:56 AM

Building the latest HTML client SDK (8.0U3) "remote-plugin-sample" using the latest version of the JDK/Maven as specified in the developer guide (Oracle JDK 1.8.0_421-b09, Maven 3.9.9) reports multiple critical vulnerabilities, deprecated options, and other warnings - some dating as far back as 2019. There are too many warnings to list in full, but some of the more concerning ones include:

npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'remote-plugin-sample@1.0.0',
npm WARN EBADENGINE   required: { node: '>= 8 < 14' },
npm WARN EBADENGINE   current: { node: 'v16.16.0', npm: '8.11.0' }
npm WARN EBADENGINE }

npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies

npm WARN deprecated core-js@3.16.0: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

68 vulnerabilities (1 low, 44 moderate, 20 high, 3 critical)

Whilst a target JAR is built, it will not even run using the command line from the "Start the Remote Plug-in Server" section of the developer guide (which still references a 7.0.1 sample!):

no main manifest attribute, in target/remote-plugin-sample-8.0.3.00000-SNAPSHOT.jar

Is the sample provided with the SDK actually expected to work, and be usable as the basis of a plugin that integrates seamlessly into the vSphere 8.0 UI? Can you provide a usable sample that is up-to-date and consistent with the vSphere 8.0U3 UX and theme?
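The "68 vulnerabilities (1 low, 44 moderate, 20 high, 3 critical)" line above is the human-readable tail of `npm audit`; `npm audit --json` (npm 7 and later, report version 2) emits the same information as a top-level "vulnerabilities" map keyed by package name plus per-severity counts under "metadata.vulnerabilities". The script below is an added example, not code from this thread or from the vSphere SDK: it reads that JSON and fails the build when any finding is at or above a chosen severity, so a sample with this many findings cannot be packaged silently. The embedded report is constructed for illustration: its counts mirror the thread's totals, while the two listed packages and their ranges are placeholders, not real advisories.

```python
"""Gate a build on `npm audit --json` output (npm 7+, auditReportVersion 2).

Added example for this thread, not part of the vSphere SDK. Assumes the npm 7+
layout: top-level "vulnerabilities" keyed by package name, and
"metadata.vulnerabilities" with per-severity counts.
"""
import json

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed stand-in for `npm audit --json` output. Counts mirror the thread's
# summary line; package names, ranges and severities are placeholders only.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "placeholder-direct-dep": {
            "name": "placeholder-direct-dep",
            "severity": "critical",
            "isDirect": True,
            "range": "<2.0.0",
            "fixAvailable": True,
        },
        "placeholder-transitive-dep": {
            "name": "placeholder-transitive-dep",
            "severity": "high",
            "isDirect": False,
            "range": "*",
            "fixAvailable": False,
        },
    },
    "metadata": {
        "vulnerabilities": {
            "info": 0, "low": 1, "moderate": 44, "high": 20, "critical": 3, "total": 68,
        },
    },
})


def parse_report(report_json):
    """Decode the audit JSON into a dict (kept separate so callers can reuse it)."""
    return json.loads(report_json)


def severity_counts(report):
    """Per-severity counts from metadata.vulnerabilities, defaulting to 0."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {s: int(counts.get(s, 0)) for s in SEVERITIES}


def findings_at_or_above(report, threshold):
    """Names of vulnerable packages with severity >= threshold, most severe
    first, direct dependencies before transitive ones, then by name."""
    floor = SEVERITIES.index(threshold)
    hits = [
        v for v in report.get("vulnerabilities", {}).values()
        if SEVERITIES.index(v.get("severity", "info")) >= floor
    ]
    hits.sort(key=lambda v: (-SEVERITIES.index(v["severity"]),
                             not v.get("isDirect", False), v["name"]))
    return [v["name"] for v in hits]


def gate(report_json, fail_on="high"):
    """Return (passed, summary_line).

    Fails when the metadata counts show any finding at or above `fail_on`; the
    line is what a CI step would print. The decision uses the counts, the
    package list is only for the message.
    """
    report = parse_report(report_json)
    counts = severity_counts(report)
    floor = SEVERITIES.index(fail_on)
    blocking = sum(counts[s] for s in SEVERITIES[floor:])
    summary = ", ".join(f"{counts[s]} {s}" for s in SEVERITIES if counts[s])
    if blocking:
        names = ", ".join(findings_at_or_above(report, fail_on))
        return False, (f"FAIL: {blocking} finding(s) at or above {fail_on} "
                       f"({summary}); packages: {names}")
    return True, f"OK: no findings at or above {fail_on} ({summary})"


if __name__ == "__main__":
    import sys
    # Usage: npm audit --json | python audit_gate.py --stdin [fail_on]
    # Without --stdin the constructed SAMPLE_REPORT is evaluated instead.
    args = [a for a in sys.argv[1:] if a != "--stdin"]
    data = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_REPORT
    passed, line = gate(data, args[0] if args else "high")
    print(line)
    sys.exit(0 if passed else 1)
```

Run against the sample, the gate fails with 23 blocking findings (20 high plus 3 critical). The deprecation warnings quoted in the post (inflight, chokidar 2, core-js) are not part of the audit report, so a gate like this has to be paired with a dependency-age or maintenance check; the engine mismatch is separate again and can be turned from a warning into an error with npm's `engine-strict` config.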

Broadcom Employee Denis Chorbadzhiyski

Hi Chris,

You are right, the sample plug-in is not updated to use the latest versions of technologies and security fixes.

We consider that sample plug-ins should be mostly used as templates to illustrate basic operations, behaviours and API usages. Plug-in developers need to make sure their plug-in is following the latest security practices and standards.

Given that most plug-in developers have already migrated to remote plug-ins, we haven't updated the samples much. We will correct that in the future.

In any case, we verified that the Remote Plugin Sample is working correctly. It is able to be built and started with no issue. Let us know what errors you are observing and what command you use.

Best Regards,

Denis
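The "no main manifest attribute" message in the first post is the JVM's way of saying that `java -jar` found the JAR but its META-INF/MANIFEST.MF carries no Main-Class entry, so it has nothing to start. The check below is an added example, not code from this thread or from the SDK: it opens a JAR, parses the manifest's main section (including wrapped continuation lines) and reports the Main-Class, which answers Denis's question about the error before a build log is exchanged. The two JARs it builds in memory are constructed stand-ins, and the class name in the runnable one is a placeholder; pass a real path such as target/remote-plugin-sample-8.0.3.00000-SNAPSHOT.jar to inspect an actual build.

```python
"""Report whether a JAR can be started with `java -jar`, i.e. whether its
META-INF/MANIFEST.MF contains a Main-Class attribute.

Added example for this thread, not part of the vSphere SDK. The JARs built
below are constructed in memory; the class name is a placeholder.
"""
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Parse a JAR manifest's main section into a dict.

    Lines are 'Name: Value'. A line beginning with a single space continues
    the previous value (manifest values are wrapped at 72 bytes). The first
    blank line ends the main section, so per-entry sections are ignored.
    """
    attrs = {}
    last = None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def main_class_of(jar):
    """Return the Main-Class attribute of a JAR (path or file-like), or None.

    None is exactly the case in which `java -jar` prints
    'no main manifest attribute'.
    """
    with zipfile.ZipFile(jar) as zf:
        if MANIFEST_PATH not in zf.namelist():
            return None
        text = zf.read(MANIFEST_PATH).decode("utf-8")
    return parse_manifest(text).get("Main-Class")


def build_jar(manifest_text):
    """Construct a minimal in-memory JAR with the given manifest (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH, manifest_text)
        # Constructed placeholder entry so the archive is not manifest-only.
        zf.writestr("com/example/Placeholder.class", b"")
    buf.seek(0)
    return buf


# Constructed manifests: the first is the shape a plain library JAR build
# produces (no Main-Class); the second is what a runnable JAR carries.
BARE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: Maven JAR Plugin\r\n"
    "Build-Jdk-Spec: 1.8\r\n"
    "\r\n"
)
RUNNABLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Main-Class: com.example.PlaceholderApplication\r\n"  # placeholder name
    "\r\n"
)


def check(jar):
    """One-line verdict for a JAR, used by the command line below."""
    main_class = main_class_of(jar)
    if main_class is None:
        return "not runnable with `java -jar`: no Main-Class in META-INF/MANIFEST.MF"
    return f"runnable: Main-Class is {main_class}"


if __name__ == "__main__":
    import sys
    # Usage: python jar_check.py [path/to/file.jar ...]
    # With no arguments the two constructed JARs are checked.
    targets = sys.argv[1:] or [build_jar(BARE_MANIFEST), build_jar(RUNNABLE_MANIFEST)]
    for target in targets:
        print(check(target))
```

A JAR that fails this check is not broken as an artifact; it is simply a library JAR. In a Maven build the Main-Class attribute comes from the packaging configuration (for example the jar plugin's manifest settings or a repackaging goal), so when a developer-guide command expects `java -jar` to work, that configuration is what to compare between the sample's pom.xml and the guide's assumptions.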