refactor(INJI-449): fix OWASP vulnerabilities with dependencies (#1035)

* refactor(INJI-449): remove unused dependencies

Dependencies removed

1. expo-status-bar
2. @expo-google-fonts/poppins
3. react-native-simple-markdown
4. react-native-swipe-gestures

DevDependencies removed

1. @react-native/metro-config (removed as we already have @expo/metro-config dependency used)
2. metro-react-native-babel-preset
3. @types/react-test-renderer
4. react-test-renderer

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-449): update expo related packages and crypto-js

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-449): update transitive dependency of expo-updates package

plist package is a transitive dependency of expo-updates which had vulnerability - Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. Thus this package was updated to fix vulnerability

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-449): update axios dependency of telemetry-sdk to 1.6.0

Since the package axios(1.5.0) has vulnerability - Cross-Site Request Forgery (CSRF), it is updated to 1.6.0

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* fix(INJI-449): vulnerablity issue with @digitalbazaar/rsa-verification-key-2018

override the node-forge dependency of the package - @digitalbazaar/rsa-verification-key-2018 as it has the high severity with CVE count 13

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* revert(INJI-449): downgrade crypto-js to 3.3.0 from 4.x.x version

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-449): use expo-splash-screen instead of expo-app-loading

expo-app-loading package is deprecated and it is suggested to replace it with expo-splash-screen

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-449): optimize time taken to hide splash screen

Co-authored-by: Sreenadh S <[email protected]>

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-449): change appEntry to index js

Change appEntry to index.js file since react-native-url-polyfill/auto is imported to avoid URL error. appEntry is required for expo package update

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-559): update podfile.lock

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

* refactor(INJI-449): optimize import

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

---------

Signed-off-by: Kiruthika Jeyashankar <[email protected]>

.talismanrc

@@ -1,10 +1,8 @@
 fileignoreconfig:
-- filename: ios/Podfile.lock
-  checksum: cc123c3e1f04d41b394ceb16843b15c08bac3ba619ae853ff322717739761a85  
 - filename: package.json
-  checksum: fdd5905228a1afbfb004c710fd6c61adf073a12840200327c0592b76bea5e7e3
+  checksum: a5a22604f2b9d917adaf3561fdcaeccd4e69b92e1240070480d7498e1eda5162
 - filename: package-lock.json
-  checksum: 3d98844cbc77fe3721077ea606713cd5adc2f238db1bbc10081141a7e4cd06a9
+  checksum: 7e8bc0fa27b4eca3b7a825bccdef88ef1c9e7932a5d9af0e5feca2d42d72703b
 - filename: lib/jsonld-signatures/suites/ed255192018/ed25519.ts
   checksum: 493b6e31144116cb612c24d98b97d8adcad5609c0a52c865a6847ced0a0ddc3a
 - filename: components/PasscodeVerify.tsx
@@ -47,9 +45,7 @@ fileignoreconfig:
   checksum: bc12c43ccc27ac04e5763fa6a6ed3cee63e4362ba5666c160b5e53269de924ab
   checksum: 9a61cd59a3718adf1f14faf3024fec66a3295ef373878a878a28e5cb1287afaa
 - filename: ios/Podfile.lock
-  checksum: cc123c3e1f04d41b394ceb16843b15c08bac3ba619ae853ff322717739761a85
-- filename: ios/Podfile.lock
-  checksum: cc123c3e1f04d41b394ceb16843b15c08bac3ba619ae853ff322717739761a85
+  checksum: edad9c2d11b0b3ed819cb0dcbfaf0515d31adb8116223c07f7b7b79e6689fe96
 - filename: screens/Home/IntroSlidersScreen.tsx
   checksum: 72ef913857448ef05763e52e32356faa2d1f3de8130a1c638d1897f44823031f
 - filename: shared/commonUtil.ts
@@ -59,7 +55,7 @@ fileignoreconfig:
 - filename: shared/openId4VCI/Utils.ts
   checksum: ba3041b2ce380f44f6f52dc2c3df337d857df4494bd3c8727df9bf6fb5734750    
 - filename: shared/cryptoutil/cryptoUtil.ts
-  checksum: 350524d0d0d18993903b056a1d0a396ec2b2566b6531fd83bd7cafce06d1c332
+  checksum: adbc2ff6df1df412e891c988c9ba03fc82f66c2f6c64339f87d513fc835d14cc
 - filename: machines/store.typegen.ts
   checksum: 6d22bc5c77398316b943c512c208ce0846a9fff674c1ccac79e07f21962acd5f
 - filename: machines/VCItemMachine/ExistingMosipVCItem/ExistingMosipVCItemMachine.typegen.ts

App.tsx

@@ -1,5 +1,4 @@
 import React, {useContext, useEffect} from 'react';
-import AppLoading from 'expo-app-loading';
 import {AppLayout} from './screens/AppLayout';
 import {useFont} from './shared/hooks/useFont';
 import {GlobalContextProvider} from './components/GlobalContextProvider';
@@ -26,9 +25,12 @@ import SecureKeystore from 'react-native-secure-keystore';
 import {isHardwareKeystoreExists} from './shared/cryptoutil/cryptoUtil';
 import i18n from './i18n';
 import './shared/flipperConfig';
+import * as SplashScreen from 'expo-splash-screen';
+
+SplashScreen.preventAutoHideAsync();
 
 // kludge: this is a bad practice but has been done temporarily to surface
-//  an occurance of a bug with minimal residual code changes, this should
+//  an occurrence of a bug with minimal residual code changes, this should
 //  be removed once the bug cause is determined & fixed, ref: INJI-222
 const DecryptErrorAlert = (controller, t) => {
   const heading = t('errors.decryptionFailed');
@@ -48,6 +50,14 @@ const AppLayoutWrapper: React.FC = () => {
   const isDecryptError = useSelector(appService, selectIsDecryptError);
   const controller = useApp();
   const {t} = useTranslation('WelcomeScreen');
+
+  useEffect(() => {
+    async function hideAppLoading() {
+      await SplashScreen.hideAsync();
+    }
+    hideAppLoading();
+  }, []);
+
   if (isDecryptError) {
     DecryptErrorAlert(controller, t);
   }
@@ -78,7 +88,6 @@ const AppLoadingWrapper: React.FC = () => {
   }, [isKeyInvalidateError]);
   return (
     <>
-      <AppLoading />
       <MessageOverlay
         isVisible={isKeyInvalidateError}
         title={t('errors.invalidateKeyError.title')}

android/app/build.gradle

@@ -35,6 +35,7 @@ react {
     //
     //   The entry file for bundle generation. Default is 'index.android.js' or 'index.js'
     // entryFile = file("../js/MyApplication.android.js")
+    entryFile = file("../../index.js")
     //
     //   A list of extra flags to pass to the 'bundle' commands.
     //   See https://github.com/react-native-community/cli/blob/main/docs/commands.md#bundle

ios/Podfile.lock

@@ -14,54 +14,58 @@ PODS:
   - CatCrypto (0.3.2)
   - CrcSwift (0.0.3)
   - DoubleConversion (1.1.6)
-  - EASClient (0.5.1):
+  - EASClient (0.6.0):
     - ExpoModulesCore
-  - EXApplication (5.1.1):
+  - EXApplication (5.3.1):
     - ExpoModulesCore
   - EXBarCodeScanner (12.3.2):
     - EXImageLoader
     - ExpoModulesCore
     - ZXingObjC/OneD
     - ZXingObjC/PDF417
-  - EXCamera (13.2.1):
+  - EXCamera (13.6.0):
     - ExpoModulesCore
-  - EXConstants (14.2.1):
+  - EXConstants (14.4.2):
     - ExpoModulesCore
-  - EXFileSystem (15.2.2):
+  - EXFileSystem (15.4.4):
     - ExpoModulesCore
   - EXFont (11.1.1):
     - ExpoModulesCore
   - EXImageLoader (4.1.1):
     - ExpoModulesCore
     - React-Core
-  - EXJSONUtils (0.5.1)
-  - EXManifests (0.5.2):
-    - EXJSONUtils
-  - Expo (48.0.20):
+  - EXJSONUtils (0.7.1)
+  - EXManifests (0.7.2):
     - ExpoModulesCore
-  - ExpoKeepAwake (12.0.1):
+  - Expo (49.0.16):
+    - ExpoModulesCore
+  - ExpoKeepAwake (12.3.0):
     - ExpoModulesCore
   - ExpoLocalAuthentication (13.3.0):
     - ExpoModulesCore
   - ExpoLocalization (14.1.1):
     - ExpoModulesCore
-  - ExpoModulesCore (1.2.7):
+  - ExpoModulesCore (1.5.11):
+    - RCT-Folly (= 2021.07.22.00)
     - React-Core
     - React-RCTAppDelegate
     - ReactCommon/turbomodule/core
-  - EXSplashScreen (0.18.2):
+  - EXSplashScreen (0.22.0):
     - ExpoModulesCore
+    - RCT-Folly (= 2021.07.22.00)
     - React-Core
-  - EXStructuredHeaders (3.1.2)
-  - EXUpdates (0.16.4):
+  - EXStructuredHeaders (3.3.0)
+  - EXUpdates (0.18.17):
     - ASN1Decoder (~> 1.8)
     - EASClient
     - EXManifests
     - ExpoModulesCore
     - EXStructuredHeaders
     - EXUpdatesInterface
+    - RCT-Folly (= 2021.07.22.00)
+    - ReachabilitySwift
     - React-Core
-  - EXUpdatesInterface (0.9.3)
+  - EXUpdatesInterface (0.10.1)
   - FBLazyVector (0.71.8)
   - FBReactNativeSpec (0.71.8):
     - RCT-Folly (= 2021.07.22.00)
@@ -113,6 +117,7 @@ PODS:
     - FBLazyVector (= 0.71.8)
     - RCTRequired (= 0.71.8)
     - React-Core (= 0.71.8)
+  - ReachabilitySwift (5.0.0)
   - React (0.71.8):
     - React-Core (= 0.71.8)
     - React-Core/DevSupport (= 0.71.8)
@@ -597,6 +602,7 @@ SPEC REPOS:
     - libevent
     - MMKV
     - MMKVCore
+    - ReachabilitySwift
     - TensorFlowLiteC
     - TensorFlowLiteObjC
     - ZXingObjC
@@ -778,25 +784,25 @@ SPEC CHECKSUMS:
   CatCrypto: a477899b6be4954e75be4897e732da098cc0a5a8
   CrcSwift: f85dea6b41dddb5f98bb3743fd777ce58b77bc2e
   DoubleConversion: 5189b271737e1565bdce30deb4a08d647e3f5f54
-  EASClient: 950674e1098ebc09c4c2cf064a61e42e84d9d4c6
-  EXApplication: d8f53a7eee90a870a75656280e8d4b85726ea903
+  EASClient: 49f8ea858204eb4844d9fb386e5fb7920aee2e30
+  EXApplication: 042aa2e3f05258a16962ea1a9914bf288db9c9a1
   EXBarCodeScanner: 8e23fae8d267dbef9f04817833a494200f1fce35
-  EXCamera: a323a5942b5e7fc8349e17d728e91c18840ad561
-  EXConstants: f348da07e21b23d2b085e270d7b74f282df1a7d9
-  EXFileSystem: 844e86ca9b5375486ecc4ef06d3838d5597d895d
+  EXCamera: 2dc2bd2828bca4e283018a0b5a84aec6639ff0b4
+  EXConstants: ce5bbea779da8031ac818c36bea41b10e14d04e1
+  EXFileSystem: 2b826a3bf1071a4b80a8457e97124783d1ac860e
   EXFont: 6ea3800df746be7233208d80fe379b8ed74f4272
   EXImageLoader: fd053169a8ee932dd83bf1fe5487a50c26d27c2b
-  EXJSONUtils: 48b1e764ac35160e6f54d21ab60d7d9501f3e473
-  EXManifests: 500666d48e8dd7ca5a482c9e729e4a7a6c34081b
-  Expo: b7d2843b0a0027d0ce76121a63085764355a16ed
-  ExpoKeepAwake: 69f5f627670d62318410392d03e0b5db0f85759a
+  EXJSONUtils: 6802be4282d42b97c51682468ddc1026a06f8276
+  EXManifests: cf66451b11b2c2f6464917528d792759f7fd6ce0
+  Expo: fcfd60c1ed6806dee5103b210335ae0c72f675ed
+  ExpoKeepAwake: be4cbd52d9b177cde0fd66daa1913afa3161fc1d
   ExpoLocalAuthentication: 32919307c66fb3661caefa07e7811a95a7539d7b
   ExpoLocalization: f26cd431ad9ea3533c5b08c4fabd879176a794bb
-  ExpoModulesCore: 653958063a301098b541ae4dfed1ac0b98db607b
-  EXSplashScreen: 0e0a9ba0cf7553094e93213099bd7b42e6e237e9
-  EXStructuredHeaders: f3a6d417d5d12ef369fd1a31320d1c188a1b0f4b
-  EXUpdates: 603c4dfec2ed9ef323dfbd9c59c946593d4d9a5c
-  EXUpdatesInterface: e86394c0770f14eb96386cbb32be83fa6a97e8f9
+  ExpoModulesCore: d9d45dcbb86a5dba2ec62253267720cb58516f75
+  EXSplashScreen: 5ed09ea490155ef603d007d9f194c9e04a4b7980
+  EXStructuredHeaders: 324cc3130571d2696357fafd8be7fd9a0b5fdf6e
+  EXUpdates: 8f03b362414e8f9f0998f8a6d6c9fc00f2a9d2f2
+  EXUpdatesInterface: 82ed48d417cdcd376c12ca1c2ce390d35500bed6
   FBLazyVector: f637f31eacba90d4fdeff3fa41608b8f361c173b
   FBReactNativeSpec: 0d9a4f4de7ab614c49e98c00aedfd3bfbda33d59
   fmt: ff9d55029c625d3757ed641535fd4a75fedc7ce9
@@ -814,6 +820,7 @@ SPEC CHECKSUMS:
   RCT-Folly: 424b8c9a7a0b9ab2886ffe9c3b041ef628fd4fb1
   RCTRequired: 8af6a32dfc2b65ec82193c2dee6e1011ff22ac2a
   RCTTypeSafety: bee9dd161c175896c680d47ef1d9eaacf2b587f4
+  ReachabilitySwift: 985039c6f7b23a1da463388634119492ff86c825
   React: d850475db9ba8006a8b875d79e1e0d6ac8a0f8b6
   React-callinvoker: 6a0c75475ddc17c9ed54e4ff0478074a18fd7ab5
   React-Codegen: 786571642e87add634e7f4d299c85314ec6cc158
@@ -869,4 +876,4 @@ SPEC CHECKSUMS:
 
 PODFILE CHECKSUM: 01f58b130fa221dabb14b2d82d981ef24dcaba53
 
-COCOAPODS: 1.12.1
+COCOAPODS: 1.14.2

machines/VCItemMachine/ExistingMosipVCItem/ExistingMosipVCItemMachine.typegen.ts

@@ -24,6 +24,11 @@ export interface Typegen0 {
       data: unknown;
       __tip: 'See the XState TS docs to learn how to strongly type this.';
     };
+    'done.invoke.vc-item.checkingServerData.loadDownloadLimitConfig:invocation[0]': {
+      type: 'done.invoke.vc-item.checkingServerData.loadDownloadLimitConfig:invocation[0]';
+      data: unknown;
+      __tip: 'See the XState TS docs to learn how to strongly type this.';
+    };
     'done.invoke.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]': {
       type: 'done.invoke.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]';
       data: unknown;
@@ -147,6 +152,7 @@ export interface Typegen0 {
     generateKeyPair:
       | 'done.invoke.vc-item.addKeyPair:invocation[0]'
       | 'done.invoke.vc-item.kebabPopUp.addKeyPair:invocation[0]';
+    loadDownloadLimitConfig: 'done.invoke.vc-item.checkingServerData.loadDownloadLimitConfig:invocation[0]';
     requestBindingOtp:
       | 'done.invoke.vc-item.kebabPopUp.requestingBindingOtp:invocation[0]'
       | 'done.invoke.vc-item.requestingBindingOtp:invocation[0]';
@@ -192,7 +198,9 @@ export interface Typegen0 {
       | 'done.invoke.vc-item.updatingPrivateKey:invocation[0]'
       | 'done.invoke.vc-item.verifyingCredential:invocation[0]'
       | 'error.platform.vc-item.verifyingCredential:invocation[0]';
-    incrementDownloadCounter: 'POLL';
+    incrementDownloadCounter:
+      | 'POLL'
+      | 'done.invoke.vc-item.checkingServerData.loadDownloadLimitConfig:invocation[0]';
     logDownloaded: 'STORE_RESPONSE';
     logRevoked: 'STORE_RESPONSE';
     logVCremoved: 'STORE_RESPONSE';
@@ -225,17 +233,19 @@ export interface Typegen0 {
       | 'done.invoke.vc-item.kebabPopUp.addingWalletBindingId:invocation[0]'
       | 'done.invoke.vc-item.kebabPopUp.updatingPrivateKey:invocation[0]'
       | 'done.invoke.vc-item.updatingPrivateKey:invocation[0]';
-    sendDownloadLimitExpire: 'error.platform.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]';
+    sendDownloadLimitExpire:
+      | 'FAILED'
+      | 'error.platform.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]';
     sendTamperedVc: 'TAMPERED_VC';
     sendTelemetryEvents: 'STORE_RESPONSE';
     sendVcUpdated: 'PIN_CARD';
     sendWalletBindingSuccess:
       | 'done.invoke.vc-item.kebabPopUp.addingWalletBindingId:invocation[0]'
       | 'done.invoke.vc-item.kebabPopUp.updatingPrivateKey:invocation[0]';
     setCredential: 'GET_VC_RESPONSE' | 'STORE_RESPONSE';
-    setDownloadInterval: 'done.invoke.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]';
+    setDownloadInterval: 'done.invoke.vc-item.checkingServerData.loadDownloadLimitConfig:invocation[0]';
     setLock: 'done.invoke.vc-item.requestingLock:invocation[0]';
-    setMaxDownloadCount: 'done.invoke.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]';
+    setMaxDownloadCount: 'done.invoke.vc-item.checkingServerData.loadDownloadLimitConfig:invocation[0]';
     setOtp: 'INPUT_OTP';
     setOtpError:
       | 'error.platform.vc-item.requestingLock:invocation[0]'
@@ -314,12 +324,13 @@ export interface Typegen0 {
     addWalletBindnigId:
       | 'done.invoke.vc-item.addKeyPair:invocation[0]'
       | 'done.invoke.vc-item.kebabPopUp.addKeyPair:invocation[0]';
-    checkDownloadExpiryLimit: 'STORE_RESPONSE';
-    checkStatus:
-      | 'done.invoke.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]'
-      | 'error.platform.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]';
+    checkDownloadExpiryLimit:
+      | 'POLL'
+      | 'done.invoke.vc-item.checkingServerData.loadDownloadLimitConfig:invocation[0]';
+    checkStatus: 'done.invoke.vc-item.checkingServerData.verifyingDownloadLimitExpiry:invocation[0]';
     downloadCredential: 'DOWNLOAD_READY';
     generateKeyPair: 'INPUT_OTP';
+    loadDownloadLimitConfig: 'STORE_RESPONSE';
     requestBindingOtp: 'CONFIRM';
     requestLock: 'INPUT_OTP';
     requestOtp: 'LOCK_VC' | 'RESEND_OTP';
@@ -340,6 +351,7 @@ export interface Typegen0 {
     | 'checkingServerData'
     | 'checkingServerData.checkingStatus'
     | 'checkingServerData.downloadingCredential'
+    | 'checkingServerData.loadDownloadLimitConfig'
     | 'checkingServerData.savingFailed'
     | 'checkingServerData.savingFailed.idle'
     | 'checkingServerData.savingFailed.viewingVc'
@@ -380,6 +392,7 @@ export interface Typegen0 {
         checkingServerData?:
           | 'checkingStatus'
           | 'downloadingCredential'
+          | 'loadDownloadLimitConfig'
           | 'savingFailed'
           | 'verifyingDownloadLimitExpiry'
           | {savingFailed?: 'idle' | 'viewingVc'};