From 48f5c0ebff112e11f9925ea24cffbfb314458229 Mon Sep 17 00:00:00 2001
From: Shilong Liu
Date: Sun, 24 Apr 2022 19:18:55 +0800
Subject: [PATCH] [CG] Fix CG alert about underscore version. (#10606)
Fix CG CVE-2021-23358
---
 src/thrift_0_13_0/Makefile | 1 +
 .../0003-Remove-underscore-packages.patch | 120 ++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 src/thrift_0_13_0/patch/0003-Remove-underscore-packages.patch
diff --git a/src/thrift_0_13_0/Makefile b/src/thrift_0_13_0/Makefile
index a44b3d9180..3bdb7c2a14 100644
--- a/src/thrift_0_13_0/Makefile
+++ b/src/thrift_0_13_0/Makefile
@@ -25,6 +25,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 # Disable php perl and few other packages as they need additional packages to be installed
 patch -p1 < ../patch/0001-Remove-unneeded-packages.patch
 patch -p1 < ../patch/0002-Remove-minimist-packages.patch
+ patch -p1 < ../patch/0003-Remove-underscore-packages.patch
 DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -d -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
 popd
diff --git a/src/thrift_0_13_0/patch/0003-Remove-underscore-packages.patch b/src/thrift_0_13_0/patch/0003-Remove-underscore-packages.patch
new file mode 100644
index 0000000000..afef27fee2
--- /dev/null
+++ b/src/thrift_0_13_0/patch/0003-Remove-underscore-packages.patch
@@ -0,0 +1,120 @@
+diff --git a/lib/js/package-lock.json b/lib/js/package-lock.json
+index 2d84fb05a..96c555fc0 100644
+--- a/lib/js/package-lock.json
++++ b/lib/js/package-lock.json
+@@ -2274,8 +2274,7 @@
+ "mkdirp": "~0.5.1",
+ "requizzle": "~0.2.1",
+ "strip-json-comments": "~2.0.1",
+- "taffydb": "2.6.2",
+- "underscore": "~1.8.3"
++ "taffydb": "2.6.2"
+ }
+ },
+ "jshint": {
+@@ -3331,17 +3330,7 @@
+ "requizzle": {
+ "version": "0.2.1",
+ "resolved": "https://registry.npmjs.org/requizzle/-/requizzle-0.2.1.tgz",
+- "integrity": "sha1-aUPDUwxNmn5G8c3dUcFY/GcM294=",
+- "requires": {
+- "underscore": "~1.6.0"
+- },
+- "dependencies": {
+- "underscore": {
+- "version": "1.6.0",
+- "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz",
+- "integrity": "sha1-izixDKze9jM3uLJOT/htRa6lKag="
+- }
+- }
++ "integrity": "sha1-aUPDUwxNmn5G8c3dUcFY/GcM294="
+ },
+ "resolve": {
+ "version": "1.1.7",
+@@ -4078,25 +4067,10 @@
+ "xtend": "^4.0.1"
+ }
+ },
+- "underscore": {
+- "version": "1.8.3",
+- "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz",
+- "integrity": "sha1-Tz+1OxBuYJf8+ctBCfKl6b36UCI="
+- },
+ "underscore-contrib": {
+ "version": "0.3.0",
+ "resolved": "https://registry.npmjs.org/underscore-contrib/-/underscore-contrib-0.3.0.tgz",
+- "integrity": "sha1-ZltmwkeD+PorGMn4y7Dix9SMJsc=",
+- "requires": {
+- "underscore": "1.6.0"
+- },
+- "dependencies": {
+- "underscore": {
+- "version": "1.6.0",
+- "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz",
+- "integrity": "sha1-izixDKze9jM3uLJOT/htRa6lKag="
+- }
+- }
++ "integrity": "sha1-ZltmwkeD+PorGMn4y7Dix9SMJsc="
+ },
+ "underscore.string": {
+ "version": "3.3.5",
+diff --git a/lib/ts/package-lock.json b/lib/ts/package-lock.json
+index e79c55d97..3f1f822ce 100644
+--- a/lib/ts/package-lock.json
++++ b/lib/ts/package-lock.json
+@@ -2630,8 +2630,7 @@
+ "mkdirp": "~0.5.1",
+ "requizzle": "~0.2.1",
+ "strip-json-comments": "~2.0.1",
+- "taffydb": "2.6.2",
+- "underscore": "~1.8.3"
++ "taffydb": "2.6.2"
+ }
+ },
+ "jshint": {
+@@ -3847,17 +3846,7 @@
+ "requizzle": {
+ "version": "0.2.1",
+ "resolved": "https://registry.npmjs.org/requizzle/-/requizzle-0.2.1.tgz",
+- "integrity": "sha1-aUPDUwxNmn5G8c3dUcFY/GcM294=",
+- "requires": {
+- "underscore": "~1.6.0"
+- },
+- "dependencies": {
+- "underscore": {
+- "version": "1.6.0",
+- "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz",
+- "integrity": "sha1-izixDKze9jM3uLJOT/htRa6lKag="
+- }
+- }
++ "integrity": "sha1-aUPDUwxNmn5G8c3dUcFY/GcM294="
+ },
+ "resolve": {
+ "version": "1.9.0",
+@@ -4585,25 +4574,10 @@
+ "xtend": "^4.0.1"
+ }
+ },
+- "underscore": {
+- "version": "1.8.3",
+- "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz",
+- "integrity": "sha1-Tz+1OxBuYJf8+ctBCfKl6b36UCI="
+- },
+ "underscore-contrib": {
+ "version": "0.3.0",
+ "resolved": "https://registry.npmjs.org/underscore-contrib/-/underscore-contrib-0.3.0.tgz",
+- "integrity": "sha1-ZltmwkeD+PorGMn4y7Dix9SMJsc=",
+- "requires": {
+- "underscore": "1.6.0"
+- },
+- "dependencies": {
+- "underscore": {
+- "version": "1.6.0",
+- "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz",
+- "integrity": "sha1-izixDKze9jM3uLJOT/htRa6lKag="
+- }
+- }
++ "integrity": "sha1-ZltmwkeD+PorGMn4y7Dix9SMJsc="
+ },
+ "underscore.string": {
+ "version": "3.3.5",
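Review bot: Removing the `underscore` entries from `lib/js/package-lock.json` and `lib/ts/package-lock.json` silences the CVE-2021-23358 alert without upgrading anything, and it leaves both lockfiles inconsistent. The packages whose `requires` blocks are deleted (`requizzle`, `underscore-contrib`, and the object ending before `"jshint"`, whose opening lies outside the hunk) presumably still declare underscore in their own manifests. Any later npm install from these directories would therefore resolve it again, this time with no pinned version and no `integrity` hash to check. The diff does not show whether the JS/TS libraries are built in this package. If they are not, say so next to the new `patch -p1` line in the Makefile, for example `# 0003: lib/js and lib/ts are not built here; drops underscore lock entries flagged for CVE-2021-23358`. If they are built, the lock entries should move to a fixed underscore release rather than be removed.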