labsai / eddi

Prompt & Conversation Management Middleware for Conversational AI APIs such as OpenAI ChatGPT, Facebook Hugging Face, Anthropic Claude, Google Gemini and Ollama. Lean, restful, scalable, and cloud-native. Developed in Java, powered by Quarkus, provided with Docker, and orchestrated with Kubernetes or Openshift.

Home Page: https://eddi.labs.ai

Java 98.89% JavaScript 0.25% Shell 0.09% CSS 0.26% HTML 0.51%
chatbot ai bot bots bot-api bot-framework restful restful-api restful-webservices mongodb dialog java conversational-ui conversational-ai conversational-interface conversational-bots quarkus prompts conversation-memory prompt-management

eddi's Introduction

E.D.D.I: Prompt & Conversation Management Middleware for Conversational AI APIs

E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots with advanced prompt and conversation management for APIs such as OpenAI ChatGPT, Facebook Hugging Face, Anthropic Claude, Google Gemini and Ollama.

Developed in Java using Quarkus, it is lean, RESTful, scalable, and cloud-native. It comes as a Docker container and can be orchestrated with Kubernetes or Openshift. The Docker image has been certified by IBM/Red Hat.

Latest stable version: 5.3.3

License: Apache License 2.0

Project website: here

Documentation: here

Overview

E.D.D.I is a high-performance middleware for managing conversations in AI-driven applications. It is designed to run efficiently in cloud environments such as Docker, Kubernetes, and Openshift. E.D.D.I offers seamless API integration capabilities, allowing easy connection with various conversational services or traditional REST APIs with runtime configurations. It supports the integration of multiple chatbots, even multiple versions of the same bot, for smooth upgrading and transitions.

Notable features include:

  • Seamless integration with conversational or traditional REST APIs
  • Configurable NLP and Behavior rules to orchestrate LLM involvement
  • Support for multiple chatbots, including multiple versions of the same bot, running concurrently
  • Support for major AI API integrations via langchain4j: OpenAI, Hugging Face (text only), Claude, Gemini, Ollama (and more to come)

Technical specifications:

  • Resource-/REST-oriented architecture
  • Java Quarkus framework
  • JAX-RS
  • Dependency Injection
  • Prometheus integration (Metrics endpoint)
  • Kubernetes integration (Liveness/Readiness endpoint)
  • MongoDB for storing bot configurations and conversation logs
  • OAuth 2.0 (Keycloak) for authentication and user management
  • HTML, CSS, Javascript (Dashboard)
  • React (Basic Chat UI)

Prerequisites

  • Java 21
  • Maven 3.8.4
  • MongoDB >= 5.0

How to run the project

  1. Set up a local MongoDB (> v5.0).
  2. In a terminal, from the project root folder, run the following command:
     ./mvnw compile quarkus:dev
  3. Open http://localhost:7070 in a browser.

Note: If running locally inside an IDE, Lombok must be enabled (otherwise you will get compile errors complaining about missing constructors). Either install it as a plugin (e.g. in IntelliJ) or follow the instructions at https://projectlombok.org/

Build App & Docker image

./mvnw clean package '-Dquarkus.container-image.build=true'

Download from Docker hub registry

docker pull labsai/eddi

https://hub.docker.com/r/labsai/eddi

Run Docker image

For production, launch standalone mongodb and then start an eddi instance as defined in the docker-compose file

docker-compose up

For development, use

docker-compose -f docker-compose.yml -f docker-compose.local.yml up

For integration testing run

./integration-tests.sh

or

docker-compose -f docker-compose.yml -f docker-compose.local.yml -f docker-compose.testing.yml -p ci up -d

Prometheus/metrics integration

<eddi-instance>/q/metrics

Kubernetes integration

Liveness endpoint:

<eddi-instance>/q/health/live

Readiness endpoint:

<eddi-instance>/q/health/ready

eddi's People

Contributors

arealmaas, codacy-badger, dependabot[bot], edtechfoundry-ci-bot, electrobabe, eunit99, galargh, ginccc, gitter-badger, jalalsordo, jezpoz, kaskadz, kkorsakov, mend-bolt-for-github[bot], mobe91, peteanusergiu, renovate-bot, rolandpickl

eddi's Issues

NullPointerException in ChannelManager.java

Hello!

@ginccc We believe we may have found a bug in labsai/EDDI.

The endpoint /channelstore/channels does not conform to the Swagger document at /swagger.json. The Swagger document marks the following fields as required in the POST request body:

[]

However, when running the following request, the server returned a 500 response:

curl -X POST --data "{\"name\": \"xhgifqpow\"}" "http://localhost:7070/channelstore/channels"

Here is the stack trace:

eddi_1     | 2020-05-07 12:19:56 [etp86109903-85] WARN  org.eclipse.jetty.server.HttpChannel - /channelstore/channels
eddi_1     | org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
eddi_1     |    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:106)
eddi_1     |    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:372)
eddi_1     |    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:216)
eddi_1     |    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:515)
eddi_1     |    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:259)
eddi_1     |    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:160)
eddi_1     |    at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:362)
eddi_1     |    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:163)
eddi_1     |    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:245)
eddi_1     |    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:249)
eddi_1     |    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:60)
eddi_1     |    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
eddi_1     |    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
eddi_1     |    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)
eddi_1     |    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1631)
eddi_1     |    at ai.labs.server.ServerRuntime$4.doFilter(ServerRuntime.java:342)
eddi_1     |    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
eddi_1     |    at ai.labs.server.ServerRuntime$3.doFilter(ServerRuntime.java:283)
eddi_1     |    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
eddi_1     |    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:549)
eddi_1     |    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
eddi_1     |    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1610)
eddi_1     |    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
eddi_1     |    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1363)
eddi_1     |    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
eddi_1     |    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:489)
eddi_1     |    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1580)
eddi_1     |    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
eddi_1     |    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1278)
eddi_1     |    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
eddi_1     |    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
eddi_1     |    at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
eddi_1     |    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
eddi_1     |    at org.eclipse.jetty.server.Server.handle(Server.java:500)
eddi_1     |    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
eddi_1     |    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
eddi_1     |    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
eddi_1     |    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
eddi_1     |    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
eddi_1     |    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
eddi_1     |    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
eddi_1     |    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
eddi_1     |    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
eddi_1     |    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
eddi_1     |    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
eddi_1     |    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
eddi_1     |    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
eddi_1     |    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
eddi_1     |    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
eddi_1     |    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
eddi_1     |    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
eddi_1     |    at java.base/java.lang.Thread.run(Unknown Source)
eddi_1     | Caused by: java.lang.NullPointerException: null
eddi_1     |    at ai.labs.channels.config.ChannelManager.initChannel(ChannelManager.java:20)
eddi_1     |    at ai.labs.channels.config.RestChannelDefinitionStore.createChannelDefinition(RestChannelDefinitionStore.java:54)
eddi_1     |    at jdk.internal.reflect.GeneratedMethodAccessor303.invoke(Unknown Source)
eddi_1     |    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
eddi_1     |    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
eddi_1     |    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
eddi_1     |    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
eddi_1     |    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:621)
eddi_1     |    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:487)
eddi_1     |    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:437)
eddi_1     |    at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:362)
eddi_1     |    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:439)
eddi_1     |    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:400)
eddi_1     |    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:374)
eddi_1     |    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:67)
eddi_1     |    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:488)
eddi_1     |    ... 48 common frames omitted

Issue found

Hello!

labsai/EDDI. We may have found a bug in your repository.

This bug was found while issuing the following command:
curl -v "http://localhost:7070/packagestore/extensions"

Making this call resulted in the following warning:

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 7070 (#0)
> GET /packagestore/extensions HTTP/1.1
> Host: localhost:7070
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Date: Thu, 14 May 2020 12:22:09 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Authorization,X-Requested-With,Content-Type,Accept,Origin,Cache-Control
< Access-Control-Allow-Methods: HEAD,GET,PUT,POST,DELETE,PATCH,OPTIONS
< Access-Control-Expose-Headers: Location
< Content-Type: text/html;charset=utf-8
< Content-Length: 100
< 
* Connection #0 to host localhost left intact
RESTEASY003210: Could not find resource for full path: http://localhost:7070/packagestore/extensions

improvement-initialization-db

In order to speed up the setup of EDDI, the Java server should create all DB entries it needs at runtime.
Most of it is the descriptors and permissions of the plugins.

CVE-2019-19919 (High) detected in handlebars-4.0.13.js

CVE-2019-19919 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.13.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.0.13/handlebars.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/handlebars-4.0.13.js

Dependency Hierarchy:

  • handlebars-4.0.13.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution: 4.3.0



Deployment error when I followed the "Steps to create a Chatbot in EDDI"

Hi,

I'm using the docker image with the docker-compose up command only.

Then I followed the guide

I have tried a couple times from the beginning but each time I got hit by a deployment error.

 2018-11-27 17:46:13,431 INFO  [etp284149112-39] ? (:) - Deploying Bot... (environment=unrestricted, botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | 2018-11-27 17:46:13,648 INFO  [etp284149112-39] ? (:) - Bot deployed with status: ERROR (environment=unrestricted, botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | 2018-11-27 17:46:13,649 ERROR [etp284149112-39] ? (:) - Error while deploying bot! (botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | ai.labs.runtime.service.ServiceException: HTTP 404 Not Found
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:42) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.packages.PackageStoreClientLibrary.getExecutablePackage(PackageStoreClientLibrary.java:33) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.PackageFactory.getExecutablePackage(PackageFactory.java:29) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.bots.BotStoreClientLibrary.getBot(BotStoreClientLibrary.java:35) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.BotFactory.deployBot(BotFactory.java:89) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:68) [coreserver-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.BaseRuntime.lambda$submitCallable$1(BaseRuntime.java:120) [runtime-impl-4.4.jar:?]
eddi_1     | 	at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
eddi_1     | 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
eddi_1     | 	at java.lang.Thread.run(Thread.java:834) [?:?]
eddi_1     | Caused by: javax.ws.rs.NotFoundException: HTTP 404 Not Found
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:221) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:191) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:150) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at com.sun.proxy.$Proxy90.readDescriptor(Unknown Source) ~[?:?]
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:40) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	... 11 more
eddi_1     | 2018-11-27 17:46:13,665 ERROR [etp284149112-39] ? (:) - Error while deploying bot! (botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | javax.ws.rs.InternalServerErrorException: Error while deploying bot! (botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:80) ~[coreserver-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.BaseRuntime.lambda$submitCallable$1(BaseRuntime.java:120) [runtime-impl-4.4.jar:?]
eddi_1     | 	at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
eddi_1     | 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
eddi_1     | 	at java.lang.Thread.run(Thread.java:834) [?:?]
eddi_1     | Caused by: ai.labs.runtime.service.ServiceException: HTTP 404 Not Found
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:42) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.packages.PackageStoreClientLibrary.getExecutablePackage(PackageStoreClientLibrary.java:33) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.PackageFactory.getExecutablePackage(PackageFactory.java:29) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.bots.BotStoreClientLibrary.getBot(BotStoreClientLibrary.java:35) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.BotFactory.deployBot(BotFactory.java:89) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:68) ~[coreserver-4.4.jar:?]
eddi_1     | 	... 6 more
eddi_1     | Caused by: javax.ws.rs.NotFoundException: HTTP 404 Not Found
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:221) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:191) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:150) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at com.sun.proxy.$Proxy90.readDescriptor(Unknown Source) ~[?:?]
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:40) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.packages.PackageStoreClientLibrary.getExecutablePackage(PackageStoreClientLibrary.java:33) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.PackageFactory.getExecutablePackage(PackageFactory.java:29) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.bots.BotStoreClientLibrary.getBot(BotStoreClientLibrary.java:35) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.BotFactory.deployBot(BotFactory.java:89) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:68) ~[coreserver-4.4.jar:?]
eddi_1     | 	... 6 more
eddi_1     | 2018-11-27 17:52:57,374 INFO  [etp284149112-70] ? (:) - Deploying Bot... (environment=unrestricted, botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | 2018-11-27 17:52:57,437 INFO  [etp284149112-70] ? (:) - Bot deployed with status: ERROR (environment=unrestricted, botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | 2018-11-27 17:52:57,437 ERROR [etp284149112-70] ? (:) - Error while deploying bot! (botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | ai.labs.runtime.service.ServiceException: HTTP 404 Not Found
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:42) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.packages.PackageStoreClientLibrary.getExecutablePackage(PackageStoreClientLibrary.java:33) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.PackageFactory.getExecutablePackage(PackageFactory.java:29) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.bots.BotStoreClientLibrary.getBot(BotStoreClientLibrary.java:35) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.BotFactory.deployBot(BotFactory.java:89) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:68) [coreserver-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.BaseRuntime.lambda$submitCallable$1(BaseRuntime.java:120) [runtime-impl-4.4.jar:?]
eddi_1     | 	at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
eddi_1     | 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
eddi_1     | 	at java.lang.Thread.run(Thread.java:834) [?:?]
eddi_1     | Caused by: javax.ws.rs.NotFoundException: HTTP 404 Not Found
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:221) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:191) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:150) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at com.sun.proxy.$Proxy90.readDescriptor(Unknown Source) ~[?:?]
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:40) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	... 11 more
eddi_1     | 2018-11-27 17:52:57,442 ERROR [etp284149112-70] ? (:) - Error while deploying bot! (botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | javax.ws.rs.InternalServerErrorException: Error while deploying bot! (botId=5bfd8292a7b11b0008aedc2a , version=1)
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:80) ~[coreserver-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.BaseRuntime.lambda$submitCallable$1(BaseRuntime.java:120) [runtime-impl-4.4.jar:?]
eddi_1     | 	at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
eddi_1     | 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
eddi_1     | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
eddi_1     | 	at java.lang.Thread.run(Thread.java:834) [?:?]
eddi_1     | Caused by: ai.labs.runtime.service.ServiceException: HTTP 404 Not Found
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:42) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.packages.PackageStoreClientLibrary.getExecutablePackage(PackageStoreClientLibrary.java:33) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.PackageFactory.getExecutablePackage(PackageFactory.java:29) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.bots.BotStoreClientLibrary.getBot(BotStoreClientLibrary.java:35) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.BotFactory.deployBot(BotFactory.java:89) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:68) ~[coreserver-4.4.jar:?]
eddi_1     | 	... 6 more
eddi_1     | Caused by: javax.ws.rs.NotFoundException: HTTP 404 Not Found
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:221) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:191) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:150) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) ~[resteasy-client-3.6.1.Final.jar:3.6.1.Final]
eddi_1     | 	at com.sun.proxy.$Proxy90.readDescriptor(Unknown Source) ~[?:?]
eddi_1     | 	at ai.labs.runtime.service.PackageStoreService.getPackageDocumentDescriptor(PackageStoreService.java:40) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.packages.PackageStoreClientLibrary.getExecutablePackage(PackageStoreClientLibrary.java:33) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.PackageFactory.getExecutablePackage(PackageFactory.java:29) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.client.bots.BotStoreClientLibrary.getBot(BotStoreClientLibrary.java:35) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.runtime.internal.BotFactory.deployBot(BotFactory.java:89) ~[runtime-impl-4.4.jar:?]
eddi_1     | 	at ai.labs.core.rest.internal.RestBotAdministration.lambda$deploy$1(RestBotAdministration.java:68) ~[coreserver-4.4.jar:?]
eddi_1     | 	... 6 more

WS-2019-0103 (Medium) detected in handlebars-4.0.13.js

WS-2019-0103 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.0.13.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.0.13/handlebars.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/handlebars-4.0.13.js

Dependency Hierarchy:

  • handlebars-4.0.13.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)

Publish Date: 2019-01-30

URL: WS-2019-0103

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@edc6220

Release Date: 2019-05-30

Fix Resolution: 4.1.0



improvement-basicauth-for-testing

Setting up a keycloak instance is too much effort for testing EDDI. For dev purposes, EDDI should work with basic authentication instead of keycloak.

feature-docker-compose

Allow EDDI setup via various reasonable docker-compose configurations.

*) ConfigurationServer & CoreServer
*) ConfigurationServer & Core Server & Keycloak
*) ConfigurationServer & Core Server & MongoDB
*) ConfigurationServer & Core Server & Keycloak & MongoDB

Properly manage dependency versions

We should improve the management of dependency versions. Right now, the literal versions are scattered all over the project. Instead we should utilize Maven's dependencyManagement.

CVE-2020-11022 (Medium) detected in jquery-3.3.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/jquery-3.3.1.min.js

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0



Deployment error when I run ApiServer

I downloaded EDDI-4.4.0 and followed the “launch with VM options
-DEDDI_ENV=[development/production] -Duser.dir=[LOCAL_PATH_TO_EDDI]\apiserver ai.labs.api.ApiServer”.
It shows:

  1. Could not find a suitable constructor in ai.labs.behavior.impl.extensions.Connector. Classes must have either one (and only one) constructor annotated with @Inject or a zero-argument constructor that is not private.
    at ai.labs.behavior.impl.extensions.Connector.class(Connector.java:1)
    at ai.labs.behavior.bootstrap.BehaviorModule.configure(BehaviorModule.java:33)
    What's wrong with my steps?

No bot output in conversation

Dear team,
I followed the guidelines and successfully set up & created a chat bot.
For bot creation, I used the sample JSON in your documentation with generated Unique_Ids in Package & Bot.
But when I go to http://localhost:7070/chat/My_Bot_ID I get a chat form with empty content. No welcome message (as in the test screen capture). Also there is NO output from the bot when I send Hi, hello, ...
I checked the http response and saw that the bot returns conversation steps with correct actions. But NO output. I checked the IDs carefully. Am I missing some steps here?
Thank you,

Input Matcher does not support parsing regular expression

Gregor, I'm considering using EDDI to create a new chatbot engine for a specific domain, but as I understand it, the input matcher does not work with regular expressions. I have a lot of words or phrases that a user can input, but many are almost the same. Thus, I think it would be better if it were possible to use a regular expression to define the phrase. For example:

{
    "phrase": "I would like to buy ${itemName}",
    "exp": "buy_item(${itemName})"
}

Is this possible with EDDI?

What is the best way to get rules calling another REST API

Hi

My need is the following

  • Define some input matcher
  • Attach a REST endpoint to this input (with some context (security, history ...))
  • Send back to the conversation the output of the REST endpoint.

Idea is to reuse some internal rest api (developed in various language) that provide kind of "user interaction".

I'm discovering E.D.D.I and unfortunately not able to find doc on this at https://labsai.atlassian.net/wiki/display/EDDI/

I had a look into code, found Conversation callback but not sure it matches what I want

Any idea on how to implement this is welcome

Thx in advance.
Chris

4.1.0 version has compilation error.

I'm trying to setup EDDI project on my eclipse and got a compilation error on line 249 of HistorizedResourceStoreTest.java file in configurationrepository-impl project. It says,

The interface IResource cannot be implemented more than once with different arguments: IResourceStorage.IResource and IResourceStorage.IResource

Any suggestions?

WS-2019-0332 (Medium) detected in handlebars-4.0.13.js

WS-2019-0332 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.0.13.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.0.13/handlebars.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/handlebars-4.0.13.js

Dependency Hierarchy:

  • handlebars-4.0.13.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3



CVE-2020-1714 (High) detected in keycloak-core-9.0.3.jar - autoclosed

CVE-2020-1714 - High Severity Vulnerability

Vulnerable Library - keycloak-core-9.0.3.jar

Library home page: http://keycloak.org/keycloak-core

Path to dependency file: EDDI/webserver/pom.xml

Path to vulnerable library: 20210215230048_GFSLHE/downloadResource_HZIWDJ/20210215230117/keycloak-core-9.0.3.jar

Dependency Hierarchy:

  • keycloak-core-9.0.3.jar (Vulnerable Library)

Found in HEAD commit: de9920a95e29c0e4e54f1d288add78b33ab0f99d

Found in base branch: master

Vulnerability Details

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Publish Date: 2020-05-13

URL: CVE-2020-1714

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.



EDDI server stopped automatically after few hours don't use

I deployed the EDDI server on CentOS 7; after a few hours it stopped automatically. I checked the log and below is the last line of the log:

Pool did not terminate

And I guess it is related to the method below:

private void initExecutorServiceShutdownHook() {
    Runtime.getRuntime().addShutdownHook(new Thread("ShutdownHook_ExecutorService") {
        @Override
        public void run() {
            executorService.shutdown(); // Disable new tasks from being submitted
            try {
                // Wait a while for existing tasks to terminate
                if (!executorService.awaitTermination(60, TimeUnit.SECONDS)) {
                    executorService.shutdownNow(); // Cancel currently executing tasks
                    // Wait a while for tasks to respond to being cancelled
                    if (!executorService.awaitTermination(60, TimeUnit.SECONDS)) {
                        log.error("Pool did not terminate");
                    }
                }
            } catch (InterruptedException e) {
                // (Re-)Cancel if current thread also interrupted
                executorService.shutdownNow();
                // Preserve interrupt status
                Thread.currentThread().interrupt();
                log.error(e.getLocalizedMessage(), e);
            }
        }
    });
}

Is there any suggestion?

Incorrect date-time format in responses

Hello!

@ginccc We may have found a bug in EDDI.

This bug was found while issuing the following command: curl -v "http://localhost:7070/descriptorstore/descriptors" for the following endpoints:

- GET: /descriptorstore/descriptors
- GET: /outputstore/outputsets/descriptors
- GET: /packagestore/packages/descriptors
- GET: /parserstore/parsers/descriptors
- GET: /behaviorstore/behaviorsets/descriptors
- GET: /regulardictionarystore/regulardictionaries/descriptors
- GET: /httpcallsstore/httpcalls/descriptors
- GET: /backup/import/examples
- GET: /administration/unrestricted/deploymentstatus
- GET: /propertysetterstore/propertysetters/descriptors
- GET: /botstore/bots/descriptors

According to swagger specs and documentation, dates should be in ISO 8601 format, but they are returned as UNIX timestamps, i.e.:

        "createdOn": 1589806490877,
        "lastModifiedOn": 1589806490877

How to use external rest resources

Hi Gregor,

I would like to use information from an external rest service (in JSON format) as part of an answer to a user's question to a chatbot. How can this be achieved? Do I have to write a Java plugin or is it possible to only create actions / outputs over the rest interface that use third party services somehow?

Thank you in advance!

Does EDDI support wildcards to match a word or words?

I've tried AIML based chatbots and they provide special characters like *, #, _, ^, etc. to match several words or a word. And there're priorities between those wildcards. So, I can easily match similar user inputs to one pattern(phrase in EDDI).

Does EDDI support those features?

WS-2019-0064 (High) detected in handlebars-4.0.13.js

WS-2019-0064 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.13.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.0.13/handlebars.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/handlebars-4.0.13.js

Dependency Hierarchy:

  • handlebars-4.0.13.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/versions

Release Date: 2019-04-30

Fix Resolution: 1.0.6-2,4.0.14,4.1.2



Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

CVE-2019-11358 (Medium) detected in jquery-3.3.1.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/jquery-3.3.1.min.js

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0



Is there any default out configuration?

Gregor,
In some cases, the user input didn't match any of the defined actions, so the bot replied nothing.
Can EDDI allow configuring a default output for that case? The default output will be configured by the chatbot creator.

Thanks

WS-2019-0331 (Medium) detected in handlebars-4.0.13.js

WS-2019-0331 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.0.13.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.0.13/handlebars.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/handlebars-4.0.13.js

Dependency Hierarchy:

  • handlebars-4.0.13.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2



Different endpoints react differently on incorrect regex inputs

Hello!

@ginccc We may have found a bug in EDDI.

This bug was found while issuing the following command: curl -v "http://localhost:7070/botstore/bots/descriptors?filter=*" for the following endpoints:

- GET: /botstore/bots/descriptors
- GET: /httpcallsstore/httpcalls/descriptors
- GET: /packagestore/packages/descriptors
- GET: /parserstore/parsers/descriptors
- GET: /propertysetterstore/propertysetters/descriptors

If we feed the filter parameter with a non-regular expression, it shows unexpected behavior:

Making this call resulted in the following warning:
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 7070 (#0)
> GET /propertysetterstore/propertysetters/descriptors?filter=* HTTP/1.1
> Host: localhost:7070
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 500 Server Error
< Date: Thu, 14 May 2020 09:08:35 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Authorization,X-Requested-With,Content-Type,Accept,Origin,Cache-Control
< Access-Control-Allow-Methods: HEAD,GET,PUT,POST,DELETE,PATCH,OPTIONS
< Access-Control-Expose-Headers: Location
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

and for endpoint GET: /descriptorstore/descriptors, it results in an error

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 7070 (#0)
> GET /descriptorstore/descriptors?filter=* HTTP/1.1
> Host: localhost:7070
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 400 Bad Request
< Date: Thu, 14 May 2020 09:08:06 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Authorization,X-Requested-With,Content-Type,Accept,Origin,Cache-Control
< Access-Control-Allow-Methods: HEAD,GET,PUT,POST,DELETE,PATCH,OPTIONS
< Access-Control-Expose-Headers: Location
< Content-Type: text/plain;charset=utf-8
< Content-Length: 50
< 
Dangling meta character '*' near index 2
.**.*
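
One way to make the endpoints listed above answer a malformed filter consistently, as an added example that is not EDDI's own code: a shared helper compiles the filter once and maps a `PatternSyntaxException` to a 400 instead of letting it surface as a 500. The names `DescriptorFilterCheck`, `validateFilter` and `MAX_FILTER_LENGTH` are hypothetical, and the `.*` wrapping is inferred from the `.**.*` pattern echoed in the 400 response.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example (hypothetical helper, not EDDI code): one shared validation
 * step for the "filter" query parameter, so every descriptor endpoint rejects
 * a malformed regular expression in the same way.
 */
public class DescriptorFilterCheck {

    /** Assumed upper bound on filter length; not a value taken from EDDI. */
    static final int MAX_FILTER_LENGTH = 256;

    /** Either a compiled pattern (status 200) or a rejection (status 400). */
    static final class FilterResult {
        final int status;
        final Pattern pattern;   // null when the filter was rejected
        final String message;    // null when the filter was accepted

        private FilterResult(int status, Pattern pattern, String message) {
            this.status = status;
            this.pattern = pattern;
            this.message = message;
        }

        static FilterResult ok(Pattern pattern) {
            return new FilterResult(200, pattern, null);
        }

        static FilterResult badRequest(String message) {
            return new FilterResult(400, null, message);
        }
    }

    /** Validates the raw query parameter before any store or database call. */
    static FilterResult validateFilter(String rawFilter) {
        if (rawFilter == null || rawFilter.isEmpty()) {
            return FilterResult.ok(Pattern.compile(".*")); // no filter: match everything
        }
        if (rawFilter.length() > MAX_FILTER_LENGTH) {
            return FilterResult.badRequest(
                    "filter exceeds " + MAX_FILTER_LENGTH + " characters");
        }
        try {
            // Same wrapping the 400 response echoes back (".**.*" for filter "*").
            return FilterResult.ok(Pattern.compile(".*" + rawFilter + ".*"));
        } catch (PatternSyntaxException e) {
            // The reported index refers to the wrapped pattern; shift it back by
            // the two-character ".*" prefix and clamp it to the raw input.
            int index = Math.max(0, Math.min(e.getIndex() - 2, rawFilter.length()));
            return FilterResult.badRequest(
                    "invalid filter: " + e.getDescription() + " near index " + index);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the "*" from the report, a valid regex,
        // an empty filter and an unclosed character class.
        String[] filters = {"*", "bot.*", "", "[a-z"};
        for (String filter : filters) {
            FilterResult result = validateFilter(filter);
            System.out.printf("filter=%-8s status=%d %s%n",
                    "\"" + filter + "\"",
                    result.status,
                    result.message == null ? "" : result.message);
        }
    }
}
```

Each descriptor endpoint would call the same helper before touching its store, so the status code no longer depends on where the pattern happens to be compiled.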

Autodiscovery of lifecycle tasks

At the moment, lifecycle tasks need to be registered manually in the CoreModule. Instead, we want lifecycle tasks on the classpath to be picked up and bound automatically.

Question: Oauth for the bot

Hi,

I want to enable OAuth before the user can initiate the chat. I went through the documentation and could not find the information. I know it uses Keycloak, but that looks like it is for the admin page and not for the bot.

Please explain how to enable oauth before the conversation is started with the bot and use the oauth token to be passed to the REST calls.

Thanks,
Himanshu

Log shows infinispan database authorization errors with MongoDB

I deployed the latest EDDI image on OpenShift and the logs have this recurring entry:

com.mongodb.MongoQueryException: Query failed with error code 13 and error message 'not authorized on eddi to execute command { find: "infinispan_cachestore_ackAwaitingCommands", filter: { expiryTime: { $lte: new Date(1583852236906), $gt: new Date(-1) } }, sort: { _id: -1 }, limit: 1024, $db: "eddi" }' on server 172.30.193.83:27017
	at com.mongodb.operation.FindOperation$1.call(FindOperation.java:735)
	at com.mongodb.operation.FindOperation$1.call(FindOperation.java:725)
	at com.mongodb.operation.OperationHelper.withReadConnectionSource(OperationHelper.java:463)
	at com.mongodb.operation.FindOperation.execute(FindOperation.java:725)
	at com.mongodb.operation.FindOperation.execute(FindOperation.java:89)
	at com.mongodb.client.internal.MongoClientDelegate$DelegateOperationExecutor.execute(MongoClientDelegate.java:196)
	at com.mongodb.client.internal.MongoIterableImpl.execute(MongoIterableImpl.java:143)
	at com.mongodb.client.internal.MongoIterableImpl.iterator(MongoIterableImpl.java:92)
	at com.mongodb.client.internal.MongoIterableImpl.forEach(MongoIterableImpl.java:121)
	at com.mongodb.client.internal.MappingIterable.forEach(MappingIterable.java:59)
	at com.mongodb.client.internal.MappingIterable.into(MappingIterable.java:69)
	at org.infinispan.persistence.mongodb.cache.MongoDBCacheImpl.removeExpiredData(MongoDBCacheImpl.java:131)
	at org.infinispan.persistence.mongodb.store.MongoDBStore.purge(MongoDBStore.java:109)
	at org.infinispan.persistence.manager.PersistenceManagerImpl.lambda$purgeExpired$6(PersistenceManagerImpl.java:466)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
	at org.infinispan.persistence.manager.PersistenceManagerImpl.purgeExpired(PersistenceManagerImpl.java:469)
	at org.infinispan.expiration.impl.ExpirationManagerImpl.processExpiration(ExpirationManagerImpl.java:111)
	at org.infinispan.expiration.impl.ExpirationManagerImpl$ScheduledTask.run(ExpirationManagerImpl.java:245)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)

I believe the cause is in https://github.com/labsai/EDDI/blob/master/apiserver/config/production/infinispan.xml:

 uri="mongodb://${mongodb.hosts}:${mongodb.port}/${mongodb.database}?w=0&amp;connectTimeoutMS=2000"

which specifies an anonymous connection to MongoDB but will fail if authorization is enabled on the db.

CVE-2020-11023 (Medium) detected in jquery-3.3.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/jquery-3.3.1.min.js

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0



How do I start this locally

I don't know java so how do I run this? I've installed mongodb and installed the source. The installation indicates "BUILD SUCCESS". For launch I see the instructions

"launch with VM options
-DEDDI_ENV=[development/production] -Duser.dir=[LOCAL_PATH_TO_EDDI]\apiserver ai.labs.api.ApiServer"

I'm running locally from within the EDDI base directory, so what is the full command? I've tried

java -classpath '.:lib/*' -DEDDI_ENV=development -Duser.dir=/Users/myname/PROGRAMS/EDDI/apiserver ai.labs.api.ApiServer

but get the error "Error: Could not find or load main class ai.labs.api.ApiServe" assume I need to set the class path somewhere.

Also, will the command ./start_eddi.sh? What should I set EDDI_JAVA_ENV_ to?

I'm running on mac.

Thanks

Issues with swagger.json file created from docker image

Firstly thank you for all your efforts, this looks like a very interesting project.

I have downloaded and built the docker images and they have started successfully and I can view the swagger ui

I have a couple of challenges

Firstly, the default request URL points to port 80 on what appears to be your own host. I have found the swagger config but it's not linked to a mounted volume, so it will not be persisted when restarting the docker image. Is there a way to change this so it does get persisted?

Secondly I have retrieved the swagger.json file from the running docker and tried to import it into my app dev tool and it has found that you are using definitions with objects with no properties, is this intentional as I am told that definitions of type object have to either ref a model or define properties.

Thanks M

Any plans to support PostgreSQL ?

Hi, I'm trying to use EDDI, and I'm wondering if you guys are planning to support any other databases.

I want to use PostgreSQL instead of MongoDB.

So, I want to know if there's a way to do that.

Thank you.

CVE-2019-17495 (High) detected in multiple libraries

CVE-2019-17495 - High Severity Vulnerability

Vulnerable Libraries - swagger-ui-standalone-preset-3.21.0.js, swagger-ui-bundle-3.21.0.js, swagger-ui-3.21.0.js

swagger-ui-standalone-preset-3.21.0.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.21.0/swagger-ui-standalone-preset.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/swagger-ui-standalone-preset.js

Dependency Hierarchy:

  • swagger-ui-standalone-preset-3.21.0.js (Vulnerable Library)

swagger-ui-bundle-3.21.0.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.21.0/swagger-ui-bundle.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/swagger-ui-bundle.js

Dependency Hierarchy:

  • swagger-ui-bundle-3.21.0.js (Vulnerable Library)

swagger-ui-3.21.0.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.21.0/swagger-ui.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/swagger-ui.js

Dependency Hierarchy:

  • swagger-ui-3.21.0.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Publish Date: 2019-10-10

URL: CVE-2019-17495

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17495

Release Date: 2019-10-10

Fix Resolution: 3.23.11



CVE-2019-8331 (Medium) detected in bootstrap-4.2.1.js, bootstrap-4.2.1.min.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-4.2.1.js, bootstrap-4.2.1.min.js

bootstrap-4.2.1.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.2.1/js/bootstrap.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-4.2.1.js (Vulnerable Library)

bootstrap-4.2.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.2.1/js/bootstrap.min.js

Path to vulnerable library: EDDI/apiserver/src/main/resources/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-4.2.1.min.js (Vulnerable Library)

Found in HEAD commit: e141334e85f823e2e1a3c8e4ac2c90fe6a35c48c

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

