CVE-2021-4326: GitHub - zowe/imperative: Imperative CLI Framework
A vulnerability in the Imperative framework allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands or maliciously formed environment variables. It impacts Zowe CLI.
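The bug class described above (user-controlled values reaching a shell command line) and the usual hardening, as an added Node.js example. It is not code from zowe/imperative and does not reproduce the project's affected code or its fix; the names buildInstallArgs, runNoShell, echoArgv and PKG_SPEC and the sample inputs are hypothetical.

```javascript
// Added illustration of the bug class; not code from zowe/imperative.
const { execFileSync } = require("node:child_process");

// Allow-list for an npm package spec: optional @scope/, name, optional @tag-or-version.
const PKG_SPEC =
  /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9][A-Za-z0-9._-]*)?$/;

// Build the argument vector for "npm install" as an array, never as one string.
function buildInstallArgs(pkgSpec, registry) {
  if (typeof pkgSpec !== "string" || !PKG_SPEC.test(pkgSpec)) {
    throw new Error("rejected package spec: " + JSON.stringify(pkgSpec));
  }
  const args = ["install", pkgSpec];
  if (registry !== undefined) {
    const url = new URL(registry); // throws on malformed input
    if (url.protocol !== "https:") throw new Error("registry must use https");
    args.push("--registry=" + url.href);
  }
  return args;
}

// Run a program with an argv array and no shell: metacharacters stay data.
function runNoShell(file, args) {
  return execFileSync(file, args, { shell: false, encoding: "utf8" });
}

// Stand-in for npm so the demo runs offline: a child Node process that
// reports the arguments it received.
function echoArgv(args) {
  const code = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";
  return JSON.parse(runNoShell(process.execPath, ["-e", code, "--", ...args]));
}

// Constructed sample inputs (not taken from the advisory).
const hostile = "sample-plugin; echo INJECTED"; // could come from argv or an env var
const received = echoArgv(["install", hostile]);
console.log(received); // the value arrives as one literal argument, nothing is executed
console.log(buildInstallArgs("@zowe/imperative@zowe-v2-lts"));
```

A real caller would pass the validated array to runNoShell together with the npm executable instead of concatenating a command string; values read from environment variables get the same treatment as command-line input.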
Imperative CLI Framework
Imperative CLI Framework is a command processing system that lets you quickly build customized command-line interfaces. Focus on adding functionality for your users rather than creating CLI infrastructure. We provide you with all the tools to get started building your own CLI plug-ins.
Software Requirements
Install Node.js package manager on your computer. Node.js® is a JavaScript runtime environment on which we architected Imperative CLI Framework.
You must have a means to execute “.sh” (bash) scripts to run integration tests. On Windows, you can install "Git Bash", which is bundled with the standard Git installation (choose the “Use Git and Unix Tools from Windows Command Prompt” installation option). When you run the integration tests on Windows, you must have Administrative authority to enable the integration tests to create symbolic links.
Note: Broadcom Inc. does not maintain the prerequisite software that Imperative CLI Framework requires. You are responsible for updating Node.js and other prerequisites on your computer. We recommend that you update Node.js regularly to the latest Long Term Support (LTS) version.
Install Imperative as a Dependency
Issue the following commands to install Imperative CLI Framework as a dependency.
Install @latest version:
Be aware that if you update via @latest, you accept breaking changes into your project.
npm install @zowe/imperative
Install @zowe-v2-lts version:
This is a Long Term Support release that is guaranteed to have no breaking changes.
npm install @zowe/imperative@zowe-v2-lts
Note: If you want to install the bleeding edge version of Imperative, you can append --@zowe:registry=https://zowe.jfrog.io/zowe/api/npm/npm-release/ to the install command to get it from a staging registry. It is not recommended to use this registry for production dependencies.
Build and Install Imperative CLI Framework from Source
To build and install the Imperative CLI Framework, follow these steps:
- Clone the zowe/imperative project to your PC.
- From the command line, issue cd [relative path]/imperative
- Issue npm install
- Issue npm run build
- Issue npm run test
To build the entire project (including test stand-alone CLIs): npm run build
To build only imperative source: npm run build:packages
Run Tests
| Command | Description |
| --- | --- |
| npm run test | Run all automated tests (unit & integration) |
| npm run test:unit | Run unit tests |
| npm run test:integration | Run integration tests |
| npm run test:system | Run system tests (requires IPv6 connection) |
Note: To build and install the test CLIs used by the integration tests:
- node scripts/sampleCliTool.js build
- node scripts/sampleCliTool.js install
Sample Applications
We provide a sample plug-in that you can use to get started developing your own plug-ins. See the Zowe CLI Sample Plug-in.
Documentation
We provide documentation that describes how to define commands, work with user profiles, and more! For more information, see the Imperative CLI Framework wiki.
Contribute
For information about how you can contribute code to Imperative CLI Framework, see CONTRIBUTING.
Versioning
Imperative CLI Framework uses Semantic Versioning (SemVer) for versioning. For more information, see the Semantic Versioning website.
Licensing Imperative CLI Framework
For Imperative CLI Framework licensing rules, requirements, and guidelines, see LICENSE.