Date

22 Jun 2023

Call-in Information

Time: 10:00 am, Eastern Time

• Join Zoom Meeting
  https://lyrasis.zoom.us/j/81398228834?pwd=SE0wdFN3NnFVbEhYVUhuM3BtQmVUQT09

  Meeting ID: 813 9822 8834
  Passcode: 728426

Attendees

 Indicating note-taker

1. Dragan Ivanovic 
2. William Welling
3. Brian Lowe 
4. Georgy Litvinov   

Agenda

1. Release candidate 3 (VIVO 1.14.0)
   
   1. Published and a couple of issues reported to Georgy
   2. https://github.com/vivo-project/Vitro/pull/407
   3. https://github.com/vivo-project/Vitro/pull/408
   4. https://github.com/vivo-project/Vitro/pull/409
2. Release candidate 4
3. Vulnerability
   1. https://vivo-project.slack.com/archives/C8RL9L98A/p1687378615914659

   2. The penetration testers contacted me with an additional finding for the VIVO server. This one relates to a issue with input not being sanitized for special characters, which could then be used to exploit the site. They consider this a high severity vulnerability and documenting it as a reflected cross site scripting vulnerability. The provided an example of exploiting the issue with the below URL.https://vivo.mydomain.edu/visualizationAjax?vis=capabilitymap&query=291822&callback=ipretResultsoesic<script>alert(1)<%2fscript>cwz3i&noCacheIE=1687235208332

4. Publication claiming
   1. 1. https://vivo-project.slack.com/archives/C8SDQQYJ2/p1687364277662029
      2. Good afternoon all,I have a question about restricting publication claiming. In the 1.11.x release notes, publication claiming is noted as being available to anyone who has the ability to edit in VIVO, whether that be the ability to edit only their profile or edit others. Is there a way to restrict this to be an admin-only privilege?

Notes

A couple of new issues have been recorded related to the Vitro code base. All have been resolved and merged into the main branch. Dragan will generate VIVO 1.14.0 Release candidate 4.

The vulnerability https://vivo.mydomain.edu/visualizationAjax?vis=capabilitymap&query=291822&callback=ipretResultsoesic<script>alert(1)<%2fscript>cwz3i&noCacheIE=1687235208332 is still present in VIVO 1.14.0 release candidate. Not sure what is causing this issue. Dragan will respond to slack message. 

Probably claiming publication is linked with privileges to edit a profile. Once this PR (https://github.com/vivo-project/VIVO/pull/3887) is merged, it will be quite easy to define this as a separate privilege.  Therefore, this issue might be resolved by configuration of VIVO 1.15.0+. Georgy can present how it might be done after summer break. 

Draft notes on Google Drive

Actions

• Dragan Ivanovic to prepare release candidate 4
• Georgy Litvinov to align https://vivo.tib.eu/vivorc/ with release candidate 4
• Dragan Ivanovic to respond to slack messages

Previous actions 

• Dragan Ivanovic will try to collect wiki pages where strategy, vision and roadmap for development of VIVO were discussed in the past
• Georgy Litvinov will try to address the issue https://github.com/vivo-project/VIVO/issues/3871
• Dragan Ivanovic will ask Michael to open a GitHub ticket for the issue about UF performance during login (https://vivo-project.slack.com/archives/C8RL9L98A/p1684174222986709), Brian Lowe and others can continue discussion about this issue once a ticket is open
• Dragan Ivanovic will ask Rodrigo to open a GitHub ticket for the issue about custom theme and VIVO Docker (https://vivo-project.slack.com/archives/C8RL9L98A/p1684962021101889), William Welling  and others can continue discussion about this issue once a ticket is open
• Brian Lowe to open a GitHub issue for index page exception
  • https://github.com/vivo-project/VIVO/issues/3867
  • add sample (minimal RDF to reproduce the issue)
• Miloš Popović or Ivan Mrsulja to review (https://github.com/vivo-project/VIVO/issues/3862)
  • https://github.com/vivo-project/VIVO/pull/3863
  • https://github.com/vivo-project/Vitro/pull/386
• Georgy Litvinov to review (https://github.com/vivo-project/VIVO/issues/3847)
  • https://github.com/vivo-project/Vitro/pull/383
• Review (https://github.com/vivo-project/VIVO/issues/3865)
  • https://github.com/vivo-project/VIVO/pull/3866
• Review (https://github.com/vivo-project/VIVO/issues/3864)
  • https://github.com/vivo-project/Vitro/pull/387
• Review (https://github.com/vivo-project/VIVO/issues/3858)
  • https://github.com/vivo-project/Vitro/pull/385
• Review (https://github.com/vivo-project/VIVO/issues/3859)
  • https://github.com/vivo-project/Vitro/pull/384
• Review (https://github.com/vivo-project/VIVO/issues/3855)
  • https://github.com/vivo-project/VIVO/pull/3861
• Review (https://github.com/vivo-project/VIVO/security/dependabot/3)
  • https://github.com/vivo-project/VIVO/pull/3853

• Brian Lowe and William Welling to review https://github.com/vivo-project/VIVO/pull/3853
• William Welling to review https://github.com/vivo-project/VIVO/pull/3861
• All to think how to organize scripts for VIVO (at the moment for dump and restore) - https://github.com/vivo-project/Vitro/pull/380

• Dragan Ivanovic to make consultation with the VIVO ontology group and Lyrasis system administrators about non-resolvable VIVO ontology links
• Committers to take part in the sprint PR review process
• Dragan Ivanovic to make a PR for fixing privileges for adding grant collaborators
• Brian Lowe to make a PR for fixing ordering of instances with multilingual properties
• Georgy Litvinov will investigate the problem of searching instances with multilingual properties
• Ralph O'Flinn to help with Preparing Documentation for Release by coping space VIVO 1.12.x Documentation to the space VIVO 1.13.x Documentation (or to grant Dragan Ivanovic permissions to do that)
• Dragan Ivanovic to work on documenting new features for VIVO 1.13.x Documentation
• Dragan Ivanovic to create the third one google form for reporting the testing results, that form should be used for testing new features introduced in VIVO 1.13.0
  • New Features: https://docs.google.com/forms/d/19FMslvvSzg_FK-Wmxg4t7EOP2UDft4FVdQvM4-2IO50/edit?usp=sharing
• Everyone to review https://docs.google.com/forms/d/13W2vynR6OmavoV2Px_kJ-k-dlQDv3ERWG0PnXX7ekQA/edit?usp=sharing and https://docs.google.com/forms/d/1dks3b3sJsmM7Q33bwHW_1iVem5VRjg3fqpx8UTFKIfI/edit?usp=sharing
  • and to review https://docs.google.com/forms/d/19FMslvvSzg_FK-Wmxg4t7EOP2UDft4FVdQvM4-2IO50/edit?usp=sharing
• Brian Lowe to work on removing spring dependencies (https://github.com/vivo-project/VIVO/issues/3686)
• Georgy Litvinov to work on PR for merging back a lost fix he noticed
• Everyone to review spreadsheet for defining requirements for JS and CSS framework selection - https://docs.google.com/spreadsheets/d/1p-86FdqQR2SpFIsK5Xa-k6Dgm5ORg6Lrc7eeOEetm8g/edit?usp=sharing

• Benjamin Gross to review https://github.com/vivo-project/Vitro/pull/251
• Dragan Ivanovic to review https://github.com/vivo-project/Vitro/pull/251
• Georgy Litvinov to fix the issue with GitHub action https://github.com/vivo-project/Vitro/pull/269
• Ralph O'Flinn to review https://github.com/vivo-project/Vitro/pull/269
• William Welling to review https://github.com/vivo-project/Vitro/pull/269
• Georgy Litvinov to update pom versions in https://github.com/vivo-project/VIVO-languages/pull/104 and https://github.com/vivo-project/Vitro-languages/pull/54
• Dragan Ivanovic to review and merge https://github.com/vivo-project/VIVO-languages/pull/104 and https://github.com/vivo-project/Vitro-languages/pull/54
• Georgy Litvinov to review https://github.com/vivo-project/VIVO/pull/3613
• Dragan Ivanovic to review https://github.com/vivo-project/Vitro/pull/240 
• Brian Lowe to review https://github.com/vivo-project/Vitro/pull/240
• Ralph O'Flinn to publish orcid-api-client 0.6.4 and update version of this library at https://github.com/vivo-project/VIVO/blob/main/api/pom.xml#L62

• Dragan Ivanovic to create announcement for the demo meeting and to spread it
• Dragan Ivanovic to reorganize code of https://github.com/vivo-project/Vitro/pull/287 and to get rid of enumerations for data types 
• Dragan Ivanovic to investigate organizational (management) aspects of DSpace community and to prepare discussion for the next meeting what might be adopted from there (GitHub actions, labels for issues, template for issue, template for PR)
• William Welling Georgy Litvinov to review sprint PRs (there should be three PRs)
• Brian Lowe to review N3Template operation PR (https://github.com/vivo-project/Vitro/pull/286)
• Georgy Litvinov to review/test https://github.com/vivo-project/orcid-api-client/pull/12
• Ralph O'Flinn to merge https://github.com/vivo-project/orcid-api-client/pull/12 and publish orcid-api-client 0.6.4
• Georgy Litvinov to complete https://github.com/vivo-project/Vitro/pull/251

• Ralph O'Flinn to merge https://github.com/vivo-project/VIVO/pull/3611, after that Georgy Litvinov will create a branch for the sprint and move the code from his fork to there
• Ralph O'Flinn to resolve missing i18n directory issue in VIVO 1.12.2 release
• Georgy Litvinov to work on specification for Dynamic API, Dragan Ivanovic to help Georgy on request
• Ralph O'Flinn to resolve missing i18n directory issue in VIVO 1.12.2 release
• Dragan Ivanovic to find some examples for citation of a GitHub repositories (https://github.com/vivo-project/VIVO/pull/247) 
• Georgy Litvinov to contact Tatiana Walther for reviewing https://github.com/vivo-project/VIVO-languages/pull/104 and https://github.com/vivo-project/Vitro-languages/pull/54
• Benjamin Gross to review https://github.com/vivo-project/VIVO/pull/250, https://github.com/vivo-project/Vitro/pull/251, and https://github.com/vivo-project/Vitro-languages/pull/56
• Brian Lowe to review https://github.com/vivo-project/Vitro/pull/213, https://github.com/vivo-project/Vitro-languages/pull/44, https://github.com/vivo-project/Vitro/pull/240, and https://github.com/vivo-project/VIVO-languages/pull/103
• William Welling to review https://github.com/vivo-project/Vitro/pull/241
• Huda Khan to review https://github.com/vivo-project/VIVO/pull/247