
Snyk failing in Pipeline due to jsonpath-plus issue

Open GRenwickBrambles opened this issue 1 year ago • 4 comments

What are the steps to reproduce this issue?

Run snyk test --severity-threshold=high on package after installing

What happens?

Issues with no direct upgrade or patch: ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884] in [email protected] introduced by [email protected] > @orval/[email protected] > @orval/[email protected] > @ibm-cloud/[email protected] > @stoplight/[email protected] > @stoplight/[email protected] > [email protected] and 1 other path(s) This issue was fixed in versions: 10.0.0

What were you expecting to happen?

Snyk to be fine with all Orval dependencies

Any logs, error output, etc?

https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

Any other comments?

What versions are you using?

npmPackages:
  axios: ^1.7.7 => 1.7.7
  msw: ^2.4.9 => 2.4.9
  orval: ^7.1.1 => 7.1.1

GRenwickBrambles avatar Oct 11 '24 15:10 GRenwickBrambles
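The Snyk report above names a fixed version (10.0.0) and the nesting path that pulls in the old copy. As an added example, not code from this issue or from orval, the script below walks an npm lockfile's `packages` map and reports every installed copy of `jsonpath-plus` still below that version together with its nesting chain, which is the check you want after bumping to a new orval release to confirm no nested copy survived. The lockfile contents and the spectral package version are constructed.

```javascript
// Added example, not code from the orval issue or from Snyk: scan an npm
// lockfile (lockfileVersion 2/3 "packages" map) for installed copies of a
// package still below the version Snyk reports as fixed, with their nesting.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, 0 if equal, positive if a > b; numeric per component,
// so "9.0.0" sorts below "10.0.0" (a plain string compare gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// "node_modules/a/node_modules/@s/b" -> ["a", "@s/b"]; scoped names stay whole.
function nestingChain(key) {
  return key.split("node_modules/").map(s => s.replace(/\/$/, "")).filter(Boolean);
}

// Every installed copy of `name` whose version is below `fixedIn`.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.endsWith(`node_modules/${name}`)) continue; // skips the "" root entry
    if (compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ version: entry.version, chain: nestingChain(key) });
    }
  }
  return hits;
}

// Constructed lockfile: hoisted copy is patched, nested copy under a spectral
// package (version made up) is still on the vulnerable line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/jsonpath-plus": { version: "10.0.0" },
    "node_modules/@stoplight/spectral-core": { version: "1.0.0" },
    "node_modules/@stoplight/spectral-core/node_modules/jsonpath-plus": { version: "9.0.0" },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK, "jsonpath-plus", "10.0.0")) {
  console.log(`${h.chain.join(" > ")} @ ${h.version} is below the fixed version`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the same walk works for any package name and fixed version Snyk reports.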

Updating dependencies of dependencies can be tricky, but a PR is welcome!

melloware avatar Oct 11 '24 15:10 melloware

image

melloware avatar Oct 15 '24 12:10 melloware

It looks like the fix is there but not tagged yet.

https://github.com/stoplightio/spectral/commit/5205058d1c9b48e6785b7744e2e2716cc7f1e0f4

Mariscal6 avatar Oct 16 '24 08:10 Mariscal6

@Mariscal6 thanks for keeping your eye on it, and let us know when it's released so we can bump!

melloware avatar Oct 16 '24 11:10 melloware

Hello @melloware, it looks like the PR has been merged :)

RasmusStaal1227 avatar Oct 22 '24 08:10 RasmusStaal1227

Nice, now Spectral needs to do a release.

melloware avatar Oct 22 '24 11:10 melloware

There is another PR that needs to land in spectral: https://github.com/stoplightio/spectral/pull/2712

jacquesg avatar Oct 22 '24 12:10 jacquesg

OK somebody let me know when Spectral releases.

melloware avatar Oct 22 '24 13:10 melloware

@melloware looks like the PR has landed :)

mackerson123 avatar Oct 25 '24 18:10 mackerson123

Yep but spectral has not done a release yet...

melloware avatar Oct 25 '24 18:10 melloware

@melloware spectral has released the new version

micael-mbagira-parloa avatar Nov 12 '24 10:11 micael-mbagira-parloa

I will look at this today!

melloware avatar Nov 12 '24 12:11 melloware

PR is here, but looking at it, it looks like IBM OpenApiTools is what needs to update to the latest Spectral? https://github.com/orval-labs/orval/pull/1701/files

melloware avatar Nov 12 '24 14:11 melloware

@melloware correct, I will try to open a PR there tomorrow.

micael-mbagira-parloa avatar Nov 12 '24 16:11 micael-mbagira-parloa

I think they have: https://github.com/IBM/openapi-validator/releases/tag/ibm-openapi-validator%401.27.0

jacquesg avatar Nov 12 '24 16:11 jacquesg

It's actually not validator, it's @ibm-cloud/openapi-ruleset, which I updated to 1.25.0, but I'm still not sure that fixes it.

melloware avatar Nov 12 '24 17:11 melloware

Indeed, I've created a PR to update the deps there:

https://github.com/IBM/openapi-validator/pull/697

jacquesg avatar Nov 12 '24 19:11 jacquesg

@melloware version 1.25.1 should now be out.

jacquesg avatar Nov 16 '24 09:11 jacquesg

PR updated! https://github.com/orval-labs/orval/pull/1702

melloware avatar Nov 16 '24 11:11 melloware

OK 7.3.0 is out if everyone wants to try it.

melloware avatar Nov 18 '24 15:11 melloware