
update embedded jQuery & jquery-ui to one that addresses known vulnerabilities

Open foreveremain opened this issue 11 months ago • 3 comments

We've had some reports from JalviewJS users about detectable vulnerabilities in the SwingJS runtime - see e.g. https://github.com/jalview/jalview-js/issues/12

The core problem is jQuery v1.11.0. Whilst it's possible we could patch the vulnerability (or it perhaps isn't even serious for SwingJS deployments), scanners will still see the version number and most likely complain.

I've had a go at porting the patches in swingjs2.js to the latest release of jQuery, this seemed to work OK - but I've now got issues with JQueryUI. Would be great to get some guidance @BobHanson !

foreveremain avatar Jan 24 '25 17:01 foreveremain

Probably time to upgrade anyway. What are they finding?

BobHanson avatar Jan 25 '25 02:01 BobHanson

Mostly they're just detecting that jquery 1.11 is lurking inside swingjs/swingjs2.js - this is picked up by retire.js. I can see that Jmol's demo pages don't get flagged - since Jmol-SwingJS bundles jQuery v3.7.4. I guess the simplest thing would be to rebuild against the unified SwingJS/Jmol-SwingJS runtime?

retire.js report:

1.11.0 Found in https://builds.jalview.org/artifact/JB-GJB/shared/build-472/JalviewJS-site/swingjs/swingjs2.js
Vulnerability info:
medium 2432 3rd party CORS request may execute CVE-2015-9251 GHSA-rmxg-73gg-4p98 1234
medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers GHSA-rmxg-73gg-4p98 123
medium CVE-2019-11358 4333 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution GHSA-6c3j-c64m-qhgq 123
medium CVE-2020-11022 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2 1
medium CVE-2020-11023 CVE-2020-23064 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6 1
low 73 jQuery 1.x and 2.x are End-of-Life and no longer receiving security update

foreveremain avatar Jan 27 '25 15:01 foreveremain
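Since the thread turns on retire.js fingerprinting the jQuery version embedded in swingjs2.js, here is an added example (not code from java2script, SwingJS or retire.js) of a minimal Node.js check that extracts embedded jQuery version strings from a bundle and compares them against the fix releases of the CVEs in the report above. The fingerprint regexes and the sample bundle strings are this example's own assumptions; the fix versions are those published in the jQuery advisories.

```javascript
// Added example, not code from java2script, SwingJS or retire.js: a minimal
// version-fingerprint audit for a bundled script such as swingjs2.js, so a CI
// job can fail when the embedded jQuery predates the fix releases of the CVEs
// retire.js reported above. Fix versions are those published in the advisories.
const JQUERY_ADVISORIES = [
  { cve: 'CVE-2015-9251', fixedIn: '3.0.0', summary: '3rd party CORS request may execute' },
  { cve: 'CVE-2019-11358', fixedIn: '3.4.0', summary: 'jQuery.extend(true, {}, ...) prototype pollution' },
  { cve: 'CVE-2020-11022', fixedIn: '3.5.0', summary: 'jQuery.htmlPrefilter regex may introduce XSS' },
  { cve: 'CVE-2020-11023', fixedIn: '3.5.0', summary: 'untrusted HTML passed to DOM manipulation methods' },
];

// Heuristic fingerprints (an assumption of this example, not retire.js's own
// rules): the build header comment and the `version = "x.y.z"` literal.
const VERSION_PATTERNS = [
  /\/\*!?\s*jQuery\s+v(\d+\.\d+\.\d+)/g,
  /\bversion\s*=\s*"(\d+\.\d+\.\d+)"/g,
];

// Distinct jQuery version strings found in a bundle's source text.
function findJQueryVersions(source) {
  const found = new Set();
  for (const re of VERSION_PATTERNS) for (const m of source.matchAll(re)) found.add(m[1]);
  return [...found];
}

// Negative if a < b, zero if equal, positive if a > b (x.y.z numeric compare).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisories whose fix release is newer than the given version.
function unfixedAdvisories(version) {
  return JQUERY_ADVISORIES.filter(a => compareVersions(version, a.fixedIn) < 0);
}

// One finding per flagged version; an empty array means the bundle is clean.
function auditBundle(source) {
  const findings = [];
  for (const version of findJQueryVersions(source)) {
    const issues = unfixedAdvisories(version).map(a => a.cve);
    if (compareVersions(version, '3.0.0') < 0) issues.push('EOL: jQuery 1.x/2.x receive no security updates');
    if (issues.length) findings.push({ version, issues });
  }
  return findings;
}

// Constructed sample bundles standing in for an old and an upgraded swingjs2.js.
const OLD_BUNDLE = '/*! jQuery v1.11.0 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\nvar version = "1.11.0";';
const NEW_BUNDLE = '/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */\nvar version = "3.7.1";';
console.log(JSON.stringify(auditBundle(OLD_BUNDLE)), JSON.stringify(auditBundle(NEW_BUNDLE)));
```

To audit a real build, pass the file contents read from disk to `auditBundle` and fail the job when the returned array is non-empty.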

It's just copying Jmol-SwingJS.zip https://github.com/BobHanson/Jmol-SwingJS/blob/master/dist/Jmol-SwingJS.zip into your appropriate (?) resource/ directory and then running a build again. I can't remember exactly which directory that is for you. Also there was something about Java 11. But that may have only been for the compiling of the Jalview code itself, not this library.

BobHanson avatar Jan 27 '25 18:01 BobHanson