
[BUG] openapi-generator uses outdated and vulnerable jQuery 1.8.3

Open abuklis opened this issue 2 years ago • 3 comments

Bug Report Checklist

  • [x] Have you provided a full/minimal spec to reproduce the issue?
  • [x] Have you validated the input using an OpenAPI validator (example)?
  • [x] Have you tested with the latest master to confirm the issue still exists?
  • [x] Have you searched for related issues/PRs?
  • [x] What's the actual output vs expected output?
  • [ ] [Optional] Sponsorship to speed up the bug fix or feature request (example)
Description

openapi-generator uses an outdated and vulnerable jQuery, 1.8.3. This version has known vulnerabilities, and hence using it in the project fails the security checks.

openapi-generator version

6.6.0, 7.0.0-beta

Generation Details

jQuery-1.8.3.min.js is located in openapi-generator-6.6.0.jar/openapi-static/assets/js

Steps to reproduce

Add openapi-generator-6.6.0.jar to your Java project, and jQuery-1.8.3.min.js will be automatically loaded to your project

Related issues/PRs

https://github.com/swagger-api/swagger-ui/issues/776

Suggest a fix

Upgrade jQuery to at least 2.2.3, or an even newer version.

abuklis, Jul 11 '23 09:07
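A dependency scanner such as nexus-iq flags the jar as a whole; when triaging this issue it helps to know exactly which entries carry jQuery and which version each one is. The script below is an added example, not code from the openapi-generator project: it walks a jar (a zip archive) for jQuery files, reads the version from the file name (jquery-1.8.3.min.js) or from jQuery's own banner comment, and lists every entry below a configurable floor (defaulting to the 2.2.3 suggested in this issue). The sample archive it builds is constructed to mirror the paths reported in this thread and is not a real release jar.

```python
"""Report bundled jQuery files in a jar that are older than a version floor."""
import io
import re
import zipfile
from typing import List, Tuple

# Version in the entry name (jquery-1.8.3.min.js) or in the banner comment
# jQuery ships at the top of each build ("/*! jQuery v3.1.0 | (c) ...").
_NAME_RE = re.compile(r"jquery[-.]v?(\d+\.\d+\.\d+)", re.IGNORECASE)
_BANNER_RE = re.compile(r"jQuery\s+v?(\d+\.\d+\.\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.1.0' -> (3, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_jquery(jar_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, version) for every jQuery file found in the archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if "jquery" not in entry.lower():
                continue
            match = _NAME_RE.search(entry)
            if match is None:
                # Templates such as js_jquery.mustache carry no version in the
                # name, so fall back to the banner in the first bytes of content.
                head = jar.read(entry)[:512].decode("utf-8", "ignore")
                match = _BANNER_RE.search(head)
            if match is not None:
                found.append((entry, match.group(1)))
    return found


def outdated(jar_bytes: bytes, minimum: str = "2.2.3") -> List[Tuple[str, str]]:
    """Entries whose jQuery version is older than `minimum`."""
    floor = parse_version(minimum)
    return [(e, v) for e, v in find_jquery(jar_bytes) if parse_version(v) < floor]


def sample_jar() -> bytes:
    """Constructed archive mimicking the paths reported in the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("openapi-static/assets/js/jquery-1.8.3.min.js", "/*! jQuery v1.8.3 */")
        z.writestr("htmlDocs2/js_jquery.mustache", "/*! jQuery v3.1.0 | (c) jQuery Foundation */")
        z.writestr("openapi-static/assets/css/style.css", "body{}")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, version in outdated(sample_jar()):
        print(f"{entry}: jQuery {version} is below the configured floor")
```

Pass a higher floor to `outdated` to see the 3.1.0 template flagged as well, which is what a scanner applying a newer baseline would report.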

For me, the generated html contains jQuery v3.1.0, but that, too, is vulnerable. In fact, we just got a security requirement from a penetration test that we have to get rid of that dependency. It would be sad if that meant we had to stop using the OpenAPI Generator. Is there a way to tell the generator to use a newer jQuery version?

For reference, I found jQuery v3.1.9 in the file openapi-generator/modules/openapi-generator/src/main/resources/htmlDocs2/js_jquery.mustache

KiraResari, Feb 22 '24 09:02

We are currently using openapi-generator (7.3.0) in one of our projects as a maven dependency. In our ecosystem we have all the nexus tooling to check 3rd party dependency vulnerabilities. Currently, due to this issue, nexus-iq is failing our builds as the jquery version used within the openapi-generator jar is deprecated. Hence I would like to give a vote up towards this issue. Is there a schedule to fix this issue? It would be nice to know in this regard.

vishalrs, Mar 05 '24 08:03

Title: Update jQuery Version in OpenAPI Generator to Address Security Vulnerability

Description: We are currently using OpenAPI Generator version 7.9.0, which includes a vulnerable version of jQuery (1.8.3) located at /openapi-static/assets/js/jquery-1.8.3.min.js. This version of jQuery has known security vulnerabilities as reported by the jQuery team. Despite the updates in OpenAPI Generator, this issue has not been addressed.

Steps to Reproduce:

  1. Use OpenAPI Generator version 7.9.0.
  2. Navigate to the path /openapi-static/assets/js/.
  3. Observe that the jQuery version is 1.8.3.

Expected Behavior: The jQuery version should be updated to the latest version to ensure that security vulnerabilities are mitigated and the security scan does not flag this issue.

Actual Behavior: The jQuery version remains at 1.8.3, which is flagged by security scans due to known vulnerabilities.

Suggested Fix: Update the jQuery version in the OpenAPI Generator to the latest stable release.

Environment:

  • OpenAPI Generator version: 7.9.0
  • Affected file: /openapi-static/assets/js/jquery-1.8.3.min.js

mahendra214, Oct 17 '24 12:10