carbon-charts
[Accessibility]: Twistlock Vulnerability Scan Threat Detected : CVE-2016-10707
Environment
Browser: (not given); Node: 14.18.1; React: 17.0.2; npm: 6.14.15; OS: Windows 10 64-bit
What happened? What did you expect to happen instead?
Issue: We use Twistlock for security and vulnerability scans before release to the Production environment.
A vulnerability is detected with the use of jQuery version 2.1.4, pulled in as a result of the dom-to-image dependency of @carbon/charts.
This blocks the deployment pipeline and the usage of chart features with @carbon/charts-react.
Expected: Twistlock scans don't show any vulnerability threats with the use of @carbon/charts.
Reproduction: Install @carbon/charts. In the path /node_modules/dom-to-image/bower_components/jquery, version 2.1.4 is detected with CVE-2016-10707 reported on it.
Suggestions: Evaluate the need for dom-to-image (which is no longer updated) or find a suitable replacement.
Version
@carbon/[email protected]
Data & options used
No response
Relevant log output
16:57:45 | CVE: CVE-2016-10707 | SEVERITY: high | CVSS: 7.00 | PACKAGE: jquery | VERSION: 2.1.4 | STATUS: fixed in 3.0.0, > 3 years ago | PUBLISHED: > 3 years | DISCOVERED: < 1 hour | GRACE DAYS: -1372 | DESCRIPTION: jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed... | TRIGGERED FAILURE: Yes
{"version":"2.1.4","name":"jquery","path":"/node_modules/dom-to-image/bower_components/jquery","cveCount":35,"license":"","layerTime":0}
Hi,
Looking at the dom-to-image library, I personally cannot find references to jQuery in the code that we use. Are you able to find any such references? Seems to me like it could be dead/unused code.
Additionally, we've reported this issue inside the dom-to-image repo: https://github.com/tsayen/dom-to-image/issues/399
However, there does not currently seem to be a new version of the library available which we can update to and resolve the dependency.
You are right. There is no import or direct reference to jQuery in the carbon charts code. Carbon charts has a dependency on dom-to-image, and if we browse \node_modules\dom-to-image\bower_components\jquery we find a reference there. I am new to NodeJS and ReactJs and use the carbon design system.
Is carbon-chars impacted by the jquery vulnerabilities? Will this issue be fixed?
Hi @theiliad, Is carbon-chars impacted by the jquery vulnerabilities? Will this issue be fixed? Thanks!
Hi, we had @ninja511 look into this issue.
Seems like jquery and ocrad-bower are both dev dependencies rather than production dependencies, and I'm not able to find any usages of jquery inside the main js file in dom-to-image.
Could you pls clarify your concern?
@theiliad @ninja511 Do you have any plan to fix this issue? The vulnerable jquery lib is still under dom-to-image path in node-module, can we treat it as false positive if carbon lib doesn't use jquery? Thank you.
Hello, I opened this bug https://github.com/carbon-design-system/carbon-addons-iot-react/issues/3416; could you confirm when you will fix this issue? We are one of the development teams in IBM. We now need to resolve this issue as soon as possible to fulfill the company IT security requirement for High severity issues.
We've removed dom-to-image as a dependency a while ago. I'm going to close, but lmk if this is still relevant.