DependencyCheck
yarn audit analyzer
Describe the bug
When analyzing projects with a yarn.lock file, "java.util.NoSuchElementException: No value present" occurs at "org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:244)".

Version of dependency-check used
The problem occurs using version 6.5.2 of the CLI.

Expected behavior
Finished Yarn Audit Analyzer
Your report is missing key information for debugging and/or analysis. Please use the issue template provided.
I've got exactly the same issue on version 7.0.0...
Hi, got exactly the same issue.

Version of dependency-check used
The problem occurs when using version 7.0.0 of the maven plugin on Windows 10.

Log file

```text
[WARNING] An unexpected error occurred during analysis of 'C:\<REDACTED>\src\main\webapp\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR]
java.util.NoSuchElementException: No value present
    at java.util.Optional.get (Optional.java:148)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson (YarnAuditAnalyzer.java:244)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage (YarnAuditAnalyzer.java:284)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency (YarnAuditAnalyzer.java:106)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:836)
[INFO] Finished Yarn Audit Analyzer (2 seconds)
```
To Reproduce
The plugin is included in the build pipeline of my maven module as follows:

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.0.0</version>
      <configuration>
        <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
        <pathToYarn>C:\<REDACTED>\AppData\Roaming\npm\yarn.cmd</pathToYarn>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```
This module contains the web app under `src/main/webapp`: `package.json`, `yarn.lock` and all the sources are there as well.
Now when I run `mvn clean verify`, this is the log that I get:
```text
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (3 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[WARNING] Analyzing `C:\<REDACTED>\src\main\webapp\package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (3 seconds)
[INFO] Finished CPE Analyzer (7 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARNING] An unexpected error occurred during analysis of 'C:\<REDACTED>\src\main\webapp\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR]
java.util.NoSuchElementException: No value present
    at java.util.Optional.get (Optional.java:148)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson (YarnAuditAnalyzer.java:244)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage (YarnAuditAnalyzer.java:284)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency (YarnAuditAnalyzer.java:106)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:836)
[INFO] Finished Yarn Audit Analyzer (2 seconds)
[INFO] Finished RetireJS Analyzer (3 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (22 seconds)
[INFO] Writing report to: C:\<REDACTED>\target\dependency-check-report.html
```
Expected behavior
No error is present, and the Yarn Audit Analyzer contributes to the report.

Additional context

The warning in the logs
There's this warning in the log:

```text
[WARNING] Analyzing `C:\<REDACTED>\src\main\webapp\package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
```

If I run `yarn install` then the above log is gone, but the Yarn Audit Analyzer fails in the same way ("No value present").
Path to yarn
This is another thing that does not work for me for some reason. I can run `yarn -v` in the command line from any directory and it'll print a version. To my understanding it means it's correctly found on the PATH. But the maven plugin simply says it can't find the path to the yarn executable.
The yarn version
Globally I've got yarn 1.22.17 installed, but in the project a 'bundled' 3.1.1 version is used; this is the result of running `yarn set version stable` some time ago in the directory where the sources are. A `.yarnrc` file is sitting there in the `src/main/webapp` directory and it is pointing to the 3.1.1 'bundle'. So:
- if I run `yarn -v` in the `src/main/webapp` directory, it'll show 3.1.1
- if I run `yarn -v` outside of the above directory, it'll show 1.22.17
I have the same issue with a yarn 2 lockfile. Is yarn 2 (berry) already supported?
What I understand is that it has nothing to do with the lockfile.
It tries to read the generated audit file from yarn, and it should contain `Audit Request`.
Possible issues:
- tmp folder/file permissions
- yarn audit output is not as expected
So I ran `yarn audit --offline --json --verbose > yarn_audit.json` manually.
In my use case the output was not as expected. Instead of the audit line I got:

```text
{"type":"verbose","data":"Error: Couldn't find a package.json file in.... .cache/yarn/v6/npm-caniuse-lite-1.0.30001204-256c85709a348ec4d175e847a3b515c66e79f2aa-integrity/node_modules/caniuse-lite\""}
```

One dependency is invalid (after running `yarn` to install dependencies, it was valid again).
So dependency-check is running in offline mode and it requires that packages are downloaded already.
I would suggest that dependency-check has to check if the audit file contains `Couldn't find a package.json file` and provide a proper error message.
According to https://stackoverflow.com/a/63599370/535203, one should now use the `yarn npm audit` command, but I didn't check if the output of `yarn npm audit --all --environment production --recursive --json` is the same as the one we obtained with `yarn audit --offline --json --verbose`.

@anthony-o did you perform `yarn` before the audit, and could you provide the output of the audit command?
In my GitLab pipeline I was having the same problem and solved it by setting the yarn cache path to the current directory using `yarn config set cache-folder $CI_PROJECT_DIR/.yarn_cache`.
I am using `owasp/dependency-check:7.1.1` as the docker image for the scan job, which downloads the cache from the previous yarn install job, for which I use the docker image `node:16.16.0-alpine3.15` (yarn version 1.22.19).
It looks like, to resolve this, we need to wait for a solution for the gradle plugin org.owasp.dependencycheck, and until we have a solution we need to add the following setting to our build.gradle configuration:

```groovy
dependencyCheck { analyzers.nodeAudit.yarnEnabled = false }
```

WARNING: This will disable the yarn dependency check, and if you are using yarn for more than tests (functional tests etc.), your code may have vulnerabilities.
There are some other dependency check plugins but they are not as good as this one.
Hello, any news regarding this issue?
Hi Jeremy,
Sorry for the late response. I did not find time to correct that problem. But I know the root cause and whenever I finish it I will inform you.
Thank you so much.
Kind Regards,
Dede, Mehmet Senior Java Developer
@JustMehmet Any updates here?
Hello, are there any chances that it will be fixed in the near future?
With Dependency-Check Core version 8.4.0 and yarn 1.22.19, we see the following log (when outputting to a `--log` file):

```text
DEBUG - Launching: [yarn, audit, --offline, --json, --verbose]
DEBUG - Process Error Out: {"type":"error","data":"Couldn't find any versions for \"@types/prop-types\" that matches \"^15.7.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}
```

Executing `yarn audit --offline --json --verbose` (which it appears is what the OWASP Dependency Check is doing) results in the same error. Running `yarn audit --json --verbose`, i.e. without the `--offline` flag as the error suggests, results in a successful `yarn audit` scan.
Our `yarn.lock` file has an entry for `"@types/prop-types@*":`, which currently resolves to `@types/prop-types/-/prop-types-15.7.7`.
So this appears to be a problem with `yarn audit` when run in `--offline` mode (the package reference does exist within the lock file and has been downloaded to the `node_modules` and yarn cache folder).
I guess either `yarn audit` needs fixing or dependency-check needs to use the online version (maybe an option flag for the CLI & Maven/Gradle plugins?).
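The up-front check that two comments in this thread ask for (detect the "Couldn't find ..." messages in the yarn output and report a proper error instead of failing on a missing record), written here as an added Python example; it is not DependencyCheck's code, and the sample streams are constructed, modelled on the records quoted above. The "offline cache incomplete" classification is this example's own reading of those two messages, not something yarn labels.

```python
import json
from dataclasses import dataclass, field

# Messages that, in this thread, meant "yarn's offline cache is incomplete":
# a 'verbose' record with an "Error:" prefix (earlier comment) and an 'error'
# record (the --offline comment above). Both are treated as the same failure.
OFFLINE_CACHE_MARKERS = (
    "Couldn't find a package.json file",
    "Couldn't find any versions for",
)


@dataclass
class AuditDiagnosis:
    ok: bool = False
    advisories: int = 0                           # auditAdvisory records seen
    summary: dict = field(default_factory=dict)   # auditSummary payload, if any
    problems: list = field(default_factory=list)  # human-readable findings
    cache_incomplete: bool = False


def parse_ndjson(text):
    """yarn 1 `--json` output is one JSON object per line. Keep non-JSON
    noise as an 'unparsed' record instead of aborting on it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            records.append({"type": "unparsed", "data": line})
    return records


def diagnose_yarn_audit(text):
    """Classify a yarn audit JSON stream: did the audit complete, and if not,
    why? Checked before any record is looked up, so a missing auditSummary
    becomes a message rather than a NoSuchElementException."""
    d = AuditDiagnosis()
    for rec in parse_ndjson(text):
        kind, data = rec.get("type"), rec.get("data")
        if kind == "auditAdvisory":
            d.advisories += 1
        elif kind == "auditSummary" and isinstance(data, dict):
            d.summary = data
        elif kind in ("error", "verbose", "unparsed"):
            msg = data if isinstance(data, str) else json.dumps(data)
            if any(marker in msg for marker in OFFLINE_CACHE_MARKERS):
                d.cache_incomplete = True
                d.problems.append(
                    "offline cache incomplete (run `yarn install` first, "
                    "or audit without --offline): " + msg)
            elif kind == "error" or msg.startswith("Error:"):
                d.problems.append("yarn reported an error: " + msg)
    if not d.summary:
        d.problems.append("no auditSummary record: the audit did not complete")
    d.ok = not d.problems
    return d


# Constructed sample streams, modelled on the records quoted in this thread.
SAMPLE_GOOD = "\n".join([
    "yarn audit v1.22.19",  # non-JSON noise: tolerated, not fatal
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1, "path": "a>b"},
        "advisory": {"id": 1, "module_name": "b", "severity": "high"}}}),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0},
        "totalDependencies": 2}}),
])
SAMPLE_VERBOSE_ERR = json.dumps({"type": "verbose", "data":
    "Error: Couldn't find a package.json file in /home/ci/.cache/yarn/v6/"
    "npm-example-1.0.0-integrity/node_modules/example"})
SAMPLE_OFFLINE_ERR = json.dumps({"type": "error", "data":
    "Couldn't find any versions for \"@types/prop-types\" that matches \"^15.7.5\" "
    "in our cache (possible versions are \"\"). This is usually caused by a missing "
    "entry in the lockfile, running Yarn without the --offline flag may help fix this issue."})


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("verbose-error", SAMPLE_VERBOSE_ERR),
                         ("offline-error", SAMPLE_OFFLINE_ERR)]:
        result = diagnose_yarn_audit(sample)
        print(f"{name}: ok={result.ok} advisories={result.advisories}")
        for problem in result.problems:
            print("  -", problem)
```

Run against a captured `yarn_audit.json`, `diagnose_yarn_audit` returns `ok=False` with a message naming the incomplete cache for both failure shapes seen in this thread, and `ok=True` with the summary counts when the stream ends in an `auditSummary` record.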
With yarn 3, `yarn npm audit --json --recursive` gives me: ......."dependencies":1523,"devDependencies":14,"optionalDependencies":0,"totalDependencies":1537}
Can we launch the audit ourselves, and then tell ODC to analyse our audit to avoid errors?
I've launched the following audit commands on my project:

Yarn 1.22.19:
`yarn audit --all --recursive --json > yarn1all.json`
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1092971,
"path": "cypress>@cypress/request",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "2.88.12",
"paths": [
"cypress>@cypress/request"
]
}
],
"metadata": null,
"vulnerable_versions": "<=2.88.12",
"module_name": "@cypress/request",
"severity": "moderate",
"github_advisory_id": "GHSA-p8p7-x288-28g6",
"cves": [
"CVE-2023-28155"
],
"access": "public",
"patched_versions": ">=3.0.0",
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"updated": "2023-08-14T20:53:47.000Z",
"recommendation": "Upgrade to version 3.0.0 or later",
"cwe": [
"CWE-918"
],
"found_by": null,
"deleted": null,
"id": 1092971,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
"created": "2023-03-16T15:30:19.000Z",
"reported_by": null,
"title": "Server-Side Request Forgery in Request",
"npm_advisory_id": null,
"overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1089270,
"path": "cra-bundle-analyzer>webpack-bundle-analyzer>ejs",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "2.7.4",
"paths": [
"cra-bundle-analyzer>webpack-bundle-analyzer>ejs"
]
}
],
"metadata": null,
"vulnerable_versions": "<3.1.7",
"module_name": "ejs",
"severity": "critical",
"github_advisory_id": "GHSA-phwq-j96m-2c2q",
"cves": [
"CVE-2022-29078"
],
"access": "public",
"patched_versions": ">=3.1.7",
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"updated": "2023-01-30T05:02:57.000Z",
"recommendation": "Upgrade to version 3.1.7 or later",
"cwe": [
"CWE-74"
],
"found_by": null,
"deleted": null,
"id": 1089270,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q",
"created": "2022-04-26T00:00:40.000Z",
"reported_by": null,
"title": "ejs template injection vulnerability",
"npm_advisory_id": null,
"overview": "The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).",
"url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1091181,
"path": "gulp>glob-watcher>chokidar>glob-parent",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "3.1.0",
"paths": [
"gulp>glob-watcher>chokidar>glob-parent"
]
}
],
"metadata": null,
"vulnerable_versions": "<5.1.2",
"module_name": "glob-parent",
"severity": "high",
"github_advisory_id": "GHSA-ww39-953v-wcq6",
"cves": [
"CVE-2020-28469"
],
"access": "public",
"patched_versions": ">=5.1.2",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"updated": "2023-02-28T22:39:43.000Z",
"recommendation": "Upgrade to version 5.1.2 or later",
"cwe": [
"CWE-400"
],
"found_by": null,
"deleted": null,
"id": 1091181,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6",
"created": "2021-06-07T21:56:34.000Z",
"reported_by": null,
"title": "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex",
"npm_advisory_id": null,
"overview": "This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.",
"url": "https://github.com/advisories/GHSA-ww39-953v-wcq6"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1093882,
"path": "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "1.0.2",
"paths": [
"react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"
]
}
],
"metadata": null,
"vulnerable_versions": "<2.0.1",
"module_name": "nth-check",
"severity": "high",
"github_advisory_id": "GHSA-rp65-9cf3-cjxr",
"cves": [
"CVE-2021-3803"
],
"access": "public",
"patched_versions": ">=2.0.1",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"updated": "2023-09-13T21:49:55.000Z",
"recommendation": "Upgrade to version 2.0.1 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093882,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
"created": "2021-09-20T20:47:31.000Z",
"reported_by": null,
"title": "Inefficient Regular Expression Complexity in nth-check",
"npm_advisory_id": null,
"overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n try {\n nthCheck.parse(attack_str) \n }\n catch(err) {\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
"url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1094304,
"path": "react-scripts>resolve-url-loader>postcss",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "7.0.39",
"paths": [
"react-scripts>resolve-url-loader>postcss"
]
}
],
"metadata": null,
"vulnerable_versions": "<8.4.31",
"module_name": "postcss",
"severity": "moderate",
"github_advisory_id": "GHSA-7fh5-64p2-3v2j",
"cves": [
"CVE-2023-44270"
],
"access": "public",
"patched_versions": ">=8.4.31",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"updated": "2023-10-10T21:32:38.000Z",
"recommendation": "Upgrade to version 8.4.31 or later",
"cwe": [
"CWE-74",
"CWE-144"
],
"found_by": null,
"deleted": null,
"id": 1094304,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"created": "2023-09-30T00:31:10.000Z",
"reported_by": null,
"title": "PostCSS line return parsing error",
"npm_advisory_id": null,
"overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
}
}
}
{
"type": "auditSummary",
"data": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 2,
"high": 2,
"critical": 1
},
"dependencies": 150,
"devDependencies": 1854,
"optionalDependencies": 0,
"totalDependencies": 2004
}
}
Yarn 3.2.2:
`yarn npm audit --all --recursive --json > yarn3all.json`
{
"actions": [],
"advisories": {
"1092470": {
"findings": [
{
"version": "4.1.2",
"paths": [
"cypress>@cypress/request>tough-cookie",
"react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"
]
}
],
"metadata": null,
"vulnerable_versions": "<4.1.3",
"module_name": "tough-cookie",
"severity": "moderate",
"github_advisory_id": "GHSA-72xf-g2v4-qvf3",
"cves": [
"CVE-2023-26136"
],
"access": "public",
"patched_versions": ">=4.1.3",
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"updated": "2023-07-11T13:44:36.000Z",
"recommendation": "Upgrade to version 4.1.3 or later",
"cwe": [
"CWE-1321"
],
"found_by": null,
"deleted": null,
"id": 1092470,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"created": "2023-07-01T06:30:16.000Z",
"reported_by": null,
"title": "tough-cookie Prototype Pollution vulnerability",
"npm_advisory_id": null,
"overview": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3"
},
"1092971": {
"findings": [
{
"version": "2.88.11",
"paths": [
"cypress>@cypress/request"
]
}
],
"metadata": null,
"vulnerable_versions": "<=2.88.12",
"module_name": "@cypress/request",
"severity": "moderate",
"github_advisory_id": "GHSA-p8p7-x288-28g6",
"cves": [
"CVE-2023-28155"
],
"access": "public",
"patched_versions": ">=3.0.0",
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"updated": "2023-08-14T20:53:47.000Z",
"recommendation": "Upgrade to version 3.0.0 or later",
"cwe": [
"CWE-918"
],
"found_by": null,
"deleted": null,
"id": 1092971,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
"created": "2023-03-16T15:30:19.000Z",
"reported_by": null,
"title": "Server-Side Request Forgery in Request",
"npm_advisory_id": null,
"overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
},
"1093108": {
"findings": [
{
"version": "1.2.3",
"paths": [
"eslint>optionator>word-wrap",
"@typescript-eslint/parser>eslint>optionator>word-wrap",
"@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap"
]
}
],
"metadata": null,
"vulnerable_versions": "<1.2.4",
"module_name": "word-wrap",
"severity": "moderate",
"github_advisory_id": "GHSA-j8xg-fqg3-53r7",
"cves": [
"CVE-2023-26115"
],
"access": "public",
"patched_versions": ">=1.2.4",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"updated": "2023-08-24T21:37:44.000Z",
"recommendation": "Upgrade to version 1.2.4 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093108,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26115\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657\n- https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39\n- https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4\n- https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39\n- https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"created": "2023-06-22T06:30:18.000Z",
"reported_by": null,
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"npm_advisory_id": null,
"overview": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\n",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7"
},
"1093262": {
"findings": [
{
"version": "5.7.1",
"paths": [
"@typescript-eslint/eslint-plugin>semver",
"@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"
]
}
],
"metadata": null,
"vulnerable_versions": "<5.7.2",
"module_name": "semver",
"severity": "moderate",
"github_advisory_id": "GHSA-c2qf-rxjj-qqgw",
"cves": [
"CVE-2022-25883"
],
"access": "public",
"patched_versions": ">=5.7.2",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"updated": "2023-09-01T23:43:55.000Z",
"recommendation": "Upgrade to version 5.7.2 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093262,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"created": "2023-06-21T06:30:28.000Z",
"reported_by": null,
"title": "semver vulnerable to Regular Expression Denial of Service",
"npm_advisory_id": null,
"overview": "Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"
},
"1093882": {
"findings": [
{
"version": "1.0.2",
"paths": [
"i18next-parser>cheerio>cheerio-select>css-select>nth-check",
"react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
"react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check",
"cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check"
]
}
],
"metadata": null,
"vulnerable_versions": "<2.0.1",
"module_name": "nth-check",
"severity": "high",
"github_advisory_id": "GHSA-rp65-9cf3-cjxr",
"cves": [
"CVE-2021-3803"
],
"access": "public",
"patched_versions": ">=2.0.1",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"updated": "2023-09-13T21:49:55.000Z",
"recommendation": "Upgrade to version 2.0.1 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093882,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
"created": "2021-09-20T20:47:31.000Z",
"reported_by": null,
"title": "Inefficient Regular Expression Complexity in nth-check",
"npm_advisory_id": null,
"overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n try {\n nthCheck.parse(attack_str) \n }\n catch(err) {\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
"url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
},
"1094304": {
"findings": [
{
"version": "7.0.39",
"paths": [
"react-scripts>postcss",
"cra-bundle-analyzer>react-scripts>postcss",
"cra-bundle-analyzer>react-scripts>tailwindcss>postcss",
"cra-bundle-analyzer>react-scripts>tailwindcss>postcss-import>postcss",
"cra-bundle-analyzer>react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss",
"cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss",
"cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>cssnano-utils>postcss"
]
}
],
"metadata": null,
"vulnerable_versions": "<8.4.31",
"module_name": "postcss",
"severity": "moderate",
"github_advisory_id": "GHSA-7fh5-64p2-3v2j",
"cves": [
"CVE-2023-44270"
],
"access": "public",
"patched_versions": ">=8.4.31",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"updated": "2023-10-10T21:32:38.000Z",
"recommendation": "Upgrade to version 8.4.31 or later",
"cwe": [
"CWE-74",
"CWE-144"
],
"found_by": null,
"deleted": null,
"id": 1094304,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"created": "2023-09-30T00:31:10.000Z",
"reported_by": null,
"title": "PostCSS line return parsing error",
"npm_advisory_id": null,
"overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
},
"1094415": {
"findings": [
{
"version": "7.21.5",
"paths": [
"react-scripts>@babel/core>@babel/traverse",
"react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/traverse"
]
}
],
"metadata": null,
"vulnerable_versions": "<7.23.2",
"module_name": "@babel/traverse",
"severity": "critical",
"github_advisory_id": "GHSA-67hx-6x53-jw92",
"cves": [
"CVE-2023-45133"
],
"access": "public",
"patched_versions": ">=7.23.2",
"cvss": {
"score": 9.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"updated": "2023-10-20T13:27:09.000Z",
"recommendation": "Upgrade to version 7.23.2 or later",
"cwe": [
"CWE-184"
],
"found_by": null,
"deleted": null,
"id": 1094415,
"references": "- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92\n- https://nvd.nist.gov/vuln/detail/CVE-2023-45133\n- https://github.com/babel/babel/pull/16033\n- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82\n- https://github.com/babel/babel/releases/tag/v7.23.2\n- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4\n- https://www.debian.org/security/2023/dsa-5528\n- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html\n- https://babeljs.io/blog/2023/10/16/cve-2023-45133\n- https://github.com/advisories/GHSA-67hx-6x53-jw92",
"created": "2023-10-16T13:55:36.000Z",
"reported_by": null,
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"npm_advisory_id": null,
"overview": "### Impact\n\nUsing Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-runtime`\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\n- Any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\n\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\n\n**Users that only compile trusted code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/[email protected]`.\n\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\n\n### Workarounds\n\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\n - `@babel/plugin-transform-runtime` v7.23.2\n - `@babel/preset-env` v7.23.2\n - `@babel/helper-define-polyfill-provider` v0.4.3\n - `babel-plugin-polyfill-corejs2` v0.4.6\n - `babel-plugin-polyfill-corejs3` v0.8.5\n - `babel-plugin-polyfill-es-shims` v0.10.0\n - `babel-plugin-polyfill-regenerator` v0.5.3",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 43,
"high": 5,
"critical": 14
},
"dependencies": 1523,
"devDependencies": 14,
"optionalDependencies": 0,
"totalDependencies": 1537
}
}
The yarn offline didn't work and had another structure. Files don't have the same structure. So ODP is not yet compatible with yarn 2/3 for sure, and I guess it's easier in my case to launch the yarn npm audit by myself and try to integrate it directly into SonarQube.
Thanks a lot for the work on ODP, I hope I'll be able to reuse it in a couple of months.
PS: I've updated my project dependencies now, so the report is no longer usable for bad people 👎
I think the solution isn't necessarily that yarn should be friendlier in --offline mode, it's that the error from YarnAuditAnalyzer could be friendlier.
Like @ChrisSamo632, there is an error in the logs. It doesn't pain me to have dependency-checker fail if the item resolved by yarn isn't the one in the yarn.lock, but it would be nice to have that as the error instead of something rather cryptic.
That is, instead of what's output to the stdout/stderr now:
[WARN] An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR]
java.util.NoSuchElementException: No value present
at java.base/java.util.Optional.get(Optional.java:143)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:240)
...
Have something like:
[WARN] An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): Couldn't find any versions for \"@probe.gl/env\" that matches \"4.0.1\".
[ERROR] Unable to execute a yarn audit because of a mismatch between the yarn.lock and resolved dependencies.
The full log as it stands now:
DEBUG - Launching: [yarn, audit, --offline, --json, --verbose]
2024-01-19 21:41:35,175 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:234
DEBUG - Process Error Out: {"type":"error","data":"Couldn't find any versions for \"@probe.gl/env\" that matches \"4.0.1\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}
2024-01-19 21:41:35,175 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:235
DEBUG - Process Out:
2024-01-19 21:41:35,177 org.owasp.dependencycheck.AnalysisTask:94
WARN - An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): No value present
2024-01-19 21:41:35,179 org.owasp.dependencycheck.AnalysisTask:96
ERROR -
java.util.NoSuchElementException: No value present
at java.base/java.util.Optional.get(Optional.java:143)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:240)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:280)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:105)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
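To make the suggestion in that comment concrete, here is an added example (Python, written for this thread, not dependency-check's own Java) that parses the line-delimited JSON `yarn audit --json` emits and reports yarn's own `{"type":"error"}` text instead of failing on an empty Optional. The error line is the one from the log above; the `auditAdvisory`/`auditSummary` lines are constructed samples.

```python
"""Added example for this thread (not dependency-check code): parse the NDJSON
that `yarn audit --json` (Yarn 1) emits and surface yarn's own {"type":"error"}
text instead of the NoSuchElementException from an empty Optional."""
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed samples: the error line is the one yarn wrote to stderr in the log
# above; the advisory/summary lines mimic a successful yarn 1 run.
SAMPLE_ERROR_STDERR = (
    '{"type":"error","data":"Couldn\'t find any versions for \\"@probe.gl/env\\" '
    'that matches \\"4.0.1\\" in our cache (possible versions are \\"\\"). This is '
    'usually caused by a missing entry in the lockfile, running Yarn without the '
    '--offline flag may help fix this issue."}\n'
)
SAMPLE_OK_STDOUT = (
    '{"type":"auditAdvisory","data":{"resolution":{"id":1093882,"path":'
    '"i18next-parser>cheerio>cheerio-select>css-select>nth-check","dev":false},'
    '"advisory":{"id":1093882,"module_name":"nth-check","severity":"high",'
    '"vulnerable_versions":"<2.0.1","patched_versions":">=2.0.1"}}}\n'
    '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,'
    '"moderate":0,"high":1,"critical":0},"totalDependencies":1537}}\n'
)

class YarnAuditError(Exception):
    """yarn reported an error and never produced an auditSummary record."""

@dataclass
class YarnAuditResult:
    advisories: Dict[str, dict] = field(default_factory=dict)  # id -> advisory
    summary: Optional[dict] = None  # data of the auditSummary record

def parse_yarn_audit_output(stdout: str, stderr: str = "") -> YarnAuditResult:
    """Walk every NDJSON record on stdout and stderr (yarn --json writes its
    errors to stderr); keep advisories and the summary, else fail with why."""
    result, yarn_errors = YarnAuditResult(), []
    for line in (stdout + "\n" + stderr).splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines and --verbose noise are not JSON; skip them
        if not isinstance(record, dict):
            continue
        kind, data = record.get("type"), record.get("data")
        if kind == "auditAdvisory":
            result.advisories[str(data["advisory"]["id"])] = data["advisory"]
        elif kind == "auditSummary":
            result.summary = data
        elif kind == "error":
            yarn_errors.append(str(data))
    if result.summary is None:
        # The thread's failure: no summary because yarn aborted before auditing,
        # so report yarn's reason instead of "No value present".
        detail = "; ".join(yarn_errors) or "yarn produced no auditSummary record"
        raise YarnAuditError("Unable to execute a yarn audit: " + detail)
    return result
```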