
Bug: vulnerability scan of mage (1.13.0) showing CVE-2020-11023 present

Open WheeskyJack opened this issue 2 years ago • 13 comments

Bug Description Hi, I recently upgraded mage pkg to 1.13.0. As a part of process, Whitesource vulnerability scan was run on the project. It showed mage having CVE-2020-11023 issue. I am creating this issue to understand if this is really a risk and if any fix available for the same.

What did you do? get the mage package version 1.13.0 and run security scan

What did you expect to happen? no security threats present

What actually happened? vulnerability was found as a result of scan

Environment

  • Mage Version: 1.13.0
  • OS: Mac

WheeskyJack avatar Jun 17 '22 10:06 WheeskyJack

Suggested fix by the scan was: Upgrade to version jquery - 3.5.0; jquery-rails - 4.4.0

WheeskyJack avatar Jun 17 '22 10:06 WheeskyJack

Hello @WheeskyJack, this is not immediately risky. jQuery is only used for the website portion of Mage, and not anywhere in the actual tool.

ladydascalie avatar Jun 17 '22 11:06 ladydascalie

Thank you! Also, is there any plan to fix this?

WheeskyJack avatar Jun 20 '22 07:06 WheeskyJack

Sure! I'll see about proposing the recommended upgrades :)

ladydascalie avatar Jun 20 '22 08:06 ladydascalie

Thank you.

WheeskyJack avatar Jun 20 '22 10:06 WheeskyJack

@natefinch If you see value in it, I can try to upgrade the hugo template respecting the original changes (it is not going to be super easy, but I think it is not that hard). That would upgrade to jquery 3.3.1 instead of 2.x, and is also going to upgrade other libraries.

jespino avatar Aug 05 '22 08:08 jespino

I would love that, thank you!

natefinch avatar Aug 05 '22 15:08 natefinch

mageVuln

scan report for the reference

WheeskyJack avatar Aug 08 '22 04:08 WheeskyJack

Thanks @WheeskyJack, this is very useful. I can upgrade the theme, and upgrade the jquery in it to the newest 3.X version. Also, it would be great to create a ticket for the upstream theme repo here: https://github.com/matcornic/hugo-theme-learn

jespino avatar Aug 08 '22 09:08 jespino

Never mind, this is already reported and there is already a PR for that. I think I have to do the upgrade manually in this repo.

jespino avatar Aug 08 '22 09:08 jespino

Is the issue fixed in 1.14.0?

WheeskyJack avatar Nov 07 '22 10:11 WheeskyJack

@jespino would it be possible to move the site/* directory into a separate repo? It sounds from this thread like the code in that directory is unrelated to the tool itself but is instead the source for https://magefile.org/. However, I'm not sure that security scanning tools will be able to discern that automatically, so I think the next best thing would be to separate the tool from the site.

denkyl08 avatar May 09 '23 19:05 denkyl08
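The triage point made earlier in the thread (jQuery only lives under the website sources, not in the tool) and the worry that scanners cannot tell the difference can both be checked locally. The script below is an added example, not code from the thread or from the mage project; it builds a constructed directory layout so it runs offline, and assumes GNU or BSD grep with `--exclude-dir`.

```shell
#!/bin/sh
# make_fixture: constructed repository layout (NOT the real mage tree) that
# mimics the situation in the thread: a jQuery bundle under site/ and Go code
# outside it. Prints the temp directory path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/site/themes/learn/static/js" "$dir/mage"
  printf '/*! jQuery v2.2.4 */\n' > "$dir/site/themes/learn/static/js/jquery.min.js"
  printf 'package mage\n' > "$dir/mage/main.go"
  printf 'module github.com/magefile/mage\n' > "$dir/go.mod"
  echo "$dir"
}

# jquery_outside_site: list files mentioning jquery anywhere except site/.
# Returns 0 when the finding is confined to the website directory (no output),
# 1 when the flagged library also shows up in the tool's own sources.
jquery_outside_site() {
  root=$1
  hits=$(grep -ril --exclude-dir=site --exclude-dir=.git 'jquery' "$root" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# jquery_versions: pull the version banners of every jQuery copy under site/,
# so the reported version can be compared against the scanner's advice.
jquery_versions() {
  grep -rhoE 'jQuery v[0-9]+\.[0-9]+\.[0-9]+' "$1/site" 2>/dev/null | sort -u
}
```

Running `jquery_outside_site` against a real checkout gives a quick answer to whether a CVE-2020-11023 finding touches anything that ships in the binary.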

We can probably move the site to a separate repo. The reason it is in the same repo is to make it easy to update the site to go with changes to the tool. But really, I don't think it's super important at this point, since there aren't a ton of large changes going on.

natefinch avatar May 10 '23 00:05 natefinch