custom-learning-office-365 icon indicating copy to clipboard operation
custom-learning-office-365 copied to clipboard

Published 20 hours ago verified publisher icon pnp

Web Part Failed SPCAF scan

Open goodjohnscott opened this issue 3 years ago • 7 comments

Describe the bug

The customlearning.sppkg file was scanned by IT Security using SPCAF and 69 critical errors was found.

To Reproduce

Run SPCAF scan on .sppkg file

Expected behavior

,sppkg file passes scan

Screenshots

image

Learning Pathways version number

4.1.4.0.

Additional context

customlearning_results_05262021.pdf

goodjohnscott avatar May 27 '21 16:05 goodjohnscott

Thanks for submitting this report @goodjohnscott. I will happily review it in more detail, and will look to try and incorporate the feedback in future releases, although there are a few things in here that I can already see are things that we are doing quite purposefully. In the meantime this is an open-source solution so do feel free to submit a PR to correct any of the issues you find that don't fundamentally break the solution (i.e. the sizing of the iFrame component for rendering the assets).

juliemturner avatar May 27 '21 19:05 juliemturner

@juliemturner, you read my mind. I was just talking to the team about making the changes and submitting a PR so we don't run into this issue with other customers. Can you elaborate on what things are you doing purposeful? That would help me with having the customer submit a waiver.

goodjohnscott avatar May 27 '21 19:05 goodjohnscott

Honestly this is a long report, it seems like it's mostly only about escaping the property pane properties, which is IMHO not really a big deal but sure we can do that. There was one thing that I saw around modifying the DOM, which I think based on the code it's referencing is where we're purposefully resizing the iFrame based on the postMessage to the contents of the iFrame to get it's height. Honestly, I do not have the bandwidth right now to review the report in detail and make the changes. That said if you want to attempt to make them I'd happily review your PR and then jettison changes that will fundamentally break the solution, that's really the best I can offer right now. Please review the contribution guidelines here: https://github.com/pnp/custom-learning-office-365#contributions

juliemturner avatar May 27 '21 19:05 juliemturner

I agree with you 100% on how critical some of those errors really are. I'll plan to address the findings that we can without breaking anything and put in a PR. Shall I close this issue?

goodjohnscott avatar May 27 '21 19:05 goodjohnscott

No, leave it open and then reference it in your PR (Addresses Enhancement #525)... that way those that find this can trace back whatever fixes were applied.

juliemturner avatar May 27 '21 19:05 juliemturner

Just wanted to leave a status update. It appears the SPCAF has false positives. We opened a support case with them in June but still haven't gotten confirmation. Once they do, I'll do a PR with my updates.

goodjohnscott avatar Aug 31 '21 16:08 goodjohnscott

@goodjohnscott Thank you for the update. Let us know what you come up and I can review the PR.

dcashpeterson avatar Aug 31 '21 19:08 dcashpeterson