search

CycloneDX / cyclonedx-node-npm

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
https://cyclonedx.org/
Apache License 2.0
73 stars 20 forks source link

Dependency on Library with Vulnerability #1224

Closed esarver closed 1 month ago

esarver commented 1 month ago

Describe the bug

Dependency on libxmljs2 version <= 0.35.0 which is known to have a vulnerability labeled "High" (8.1): CVE-2024-34394.

Even if this is expected to not be an exploitable issue, those who include this tool as a Dev Dependency are getting Dependabot alerts.

Screenshots or output-paste

% npm audit

# npm audit report
libxmljs2  *
Severity: high
libxmljs2 type confusion vulnerability when parsing specially crafted XML - https://github.com/advisories/GHSA-mjr4-7xg5-pfvh
libxmljs2 vulnerable to type confusion when parsing specially crafted XML - https://github.com/advisories/GHSA-78h3-pg4x-j8cv
fix available via `npm audit fix --force`
Will install @cyclonedx/cyclonedx-npm@1.10.0, which is a breaking change
node_modules/libxmljs2
  @cyclonedx/cyclonedx-library  >=1.14.0-rc.0
  Depends on vulnerable versions of libxmljs2
  node_modules/@cyclonedx/cyclonedx-library
    @cyclonedx/cyclonedx-npm  >=1.11.0
    Depends on vulnerable versions of @cyclonedx/cyclonedx-library
    node_modules/@cyclonedx/cyclonedx-npm

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit fix --force does not fix the issue.

mikkopori commented 1 month ago

Would be great to get a new release with this fixed :)

jkowalleck commented 1 month ago

Dependency on libxmljs2 version <= 0.35.0 which is known to have a vulnerability labeled "High" (8.1): CVE-2024-34394. The vulnerability is process driven and not active by default.

see also: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061

It assured that this vulnerability is not coming to action, the vulnerable code is not executed, and we have a unit test checking this: https://github.com/CycloneDX/cyclonedx-javascript-library/blob/bdbe727e48a34f6276a4e4a3056b11943fe9e2f4/tests/functional/internals/OpPlug.node.xmlValidator.implementation.spec.js#L70-L95

The dependency is required for XML-related features in this tool. It is managed here: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1079

jkowalleck commented 1 month ago

npm audit fix --force does not fix the issue.

Would be great to get a new release with this fixed :)

there simply is no fix. there is, to my knowledge, no replacement. but most important: there is no issue, there is nothing to fix - as stated above.

some background: the dependency/library COULD potentially cause issues, IF it was used wrong. it is asserted, that it is NOT used wrong.

mikkopori commented 4 weeks ago

Thank you for clarifying this.

Of course for many projects we still get a warning, and if we have hundreds of warnings then tracking which are really relevant becomes hard.

Since https://www.npmjs.com/package/libxmljs2 is no longer maintained it should be replaced, or forked and the dependencies updated to move forward.

jkowalleck commented 4 weeks ago

Since https://www.npmjs.com/package/libxmljs2 is no longer maintained it should be replaced, or forked and the dependencies updated to move forward.

thats what https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1079 is for.

As usual, this is free open source software - maintained by unpaid volunteers in their spare time. If you know a business that relies on this software, you are welcome to help improve that critical software your business runs on. For example, you could research replacements and publish your findings in that mentioned ticket, and donate the code to "move forward". :D

Any substantial help is more than welcome.