OSSIndex / vulns

Report missing advisories and corrections on OSS Index

jQuery on NuGet-feed has incorrect vulnerability #289

Closed mattiaskagstrom closed 1 year ago

mattiaskagstrom commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/sonatype-2019-0115?component-type=nuget&component-name=jQuery

Component URL

https://ossindex.sonatype.org/component/pkg:nuget/jQuery

Description

sonatype-2019-0115 was patched in jQuery 3.4.0 with PR https://github.com/jquery/jquery/pull/4333

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ericsalim commented 1 year ago

Hi, any update on this issue?

I'd also like to report a subset of this bug, affecting NuGet jQuery version 3.5.1 package.

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/sonatype-2019-0115?component-type=nuget&component-name=jQuery

Component URL

https://ossindex.sonatype.org/component/pkg:nuget/jQuery@3.5.1

Description

jQuery 3.5.1 is reporting as having a vulnerability that affects only jQuery < 3.4.0

ken-duck commented 1 year ago

Sorry for the delay. Vacation and COVID :P

Deep dive research determined that jQuery as present in NuGet is still vulnerable to this issue due to the bundled jquery-...vsdoc.js variant still containing vulnerable code. In such cases, you are vulnerable only if the ...-vsdoc.js file is being used directly in your production application.

I have raised an internal bug report on this issue, in that though it is still a valid vulnerability, the information that we use to keep it valid is not available to OSS Index, and therefore it is hard for OSS Index users to determine whether they are vulnerable or not. This data is available to Sonatype commercial products, but it would be nice to extend availability in some cases.
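The applicability condition in the comment above (the advisory matters only if the bundled vsdoc variant is actually served by the application) is something a project owner can check for themselves. The script below is an added example, not part of this issue thread or of any Sonatype or jQuery tooling: it walks a project tree, lists any `jquery*-vsdoc.js` files that are present, and finds `<script src=...>` tags in markup files that pull such a file in. The file-name pattern, the set of markup extensions scanned, and the constructed sample project are my own assumptions, not anything the thread specifies.

```python
"""Check whether a web project ships or references a jQuery *-vsdoc.js file.

Added example, not code from the OSSIndex/vulns issue or from Sonatype's tooling.
Assumption (from the comment above): the advisory applies to a deployment only if
the vsdoc variant is actually used by the application, i.e. a page references it.
The name pattern and markup extensions below are my own choices.
"""
import re
import tempfile
from pathlib import Path

# File name of the bundled variant, e.g. jquery-3.5.1-vsdoc.js (assumed pattern).
VSDOC_NAME = re.compile(r"^jquery.*-vsdoc\.js$", re.IGNORECASE)

# <script ... src="...-vsdoc.js[?query]"> in server- or client-side markup.
VSDOC_REF = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']*-vsdoc\.js)(?:\?[^"']*)?["']""",
    re.IGNORECASE,
)

# Markup file types worth scanning in a typical ASP.NET / static web project.
MARKUP_EXTS = {".html", ".htm", ".cshtml", ".aspx", ".ascx", ".master", ".razor"}


def find_vsdoc_usage(root):
    """Return (shipped_files, references) found under root.

    shipped_files: project-relative paths of files named like jquery*-vsdoc.js
    references:    (markup file, src value) pairs for script tags that load one
    """
    root = Path(root)
    shipped, refs = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if VSDOC_NAME.search(path.name):
            shipped.append(rel)
        elif path.suffix.lower() in MARKUP_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            for match in VSDOC_REF.finditer(text):
                refs.append((rel, match.group(1)))
    return sorted(shipped), sorted(refs)


def advisory_applies(root):
    """True only when a page actually loads the vsdoc variant.

    A vsdoc file that merely sits in the package folder is noise for this
    advisory; a page that serves it to browsers is the case the comment warns about.
    """
    _shipped, refs = find_vsdoc_usage(root)
    return bool(refs)


def build_sample_project(include_vsdoc_page=True):
    """Create a constructed, throwaway project tree and return its root.

    The layout mimics an ASP.NET project that restored the NuGet jQuery package;
    every file here is a placeholder written by this example, not real jQuery.
    """
    root = Path(tempfile.mkdtemp(prefix="vsdoc-check-"))
    lib = root / "wwwroot" / "lib" / "jquery"
    lib.mkdir(parents=True)
    (lib / "jquery-3.5.1.min.js").write_text("/* constructed placeholder */\n")
    (lib / "jquery-3.5.1-vsdoc.js").write_text("/* constructed placeholder */\n")
    views = root / "Views" / "Shared"
    views.mkdir(parents=True)
    # Normal layout: loads the minified build only.
    (views / "_Layout.cshtml").write_text(
        '<script src="~/lib/jquery/jquery-3.5.1.min.js"></script>\n'
    )
    if include_vsdoc_page:
        # A stray page that serves the vsdoc variant directly.
        (views / "Debug.cshtml").write_text(
            '<script src="/lib/jquery/jquery-3.5.1-vsdoc.js?v=1"></script>\n'
        )
    return root


if __name__ == "__main__":
    project = build_sample_project()
    shipped, refs = find_vsdoc_usage(project)
    print("vsdoc files shipped:", shipped)
    print("pages referencing vsdoc:", refs)
    print("advisory applies to this deployment:", advisory_applies(project))
```

Run it against a real project by passing the project root to `find_vsdoc_usage`; a shipped file with no references is the case where the OSS Index match is a false positive for that deployment, while any reference means the page is loading the variant the research team found to contain the unpatched code.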