OfficeDev / microsoft-teams-apps-champion-management

Champion Management Platform is a custom Teams app that enables organizations to onboard and maintain champions/SMEs in their organization in Teams.
MIT License
134 stars, 50 forks

Source code vulnerabilities identified by WhiteSource Bolt scan #32

Closed Vj-RAC closed 3 years ago

Vj-RAC commented 3 years ago

Hi @arun-msft

I just wanted to highlight that when we uploaded this code to our DevOps repository, we had the source scanned with WhiteSource Bolt. It reported 8 high vulnerabilities and 1 medium vulnerability; I have attached the scan report to this issue. Just wondering if you can please take a look and apply a fix.

ModernWorkplace-riskReport(PDF).zip

Thank you.

arun-msft commented 3 years ago

We are checking and will update you soon.

Vj-RAC commented 3 years ago

Thanks for your prompt response @arun-msft

Vj-RAC commented 3 years ago


@arun-msft To avoid confusion, the ones highlighted are related to the Champion Management Platform app.

eshwarmsft commented 3 years ago

Hi @Vj-RAC, would you please update the packages to the fix provided in the resolution using the following steps:

  1. Find the package.json in the solution code
  2. Remove the node_modules folder
  3. Re-install with npm install
  4. Scan again

Please do the steps as mentioned and provide us the update after rescanning. It should mostly get resolved.

Regards Eswar

bigpix2000 commented 3 years ago

Checking on the status for this as this is a blocker in my organization. We don't want to second guess what might be in progress to resolve the issue. Thank you!

Vj-RAC commented 3 years ago

Hi @eshwarmsft, your proposed solution didn't work.

Hi @arun-msft, in order to resolve this issue, the following packages have to be updated to the latest version:

  "@microsoft/sp-core-library": "1.9.1",
  "@microsoft/sp-lodash-subset": "1.9.1",
  "@microsoft/sp-office-ui-fabric-core": "1.9.1",
  "@microsoft/sp-webpart-base": "^1.12.1",
  "@pnp/spfx-controls-react": "2.2.0",
  "@pnp/spfx-property-controls": "^2.2.0-beta.dc99c20",

Thank you.
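The two suggestions above (delete node_modules and re-run npm install; update the six SPFx/PnP packages to the listed versions) interact in a way worth checking mechanically: a reinstall only re-resolves within the ranges package.json already allows, so an exact pin such as "1.9.1" or "1.4.1" stays exactly where it is, and the scanner will keep flagging it until the manifest itself changes. The Node script below is an added example, not code from the repository or from anyone in this thread. It reads a package.json, strips the ^/~ range prefix so each dependency counts by its lower bound, and reports every package that is missing, unparsable, or declared below the floor taken from the list in the comment above. The sample manifest, the function names and the floor table are all assumptions made for this illustration; the lockfile, not this check, decides what actually gets installed.

```javascript
// Added example (not part of the microsoft-teams-apps-champion-management repo):
// check a package.json against recommended dependency floors.
// RECOMMENDED_FLOORS is copied from the package list in the issue comment above;
// the range prefixes (^) are dropped because only the lower bound matters here.
const RECOMMENDED_FLOORS = {
  '@microsoft/sp-core-library': '1.9.1',
  '@microsoft/sp-lodash-subset': '1.9.1',
  '@microsoft/sp-office-ui-fabric-core': '1.9.1',
  '@microsoft/sp-webpart-base': '1.12.1',
  '@pnp/spfx-controls-react': '2.2.0',
  '@pnp/spfx-property-controls': '2.2.0-beta.dc99c20',
};

// Parse "^1.12.1", "~1.9.0", "1.9.1" or "2.2.0-beta.dc99c20" into its parts.
// Only these simple forms are handled; anything else ("*", ">=1 <2", git URLs,
// "latest") returns null so the caller can flag it instead of guessing.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(spec).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Semver ordering: numeric core first; a prerelease sorts *before* the same
// core without one (2.2.0-beta.x < 2.2.0). Returns -1, 0 or 1.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// One finding per floor-listed package that is absent from dependencies and
// devDependencies, has a spec this parser does not understand, or is declared
// below the floor. A caret/tilde range counts by its lower bound: that is the
// lowest version a fresh `npm install` may legitimately resolve to.
function checkDependencies(manifest, floors = RECOMMENDED_FLOORS) {
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const [name, floor] of Object.entries(floors)) {
    const spec = declared[name];
    if (spec === undefined) {
      findings.push({ name, status: 'missing', declared: null, floor });
      continue;
    }
    const have = parseVersion(spec);
    if (!have) {
      findings.push({ name, status: 'unparsed', declared: spec, floor });
      continue;
    }
    if (compareVersions(have, parseVersion(floor)) < 0) {
      findings.push({ name, status: 'below-floor', declared: spec, floor });
    }
  }
  return findings;
}

// Constructed sample manifest (not the project's real package.json): three
// packages sit below the floor, two are at or above it, one is absent.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'champion-management-sample',
  dependencies: {
    '@microsoft/sp-core-library': '1.4.1',
    '@microsoft/sp-lodash-subset': '1.9.1',
    '@microsoft/sp-office-ui-fabric-core': '~1.4.1',
    '@microsoft/sp-webpart-base': '^1.12.1',
    '@pnp/spfx-controls-react': '1.17.0',
  },
});

// Run the check over the sample; in real use replace SAMPLE_PACKAGE_JSON with
// fs.readFileSync('package.json', 'utf8').
function auditSampleManifest() {
  return checkDependencies(JSON.parse(SAMPLE_PACKAGE_JSON));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSampleManifest()) {
    console.log(`${f.status.padEnd(12)} ${f.name}  declared=${f.declared}  floor>=${f.floor}`);
  }
}
```

Running it against the sample prints four lines: three below-floor entries (sp-core-library, sp-office-ui-fabric-core, spfx-controls-react) and one missing entry (spfx-property-controls); sp-lodash-subset and sp-webpart-base pass. Any package reported here will not be fixed by deleting node_modules alone; package.json has to be edited and a new package generated.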

v-saikirang commented 3 years ago

Hi @Vj-RAC, thanks for your patience. We are working to update these package dependencies to the latest versions and validate the app package.

JoshLeporati commented 3 years ago

This will be addressed in an upcoming release, will update here when the release is available!

v-saikirang commented 3 years ago

Hi @Vj-RAC,

We have published the latest version (1.3) of the package/source code in the same location on GitHub. Please go through the README file for the change log. We have updated the dependent packages to the recommended versions. Please note that we didn't upgrade to the latest versions, as a standard practice. So you might still get the warnings, and you may ignore them.

If you still want to upgrade to the latest versions, you can download the code, upgrade the package versions to the latest versions, and generate a new package.

I am closing this issue. But please let me know if you need more information. Thanks.