RetireJS / retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

False Positive of momentjs cve-2022-24785 #422

Closed ghsec closed 8 months ago

ghsec commented 8 months ago

Retire.js version: (retire --version): 3.0.7

node version: (node --version): 16

Description: False positive detection of Momentjs CVE - cve-2022-24785

Expected behaviour: In this case, no detection

Retire.js detected CVE-2022-24785 on a particular JavaScript file, which turned out to be a false positive. After analyzing the JavaScript file, it was found to contain the line Date(zc(c))})),e.version="2.29.4",n(Qo),e.fn=bn,e.min=ca, which led to the false positive detection.
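The report above turns on a version string (`e.version="2.29.4"`) embedded in a minified bundle. The following is an added illustration, not code from retire.js or from the issue's participants: it contrasts a fingerprint-only check, which raises a finding as soon as a version assignment is seen, with a range-aware check that parses the extracted version and only reports it when it falls below the advisory's fixed version. The sample input is constructed from the fragment quoted in the report, and the advisory record (including the `fixedIn` threshold) is an assumed value used for illustration, not retire.js's own data.

```javascript
// Added example, not retire.js code. Shows why a fingerprint-only check on a
// minified bundle can raise a finding on a patched build, and the version
// comparison that suppresses it.

// Constructed input modelled on the fragment quoted in the report.
const SAMPLE_BUNDLE = 'Date(zc(c))})),e.version="2.29.4",n(Qo),e.fn=bn,e.min=ca,';

// Assumed advisory record for the example: versions strictly below `fixedIn`
// are treated as affected. The threshold is an illustrative value, not taken
// from retire.js's repository.
const ADVISORY = { id: 'CVE-2022-24785', library: 'moment', fixedIn: '2.29.2' };

// Parse "MAJOR.MINOR.PATCH" into an array of numbers; null if not that shape.
function parseSemver(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two parsed versions (negative if a < b, 0 if equal).
// Comparing numerically avoids "2.29.10" < "2.29.9" string-ordering mistakes.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Pull the first `<ident>.version="x.y.z"` assignment out of minified source.
function extractVersion(src) {
  const m = /\bversion="(\d+\.\d+\.\d+)"/.exec(src);
  return m ? m[1] : null;
}

// Fingerprint-only check: the presence of a version assignment is treated as
// a hit regardless of the version's value. This is the class of logic that
// reports a patched build.
function fingerprintOnly(src, advisory) {
  const version = extractVersion(src);
  if (version === null) return null;
  return { id: advisory.id, library: advisory.library, version, vulnerable: true };
}

// Range-aware check: same extraction, but the finding is only reported when the
// extracted version is strictly below the advisory's fixed version.
function rangeAware(src, advisory) {
  const version = extractVersion(src);
  if (version === null) return null;
  const found = parseSemver(version);
  const fixed = parseSemver(advisory.fixedIn);
  if (!found || !fixed) return null;
  return {
    id: advisory.id,
    library: advisory.library,
    version,
    vulnerable: compareSemver(found, fixed) < 0,
  };
}

console.log(fingerprintOnly(SAMPLE_BUNDLE, ADVISORY)); // vulnerable: true (false positive)
console.log(rangeAware(SAMPLE_BUNDLE, ADVISORY));      // vulnerable: false
```

When triaging a scanner finding like this one, the useful question is which of the two paths produced it: if the tool can show the extracted version and the range it was compared against, a patched build that still gets flagged points at the extraction (the wrong string was matched) rather than at the range data.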

eoftedal commented 8 months ago

@ghsec Can you share the file, or is it confidential?

eoftedal commented 8 months ago

I did some updates to the detectors for moment.js. Maybe this goes away now.

eoftedal commented 8 months ago

Closing this. Let me know if the fixes didn't help.

ghsec commented 8 months ago

@eoftedal thank you very much. I'll inform you if it is not fixed. I'll test it.