SAP / karma-ui5

A Karma plugin for UI5
Apache License 2.0

CVE-2024-28863 in Mend Bolt report #659

Closed ravindraP20 closed 4 months ago

ravindraP20 commented 4 months ago

Hi,

We are using karma-ui5@3.0.4 as one of the devDependencies. Mend Bolt is showing CVE-2024-28863 in our CI/CD pipeline. tar@6.2.0 is vulnerable and an upgrade to tar@6.2.1 is recommended.

npm list tar

└─┬ karma-ui5@3.0.4
  └─┬ @ui5/project@3.9.0
    ├─┬ make-fetch-happen@13.0.0
    │ └─┬ cacache@18.0.2
    │   └── tar@6.2.0 deduped
    └─┬ pacote@17.0.6
      ├─┬ @npmcli/run-script@7.0.4
      │ └─┬ node-gyp@10.0.1
      │   └── tar@6.2.0 deduped
      └── tar@6.2.0

Could you please upgrade the necessary dependencies.

Best Regards Ravindra

matz3 commented 4 months ago

The patched version 6.2.1 can be consumed by updating the package-lock.json in your project. There's nothing this project can or needs to do about this.

ravindraP20 commented 4 months ago

We can anyway update package-lock.json in our project just so that Mend Bolt does not report the vulnerability, but that does not resolve the vulnerability in karma-ui5@3.0.4.

RandomByte commented 4 months ago

We can anyway update package-lock.json in our project just so that Mend Bolt does not report the vulnerability, but that does not resolve the vulnerability in karma-ui5@3.0.4.

Could you please elaborate what you mean?

The linked CVE affects the tar package. As Matthias already stated, upgrading the tar dependency in your project fully resolves this vulnerability. There is no vulnerability in karma-ui5 itself.

ravindraP20 commented 4 months ago

tar@6.2.0 is a transitive dependency and not a direct dependency in our project. It is coming from karma-ui5@3.0.4.

codeworrior commented 4 months ago

What @matz3 and @RandomByte tried to explain: the version ranges defined by karma@3.0.4 allow an update of @ui5/project to version 3.9.1 which transitively depends on tar@6.2.1 (as requested by you).

There is no change to karma-ui5 needed. You just have to update the dependencies in your project.

After an update (and still using karma@3.0.4), I get the following tree:

└─┬ karma-ui5@3.0.4
  └─┬ @ui5/project@3.9.1
    ├─┬ make-fetch-happen@13.0.1
    │ └─┬ cacache@18.0.3
    │   └── tar@6.2.1 deduped
    └─┬ pacote@17.0.7
      ├─┬ @npmcli/run-script@7.0.4
      │ └─┬ node-gyp@10.1.0
      │   └── tar@6.2.1 deduped
      └── tar@6.2.1

So there is no vulnerability in karma@3.0.4 per se. The dependency resolution that npm did for your project before @ui5/project@3.9.1 was released resulted, at a later point in time, in the vulnerability report. But simply re-doing the npm dependency resolution fixes it. This is business as usual in npm based projects.

You might think that karma-ui5 should update its dependency versions. That's indeed possible, but to show any effect, it would require the same process on your side: update the npm dependencies of your project.

Last, but not least: any fresh install of your project already no longer gets the dependency on the vulnerable tar@6.2.0.
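As an added example (not code from karma-ui5, @ui5/project or Mend), the following Node script does the check that settles the argument in this thread: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json, finds every copy of a package resolved below the patched version, and then asks whether the ranges its dependents declare already admit the fix. If every range does, the lockfile is the only thing pinning the vulnerable version and a plain re-resolution (`npm update tar`, then `npm ls tar`) is all that is required, which is what was explained above. The lockfile fragment is constructed for the demo: the versions mirror the `npm list tar` tree in this issue, while the declared ranges ("^6.1.11" etc.) are assumptions. Only exact pins and caret ranges are interpreted; other range syntax is reported as unknown rather than guessed.

```javascript
'use strict';

// Constructed lockfile fragment (not a real project's lock). Versions follow the
// `npm list tar` output in the issue; the ranges are assumptions for the demo.
const LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { 'karma-ui5': '^3.0.4' } },
    'node_modules/karma-ui5': { version: '3.0.4', dependencies: { '@ui5/project': '^3.0.0' } },
    'node_modules/@ui5/project': { version: '3.9.0', dependencies: { 'make-fetch-happen': '^13.0.0', pacote: '^17.0.4' } },
    'node_modules/make-fetch-happen': { version: '13.0.0', dependencies: { cacache: '^18.0.0' } },
    'node_modules/cacache': { version: '18.0.2', dependencies: { tar: '^6.1.11' } },
    'node_modules/pacote': { version: '17.0.6', dependencies: { '@npmcli/run-script': '^7.0.0', tar: '^6.1.11' } },
    'node_modules/@npmcli/run-script': { version: '7.0.4', dependencies: { 'node-gyp': '^10.0.0' } },
    'node_modules/node-gyp': { version: '10.0.1', dependencies: { tar: '^6.1.2' } },
    'node_modules/tar': { version: '6.2.0' },
  },
};

// "6.2.0" -> [6, 2, 0]; rejects pre-release/build suffixes so we never compare garbage.
function parseVersion(v) {
  if (!/^\d+\.\d+\.\d+$/.test(v)) throw new Error(`unsupported version string: ${v}`);
  return v.split('.').map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true/false for an exact pin or a caret range, null for any other syntax.
// Caret semantics: no change in the left-most non-zero component.
function caretAllows(range, version) {
  const v = parseVersion(version);
  if (/^\d+\.\d+\.\d+$/.test(range)) return cmp(parseVersion(range), v) === 0;
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) return null;
  const base = m.slice(1).map(Number);
  if (cmp(v, base) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// "node_modules/a/node_modules/tar" -> "tar" (handles nested installs).
function pkgName(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Every installed copy of `name` whose version is below `fixedIn`.
function findVulnerable(lock, name, fixedIn) {
  const fixed = parseVersion(fixedIn);
  return Object.entries(lock.packages)
    .filter(([p, e]) => p !== '' && pkgName(p) === name && cmp(parseVersion(e.version), fixed) < 0)
    .map(([p, e]) => ({ path: p, version: e.version }));
}

// Every package (or the root project) that declares a range on `name`.
function dependentsOf(lock, name) {
  const out = [];
  for (const [p, e] of Object.entries(lock.packages)) {
    for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
      const range = e[field] && e[field][name];
      if (range !== undefined) out.push({ dependent: p === '' ? '(root)' : pkgName(p), range });
    }
  }
  return out.sort((a, b) => a.dependent.localeCompare(b.dependent));
}

// updateSuffices is true when a vulnerable copy exists and every declared range
// already admits the fixed version, i.e. only the lockfile holds the old version.
function assess(lock, name, fixedIn) {
  const vulnerable = findVulnerable(lock, name, fixedIn);
  const dependents = dependentsOf(lock, name).map((d) => ({ ...d, allowsFix: caretAllows(d.range, fixedIn) }));
  const updateSuffices = vulnerable.length > 0 && dependents.every((d) => d.allowsFix === true);
  return { vulnerable, dependents, updateSuffices };
}

// Stand-alone use: `node lockcheck.js [path/to/package-lock.json]`; defaults to LOCK.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : LOCK;
  const r = assess(lock, 'tar', '6.2.1');
  for (const v of r.vulnerable) console.log(`vulnerable: ${v.path} @ ${v.version}`);
  for (const d of r.dependents) console.log(`  ${d.dependent} declares ${d.range} -> fix allowed: ${d.allowsFix}`);
  console.log(r.updateSuffices ? 'npm update tar should suffice' : 'a dependent pins the old version; upstream change needed');
}
```

With the constructed lock the script reports the single tar@6.2.0 entry, the three dependents (cacache, node-gyp, pacote) whose caret ranges all admit 6.2.1, and concludes that re-resolution is enough. The interesting negative case is a dependent with an exact pin such as "6.2.0": then `allowsFix` is false, `updateSuffices` is false, and the complaint really does belong upstream, which is the distinction the scanner report alone does not make.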

ravindraP20 commented 4 months ago

Thanks for the detailed answer.