bertramdev / asset-pipeline

The core implementation of the asset pipeline for the jvm
193 stars 92 forks source link

sass-asset-pipeline 3.4.6 uses a vulnerable versions of transitive dependencies #314

Open vijaysl opened 2 years ago

vijaysl commented 2 years ago

Provides transitive vulnerable dependency org.apache.commons:commons-text:1.8 CVE-2022-42889 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability with high severity found Results powered by Checkmarx(c) Provides transitive vulnerable dependency io.bit3:jsass:5.10.4 CVE-2018-20190 6.5 NULL Pointer Dereference vulnerability pending CVSS allocation CVE-2017-12963 7.5 Out-of-bounds Read vulnerability pending CVSS allocation CVE-2018-20822 6.5 Uncontrolled Recursion vulnerability pending CVSS allocation CVE-2017-11608 6.5 Out-of-bounds Read vulnerability pending CVSS allocation CVE-2018-11697 8.1 Out-of-bounds Read vulnerability pending CVSS allocation CVE-2017-12964 7.5 Uncontrolled Recursion vulnerability with medium severity found CVE-2019-6286 6.5 Out-of-bounds Read vulnerability pending CVSS allocation CVE-2018-20821 6.5 Uncontrolled Recursion vulnerability pending CVSS allocation CVE-2017-11556 7.5 Uncontrolled Recursion vulnerability pending CVSS allocation CVE-2019-6283 6.5 Out-of-bounds Read vulnerability pending CVSS allocation Results powered by Checkmarx(c) Provides transitive vulnerable dependency commons-io:commons-io:2.6 CVE-2021-29425 4.8 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability pending CVSS allocation Results powered by Checkmarx(c)

mkobel commented 1 year ago

jsass is deprecated and will probably get no update: https://github.com/bertramdev/asset-pipeline/issues/276#issuecomment-970757191

The sass-dart-asset-pipeline is a replacement: https://github.com/bertramdev/asset-pipeline/issues/287