cdmessin / bot-test

The Unlicense

Status of project #12

Open ccandreva opened 1 year ago

ccandreva commented 1 year ago

Is this project live at all? When starting it, npm audit finds 52 vulnerabilities (35 moderate, 11 high, 6 critical).

# npm audit report

@webex/webex-core  *
Severity: moderate
Depends on vulnerable versions of jsonwebtoken
Depends on vulnerable versions of jsonwebtoken - null
fix available via `npm audit fix`
node_modules/@webex/webex-core
  @webex/internal-plugin-calendar  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-conversation
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/internal-plugin-encryption
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-calendar
  @webex/internal-plugin-conversation  >=1.80.77
  Depends on vulnerable versions of @webex/internal-plugin-encryption
  Depends on vulnerable versions of @webex/internal-plugin-user
  Depends on vulnerable versions of @webex/webex-core
  Depends on vulnerable versions of node-scr
  node_modules/@webex/internal-plugin-conversation
  @webex/internal-plugin-device  >=1.80.143
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-device
  @webex/internal-plugin-encryption  *
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  Depends on vulnerable versions of node-jose
  Depends on vulnerable versions of node-kms
  Depends on vulnerable versions of node-scr
  node_modules/@webex/internal-plugin-encryption
  @webex/internal-plugin-feature  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-feature
  @webex/internal-plugin-lyra  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-conversation
  Depends on vulnerable versions of @webex/internal-plugin-encryption
  Depends on vulnerable versions of @webex/internal-plugin-feature
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-lyra
  @webex/internal-plugin-mercury  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/internal-plugin-feature
  Depends on vulnerable versions of @webex/internal-plugin-metrics
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-mercury
  @webex/internal-plugin-metrics  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-metrics
  @webex/internal-plugin-presence  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-presence
  @webex/internal-plugin-search  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-conversation
  Depends on vulnerable versions of @webex/internal-plugin-encryption
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-search
  @webex/internal-plugin-user  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/internal-plugin-user
  @webex/plugin-attachment-actions  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-conversation
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-attachment-actions
  @webex/plugin-authorization-browser  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-authorization-browser
    @webex/plugin-authorization  >=1.80.143
    Depends on vulnerable versions of @webex/plugin-authorization-browser
    Depends on vulnerable versions of @webex/plugin-authorization-node
    node_modules/@webex/plugin-authorization
  @webex/plugin-authorization-node  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-authorization-node
  @webex/plugin-device-manager  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/internal-plugin-lyra
  Depends on vulnerable versions of @webex/internal-plugin-search
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-device-manager
  @webex/plugin-logger  >=1.80.143
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-logger
  @webex/plugin-meetings  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-meetings
  @webex/plugin-memberships  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-conversation
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-memberships
  @webex/plugin-messages  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-conversation
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-messages
  @webex/plugin-people  >=1.80.143
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-people
  @webex/plugin-rooms  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-conversation
  Depends on vulnerable versions of @webex/internal-plugin-mercury
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-rooms
  @webex/plugin-team-memberships  >=1.80.143
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-team-memberships
  @webex/plugin-teams  >=1.80.143
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-teams
  @webex/plugin-webhooks  >=1.80.143
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/plugin-webhooks
  @webex/storage-adapter-local-storage  >=1.80.143
  Depends on vulnerable versions of @webex/webex-core
  node_modules/@webex/storage-adapter-local-storage
  webex  >=1.80.143
  Depends on vulnerable versions of @webex/internal-plugin-calendar
  Depends on vulnerable versions of @webex/internal-plugin-device
  Depends on vulnerable versions of @webex/internal-plugin-presence
  Depends on vulnerable versions of @webex/plugin-attachment-actions
  Depends on vulnerable versions of @webex/plugin-authorization
  Depends on vulnerable versions of @webex/plugin-device-manager
  Depends on vulnerable versions of @webex/plugin-logger
  Depends on vulnerable versions of @webex/plugin-meetings
  Depends on vulnerable versions of @webex/plugin-memberships
  Depends on vulnerable versions of @webex/plugin-messages
  Depends on vulnerable versions of @webex/plugin-people
  Depends on vulnerable versions of @webex/plugin-rooms
  Depends on vulnerable versions of @webex/plugin-team-memberships
  Depends on vulnerable versions of @webex/plugin-teams
  Depends on vulnerable versions of @webex/plugin-webhooks
  Depends on vulnerable versions of @webex/storage-adapter-local-storage
  Depends on vulnerable versions of @webex/webex-core
  node_modules/webex

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix`
node_modules/ajv

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
node_modules/cliui/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex

bl  2.0.0 - 2.2.0
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix`
node_modules/bl

bson  <=1.1.3
Severity: high
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-4jwp-vfvf-657p
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-v8w9-2789-6hhr
fix available via `npm audit fix`
node_modules/bson

flat  <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/flat
  yargs-unparser  <=1.6.3
  Depends on vulnerable versions of flat
  node_modules/yargs-unparser
    mocha  5.1.0 - 9.2.1
    Depends on vulnerable versions of minimatch
    Depends on vulnerable versions of yargs-unparser
    node_modules/mocha

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
fix available via `npm audit fix`
node_modules/jsonwebtoken

lodash  <=4.17.20
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/minimatch

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

moment  <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix`
node_modules/moment

node-forge  <=1.2.1
Severity: high
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Prototype Pollution in node-forge util.setPath API - https://github.com/advisories/GHSA-wxgw-qj99-44c2
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Prototype Pollution in node-forge - https://github.com/advisories/GHSA-92xj-mqp7-vmcj
fix available via `npm audit fix`
node_modules/node-forge
  node-jose  <=2.0.0
  Depends on vulnerable versions of node-forge
  node_modules/node-jose
    node-kms  <=0.3.2
    Depends on vulnerable versions of node-jose
    node_modules/node-kms
    node-scr  <=0.2.2
    Depends on vulnerable versions of node-jose
    node_modules/node-scr

qs  6.5.0 - 6.5.2 || 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/qs
node_modules/request/node_modules/qs
  body-parser  1.19.0
  Depends on vulnerable versions of qs
  node_modules/body-parser
  express  4.17.0 - 4.17.1 || 5.0.0-alpha.1 - 5.0.0-alpha.8
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of qs
  node_modules/express

validator  <=13.6.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
Inefficient Regular Expression Complexity in Validator.js - https://github.com/advisories/GHSA-xx4c-jj58-r7x6
fix available via `npm audit fix --force`
Will install webex-node-bot-framework@2.3.15, which is a breaking change
node_modules/validator
  webex-node-bot-framework  <=2.3.6
  Depends on vulnerable versions of validator
  node_modules/webex-node-bot-framework

y18n  4.0.0
Severity: high
Prototype Pollution in y18n - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix`
node_modules/y18n

52 vulnerabilities (35 moderate, 11 high, 6 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

cdmessin commented 1 year ago

This project was simply a POC from many years ago. It is not currently live or maintained in any capacity.