fecgov / openFEC

The first RESTful API for the Federal Election Commission. We're aiming to make campaign finance more accessible for journalists, academics, developers, and other transparency seekers.
https://api.open.fec.gov/developers

Check logs Sprint 25.1 Week 1 #5820

Closed cnlucas closed 4 months ago

cnlucas commented 4 months ago

Log review needs to be completed per the Security Event Review Checklist (https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist)

Ref: https://github.com/fecgov/openFEC/issues/5797

pkfec commented 4 months ago

The following vulnerabilities are flagged using the Snyk CLI and not from the Snyk dashboard. More on Snyk dashboard discrepancies in the Slack thread here:

FEC-CMS: 5
- package.json: 2
  - [Snyk High - es5-ext Regular Expression Denial of Service (ReDoS)](https://github.com/fecgov/fec-cms/issues/6132)
  - [Snyk Medium - dompurify Template Injection](https://github.com/fecgov/fec-cms/issues/6206)
- requirements.txt: 3
  - [Snyk Medium - django@4.2.10 Regular Expression Denial of Service (ReDoS)](https://github.com/fecgov/fec-cms/issues/6268)
  - [Snyk Medium - jinja2@3.1.3 Cross-site Scripting (XSS)](https://github.com/fecgov/fec-cms/issues/6250)
  - [Snyk Medium - setuptools@65.5.0 Regular Expression Denial of Service (ReDoS)](https://github.com/fecgov/fec-cms/issues/6269)

[Screenshot 2024-05-15 at 8:57:15 PM]

openFEC: 1
- flyway: 0
- package.json: 0
- requirements.txt: 0
- requirements-dev.txt: 1
  - [Snyk Low] - Log Injection in flask-cors@3.0.10

[Screenshot 2024-05-15 at 8:15:56 PM]

FEC-EREGS: Pausing the vulnerability checks on this repo. This repo will be deprecated soon!

FEC-PATTERN-LIBRARY: None
- package.json: 0

Search logs: Kibana logs timed out when searched for "User change" in the past 7 days or 30 days.

Deployer accounts from the cloud.gov dashboard: 10