Closed cnlucas closed 1 month ago
The following vulnerabilities were flagged using the Snyk CLI, not the Snyk dashboard. More on the Snyk dashboard discrepancies in the Slack thread here:
FEC-CMS: 5
package.json: 2
[Snyk Medium - dompurify Template Injection](https://github.com/fecgov/fec-cms/issues/6206)
requirements.txt: 4
[Snyk Medium - django@4.2.10 Regular Expression Denial of Service (ReDoS)](https://github.com/fecgov/fec-cms/issues/6268)
[Snyk Medium - requests@2.31.0 Always-Incorrect Control Flow Implementation](https://github.com/fecgov/fec-cms/issues/6285)
[Snyk Medium - jinja2@3.1.3 Cross-site Scripting (XSS)](https://github.com/fecgov/fec-cms/issues/6250)
[Snyk Medium - setuptools@65.5.0 Regular Expression Denial of Service (ReDoS)](https://github.com/fecgov/fec-cms/issues/6269)
openFEC: 2
flyway: 0
package.json: 0
requirements.txt: 2
[Snyk Low - Log Injection in flask-cors@3.0.10]
[Snyk Medium - requests Always-Incorrect Control Flow Implementation](https://github.com/fecgov/openFEC/issues/5845)
FEC-EREGS: This git repo was archived on May 22, 2024, and the project has been deleted from the Snyk dashboard as well.
FEC-PATTERN-LIBRARY: None
package.json: 0
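As an added example (not code from the FEC repos or from Snyk), here is a small Python script that tallies `snyk test --json` output per manifest in the format used in the tallies above and diffs the CLI's issue IDs against a dashboard export. The Snyk JSON field names it reads are assumed from CLI output, and every scan record, issue ID and the dompurify version in it are constructed placeholders:

```python
from __future__ import annotations
import json

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed stand-ins for `snyk test --file=<manifest> --json` output (assumed
# schema: vulnerabilities[].id/.severity/.packageName/.version/.title). The
# issue IDs and the dompurify version are placeholders, not real Snyk IDs.
PACKAGE_JSON_SCAN = json.dumps({"vulnerabilities": [
    {"id": "SNYK-JS-DOMPURIFY-EXAMPLE", "severity": "medium",
     "packageName": "dompurify", "version": "x.y.z", "title": "Template Injection"},
]})

REQUIREMENTS_SCAN = json.dumps({"vulnerabilities": [
    {"id": "SNYK-PYTHON-DJANGO-EXAMPLE", "severity": "medium",
     "packageName": "django", "version": "4.2.10",
     "title": "Regular Expression Denial of Service (ReDoS)"},
    {"id": "SNYK-PYTHON-REQUESTS-EXAMPLE", "severity": "medium",
     "packageName": "requests", "version": "2.31.0",
     "title": "Always-Incorrect Control Flow Implementation"},
    {"id": "SNYK-PYTHON-JINJA2-EXAMPLE", "severity": "medium",
     "packageName": "jinja2", "version": "3.1.3", "title": "Cross-site Scripting (XSS)"},
    # Same jinja2 issue reached through a second dependency path: the CLI
    # lists it again, a per-issue count lists it once.
    {"id": "SNYK-PYTHON-JINJA2-EXAMPLE", "severity": "medium",
     "packageName": "jinja2", "version": "3.1.3", "title": "Cross-site Scripting (XSS)"},
    {"id": "SNYK-PYTHON-SETUPTOOLS-EXAMPLE", "severity": "medium",
     "packageName": "setuptools", "version": "65.5.0",
     "title": "Regular Expression Denial of Service (ReDoS)"},
]})

# Constructed dashboard export: the issue IDs the Snyk project page shows.
# It lacks setuptools, which is what a CLI-vs-dashboard discrepancy looks like.
DASHBOARD_IDS = {"SNYK-PYTHON-DJANGO-EXAMPLE", "SNYK-PYTHON-REQUESTS-EXAMPLE",
                 "SNYK-PYTHON-JINJA2-EXAMPLE"}


def dedupe_findings(cli_json: str) -> list[dict]:
    """Parse one `snyk test --json` document and collapse duplicate issue IDs.

    The CLI emits one entry per vulnerable dependency path, so one issue can
    appear several times; counting unique IDs gives the per-issue tally.
    """
    seen: dict[str, dict] = {}
    for v in json.loads(cli_json).get("vulnerabilities", []):
        seen.setdefault(v["id"], {
            "id": v["id"],
            "severity": v["severity"].lower(),
            "package": v["packageName"],
            "version": v["version"],
            "title": v["title"],
        })
    return sorted(seen.values(),
                  key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["package"]))


def format_manifest(manifest: str, findings: list[dict]) -> list[str]:
    """Render one manifest's findings in the style of the tallies above."""
    lines = [f"{manifest}: {len(findings)}"]
    for f in findings:
        lines.append(f"  [Snyk {f['severity'].capitalize()} - "
                     f"{f['package']}@{f['version']} {f['title']}]")
    return lines


def repo_report(repo: str, manifests: dict[str, str]) -> tuple[int, list[str]]:
    """Summarise every manifest of a repo; returns (total unique issues, lines)."""
    total, lines = 0, []
    for manifest, cli_json in manifests.items():
        findings = dedupe_findings(cli_json)
        total += len(findings)
        lines.extend(format_manifest(manifest, findings))
    return total, [f"{repo}: {total}"] + lines


def reconcile(cli_json: str, dashboard_ids: set[str]) -> tuple[set[str], set[str]]:
    """Issue IDs only the CLI reports vs. IDs only the dashboard lists."""
    cli_ids = {f["id"] for f in dedupe_findings(cli_json)}
    return cli_ids - dashboard_ids, dashboard_ids - cli_ids


if __name__ == "__main__":
    total, report = repo_report("FEC-CMS", {"package.json": PACKAGE_JSON_SCAN,
                                           "requirements.txt": REQUIREMENTS_SCAN})
    print("\n".join(report))
    cli_only, dash_only = reconcile(REQUIREMENTS_SCAN, DASHBOARD_IDS)
    print("CLI only:", sorted(cli_only), "| dashboard only:", sorted(dash_only))
```

To use it against a real repo, save each `snyk test --file=<manifest> --json` run to a file and feed its text in place of the constructed strings. Counting by unique issue ID rather than by dependency path is one reason a CLI tally and a dashboard tally can disagree; the IDs the reconcile step reports as CLI-only are the ones to chase in the dashboard (ignore rules, a stale snapshot) before filing follow-up issues.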
Search logs (Kibana): no "User changes" found in the past week. Deployer accounts from the cloud.gov dashboard: 10
Log review needs to be completed per the Security Event Review Checklist (https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist)
Ref: https://github.com/fecgov/openFEC/issues/5820