Closed pkfec closed 4 months ago
Note: The following issues were logged based on the Snyk CLI in addition to the Snyk dashboard.
FEC-CMS: 7
- package.json: 2 (do not show up in the Snyk browser dashboard)
  - [Snyk: Med - Information Exposure](https://github.com/fecgov/fec-cms/issues/6307)
  - [Snyk: High - Watchify](https://github.com/fecgov/fec-cms/issues/6321)
- requirements.txt: 5
  - [Snyk Medium - django@4.2.10 Regular Expression Denial of Service (ReDoS)](https://github.com/fecgov/fec-cms/issues/6268)
  - [Snyk Medium - requests@2.31.0 Always-Incorrect Control Flow Implementation](https://github.com/fecgov/fec-cms/issues/6285)
  - [Snyk Medium - jinja2@3.1.3 Cross-site Scripting (XSS)](https://github.com/fecgov/fec-cms/issues/6250)
  - [Snyk Medium - setuptools@65.5.0 Regular Expression Denial of Service (ReDoS)](https://github.com/fecgov/fec-cms/issues/6269)
  - [Snyk Medium - urllib3@1.26.18 Improper Removal of Sensitive Information Before Storage or Transfer](https://github.com/fecgov/fec-cms/issues/6343)

OpenFEC: 4
- flyway: 1
  - [Snyk Medium - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')](https://github.com/fecgov/openFEC/issues/5878)
- package.json: 0
- requirements.txt: 2
  - [Snyk Low - Flask-cors Log Injection LOCUST](https://github.com/fecgov/openFEC/issues/5807)
  - [Snyk Medium - requests Always-Incorrect Control Flow Implementation](https://github.com/fecgov/openFEC/issues/5845)
  - [Snyk Medium - urllib3@1.26.18 Improper Removal of Sensitive Information Before Storage or Transfer](https://github.com/fecgov/openFEC/issues/5877)

Pattern-Library: 1
- [Snyk - dompurify@2.4 Medium Template Injection](https://github.com/fecgov/fec-pattern-library/issues/223)
Search logs: No "User changes" found in the past week.
Deployer accounts from cloud.gov dashboard: 10

Log review needs to be completed per the [Security Event Review Checklist](https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist).
Ref: https://github.com/fecgov/openFEC/issues/5863