jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

yarn audit analyzer #4215

Open DRong1121 opened 2 years ago

DRong1121 commented 2 years ago

Describe the bug
When analyzing projects with a yarn.lock file: "java.util.NoSuchElementException: No value present" occurs at "org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:244)"

Version of dependency-check used
The problem occurs using version 6.5.2 of the CLI

Expected behavior
Finished Yarn Audit Analyzer

mprins commented 2 years ago

Your report is missing key information for debugging and/or analysis. Please use the issue template provided.

MichalGorskiOnegini commented 2 years ago

I've got exactly the same issue on the version 7.0.0...

maciejtoporowicz commented 2 years ago

Hi, got exactly the same issue.

Version of dependency-check used
The problem occurs when using version 7.0.0 of the maven plugin on Windows 10.

Log file

[WARNING] An unexpected error occurred during analysis of 'C:\<REDACTED>\src\main\webapp\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
    at java.util.Optional.get (Optional.java:148)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson (YarnAuditAnalyzer.java:244)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage (YarnAuditAnalyzer.java:284)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency (YarnAuditAnalyzer.java:106)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:836)
[INFO] Finished Yarn Audit Analyzer (2 seconds)

To Reproduce The plugin is included in the build pipeline of my maven module as following:

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.0.0</version>
      <configuration>
        <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
        <pathToYarn>C:\<REDACTED>\AppData\Roaming\npm\yarn.cmd</pathToYarn>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

This module contains the web app under src/main/webapp - package.json, yarn.lock and all the sources are there as well.

Now when I run mvn clean verify, this is the log that I get:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (3 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[WARNING] Analyzing `C:\<REDACTED>\src\main\webapp\package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (3 seconds)
[INFO] Finished CPE Analyzer (7 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARNING] An unexpected error occurred during analysis of 'C:\<REDACTED>\src\main\webapp\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
    at java.util.Optional.get (Optional.java:148)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson (YarnAuditAnalyzer.java:244)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage (YarnAuditAnalyzer.java:284)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency (YarnAuditAnalyzer.java:106)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:836)
[INFO] Finished Yarn Audit Analyzer (2 seconds)
[INFO] Finished RetireJS Analyzer (3 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (22 seconds)
[INFO] Writing report to: C:\<REDACTED>\target\dependency-check-report.html

Expected behavior
No error is present, Yarn Audit Analyzer contributes to the report.

Additional context

The warning in the logs
There's this warning in the log:

[WARNING] Analyzing `C:\<REDACTED>\src\main\webapp\package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check

If I run yarn install then the above log is gone, but the Yarn Audit Analyzer fails in the same way (No value present).


Path to yarn
This is another thing that does not work for me for some reason. I can run yarn -v in the command line from any directory and it'll print a version. To my understanding it means it's correctly found on the PATH. But the maven plugin simply says it can find path to yarn executable.


The yarn version
Globally I've got yarn 1.22.17 installed, but in the project a 'bundled' 3.1.1 version is used - this is the result of running yarn set version stable some time ago in the directory where the sources are. A .yarnrc file is sitting there in the src/main/webapp directory and it is pointing to the 3.1.1 'bundle'. So:

lavor commented 2 years ago

I have the same issue with a yarn 2 lockfile. Is yarn 2 (berry) already supported?

ghost commented 2 years ago

What I understand is that it has nothing to do with the lockfile.

It tries to read the generated audit file from yarn, and it should contain "Audit Request".

Possible issue:

So I ran `yarn audit --offline --json --verbose > yarn_audit.json` manually.

In my use case the output was not as expected. Instead of the audit line I got:

{"type":"verbose","data":"Error: Couldn't find a package.json file in.... .cache/yarn/v6/npm-caniuse-lite-1.0.30001204-256c85709a348ec4d175e847a3b515c66e79f2aa-integrity/node_modules/caniuse-lite\""}

One dependency is invalid. (after running yarn to install dependencies, it was valid again)

So dependency-check is running in offline mode and it requires that packages are downloaded already. I would suggest that dependency-check has to check whether the audit file contains "Couldn't find a package.json file" and provide a proper error message.

anthony-o commented 2 years ago

According to https://stackoverflow.com/a/63599370/535203 , one should now use the yarn npm audit command, but I didn't check if the output of yarn npm audit --all --environment production --recursive --json is the same as the one we obtained with yarn audit --offline --json --verbose

ghost commented 2 years ago

@anthony-o did you perform yarn before audit and could you provide output of the audit command?

paganellif commented 2 years ago

In my GitLab pipeline I was having the same problem and solved it by setting the yarn cache path to the current directory using `yarn config set cache-folder $CI_PROJECT_DIR/.yarn_cache`. I am using owasp/dependency-check:7.1.1 as the docker image for the scan job, which downloads the cache from the previous yarn install job, for which I use the docker image node:16.16.0-alpine3.15 (yarn version 1.22.19).

JustMehmet commented 1 year ago

It looks like, to resolve this, we need to wait for a solution in the gradle plugin org.owasp.dependencycheck, and until we have a solution we need to add the following setting to our build.gradle configuration:

dependencyCheck { analyzers.nodeAudit.yarnEnabled = false }

WARNING: This will disable the yarn dependency check, and if you are using yarn for anything other than tests (functional tests etc.), your code may have vulnerabilities.

There are some other dependency check plugins but they are not as good as this one.

rjkf-cybermax2005 commented 1 year ago

Hello, any news regarding this issue?

leo-paz commented 1 year ago

@JustMehmet Any updates here?

rjkf-cybermax2005 commented 12 months ago

Hello, are there any chances that it will be fixed in the near future?

ChrisSamo632 commented 11 months ago

With Dependency-Check Core version 8.4.0 and yarn 1.22.19, we see the following log (when outputting to a --log file):

DEBUG - Launching: [yarn, audit, --offline, --json, --verbose]

DEBUG - Process Error Out: {"type":"error","data":"Couldn't find any versions for \"@types/prop-types\" that matches \"^15.7.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}

Executing yarn audit --offline --json --verbose (which it appears is what the OWASP Dependency Check is doing) results in the same error. Running yarn audit --json --verbose, i.e. without the --offline flag as the error suggests, results in a successful yarn audit scan.

Our yarn.lock file has an entry for "@types/prop-types@*":, which currently resolves to @types/prop-types/-/prop-types-15.7.7.

So this appears to be a problem with yarn audit when run in --offline mode (the package reference does exist within the lock file and has been downloaded to the node_modules and yarn cache folder).

I guess either yarn audit needs fixing or dependency-check needs to use the online version (maybe an option flag for the CLI & Maven/Gradle plugins?).

JayPe69 commented 11 months ago

With yarn 3,

yarn npm audit --json --recursive

gives me: ......."dependencies":1523,"devDependencies":14,"optionalDependencies":0,"totalDependencies":1537}

Can we launch the audit ourselves, and then tell ODC to analyse our audit to avoid errors?
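Three comments in this thread describe what the analyzer actually needs and the ways the yarn output falls short of it: the verbose "Audit Request" record the analyzer filters for (and whose absence is the `Optional.get()` "No value present"), the `--offline` error records when the cache is cold, and the single-object report that yarn 3's `yarn npm audit --json` produces instead of a record stream. The Python below is an added example, not dependency-check's or yarn's own code: it walks either output shape, normalises the advisories, and returns a readable reason when the stream is unusable instead of a bare exception. Every sample record in it is constructed for the example and only modelled on the outputs quoted in this thread; the `metadata` key assumed for the yarn 3 summary and the exact wording of the "Audit Request" line are assumptions, not verified against yarn.

```python
"""Added example (not dependency-check's or yarn's own code): parse `yarn audit --json`
(yarn 1, one record per line) and `yarn npm audit --json` (yarn 2+, one npm-audit-v1 shaped
object), and say why the YarnAuditAnalyzer would have nothing to consume."""
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

@dataclass
class AuditResult:
    advisories: list = field(default_factory=list)  # dicts: module, severity, vulnerable, patched, ghsa, cves, paths
    summary: dict = field(default_factory=dict)     # auditSummary.data (yarn 1) or metadata (yarn 2+, assumed key)
    errors: list = field(default_factory=list)      # "error" records, cache failures, unparseable lines
    has_audit_request: bool = False                 # the verbose record dependency-check filters for

def _iter_json_objects(text):
    """Yield consecutive JSON values, whether one per line or pretty-printed."""
    decoder, pos, end = json.JSONDecoder(), 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:                    # report the bad line and keep going
            nl = text.find("\n", pos)
            yield {"type": "error", "data": "unparseable line: " + text[pos:None if nl == -1 else nl].strip()}
            if nl == -1:
                return
            pos = nl + 1
            continue
        yield obj

def _advisory_from(adv):
    return {"module": adv["module_name"], "severity": adv["severity"],
            "vulnerable": adv.get("vulnerable_versions", ""), "patched": adv.get("patched_versions", ""),
            "ghsa": adv.get("github_advisory_id", ""), "cves": list(adv.get("cves", [])),
            "paths": [p for f in adv.get("findings", []) for p in f.get("paths", [])]}

def parse_yarn_audit(text):
    result = AuditResult()
    for obj in _iter_json_objects(text):
        if not isinstance(obj, dict):
            continue
        if "advisories" in obj and "type" not in obj:  # yarn 2+: the whole report is one object
            result.advisories.extend(_advisory_from(a) for a in obj["advisories"].values())
            result.summary = obj.get("metadata", {})   # assumed key (npm audit v1 shape)
            continue
        kind, data = obj.get("type"), obj.get("data")
        if kind == "auditAdvisory":
            result.advisories.append(_advisory_from(data["advisory"]))
        elif kind == "auditSummary":
            result.summary = data
        elif kind == "error":
            result.errors.append(str(data))
        elif kind == "verbose":
            if "Audit Request" in str(data):
                result.has_audit_request = True
            elif "Couldn't find" in str(data):       # e.g. package.json missing from the cache
                result.errors.append(str(data))
    return result

def diagnose(result):
    """None when the analyzer could use this stream, otherwise a message for the user."""
    if result.errors:
        return "yarn audit did not complete; run `yarn install` (or retry without --offline): " + " | ".join(result.errors)
    if result.has_audit_request:
        return None
    if result.advisories or result.summary:
        return "no 'Audit Request' record: looks like yarn 2+ `yarn npm audit --json` or a non-verbose run, which the analyzer cannot consume"
    return "empty or unrecognised audit output"

def at_or_above(result, severity):  # advisories at this severity or worse, for gating a pipeline
    floor = SEVERITY_RANK[severity]
    return [a for a in result.advisories if SEVERITY_RANK.get(a["severity"], 0) >= floor]

# Constructed samples shaped like the outputs quoted in this thread (not real captures).
_CYPRESS = {"module_name": "@cypress/request", "severity": "moderate", "vulnerable_versions": "<=2.88.12",
            "patched_versions": ">=3.0.0", "github_advisory_id": "GHSA-p8p7-x288-28g6",
            "cves": ["CVE-2023-28155"], "findings": [{"version": "2.88.12", "paths": ["cypress>@cypress/request"]}]}
_EJS = {"module_name": "ejs", "severity": "critical", "vulnerable_versions": "<3.1.7", "patched_versions": ">=3.1.7",
        "github_advisory_id": "GHSA-phwq-j96m-2c2q", "cves": ["CVE-2022-29078"],
        "findings": [{"version": "2.7.4", "paths": ["cra-bundle-analyzer>webpack-bundle-analyzer>ejs"]}]}
YARN1_OK = "\n".join(json.dumps(r) for r in [
    {"type": "verbose", "data": 'Audit Request: {"name":"example-app","requires":{}}'},
    {"type": "auditAdvisory", "data": {"resolution": {"id": 1092971, "dev": True}, "advisory": _CYPRESS}},
    {"type": "auditSummary", "data": {"vulnerabilities": {"moderate": 1}, "totalDependencies": 2004}},
])
YARN1_OFFLINE = json.dumps({"type": "error", "data": 'Couldn\'t find any versions for "@types/prop-types" '
                            'that matches "^15.7.5" in our cache (possible versions are "").'})
YARN3 = json.dumps({"actions": [], "advisories": {"1092971": _CYPRESS, "1089270": _EJS},
                    "metadata": {"vulnerabilities": {"moderate": 1, "critical": 1}, "totalDependencies": 1537}})

if __name__ == "__main__":
    for label, text in (("yarn 1 verbose", YARN1_OK), ("yarn 1 --offline", YARN1_OFFLINE), ("yarn 3", YARN3)):
        r = parse_yarn_audit(text)
        print(f"{label}: {len(r.advisories)} advisories, {len(at_or_above(r, 'high'))} high+; problem: {diagnose(r)}")
```

Run as a script it prints one line per sample; in a pipeline the text `diagnose()` returns is what you would want logged before a cold-cache `--offline` run reaches the analyzer, and `at_or_above()` is the hook for failing the build on the normalised list whichever yarn produced it.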

JayPe69 commented 10 months ago

I've launched the following audit command on my project:

Yarn 1.22.19:

yarn audit --all --recursive --json > yarn1all.json
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1092971,
            "path": "cypress>@cypress/request",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "2.88.12",
                    "paths": [
                        "cypress>@cypress/request"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<=2.88.12",
            "module_name": "@cypress/request",
            "severity": "moderate",
            "github_advisory_id": "GHSA-p8p7-x288-28g6",
            "cves": [
                "CVE-2023-28155"
            ],
            "access": "public",
            "patched_versions": ">=3.0.0",
            "cvss": {
                "score": 6.1,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
            },
            "updated": "2023-08-14T20:53:47.000Z",
            "recommendation": "Upgrade to version 3.0.0 or later",
            "cwe": [
                "CWE-918"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1092971,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
            "created": "2023-03-16T15:30:19.000Z",
            "reported_by": null,
            "title": "Server-Side Request Forgery in Request",
            "npm_advisory_id": null,
            "overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
            "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1089270,
            "path": "cra-bundle-analyzer>webpack-bundle-analyzer>ejs",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "2.7.4",
                    "paths": [
                        "cra-bundle-analyzer>webpack-bundle-analyzer>ejs"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<3.1.7",
            "module_name": "ejs",
            "severity": "critical",
            "github_advisory_id": "GHSA-phwq-j96m-2c2q",
            "cves": [
                "CVE-2022-29078"
            ],
            "access": "public",
            "patched_versions": ">=3.1.7",
            "cvss": {
                "score": 9.8,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "updated": "2023-01-30T05:02:57.000Z",
            "recommendation": "Upgrade to version 3.1.7 or later",
            "cwe": [
                "CWE-74"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1089270,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q",
            "created": "2022-04-26T00:00:40.000Z",
            "reported_by": null,
            "title": "ejs template injection vulnerability",
            "npm_advisory_id": null,
            "overview": "The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).",
            "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1091181,
            "path": "gulp>glob-watcher>chokidar>glob-parent",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "3.1.0",
                    "paths": [
                        "gulp>glob-watcher>chokidar>glob-parent"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<5.1.2",
            "module_name": "glob-parent",
            "severity": "high",
            "github_advisory_id": "GHSA-ww39-953v-wcq6",
            "cves": [
                "CVE-2020-28469"
            ],
            "access": "public",
            "patched_versions": ">=5.1.2",
            "cvss": {
                "score": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "updated": "2023-02-28T22:39:43.000Z",
            "recommendation": "Upgrade to version 5.1.2 or later",
            "cwe": [
                "CWE-400"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1091181,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6",
            "created": "2021-06-07T21:56:34.000Z",
            "reported_by": null,
            "title": "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex",
            "npm_advisory_id": null,
            "overview": "This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.",
            "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1093882,
            "path": "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "1.0.2",
                    "paths": [
                        "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<2.0.1",
            "module_name": "nth-check",
            "severity": "high",
            "github_advisory_id": "GHSA-rp65-9cf3-cjxr",
            "cves": [
                "CVE-2021-3803"
            ],
            "access": "public",
            "patched_versions": ">=2.0.1",
            "cvss": {
                "score": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "updated": "2023-09-13T21:49:55.000Z",
            "recommendation": "Upgrade to version 2.0.1 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093882,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
            "created": "2021-09-20T20:47:31.000Z",
            "reported_by": null,
            "title": "Inefficient Regular Expression Complexity in nth-check",
            "npm_advisory_id": null,
            "overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n    var time = Date.now();\n    var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n    try {\n        nthCheck.parse(attack_str) \n    }\n    catch(err) {\n        var time_cost = Date.now() - time;\n        console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n    }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
            "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1094304,
            "path": "react-scripts>resolve-url-loader>postcss",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "7.0.39",
                    "paths": [
                        "react-scripts>resolve-url-loader>postcss"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<8.4.31",
            "module_name": "postcss",
            "severity": "moderate",
            "github_advisory_id": "GHSA-7fh5-64p2-3v2j",
            "cves": [
                "CVE-2023-44270"
            ],
            "access": "public",
            "patched_versions": ">=8.4.31",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            },
            "updated": "2023-10-10T21:32:38.000Z",
            "recommendation": "Upgrade to version 8.4.31 or later",
            "cwe": [
                "CWE-74",
                "CWE-144"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1094304,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
            "created": "2023-09-30T00:31:10.000Z",
            "reported_by": null,
            "title": "PostCSS line return parsing error",
            "npm_advisory_id": null,
            "overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
            "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
        }
    }
}
{
    "type": "auditSummary",
    "data": {
        "vulnerabilities": {
            "info": 0,
            "low": 0,
            "moderate": 2,
            "high": 2,
            "critical": 1
        },
        "dependencies": 150,
        "devDependencies": 1854,
        "optionalDependencies": 0,
        "totalDependencies": 2004
    }
}

Yarn 3.2.2:

yarn npm audit --all --recursive --json > yarn3all.json
{
    "actions": [],
    "advisories": {
        "1092470": {
            "findings": [
                {
                    "version": "4.1.2",
                    "paths": [
                        "cypress>@cypress/request>tough-cookie",
                        "react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<4.1.3",
            "module_name": "tough-cookie",
            "severity": "moderate",
            "github_advisory_id": "GHSA-72xf-g2v4-qvf3",
            "cves": [
                "CVE-2023-26136"
            ],
            "access": "public",
            "patched_versions": ">=4.1.3",
            "cvss": {
                "score": 6.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
            },
            "updated": "2023-07-11T13:44:36.000Z",
            "recommendation": "Upgrade to version 4.1.3 or later",
            "cwe": [
                "CWE-1321"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1092470,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
            "created": "2023-07-01T06:30:16.000Z",
            "reported_by": null,
            "title": "tough-cookie Prototype Pollution vulnerability",
            "npm_advisory_id": null,
            "overview": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.",
            "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3"
        },
        "1092971": {
            "findings": [
                {
                    "version": "2.88.11",
                    "paths": [
                        "cypress>@cypress/request"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<=2.88.12",
            "module_name": "@cypress/request",
            "severity": "moderate",
            "github_advisory_id": "GHSA-p8p7-x288-28g6",
            "cves": [
                "CVE-2023-28155"
            ],
            "access": "public",
            "patched_versions": ">=3.0.0",
            "cvss": {
                "score": 6.1,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
            },
            "updated": "2023-08-14T20:53:47.000Z",
            "recommendation": "Upgrade to version 3.0.0 or later",
            "cwe": [
                "CWE-918"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1092971,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
            "created": "2023-03-16T15:30:19.000Z",
            "reported_by": null,
            "title": "Server-Side Request Forgery in Request",
            "npm_advisory_id": null,
            "overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
            "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
        },
        "1093108": {
            "findings": [
                {
                    "version": "1.2.3",
                    "paths": [
                        "eslint>optionator>word-wrap",
                        "@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<1.2.4",
            "module_name": "word-wrap",
            "severity": "moderate",
            "github_advisory_id": "GHSA-j8xg-fqg3-53r7",
            "cves": [
                "CVE-2023-26115"
            ],
            "access": "public",
            "patched_versions": ">=1.2.4",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
            },
            "updated": "2023-08-24T21:37:44.000Z",
            "recommendation": "Upgrade to version 1.2.4 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093108,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26115\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657\n- https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39\n- https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4\n- https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39\n- https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
            "created": "2023-06-22T06:30:18.000Z",
            "reported_by": null,
            "title": "word-wrap vulnerable to Regular Expression Denial of Service",
            "npm_advisory_id": null,
            "overview": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\n",
            "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7"
        },
        "1093262": {
            "findings": [
                {
                    "version": "5.7.1",
                    "paths": [
                        "@typescript-eslint/eslint-plugin>semver",
                        "@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<5.7.2",
            "module_name": "semver",
            "severity": "moderate",
            "github_advisory_id": "GHSA-c2qf-rxjj-qqgw",
            "cves": [
                "CVE-2022-25883"
            ],
            "access": "public",
            "patched_versions": ">=5.7.2",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
            },
            "updated": "2023-09-01T23:43:55.000Z",
            "recommendation": "Upgrade to version 5.7.2 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093262,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
            "created": "2023-06-21T06:30:28.000Z",
            "reported_by": null,
            "title": "semver vulnerable to Regular Expression Denial of Service",
            "npm_advisory_id": null,
            "overview": "Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
            "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"
        },
        "1093882": {
            "findings": [
                {
                    "version": "1.0.2",
                    "paths": [
                        "i18next-parser>cheerio>cheerio-select>css-select>nth-check",
                        "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
                        "react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check",
                        "cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<2.0.1",
            "module_name": "nth-check",
            "severity": "high",
            "github_advisory_id": "GHSA-rp65-9cf3-cjxr",
            "cves": [
                "CVE-2021-3803"
            ],
            "access": "public",
            "patched_versions": ">=2.0.1",
            "cvss": {
                "score": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "updated": "2023-09-13T21:49:55.000Z",
            "recommendation": "Upgrade to version 2.0.1 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093882,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
            "created": "2021-09-20T20:47:31.000Z",
            "reported_by": null,
            "title": "Inefficient Regular Expression Complexity in nth-check",
            "npm_advisory_id": null,
            "overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n    var time = Date.now();\n    var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n    try {\n        nthCheck.parse(attack_str) \n    }\n    catch(err) {\n        var time_cost = Date.now() - time;\n        console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n    }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
            "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
        },
        "1094304": {
            "findings": [
                {
                    "version": "7.0.39",
                    "paths": [
                        "react-scripts>postcss",
                        "cra-bundle-analyzer>react-scripts>postcss",
                        "cra-bundle-analyzer>react-scripts>tailwindcss>postcss",
                        "cra-bundle-analyzer>react-scripts>tailwindcss>postcss-import>postcss",
                        "cra-bundle-analyzer>react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss",
                        "cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss",
                        "cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>cssnano-utils>postcss"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<8.4.31",
            "module_name": "postcss",
            "severity": "moderate",
            "github_advisory_id": "GHSA-7fh5-64p2-3v2j",
            "cves": [
                "CVE-2023-44270"
            ],
            "access": "public",
            "patched_versions": ">=8.4.31",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            },
            "updated": "2023-10-10T21:32:38.000Z",
            "recommendation": "Upgrade to version 8.4.31 or later",
            "cwe": [
                "CWE-74",
                "CWE-144"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1094304,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
            "created": "2023-09-30T00:31:10.000Z",
            "reported_by": null,
            "title": "PostCSS line return parsing error",
            "npm_advisory_id": null,
            "overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
            "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
        },
        "1094415": {
            "findings": [
                {
                    "version": "7.21.5",
                    "paths": [
                        "react-scripts>@babel/core>@babel/traverse",
                        "react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/traverse"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<7.23.2",
            "module_name": "@babel/traverse",
            "severity": "critical",
            "github_advisory_id": "GHSA-67hx-6x53-jw92",
            "cves": [
                "CVE-2023-45133"
            ],
            "access": "public",
            "patched_versions": ">=7.23.2",
            "cvss": {
                "score": 9.3,
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
            },
            "updated": "2023-10-20T13:27:09.000Z",
            "recommendation": "Upgrade to version 7.23.2 or later",
            "cwe": [
                "CWE-184"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1094415,
            "references": "- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92\n- https://nvd.nist.gov/vuln/detail/CVE-2023-45133\n- https://github.com/babel/babel/pull/16033\n- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82\n- https://github.com/babel/babel/releases/tag/v7.23.2\n- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4\n- https://www.debian.org/security/2023/dsa-5528\n- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html\n- https://babeljs.io/blog/2023/10/16/cve-2023-45133\n- https://github.com/advisories/GHSA-67hx-6x53-jw92",
            "created": "2023-10-16T13:55:36.000Z",
            "reported_by": null,
            "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
            "npm_advisory_id": null,
            "overview": "### Impact\n\nUsing Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-runtime`\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\n- Any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\n\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\n\n**Users that only compile trusted code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/traverse@7.23.2`.\n\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\n\n### Workarounds\n\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\n  - `@babel/plugin-transform-runtime` v7.23.2\n  - `@babel/preset-env` v7.23.2\n  - `@babel/helper-define-polyfill-provider` v0.4.3\n  - `babel-plugin-polyfill-corejs2` v0.4.6\n  - `babel-plugin-polyfill-corejs3` v0.8.5\n  - `babel-plugin-polyfill-es-shims` v0.10.0\n  - `babel-plugin-polyfill-regenerator` v0.5.3",
            "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92"
        }
    },
    "muted": [],
    "metadata": {
        "vulnerabilities": {
            "info": 0,
            "low": 0,
            "moderate": 43,
            "high": 5,
            "critical": 14
        },
        "dependencies": 1523,
        "devDependencies": 14,
        "optionalDependencies": 0,
        "totalDependencies": 1537
    }
}

The yarn offline didn't work and had another structure. Files don't have the same structure. So ODP is not yet compatible with yarn 2/3 for sure, and I guess it's easier in my case to launch the yarn npm audit myself and try to integrate it directly into SonarQube.

Thanks a lot for the work on ODP, I hope I'll be able to reuse it in a couple of months

PS: I've updated my project dependencies now, so the report is no longer usable for bad people 👎
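
The report above is the single-object shape that Yarn 2/3's `yarn npm audit --json` produces (`advisories` keyed by id, counts under `metadata.vulnerabilities`), which is the structural difference this comment runs into. As an added example, not dependency-check's own code and not the commenter's, the following Node script normalizes that shape and the per-line shape assumed here for Yarn 1's `yarn audit --json` into one list of findings and then applies a severity gate. The sample reports are constructed from the advisories shown above (the word-wrap finding version and the direct `@babel/traverse` path are invented), and the Yarn 1 record layout (`auditAdvisory` records repeated per resolution path, then one `auditSummary`) is an assumption.

```javascript
// Added example (not dependency-check's own code). Normalizes both yarn audit
// report shapes into one list of findings, then applies a severity gate.
//
// Shape A: the single-object report pasted above (Yarn 2/3 `yarn npm audit --json`):
//          "advisories" keyed by id, counts under "metadata.vulnerabilities".
// Shape B: assumed here to be the Yarn 1 `yarn audit --json` stream: one JSON
//          object per line, {"type":"auditAdvisory"} records (one per resolution
//          path) and a closing {"type":"auditSummary"}. Advisory fields are the same.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in shape A, trimmed to two of the advisories shown above.
const SAMPLE_OBJECT_REPORT = JSON.stringify({
  actions: [],
  advisories: {
    "1093108": {
      findings: [{ version: "1.2.3", paths: ["eslint>optionator>word-wrap"] }],
      module_name: "word-wrap", severity: "moderate", id: 1093108,
      github_advisory_id: "GHSA-j8xg-fqg3-53r7", cves: ["CVE-2023-26115"],
      vulnerable_versions: "<1.2.4", patched_versions: ">=1.2.4", cvss: { score: 5.3 },
    },
    "1094415": {
      findings: [{ version: "7.21.5", paths: ["react-scripts>@babel/core>@babel/traverse", "@babel/traverse"] }],
      module_name: "@babel/traverse", severity: "critical", id: 1094415,
      github_advisory_id: "GHSA-67hx-6x53-jw92", cves: ["CVE-2023-45133"],
      vulnerable_versions: "<7.23.2", patched_versions: ">=7.23.2", cvss: { score: 9.3 },
    },
  },
  muted: [],
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 1 }, totalDependencies: 2 },
});

// Constructed sample in shape B: the same advisory once per resolution path.
const NTH_CHECK_ADVISORY = {
  findings: [{ version: "1.0.2", paths: ["i18next-parser>cheerio>cheerio-select>css-select>nth-check"] }],
  module_name: "nth-check", severity: "high", id: 1093882,
  github_advisory_id: "GHSA-rp65-9cf3-cjxr", cves: ["CVE-2021-3803"],
  vulnerable_versions: "<2.0.1", patched_versions: ">=2.0.1", cvss: { score: 7.5 },
};
const SAMPLE_NDJSON_REPORT = [
  { type: "auditAdvisory", data: { resolution: { id: 1093882, path: "i18next-parser>cheerio>cheerio-select>css-select>nth-check" }, advisory: NTH_CHECK_ADVISORY } },
  { type: "auditAdvisory", data: { resolution: { id: 1093882, path: "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check" }, advisory: NTH_CHECK_ADVISORY } },
  { type: "auditSummary", data: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 }, totalDependencies: 1 } },
].map((r) => JSON.stringify(r)).join("\n");

// Accept either shape and return { advisories: [...], summary: {...} }.
function parseYarnAudit(text) {
  const trimmed = text.trim();
  let doc = null;
  try { doc = JSON.parse(trimmed); } catch (e) { /* not one document: treat as NDJSON */ }
  if (doc && doc.advisories) {
    return { advisories: Object.values(doc.advisories), summary: doc.metadata.vulnerabilities };
  }
  const byId = new Map(); // dedupe: shape B repeats an advisory per path
  let summary = null;
  for (const line of trimmed.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type === "auditAdvisory") byId.set(rec.data.advisory.id, rec.data.advisory);
    else if (rec.type === "auditSummary") summary = rec.data.vulnerabilities;
    else if (rec.type === "error") throw new Error(`yarn audit reported an error: ${rec.data}`);
  }
  if (summary === null) throw new Error("unrecognised yarn audit output: no advisories object and no auditSummary record");
  return { advisories: [...byId.values()], summary };
}

// Flatten advisories into one record per (module, version) finding.
function toFindings(advisories) {
  return advisories.flatMap((adv) => adv.findings.map((f) => ({
    module: adv.module_name,
    version: f.version,
    severity: adv.severity,
    ids: [adv.github_advisory_id, ...(adv.cves || [])],
    vulnerableRange: adv.vulnerable_versions,
    patchedRange: adv.patched_versions,
    // A path without ">" names the module itself, i.e. a direct dependency.
    direct: f.paths.some((p) => !p.includes(">")),
    // Shortest chain: the nearest place to pin or override the package.
    shortestPath: f.paths.length ? f.paths.reduce((a, b) => (b.split(">").length < a.split(">").length ? b : a)) : "",
  })));
}

// Count distinct advisories per severity (the report's own metadata may count differently).
function tally(advisories) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const adv of advisories) if (adv.severity in counts) counts[adv.severity] += 1;
  return counts;
}

// CI gate: findings at or above the given severity.
function gate(findings, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  return findings.filter((f) => SEVERITY_RANK[f.severity] >= min);
}
```

Feeding the full report above through `parseYarnAudit` and `gate(toFindings(...), "high")` yields the nth-check and @babel/traverse findings with their shortest dependency chains, which is the triage view a build gate needs; `tally` is kept separate from the report's `metadata.vulnerabilities` because the two tools' counting rules are not spelled out on this page.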

rddesmond commented 7 months ago

I think the solution isn't necessarily that yarn should be friendlier in --offline mode, it's that the error from YarnAuditAnalyzer could be friendlier.

Like @ChrisSamo632, there is an error in the logs. It doesn't pain me to have dependency-checker fail if the item resolved by yarn isn't the one in the yarn.lock, but it would be nice to have that as the error instead of something rather cryptic.

That is, instead of what's output to the stdout/stderr now:

[WARN] An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
    at java.base/java.util.Optional.get(Optional.java:143)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:240)
        ...

Have something like:

[WARN] An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): Couldn't find any versions for \"@probe.gl/env\" that matches \"4.0.1\".
[ERROR] Unable to execute a yarn audit because of a mismatch between the yarn.lock and resolved dependencies.

The full debug log as it's written to disk now:

DEBUG - Launching: [yarn, audit, --offline, --json, --verbose]
2024-01-19 21:41:35,175 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:234
DEBUG - Process Error Out: {"type":"error","data":"Couldn't find any versions for \"@probe.gl/env\" that matches \"4.0.1\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}

2024-01-19 21:41:35,175 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:235
DEBUG - Process Out: 
2024-01-19 21:41:35,177 org.owasp.dependencycheck.AnalysisTask:94
WARN  - An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): No value present
2024-01-19 21:41:35,179 org.owasp.dependencycheck.AnalysisTask:96
ERROR - 
java.util.NoSuchElementException: No value present
    at java.base/java.util.Optional.get(Optional.java:143)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:240)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:280)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:105)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:840)
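
One way to implement the friendlier failure proposed in this comment, as added example code rather than anything from dependency-check or the commenter: parse yarn's JSON-mode stderr records, recognise the lockfile-mismatch message, and emit the two log lines suggested above instead of letting an absent value surface as `NoSuchElementException`. The `error` record is the one from the debug log in this comment; the `warning` record, the `KNOWN_FAILURES` table, the hint text and the function names are constructed.

```javascript
// Added example (not dependency-check's own code). Turns yarn's JSON-mode
// diagnostics into the descriptive failure proposed above. In --json mode,
// yarn (classic) writes one JSON record per line on stderr; the "error" record
// below is the one from the debug log in this thread, the "warning" is constructed.

const SAMPLE_STDERR = [
  { type: "warning", data: "package.json: No license field" },
  { type: "error", data: 'Couldn\'t find any versions for "@probe.gl/env" that matches "4.0.1" in our cache (possible versions are ""). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue.' },
].map((r) => JSON.stringify(r)).join("\n");

// Split stderr into yarn's JSON records; non-JSON lines (e.g. Node runtime
// warnings) are kept as "raw" so nothing is silently dropped from the debug log.
function parseDiagnostics(stderr) {
  const records = [];
  for (const line of stderr.split("\n")) {
    const text = line.trim();
    if (!text) continue;
    try {
      const rec = JSON.parse(text);
      if (rec && typeof rec.type === "string") { records.push(rec); continue; }
    } catch (e) { /* not JSON */ }
    records.push({ type: "raw", data: text });
  }
  return records;
}

// Known yarn failure messages mapped to an operator-facing explanation. The
// pattern is yarn's own wording from this thread; the summary is the ERROR
// line proposed above. Hint text is constructed.
const KNOWN_FAILURES = [
  {
    kind: "lockfile-mismatch",
    pattern: /Couldn't find any versions for "([^"]+)" that matches "([^"]+)"/,
    summary: "Unable to execute a yarn audit because of a mismatch between the yarn.lock and resolved dependencies.",
    hint: "Run yarn install without --offline to refresh yarn.lock, commit it, then re-run the scan.",
  },
];

// Decide whether a yarn audit run produced something parseable, and if not, why.
function explainRun(stdout, stderr) {
  const errors = parseDiagnostics(stderr).filter((r) => r.type === "error");
  if (errors.length === 0) {
    if (stdout.trim() === "") {
      // The case the stack trace above hides: no error record, but nothing to parse either.
      return { ok: false, kind: "no-output", detail: "yarn audit wrote nothing to stdout and reported no error",
               summary: "Unable to execute a yarn audit: no output was produced.",
               hint: "Run the same yarn audit --json command by hand to see what yarn prints." };
    }
    return { ok: true, stdout };
  }
  const first = String(errors[0].data);
  for (const known of KNOWN_FAILURES) {
    const m = known.pattern.exec(first);
    if (m) return { ok: false, kind: known.kind, detail: m[0], pkg: m[1], version: m[2], summary: known.summary, hint: known.hint };
  }
  return { ok: false, kind: "unknown", detail: first, summary: "Unable to execute a yarn audit: yarn reported an error.", hint: "See the yarn error text above." };
}

// Render the two log lines proposed above: WARN carries yarn's own words,
// ERROR carries the interpretation.
function formatForLog(result, lockfilePath) {
  if (result.ok) return [];
  return [
    `[WARN] An unexpected error occurred during analysis of '${lockfilePath}' (Yarn Audit Analyzer): ${result.detail}`,
    `[ERROR] ${result.summary}`,
  ];
}
```

Checking stderr before touching stdout is the point: the `Optional.get` in the trace fails only because the analyzer looks for something in an output that yarn never wrote, so the condition that explains it is in the other stream.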

chadlwilson commented 2 months ago

Had a look at this, and it seems not so simple to resolve. The error handling is not great, and although relatively easily improved, it's not trivial to correct the real problem.

The old/existing implementation runs yarn audit in --verbose/--offline mode and then scrapes the query that yarn would otherwise make to the npm registry from the output. It is this output query scraping that fails, as it is no longer in the output, even if you correct the flags.

It then uses the same code as for the other analyzer to actually call the npm registry APIs directly, parse the response etc.

There does not seem to be an equivalent approach that will work with yarn npm audit on Yarn Berry, except to rely on yarn to query the registry instead. It's not really clear to me why the previous implementation worked the way it did, but if the JSON output is the same perhaps it's possible to just reuse the parsed output from the registry while allowing yarn to make the call.

In addition to this, it's probably required to validate this all works with corepack enable and various styles of usage of yarn (e.g. the modern approach where it expects you to have the specific yarn version source controlled in .yarn and referred to via a .yarnrc.yml etc).

jeremylong commented 2 months ago

It's been a while since I looked at the Yarn implementation - but I believe we intercepted the request to get a complete listing of the dependencies. The results from the API call only contain the vulnerable dependencies.

chadlwilson commented 2 months ago

Ahh ok, interesting, that makes sense. There's probably a different way to get that now, via yarn info --recursive --json, but I haven't really looked into it as it's not a command I regularly use.
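
To make the point of the last two comments concrete: the audit response lists only the vulnerable packages, so a scanner needs a separate complete inventory to know what the audit actually covered. The following added example (not dependency-check's code and not the commenters') builds that inventory from the newline-delimited JSON that `yarn info --recursive --json` prints on Yarn 2/3 and joins audit findings against it. The record shape (`value` holding a `name@protocol:reference` locator, `children.Version` holding the resolved version) is an assumption, and all sample lines are constructed.

```javascript
// Added example (not dependency-check's own code). Builds the complete
// dependency inventory that the audit response does not provide, from the
// NDJSON that `yarn info --recursive --json` (Yarn 2/3) prints. Assumed record
// shape: one object per line with "value" holding a locator such as
// "lodash@npm:4.17.21" and "children.Version" holding the resolved version.

// Constructed sample lines: a workspace root, registry packages (one of them
// resolved at two versions, one repeated), and a patched package.
const SAMPLE_YARN_INFO = [
  { value: "my-app@workspace:.", children: { Version: "0.0.0" } },
  { value: "lodash@npm:4.17.21", children: { Version: "4.17.21" } },
  { value: "@babel/traverse@npm:7.21.5", children: { Version: "7.21.5" } },
  { value: "@babel/traverse@npm:7.23.2", children: { Version: "7.23.2" } },
  { value: "lodash@npm:4.17.21", children: { Version: "4.17.21" } },
  { value: "left-pad@patch:left-pad@npm%3A1.3.0#./my.patch", children: { Version: "1.3.0" } },
].map((r) => JSON.stringify(r)).join("\n");

// Split "name@protocol:reference" at the first "@" after position 0, so scoped
// names such as "@babel/traverse" keep their leading "@".
function parseLocator(locator) {
  const at = locator.indexOf("@", 1);
  if (at < 0) return null;
  const name = locator.slice(0, at);
  const reference = locator.slice(at + 1);
  const colon = reference.indexOf(":");
  const protocol = colon < 0 ? "" : reference.slice(0, colon);
  const rest = colon < 0 ? reference : reference.slice(colon + 1);
  return { name, protocol, rest };
}

// name -> unique versions for packages that come from the npm registry.
// workspace: and patch: packages are listed separately because the registry
// cannot be asked about them. Version lists are sorted lexically only for
// stable output; this is not a semver ordering.
function buildInventory(ndjson) {
  const npm = new Map();
  const other = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    const loc = parseLocator(rec.value);
    if (!loc) continue;
    const version = (rec.children && rec.children.Version) || loc.rest;
    if (loc.protocol !== "npm") { other.push({ name: loc.name, protocol: loc.protocol, version }); continue; }
    if (!npm.has(loc.name)) npm.set(loc.name, new Set());
    npm.get(loc.name).add(version);
  }
  const registry = {};
  for (const [name, versions] of [...npm.entries()].sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))) {
    registry[name] = [...versions].sort();
  }
  return { registry, other };
}

// Join audit advisories (module_name + findings[].version, as in the report
// format earlier in this thread) against the inventory: which (name, version)
// pairs were flagged, out of how many the tree actually contains.
function coverage(inventory, advisories) {
  const flagged = new Set(advisories.flatMap((a) => a.findings.map((f) => `${a.module_name}@${f.version}`)));
  const all = Object.entries(inventory.registry).flatMap(([name, versions]) => versions.map((v) => `${name}@${v}`));
  return { total: all.length, flagged: all.filter((key) => flagged.has(key)) };
}
```

The inventory's `registry` map (name to versions) is the natural input for any per-package lookup a scanner wants to make itself, and `coverage` gives the number the audit response alone cannot: how many resolved packages were in scope, not just how many were flagged.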