Security vulnerability in karate-core 1.4.1 due to old version 4.5.3 bootstrap (twitter) bootstarp.min.js

[Saruman000]

Could you please upgrade bootstrap (twitter) bootstarp.min.js from 4.5.3 to 5.3.3 or later to fix security XSS vulnerability in karate-core 1.4.1 ?

[ptrthomas]

@Saruman000 this is low priority so you are welcome to submit a PR and the HTML reports will need tweaking. you are not supposed to put karate reports into production and most users don't

[Saruman000]

Peter,

1) Thank you!

2) Latest version of Black Duck SCA security scanner marks bootstrap in karate-core 1.4.1 as SEV-2, which makes it High-Severity finding.

3) YES, so far majority of consumers of KARATE framework limit its usage only to BDD testing in pre-production, and because of that sometime they can try to descope non-production code from Black Duck security testing and avoid such problem. At the same time some of them use same BDD approach to automate application validation after deployment, which makes karate-core part of production deployment.

Again - thank you for supporting karate framework! it is really great.

[ptrthomas]

@Saruman000 thanks for the details on Black Duck - even though that doesn't make sense for a testing framework, I agree that resolving this is ideal for any enterprise using Black Duck