karatelabs / karate

Test Automation Made Simple
https://karatelabs.github.io/karate
MIT License

Security vulnerability in karate-core 1.4.1 due to old version 4.5.3 bootstrap (twitter) bootstrap.min.js #2588

Open Saruman000 opened 3 months ago

Saruman000 commented 3 months ago

Could you please upgrade bootstrap (twitter) bootstrap.min.js from 4.5.3 to 5.3.3 or later to fix the XSS security vulnerability in karate-core 1.4.1?

ptrthomas commented 3 months ago

@Saruman000 this is low priority, so you are welcome to submit a PR, and the HTML reports will need tweaking. You are not supposed to put Karate reports into production and most users don't.

Saruman000 commented 3 months ago

Peter,

1) Thank you!

2) The latest version of the Black Duck SCA security scanner marks bootstrap in karate-core 1.4.1 as SEV-2, which makes it a High-Severity finding.

3) YES, so far the majority of consumers of the KARATE framework limit its usage only to BDD testing in pre-production, and because of that they can sometimes try to descope non-production code from Black Duck security testing and avoid such a problem. At the same time, some of them use the same BDD approach to automate application validation after deployment, which makes karate-core part of the production deployment.

Again - thank you for supporting the karate framework! It is really great.

ptrthomas commented 3 months ago

@Saruman000 thanks for the details on Black Duck - even though that doesn't make sense for a testing framework, I agree that resolving this is ideal for any enterprise using Black Duck