Bug: vulnarability scan of mage (1.13.0) showing CVE-2020-11023 present

[WheeskyJack]

Bug Description Hi, I recently upgraded mage pkg to 1.13.0. As a part of process, Whitesource vulnerability scan was run on the project. It showed mage having CVE-2020-11023 issue. I am creating this issue to understand if this is really a risk and if any fix available for the same.

What did you do? get the mage package version 1.13.0 and run security scan

What did you expect to happen? no security threats present

What actually happened? vulnerability was found as a result of scan

Environment

• Mage Version: 1.13.0
• OS: Mac

[WheeskyJack]

suggested fix by scan was : Upgrade to version jquery - 3.5.0;jquery-rails - 4.4.0

[ladydascalie]

Hello @WheeskyJack, this is not immediately risky. jQuery is only used for the website portion of Mage, and not anywhere in the actual tool.

[WheeskyJack]

Thank you! Also, is there any plan to fix this?

[ladydascalie]

Sure! I'll see about proposing the recommended upgrades :)

[WheeskyJack]

Thank you.

[jespino]

@natefinch If you see value in it, I can try to upgrade the hugo template respecting the original changes (It is not going to be super easy, but I think is not that hard). That would upgrade to the jquery 3.3.1 instead of 2.x, and also is going to upgrade other libraries.

[natefinch]

I would love that, thank you!

[WheeskyJack]

scan report for the reference

[jespino]

Thanks @WheeskyJack, this is very useful, I can upgrade the theme, and the upgrade jquery in it to the newest 3.X version. Also, would be great to also create a ticket for the upstream theme repo here: https://github.com/matcornic/hugo-theme-learn

[jespino]

nevermind, this is already reported and there is already a PR for that. I think I have to do the upgrade manually in this repo.

[WheeskyJack]

is the issue fixed in 1.14.0?

[denkyl08]

@jespino would it be possible to move the site/* directory into a separate repo? It sounds from this thread like the code in that directory is unrelated to the tool itself but is instead the source for https://magefile.org/. However, I'm not sure that security scanning tools will be able to discern that automatically, so I think the next best thing would be to separate the tool from the site.

[natefinch]

We can probably move the site to a separate repo. The reason it is in the same repo is to make it easy to update the site to go with changes to the tool. But really, I don't think it's super important at this point, since there aren't a ton of large changes going on.