Closed ciarancolgan closed 1 year ago
Please refrain from restating automated tooling reports verbatim without further, proper analysis of whether it is genuinely valid.
@alexlamsl , I highly suggest you update the CVE record by filing this form: https://cveform.mitre.org/
Otherwise, all tools that monitor CVE issues will raise a critical issue on the UglifyJS package. This is a link to the CVE description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37598
@CarlG12 I did not opt for or file any CVEs in the first place, so I fail to see how it is my responsibility to "Report Spam".
You have my full blessing to tell whoever's in charge to remove any records with regards to UglifyJS - and perhaps ask them to obtain a maintainer's opinion/consensus in the future before causing inconvenience to the user community.
@alexlamsl I am in the same boat as @ciarancolgan and many, many others. Corporate vulnerability scanners will force us to remove UglifyJS and find other solutions and never look back. I believe this tool's user community will drop drastically if the CVE isn't resolved. If you disagree with the verdict that this is a true vulnerability, please reach out to NIST.gov and make your case. https://nvd.nist.gov/vuln/detail/CVE-2022-37598
@ciarancolgan here seems to be the area: https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46 https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79
Synopsys BlackDuck scan also reports this as a critical vulnerability. As others have commented, @alexlamsl , you should make your case and get this vulnerability removed from the list. Closing the issue as Invalid is not a solution and not beneficial for anyone.
@ciarancolgan @CarlG12 @jimmyjames177414 @jeensingh - the responsibility for clarifying this belongs to @Supraja9726 who was responsible for filing the issue #5699 that appears to have set this whole chain of events into motion.
I've added a comment to that issue clarifying that I agree with the assessment that this issue is invalid, and I've asked for @Supraja9726 to defend the claim that such a vulnerability exists.
@robbytx thanks for your assessment and the attempt to rectify this situation :+1:
Uglify version
At least all versions from our current (3.13.2) to latest.

Issue
As of 25/10/22, running an auditjs ossi scan on our codebase throws this issue as a critical error:
Vulnerability Title: [CVE-2022-37598] Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2022-37598?component-type=npm&component-name=uglify-js&utm_source=auditjs&utm_medium=integration&utm_content=4.0.38
According to Sonatype this affects all published versions of UglifyJS, so upgrading won't help. The same issue was reported here: https://github.com/mishoo/UglifyJS/issues/5699 but has been closed, marked as invalid?
Would you be able to look into this, or point me at the area and I can take a look at getting a PR raised? Thanks!
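The thread turns on whether the scanner finding describes real prototype pollution or not. The following is an added example, not code from UglifyJS or from anyone in this thread, and it does not reproduce or assess the DEFNODE claim itself. It shows the check a practitioner can run against any suspect function: call it with the canonical pollution payloads and then inspect a fresh, unrelated object for a leaked property. The three functions it probes (`unsafeMerge`, `safeMerge`, `registerByName`) are constructed for the example; the probe key and payload shapes are likewise assumptions made here.

```javascript
// Added example: a prototype-pollution probe harness with one deliberately
// vulnerable sink, its hardened form, and a single-level keyed write.
// None of this is UglifyJS code.

const PROBE_PROPERTY = "__pp_probe__"; // assumed marker name for this example

// The two classic payload shapes. JSON.parse creates an OWN "__proto__" key,
// which is what makes the first one dangerous for naive recursive merges.
function pollutionPayloads() {
  return [
    JSON.parse(`{"__proto__": {"${PROBE_PROPERTY}": 1}}`),
    JSON.parse(`{"constructor": {"prototype": {"${PROBE_PROPERTY}": 1}}}`),
  ];
}

// Calls fn with each payload, then checks whether a brand-new object now sees
// the probe property, i.e. whether Object.prototype was actually mutated.
// Exceptions thrown by fn are ignored: only pollution is being measured.
// Cleans Object.prototype between payloads so probes stay independent.
function probePollution(fn, payloads = pollutionPayloads()) {
  let polluted = false;
  for (const payload of payloads) {
    try {
      fn(payload);
    } catch (e) {
      // throwing on hostile input is acceptable behaviour, not pollution
    }
    const fresh = {};
    if (fresh[PROBE_PROPERTY] !== undefined) polluted = true;
    delete Object.prototype[PROBE_PROPERTY];
  }
  return polluted;
}

// Deliberately vulnerable: a recursive merge that writes every source key into
// target. With an own "__proto__" key the recursion descends into
// Object.prototype and writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: refuse the keys that can reach a prototype, and only ever
// recurse into properties the target actually owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A single-level write with a caller-supplied key. With name === "__proto__"
// this rebinds the prototype of `table` itself; it does not reach
// Object.prototype, so a probe on a fresh object stays clean. Whether a given
// library's name parameter is attacker-controlled at all is a separate question
// this harness does not answer.
function registerByName(table, name, value) {
  table[name] = value;
  return table;
}
```

Usage: `probePollution(p => unsafeMerge({}, p))` returns true, `probePollution(p => safeMerge({}, p))` returns false, and `probePollution(n => registerByName({}, n, { [PROBE_PROPERTY]: 1 }), ["__proto__", "constructor", "prototype"])` also returns false. The point of the harness is that a scanner's "via the name variable" claim can be turned into a concrete, repeatable yes/no check on the real function before anyone files or disputes a CVE.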